upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-07 13:32:15 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

test: trying to get microVMs to work

Browse source
This commit is contained in:
Nick 2025-11-11 01:01:05 -06:00
parent 0c4173ceaf
commit 2582d3cec9
9 changed files with 539 additions and 417 deletions
Download patch file Download diff file Expand all files Collapse all files

327
modules/nixos/guests/firefly-iii/default.nix
View file

@ -16,170 +16,191 @@ let
dns0Path = "dns/${dns0}";
in
{
microvm.vms.${serviceCfg.name} = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
services = {
firefly-iii = {
enable = true;
dataDir = serviceCfg.varPaths.path0;
enableNginx = false;
poolConfig = {
"listen.owner" = config.services.caddy.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
microvm.vms = {
${serviceCfg.name} = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
services = {
firefly-iii = {
enable = true;
# dataDir = serviceCfg.varPaths.path0;
enableNginx = false;
poolConfig = {
"listen.owner" = config.services.caddy.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 4;
"pm.max_requests" = 500;
};
settings = {
APP_URL = "https://${host}";
APP_KEY_FILE = "/run/secrets/pass";
# DB_PASSWORD_FILE = "/run/secrets/data";
# DB_CONNECTION = "pgsql";
# DB_HOST = "db";
# DB_DATABASE = "firefly";
# DB_USERNAME = "firefly";
MAIL_MAILER = smtpCfg.name;
MAIL_HOST = smtpCfg.hostname;
MAIL_PORT = smtpCfg.ports.port0;
MAIL_FROM = smtpCfg.email.address0;
MAIL_USERNAME = smtpCfg.email.address0;
MAIL_PASSWORD_FILE = "/run/secrets/smtp";
MAIL_ENCRYPTION = "tls";
SITE_OWNER = email.address2;
};
};
settings = {
APP_URL = "https://${host}";
APP_KEY_FILE = "/run/secrets/pass";
DB_PASSWORD_FILE = "/run/secrets/data";
DB_CONNECTION = "pgsql";
DB_HOST = "db";
DB_DATABASE = "firefly";
DB_USERNAME = "firefly";
MAIL_MAILER = smtpCfg.name;
MAIL_HOST = smtpCfg.hostname;
MAIL_PORT = smtpCfg.ports.port0;
MAIL_FROM = smtpCfg.email.address0;
MAIL_USERNAME = smtpCfg.email.address0;
MAIL_PASSWORD_FILE = "/run/secrets/smtp";
MAIL_ENCRYPTION = "tls";
SITE_OWNER = email.address2;
firefly-iii-data-importer = {
enable = true;
};
caddy = {
enable = true;
virtualHosts."${serviceCfg.interface.ip}" = {
extraConfig = ''
root * ${config.services.firefly-iii.package}/public
file_server
encode gzip
php_fastcgi unix//run/phpfpm/firefly-iii.sock
'';
};
};
# postgresql = {
# enable = true;
# ensureDatabases = [ "firefly" ];
# ensureUsers = [
# {
# name = "firefly";
# ensureDBOwnership = true;
# }
# ];
# };
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
firefly-iii-data-importer = {
enable = true;
};
networking.firewall.allowedTCPPorts = [
22
80
serviceCfg.ports.port0
serviceCfg.ports.port1
];
caddy = {
enable = true;
virtualHosts."${serviceCfg.interface.ip}" = {
extraConfig = ''
root * ${config.services.firefly-iii.package}/public
file_server
encode gzip
php_fastcgi unix//run/phpfpm/firefly-iii.sock
'';
systemd = {
services = {
fix-secrets-permissions = {
description = "Fix secrets permissions for firefly-iii";
wantedBy = [ "multi-user.target" ];
before = [
"firefly-iii-setup.service"
"phpfpm-firefly-iii.service"
];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
chown root:firefly-iii /run/secrets/pass
chown root:firefly-iii /run/secrets/smtp
chmod 0640 /run/secrets/pass
chmod 0640 /run/secrets/smtp
'';
};
systemd-networkd.wantedBy = [ "multi-user.target" ];
};
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [
{ Address = "${serviceCfg.interface.ip}/24"; }
];
routes = [
{
Destination = "${hostCfg.localhost.address1}/0";
Gateway = serviceCfg.interface.gate;
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
};
postgresql = {
enable = true;
ensureDatabases = [ "firefly" ];
ensureUsers = [
{
name = "firefly";
ensureDBOwnership = true;
}
tmpfiles.rules = [
"Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
];
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
microvm = {
vcpu = 2;
mem = 3072;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = serviceCfg.interface.id;
mac = serviceCfg.interface.mac;
}
{
type = "user";
id = serviceCfg.interface.idUser;
mac = serviceCfg.interface.macUser;
}
];
forwardPorts = [
{
from = "host";
host.port = serviceCfg.interface.ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}";
tag = "${serviceCfg.name}_data";
}
# {
# mountPoint = "/var/lib/postgresql";
# proto = "virtiofs";
# source = "${serviceCfg.mntPaths.path0}/database";
# tag = "${serviceCfg.name}_database";
# }
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets/${serviceCfg.name}";
tag = "host_secrets";
}
];
};
};
networking.firewall.allowedTCPPorts = [
22
80
serviceCfg.ports.port0
serviceCfg.ports.port1
];
systemd = {
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [
{ Address = "${serviceCfg.interface.ip}/24"; }
];
routes = [
{
Destination = "${hostCfg.localhost.address1}/0";
Gateway = serviceCfg.interface.gate;
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
tmpfiles.rules = [
"Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
# "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"Z /var/lib/postgresql 755 postgres postgres -"
];
};
systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
microvm = {
vcpu = 2;
mem = 3072;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = serviceCfg.interface.id;
mac = serviceCfg.interface.mac;
}
{
type = "user";
id = serviceCfg.interface.idUser;
mac = serviceCfg.interface.macUser;
}
];
forwardPorts = [
{
from = "host";
host.port = serviceCfg.interface.ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/data";
tag = "${serviceCfg.name}_data";
}
{
mountPoint = "/var/lib/postgresql";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/database";
tag = "${serviceCfg.name}_database";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets/${serviceCfg.name}";
tag = "host_secrets";
}
];
};
};
};
@ -193,6 +214,8 @@ in
systemd.tmpfiles.rules = [
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
# "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
# "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
];
sops = {

