diff --git a/modules/nixos/guests/firefly-iii/default.nix b/modules/nixos/guests/firefly-iii/default.nix index a27b497..0a8de09 100755 --- a/modules/nixos/guests/firefly-iii/default.nix +++ b/modules/nixos/guests/firefly-iii/default.nix @@ -1,6 +1,7 @@ { flake, config, + pkgs, ... }: let @@ -55,26 +56,20 @@ in SITE_OWNER = email.address2; }; }; - phpfpm.pools.firefly-iii.phpEnv = { TRUSTED_PROXIES = "*"; APP_URL = "https://${host}"; }; - firefly-iii-data-importer = { enable = true; }; - caddy = { enable = true; virtualHosts.":80" = { extraConfig = '' root * ${config.services.firefly-iii.package}/public - file_server - encode gzip - php_fastcgi unix//run/phpfpm/firefly-iii.sock { env HTTPS {http.request.header.X-Forwarded-Proto} env HTTP_X_FORWARDED_PROTO {http.request.header.X-Forwarded-Proto} @@ -82,7 +77,6 @@ in ''; }; }; - postgresql = { enable = true; ensureDatabases = [ "firefly-iii" ]; @@ -93,7 +87,6 @@ in } ]; }; - openssh = { enable = true; settings = { @@ -102,18 +95,15 @@ in }; }; }; - users.users.caddy = { extraGroups = [ "firefly-iii" ]; }; - networking.firewall.allowedTCPPorts = [ 22 80 serviceCfg.ports.port0 serviceCfg.ports.port1 ]; - systemd = { services = { caddy = { @@ -161,15 +151,13 @@ in ]; }; }; - tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; - microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/forgejo/default.nix b/modules/nixos/guests/forgejo/default.nix index f36d6cd..92d47d9 100755 --- a/modules/nixos/guests/forgejo/default.nix +++ b/modules/nixos/guests/forgejo/default.nix @@ -15,13 +15,11 @@ let in { users.users.caddy.extraGroups = [ "acme" ]; - security.acme.certs."${host}" = { dnsProvider = dns0; environmentFile = config.sops.secrets.${dns0Path}.path; group = "caddy"; }; - microvm.vms = { ${serviceCfg.name} = { autostart = true; @@ -64,7 +62,6 @@ in }; }; }; - openssh = { enable = true; settings = { 
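Review bot: `pkgs` is added to this module's argument set, but none of the hunks in this file reference it; if nothing outside the shown hunks uses it either, the addition is dead and should be dropped, since the argument set is what tells a reader which module inputs are actually consumed. The same unused-looking addition appears in minecraft/world0, minecraft/world1 and vaultwarden in this commit, so it may be worth checking all four at once.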
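Review bot: `mem = 512;` halves the memory of a guest that, per the context lines in this file, runs postgresql, php-fpm, caddy and firefly-iii-data-importer side by side, and nothing in the diff shows that the PHP pool plus postgres fit in 512 MiB; the likely failure mode is an OOM-killed postgres rather than a visible error. Either keep `mem = 1024;` here or record the measured peak in a comment next to `mem` so the figure is reviewable.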
@@ -73,7 +70,6 @@ in }; }; }; - networking.firewall.allowedTCPPorts = [ 22 # SSH 25 # SMTP @@ -82,7 +78,6 @@ in 2525 # SMTP serviceCfg.ports.port0 ]; - fileSystems."/tmp" = { device = "tmpfs"; fsType = "tmpfs"; @@ -91,7 +86,6 @@ in "mode=1777" ]; }; - systemd = { network = { enable = true; @@ -110,15 +104,12 @@ in ]; }; }; - tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" # "Z /var/lib/postgresql 0755 postgres postgres -" ]; }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { vcpu = 1; mem = 1024; @@ -166,23 +157,18 @@ in }; }; }; - systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" ]; - services.caddy.virtualHosts."${host}" = { extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { header_up X-Real-IP {remote_host} } - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - encode zstd gzip ''; }; - sops.secrets = { "${serviceCfg.name}/smtp" = { owner = "root"; diff --git a/modules/nixos/guests/jellyfin/default.nix b/modules/nixos/guests/jellyfin/default.nix index 3f309a2..542fd63 100755 --- a/modules/nixos/guests/jellyfin/default.nix +++ b/modules/nixos/guests/jellyfin/default.nix @@ -28,7 +28,6 @@ in enable = true; openFirewall = true; }; - openssh = { enable = true; settings = { @@ -37,24 +36,20 @@ in }; }; }; - users.users.jellyfin = { isSystemUser = true; group = serviceCfg.name; uid = id; }; - users.groups.jellyfin = { gid = id; }; - networking.firewall.allowedTCPPorts = [ 22 serviceCfg.ports.port0 serviceCfg.ports.port1 serviceCfg.ports.port2 ]; - fileSystems."/tmp" = { device = "tmpfs"; fsType = "tmpfs"; @@ -63,7 +58,6 @@ in "mode=1777" ]; }; - systemd = { network = { enable = true; @@ -82,7 +76,6 @@ in ]; }; }; - tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "Z ${serviceCfg.varPaths.path2} 0755 ${serviceCfg.name} ${serviceCfg.name} -" 
@@ -90,11 +83,9 @@ in "Z ${serviceCfg.varPaths.path2} 0775 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { - vcpu = 2; + vcpu = 4; mem = 1024 * 3; hypervisor = "qemu"; interfaces = [ @@ -143,24 +134,14 @@ in } ]; }; - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - yazi - bottom - trashy - fastfetch - ; - }; }; }; }; - security.acme.certs."${host}" = { dnsProvider = dns0; environmentFile = config.sops.secrets.${dns0Path}.path; group = "caddy"; }; - services = { caddy = { virtualHosts = { @@ -182,7 +163,6 @@ in gid = id; members = [ user0 ]; }; - users = { jellyfin = { isSystemUser = true; @@ -192,7 +172,6 @@ in caddy.extraGroups = [ "acme" ]; }; }; - systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/data 0755 microvm wheel - -" diff --git a/modules/nixos/guests/minecraft/world0/default.nix b/modules/nixos/guests/minecraft/world0/default.nix index 8d467e5..ad6a2a5 100755 --- a/modules/nixos/guests/minecraft/world0/default.nix +++ b/modules/nixos/guests/minecraft/world0/default.nix @@ -1,5 +1,6 @@ { flake, + pkgs, ... }: let @@ -124,8 +125,8 @@ in systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; microvm = { - vcpu = 2; - mem = 1024 * 3; + vcpu = 4; + mem = 1024 * 4; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/minecraft/world1/default.nix b/modules/nixos/guests/minecraft/world1/default.nix index 79ae7c5..a57266b 100755 --- a/modules/nixos/guests/minecraft/world1/default.nix +++ b/modules/nixos/guests/minecraft/world1/default.nix @@ -1,5 +1,6 @@ { flake, + pkgs, ... }: let @@ -122,8 +123,8 @@ in systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; microvm = { - vcpu = 2; - mem = 1024 * 3; + vcpu = 4; + mem = 1024 * 4; hypervisor = "qemu"; interfaces = [ { 
diff --git a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix index 79a71e2..86900b7 100755 --- a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix +++ b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix @@ -50,9 +50,34 @@ in systemd = { services = { + systemd-networkd.wantedBy = [ "multi-user.target" ]; opencloud = { path = [ pkgs.inotify-tools ]; }; + opencloud-fix-permissions = { + description = "Fix OpenCloud storage permissions on file changes"; + after = [ "opencloud.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' + ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do + ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + done + ''; + Restart = "always"; + User = "root"; + }; + }; + }; + timers.opencloud-fix-permissions = { + description = "Periodically fix OpenCloud storage permissions"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1min"; + OnUnitActiveSec = "1min"; + Unit = "opencloud-fix-permissions.service"; + }; }; network = { enable = true; @@ -81,8 +106,6 @@ in }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { vcpu = 1; mem = 1024 * 1; @@ -142,7 +165,6 @@ in opencloud ; }; - }; }; }; diff --git a/modules/nixos/guests/projectSite/default.nix b/modules/nixos/guests/projectSite/default.nix index 030d22d..b9bb425 100755 --- a/modules/nixos/guests/projectSite/default.nix +++ b/modules/nixos/guests/projectSite/default.nix 
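Review bot: The fix-perms-on-change script runs `chown` as root on file names it reads back line by line from inotifywait, so a name containing a newline is read as a second, unrelated path, and `chown` without `-h` follows any symlink dropped into the storage tree and re-owns its target instead; the loop should use NUL-separated records (`--format '%w%f%0'` with `IFS= read -r -d "" filepath`) and `chown -h` so only the created entry itself is re-owned. Without `-r` and an empty IFS, `read` also mangles names containing backslashes or leading whitespace. The timer on `opencloud-fix-permissions` is a no-op as written: `OnUnitActiveSec` re-activates a unit that is already running under `Restart = "always"`, and the inotify watch never covers files that existed before it started, so either drop the timer or point it at a separate oneshot unit that sweeps the tree. The rewritten `ExecStart` is below; the added `systemd-networkd.wantedBy` line and the timer block are not touched.
```nix
ExecStart = pkgs.writeShellScript "fix-perms-on-change" ''
  # NUL-separated records: a newline inside a file name can no longer be read
  # back as a second, unrelated path by the loop below.
  ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to \
    /var/lib/opencloud/storage --format '%w%f%0' \
    | while IFS= read -r -d "" filepath; do
      # -h re-owns the entry itself, never the target of a symlink placed in storage.
      ${pkgs.coreutils}/bin/chown -h opencloud:opencloud "$filepath"
    done
'';
# … unchanged: Restart, User, timers.opencloud-fix-permissions …
```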
@@ -15,26 +15,20 @@ in systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" ]; - microvm.vms.${serviceCfg.name} = { autostart = true; config = { system.stateVersion = "25.05"; - networking.firewall.allowedTCPPorts = [ 22 80 ]; - services.openssh = { enable = true; settings.PasswordAuthentication = false; }; - environment.etc."website".source = websitePkg; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - systemd = { network = { enable = true; @@ -45,21 +39,17 @@ in }; }; }; - services.caddy = { enable = true; virtualHosts.":80".extraConfig = '' root * /etc/website - file_server - try_files {path} /index.html ''; }; - microvm = { - vcpu = 2; - mem = 1024; + vcpu = 1; + mem = 512; hypervisor = "qemu"; interfaces = [ { @@ -68,7 +58,6 @@ in mac = serviceCfg.interface.mac; } ]; - shares = [ { source = "/nix/store"; @@ -80,16 +69,13 @@ in }; }; }; - services.caddy = { enable = true; virtualHosts.${host}.extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:80 - tls /var/lib/acme/${host}/fullchain.pem /var/lib/acme/${host}/key.pem ''; }; - security.acme.certs.${host} = { dnsProvider = instances.web.dns.provider1; environmentFile = config.sops.secrets."dns/${instances.web.dns.provider1}".path; diff --git a/modules/nixos/guests/torrent/default.nix b/modules/nixos/guests/torrent/default.nix index 721caf4..caa32d8 100755 --- a/modules/nixos/guests/torrent/default.nix +++ b/modules/nixos/guests/torrent/default.nix @@ -316,7 +316,7 @@ in }; microvm = { - vcpu = 4; + vcpu = 1; mem = 1024 * 1; hypervisor = "qemu"; @@ -362,7 +362,6 @@ in } ]; }; - environment.systemPackages = builtins.attrValues { inherit (pkgs) bottom diff --git a/modules/nixos/guests/vaultwarden/default.nix b/modules/nixos/guests/vaultwarden/default.nix index c9fcdba..1a2dc2c 100755 --- a/modules/nixos/guests/vaultwarden/default.nix +++ b/modules/nixos/guests/vaultwarden/default.nix @@ -1,6 +1,7 @@ { config, flake, + pkgs, ... }: let 
@@ -12,7 +13,6 @@ let dns0 = instances.web.dns.provider0; host = serviceCfg.domains.url0; dns0Path = "dns/${dns0}"; - hostSecrets = "/var/lib/secrets/${serviceCfg.name}"; in { microvm.vms = { @@ -110,7 +110,7 @@ in microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/website/default.nix b/modules/nixos/guests/website/default.nix index d175677..4ee6520 100755 --- a/modules/nixos/guests/website/default.nix +++ b/modules/nixos/guests/website/default.nix @@ -29,6 +29,7 @@ in environment.etc."website".source = websitePkg; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + systemd = { network = { enable = true; @@ -51,7 +52,7 @@ in }; microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/zookeeper/default.nix b/modules/nixos/guests/zookeeper/default.nix index 97859b0..db7b3a6 100755 --- a/modules/nixos/guests/zookeeper/default.nix +++ b/modules/nixos/guests/zookeeper/default.nix @@ -57,7 +57,7 @@ in }; microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { @@ -65,18 +65,6 @@ in id = serviceCfg.interface.id; mac = serviceCfg.interface.mac; } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } ]; shares = [ {