test: trying to get microVMs to work

2025-12-06 21:17:14 -06:00 · 2025-11-11 01:01:05 -06:00 · 2025-11-11 01:01:05 -06:00 · 2582d3cec9
commit 2582d3cec9
parent 0c4173ceaf
9 changed files with 539 additions and 417 deletions
--- a/modules/nixos/guests/mastodon/default.nix
+++ b/modules/nixos/guests/mastodon/default.nix
@ -0,0 +1,323 @@
+{
+  flake,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (flake.config.people) user0;
+  inherit (flake.config.services) instances;
+  serviceCfg = flake.config.services.instances.mastodon;
+  smtpCfg = flake.config.services.instances.smtp;
+  hostCfg = flake.config.services.instances.web;
+  host = serviceCfg.domains.url0;
+  dns0 = instances.web.dns.provider0;
+  dns0Path = "dns/${dns0}";
+in
+{
+  # If you need to start fresh for some reason, run these to create the new Admin account:
+  # sudo -u mastodon mastodon-tootctl accounts create nick --email=nick@localhost --confirmed --role=Owner
+  # sudo -u mastodon mastodon-tootctl accounts approve nick
+
+  # If you fuck up and lose the password, use this:
+  # sudo mastodon-tootctl accounts modify --reset-password nick
+
+  # If you really fuck up and name yourself wrong, use this shit
+  # sudo mastodon-tootctl accounts modify username --remove-role
+
+  # nixpkgs.overlays = [
+  #   (
+  #     final: prev: {
+  #       mastodon = prev.mastodon.overrideAttrs (oldAttrs: {
+  #         postPatch =
+  #           (oldAttrs.postPatch or "")
+  #           + ''
+  #             patch -p1 < ${./chars.patch}
+  #           '';
+  #       });
+  #     }
+  #   )
+  # ];
+
+  microvm.vms = {
+    ${serviceCfg.name} = {
+      autostart = true;
+      restartIfChanged = true;
+      config = {
+        system.stateVersion = "24.05";
+        time.timeZone = "America/Winnipeg";
+        users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+        services = {
+          ${serviceCfg.name} = {
+            enable = true;
+            localDomain = host;
+            secretKeyBaseFile = "/run/secrets/pass";
+            streamingProcesses = 7;
+            trustedProxy = hostCfg.localhost.address1;
+            automaticMigrations = true;
+            database = {
+              createLocally = true;
+              name = serviceCfg.name;
+              host = "/run/postgresql";
+              user = serviceCfg.name;
+              passwordFile = "/run/secrets/database";
+            };
+            extraConfig = {
+              SINGLE_USER_MODE = "true";
+              SMTP_AUTH_METHOD = "plain";
+              SMTP_DELIVERY_METHOD = "smtp";
+              SMTP_ENABLE_STARTTLS_AUTO = "true";
+              SMTP_SSL = "false";
+            };
+            mediaAutoRemove = {
+              enable = true;
+              olderThanDays = 14;
+            };
+            redis = {
+              createLocally = true;
+              enableUnixSocket = true;
+            };
+            sidekiqThreads = 25;
+            sidekiqProcesses = {
+              all = {
+                jobClasses = [
+                ];
+                threads = null;
+              };
+              default = {
+                jobClasses = [
+                  "default"
+                ];
+                threads = 5;
+              };
+              ingress = {
+                jobClasses = [
+                  "ingress"
+                ];
+                threads = 5;
+              };
+              push-pull = {
+                jobClasses = [
+                  "push"
+                  "pull"
+                ];
+                threads = 5;
+              };
+              mailers = {
+                jobClasses = [
+                  "mailers"
+                ];
+                threads = 5;
+              };
+            };
+            smtp = {
+              authenticate = true;
+              createLocally = false;
+              fromAddress = "upRootNutrition <${smtpCfg.email.address1}>";
+              host = smtpCfg.hostname;
+              passwordFile = "/run/secrets/smtp";
+              port = smtpCfg.ports.port1;
+              user = smtpCfg.email.address1;
+            };
+          };
+          caddy = {
+            virtualHosts = {
+              "${serviceCfg.interface.ip}" = {
+                extraConfig = ''
+                  handle_path /system/* {
+                    file_server * {
+                      root /var/lib/mastodon/public-system
+                    }
+                  }
+
+                  handle /api/v1/streaming/* {
+                    reverse_proxy unix//run/mastodon-streaming/streaming.socket
+                  }
+
+                  route * {
+                    file_server * {
+                      root ${pkgs.mastodon}/public
+                      pass_thru
+                    }