35
modules/nixos/guests/forgejo/default.nix
View file

@ -34,12 +34,8 @@ in
${serviceCfg.name} = {
enable = true;
lfs.enable = true;
database = {
type = "postgres";
};
secrets = {
mailer.PASSWD = "/run/secrets/smtp";
database.PASSWD = "/run/secrets/database";
};
settings = {
server = {
@ -48,7 +44,7 @@ in
HTTP_PORT = serviceCfg.ports.port0;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = false;
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
@ -76,17 +72,6 @@ in
PermitRootLogin = "prohibit-password";
};
};
postgresql = {
enable = true;
ensureDatabases = [ serviceCfg.name ];
ensureUsers = [
{
name = serviceCfg.name;
ensureDBOwnership = true;
}
];
};
};
networking.firewall.allowedTCPPorts = [
@ -128,7 +113,7 @@ in
tmpfiles.rules = [
"Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
"Z /var/lib/postgresql 0755 postgres postgres -"
# "Z /var/lib/postgresql 0755 postgres postgres -"
];
};
@ -167,15 +152,9 @@ in
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/data";
source = "${serviceCfg.mntPaths.path0}";
tag = "${serviceCfg.name}_data";
}
{
mountPoint = "/var/lib/postgresql";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}/database";
tag = "${serviceCfg.name}_database";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
@ -189,9 +168,7 @@ in
};
systemd.tmpfiles.rules = [
"d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
"d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -"
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
];
services.caddy.virtualHosts."${host}" = {
@ -211,9 +188,5 @@ in
owner = "root";
mode = "0600";
};
"${serviceCfg.name}/database" = {
owner = "root";
mode = "0600";
};
};
}

34
modules/nixos/guests/mastodon/config/chars.patch Executable file
View file

@ -0,0 +1,34 @@
diff --git a/app/javascript/mastodon/features/compose/components/compose_form.jsx b/app/javascript/mastodon/features/compose/components/compose_form.jsx
index 9222b2dc8..962310a28 100644
--- a/app/javascript/mastodon/features/compose/components/compose_form.jsx
+++ b/app/javascript/mastodon/features/compose/components/compose_form.jsx
@@ -100,7 +100,7 @@ class ComposeForm extends ImmutablePureComponent {
const fulltext = this.getFulltextForCharacterCounting();
const isOnlyWhitespace = fulltext.length !== 0 && fulltext.trim().length === 0;
- return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 500 || (isOnlyWhitespace && !anyMedia));
+ return !(isSubmitting || isUploading || isChangingUpload || length(fulltext) > 5000 || (isOnlyWhitespace && !anyMedia));
};
handleSubmit = (e) => {
@@ -297,7 +297,7 @@ class ComposeForm extends ImmutablePureComponent {
</div>
<div className='character-counter__wrapper'>
- <CharacterCounter max={500} text={this.getFulltextForCharacterCounting()} />
+ <CharacterCounter max={5000} text={this.getFulltextForCharacterCounting()} />
</div>
</div>
</div>
diff --git a/app/validators/status_length_validator.rb b/app/validators/status_length_validator.rb
index dc841ded3..9cb1ec94b 100644
--- a/app/validators/status_length_validator.rb
+++ b/app/validators/status_length_validator.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class StatusLengthValidator < ActiveModel::Validator
- MAX_CHARS = 500
+ MAX_CHARS = 5000
URL_PLACEHOLDER_CHARS = 23
URL_PLACEHOLDER = 'x' * 23