+                    reverse_proxy * unix//run/mastodon-web/web.socket
+                  }
+
+                  tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
+
+                  handle_errors {
+                    root * ${pkgs.mastodon}/public
+                    rewrite 500.html
+                    file_server
+                  }
+
+                  encode gzip
+
+                  header /* {
+                    Strict-Transport-Security "max-age=31536000;"
+                  }
+                  header /emoji/* Cache-Control "public, max-age=31536000, immutable"
+                  header /packs/* Cache-Control "public, max-age=31536000, immutable"
+                  header /system/accounts/avatars/* Cache-Control "public, max-age=31536000, immutable"
+                  header /system/media_attachments/files/* Cache-Control "public, max-age=31536000, immutable"
+                '';
+              };
+            };
+          };
+
+          postgresql = {
+            enable = true;
+          };
+
+          openssh = {
+            enable = true;
+            settings = {
+              PasswordAuthentication = false;
+              PermitRootLogin = "prohibit-password";
+            };
+          };
+        };
+
+        users.users.${serviceCfg.name}.extraGroups = [
+          "postgres"
+        ];
+
+        networking.firewall.allowedTCPPorts = [
+          22 # SSH
+          80 # Caddy
+          25 # SMTP
+          139 # SMTP
+          587 # SMTP
+          2525 # SMTP
+          5432 # Postgres
+        ];
+
+        fileSystems."/tmp" = {
+          device = "tmpfs";
+          fsType = "tmpfs";
+          options = [
+            "size=4G"
+            "mode=1777"
+          ];
+        };
+
+        systemd = {
+          services = {
+            systemd-networkd.wantedBy = [ "multi-user.target" ];
+            caddy.serviceConfig.ReadWriteDirectories = lib.mkForce [
+              "/var/lib/caddy"
+              "/run/mastodon-web"
+            ];
+          };
+          network = {
+            enable = true;
+            networks."20-lan" = {
+              matchConfig.Name = "enp0s5";
+              addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
+              routes = [
+                {
+                  Destination = "${hostCfg.localhost.address1}/0";
+                  Gateway = serviceCfg.interface.gate;
+                }
+              ];
+              dns = [
+                "1.1.1.1"
+                "8.8.8.8"
+              ];
+            };
+          };
+
+          tmpfiles.rules = [
+            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+          ];
+        };
+
+        microvm = {
+          vcpu = 2;
+          mem = 3072;
+          hypervisor = "qemu";
+          interfaces = [
+            {
+              type = "tap";
+              id = serviceCfg.interface.id;
+              mac = serviceCfg.interface.mac;
+            }
+            {
+              type = "user";
+              id = serviceCfg.interface.idUser;
+              mac = serviceCfg.interface.macUser;
+            }
+          ];
+          forwardPorts = [
+            {
+              from = "host";
+              host.port = serviceCfg.interface.ssh;
+              guest.port = 22;
+            }
+          ];
+          shares = [
+            {
+              mountPoint = "/nix/.ro-store";
+              proto = "virtiofs";
+              source = "/nix/store";
+              tag = "read_only_nix_store";
+            }
+            {
+              mountPoint = "/var/lib/${serviceCfg.name}";
+              proto = "virtiofs";
+              source = "${serviceCfg.mntPaths.path0}";
+              tag = "${serviceCfg.name}_data";
+            }
+            {
+              mountPoint = "/run/secrets";
+              proto = "virtiofs";
+              source = "/run/secrets/${serviceCfg.name}";
+              tag = "host_secrets";
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  sops = {
+    secrets = builtins.listToAttrs (
+      map
+        (secret: {
+          name = "${serviceCfg.name}/${secret}";
+          value = {
+            owner = "root";
+            mode = "0600";
+          };
+        })
+        [
+          "smtp"
+          "database"
+          "redis"
+          "pass"
+        ]
+    );
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
+  ];
+
+  services.caddy.virtualHosts."${host}" = {
+    extraConfig = ''
+      reverse_proxy ${serviceCfg.interface.ip}:80
+
+      tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
+
+      encode zstd gzip
+    '';
+  };
+
+  users.users.caddy.extraGroups = [ "acme" ];
+
+  security.acme.certs."${host}" = {
+    dnsProvider = dns0;
+    environmentFile = config.sops.secrets.${dns0Path}.path;
+    group = "caddy";
+  };
+}