5500
modules/nixos/guests/mastodon/config/twitter.txt Executable file
View file

File diff suppressed because one or more lines are too long

323
modules/nixos/guests/mastodon/default.nix Executable file
View file

@ -0,0 +1,323 @@
{
flake,
config,
pkgs,
lib,
...
}:
let
inherit (flake.config.people) user0;
inherit (flake.config.services) instances;
serviceCfg = flake.config.services.instances.mastodon;
smtpCfg = flake.config.services.instances.smtp;
hostCfg = flake.config.services.instances.web;
host = serviceCfg.domains.url0;
dns0 = instances.web.dns.provider0;
dns0Path = "dns/${dns0}";
in
{
# If you need to start fresh for some reason, run these to create the new Admin account:
# sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
# sudo -u mastodon mastodon-tootctl accounts approve nick
# If you fuck up and lose the password, use this:
# sudo mastodon-tootctl accounts modify --reset-password nick
# If you really fuck up and name yourself wrong, use this shit
# sudo mastodon-tootctl accounts modify username --remove-role
# nixpkgs.overlays = [
# (
# final: prev: {
# mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
# postPatch =
# (oldAttrs.postPatch or "")
# + ''
# patch -p1 < ${./chars.patch}
# '';
# });
# }
# )
# ];
microvm.vms = {
${serviceCfg.name} = {
autostart = true;
restartIfChanged = true;
config = {
system.stateVersion = "24.05";
time.timeZone = "America/Winnipeg";
users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
services = {
${serviceCfg.name} = {
enable = true;
localDomain = host;
secretKeyBaseFile = "/run/secrets/pass";
streamingProcesses = 7;
trustedProxy = hostCfg.localhost.address1;
automaticMigrations = true;
database = {
createLocally = true;
name = serviceCfg.name;
host = "/run/postgresql";
user = serviceCfg.name;
passwordFile = "/run/secrets/database";
};
extraConfig = {
SINGLE_USER_MODE = "true";
SMTP_AUTH_METHOD = "plain";
SMTP_DELIVERY_METHOD = "smtp";
SMTP_ENABLE_STARTTLS_AUTO = "true";
SMTP_SSL = "false";
};
mediaAutoRemove = {
enable = true;
olderThanDays = 14;
};
redis = {
createLocally = true;
enableUnixSocket = true;
};
sidekiqThreads = 25;
sidekiqProcesses = {
all = {
jobClasses = [
];
threads = null;
};
default = {
jobClasses = [
"default"
];
threads = 5;
};
ingress = {
jobClasses = [
"ingress"
];
threads = 5;
};
push-pull = {
jobClasses = [
"push"
"pull"
];
threads = 5;
};
mailers = {
jobClasses = [
"mailers"
];
threads = 5;
};
};
smtp = {
authenticate = true;
createLocally = false;
fromAddress = "upRootNutrition <${smtpCfg.email.address1}>";
host = smtpCfg.hostname;
passwordFile = "/run/secrets/smtp";
port = smtpCfg.ports.port1;
user = smtpCfg.email.address1;
};
};
caddy = {
virtualHosts = {
"${serviceCfg.interface.ip}" = {
extraConfig = ''
handle_path /system/* {
file_server * {
root /var/lib/mastodon/public-system
}
}
handle /api/v1/streaming/* {
reverse_proxy unix//run/mastodon-streaming/streaming.socket
}
route * {
file_server * {
root ${pkgs.mastodon}/public
pass_thru
}
reverse_proxy * unix//run/mastodon-web/web.socket
}
tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
handle_errors {
root * ${pkgs.mastodon}/public
rewrite 500.html
file_server
}
encode gzip
header /* {
Strict-Transport-Security "max-age=31536000;"
}
header /emoji/* Cache-Control "public, max-age=31536000, immutable"
header /packs/* Cache-Control "public, max-age=31536000, immutable"
header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
'';
};
};
};
postgresql = {
enable = true;
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
users.users.${serviceCfg.name}.extraGroups = [
"postgres"
];
networking.firewall.allowedTCPPorts = [
22 # SSH
80 # Caddy
25 # SMTP
139 # SMTP
587 # SMTP
2525 # SMTP
5432 # Postgres
];
fileSystems."/tmp" = {
device = "tmpfs";
fsType = "tmpfs";
options = [
"size=4G"
"mode=1777"
];
};
systemd = {
services = {
systemd-networkd.wantedBy = [ "multi-user.target" ];
caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [
"/var/lib/caddy"
"/run/mastodon-web"
];
};
network = {
enable = true;
networks."20-lan" = {
matchConfig.Name = "enp0s5";
addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
routes = [
{
Destination = "${hostCfg.localhost.address1}/0";
Gateway = serviceCfg.interface.gate;
}
];
dns = [
"1.1.1.1"
"8.8.8.8"
];
};
};
tmpfiles.rules = [
"Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
];
};
microvm = {
vcpu = 2;
mem = 3072;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = serviceCfg.interface.id;
mac = serviceCfg.interface.mac;
}
{
type = "user";
id = serviceCfg.interface.idUser;
mac = serviceCfg.interface.macUser;
}
];
forwardPorts = [
{
from = "host";
host.port = serviceCfg.interface.ssh;
guest.port = 22;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = "/var/lib/${serviceCfg.name}";
proto = "virtiofs";
source = "${serviceCfg.mntPaths.path0}";
tag = "${serviceCfg.name}_data";
}
{
mountPoint = "/run/secrets";
proto = "virtiofs";
source = "/run/secrets/${serviceCfg.name}";
tag = "host_secrets";
}
];
};
};
};
};
sops = {
secrets = builtins.listToAttrs (
map
(secret: {
name = "${serviceCfg.name}/${secret}";
value = {
owner = "root";
mode = "0600";
};
})
[
"smtp"
"database"
"redis"
"pass"
]
);
};
systemd.tmpfiles.rules = [
"d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
];
services.caddy.virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy ${serviceCfg.interface.ip}:80
tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
encode zstd gzip
'';
};
users.users.caddy.extraGroups = [ "acme" ];
security.acme.certs."${host}" = {
dnsProvider = dns0;
environmentFile = config.sops.secrets.${dns0Path}.path;
group = "caddy";
};
}

2
modules/nixos/guests/vaultwarden/default.nix
View file

@ -144,7 +144,7 @@ in
mountPoint = "/var/lib/bitwarden_rs";
proto = "virtiofs";
source = serviceCfg.mntPaths.path0;
tag = "vaultwarden_data";
tag = "${serviceCfg.name}_data";
}
{
mountPoint = "/run/secrets";