From 9ab5ebd35f9334b3abe642e8f983c284f70007e6 Mon Sep 17 00:00:00 2001
From: Nick
Date: Fri, 5 Dec 2025 02:47:08 -0600
Subject: [PATCH] test: setting up opencloud and microvms
---
 modules/nixos/default.nix | 4 +-
 .../guests/opencloud/opencloud0/default.nix | 53 +++++++------------
 .../guests/opencloud/opencloud1/default.nix | 40 +++++++-------
 .../nixos/services/caddy/caddy0/default.nix | 36 -------------
 .../nixos/services/caddy/caddy1/default.nix | 20 -------
 modules/nixos/services/caddy/default.nix | 45 +++++++++++++---
 .../services/samba/sambaEris/default.nix | 3 +-
 systems/mars/config/filesystem.nix | 2 +-
 8 files changed, 81 insertions(+), 122 deletions(-)
 delete mode 100755 modules/nixos/services/caddy/caddy0/default.nix
 delete mode 100755 modules/nixos/services/caddy/caddy1/default.nix
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 7a5dbef..4723ac9 100755
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -45,7 +45,7 @@ in imports = builtins.attrValues { inherit (modules) acme - caddy0 + caddy comfyui firefly-iii forgejo
@@ -70,8 +70,6 @@ in eris = { imports = builtins.attrValues { inherit (modules) - acme - caddy1 impermanence microvm opencloud0
diff --git a/modules/nixos/guests/opencloud/opencloud0/default.nix b/modules/nixos/guests/opencloud/opencloud0/default.nix
index 97861f4..7905f65 100755
--- a/modules/nixos/guests/opencloud/opencloud0/default.nix
+++ b/modules/nixos/guests/opencloud/opencloud0/default.nix
@@ -1,5 +1,4 @@ { - config, flake, pkgs, ...
@@ -9,10 +8,8 @@ let inherit (flake.config.services) instances; serviceCfg = instances.opencloud0; hostCfg = instances.web; - dns = instances.web.dns.provider0; localhost = instances.web.localhost.address1; host = serviceCfg.domains.url0; - dnsPath = "dns/${dns}"; in { microvm.vms = { 
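Review bot: Dropping `acme` and `caddy1` from the eris import list leaves declarations that depended on them in place: opencloud1/default.nix still carries `security.acme.certs."${host}"`, `services.caddy.virtualHosts` and `users.users.caddy.extraGroups = [ "acme" ]` as unchanged context in the hunks further down, and the deleted caddy1 module was what set `services.caddy.enable = true` and opened the Caddy firewall ports. If eris is the host that imports opencloud1, that vhost is now declared for a Caddy instance that is never enabled, and depending on what the removed `acme` module provided (for example `security.acme.acceptTerms`), the cert declaration may fail evaluation or simply never be served. Either remove those declarations from opencloud1 in the same commit or keep the two imports. The eris import list continues past the end of the hunk.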
@@ -55,17 +52,28 @@ in path = [ pkgs.inotify-tools ]; }; opencloud-fix-permissions = { - description = "Fix OpenCloud storage permissions on file changes"; + description = "Fix OpenCloud storage permissions"; after = [ "opencloud.service" ]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "simple"; - ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' - ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do - ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + Type = "oneshot"; + ExecStart = pkgs.writeShellScript "fix-perms" '' + echo "Starting permission fix..." + + OPENCLOUD_UID=$(id -u opencloud) + echo "OpenCloud UID: $OPENCLOUD_UID" + + find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do + echo "Fixing file: $file" + chown opencloud:opencloud "$file" 2>/dev/null || true done + + find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do + echo "Fixing dir: $dir" + chown opencloud:opencloud "$dir" 2>/dev/null || true + done + + echo "Permission fix complete" ''; - Restart = "always"; User = "root"; }; };
@@ -74,7 +82,7 @@ in description = "Periodically fix OpenCloud storage permissions"; wantedBy = [ "timers.target" ]; timerConfig = { - OnBootSec = "1min"; + OnBootSec = "30s"; OnUnitActiveSec = "1min"; Unit = "opencloud-fix-permissions.service"; };
@@ -158,6 +166,7 @@ in }; environment.systemPackages = builtins.attrValues { inherit (pkgs) + inotify-tools opencloud ; }; 
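Review bot: The new fix-perms script runs as root and applies `chown` by path name to entries that a separate `find` discovered earlier, and `chown` follows symlinks by default, so any entry in the user-writable storage tree that is replaced by a symlink between the `find` and the `chown` would have the ownership change land on the link target instead; the newline-delimited `while read -r` loop has a similar path-mismatch problem for unusual file names. Letting find apply the change itself with the no-dereference flag removes both gaps and collapses the two loops into one: `find /var/lib/opencloud/storage/users \( -type f -o -type d \) ! -uid "$OPENCLOUD_UID" -exec chown -h opencloud:opencloud {} +`. The script also calls `find`, `chown` and `id` by bare name where the replaced version used `${pkgs.coreutils}/bin/chown`; if the unit's PATH is not guaranteed to include coreutils and findutils, add `path = [ pkgs.coreutils pkgs.findutils ];` to the unit or use store paths. The identical hunk in opencloud1/default.nix (`@@ -55,17 +52,28 @@`) has the same issues.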
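Review bot: `inotify-tools` is added to `environment.systemPackages` in the same commit that replaces the inotifywait-based watcher with a find/chown oneshot, so nothing visible in this file uses it any more apart from the `path = [ pkgs.inotify-tools ];` context line on the unit that ends just before `opencloud-fix-permissions`. Unless it is wanted for interactive debugging, drop this addition and that `path` entry together. The sibling opencloud1/default.nix adds `inotifywait` in its corresponding hunk, so the two guests also disagree on the attribute name.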
@@ -165,28 +174,6 @@ in }; }; - # security.acme.certs."${host}" = { - # dnsProvider = dns; - # environmentFile = config.sops.secrets.${dnsPath}.path; - # group = "caddy"; - # }; - - services.caddy.virtualHosts = { - "${host}" = { - extraConfig = '' - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - - ''; - }; - }; - - users.users.caddy.extraGroups = [ "acme" ]; - systemd = { tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
diff --git a/modules/nixos/guests/opencloud/opencloud1/default.nix b/modules/nixos/guests/opencloud/opencloud1/default.nix
index 9c4e058..644f389 100755
--- a/modules/nixos/guests/opencloud/opencloud1/default.nix
+++ b/modules/nixos/guests/opencloud/opencloud1/default.nix
@@ -32,7 +32,6 @@ in stateDir = "/var/lib/${serviceCfg.name}"; environmentFile = "/run/secrets/projectenv"; }; - openssh = { enable = true; settings = {
@@ -41,13 +40,11 @@ in }; }; }; - networking.firewall.allowedTCPPorts = [ 22 # SSH 587 # SMTP serviceCfg.ports.port0 ]; - systemd = { services = { systemd-networkd.wantedBy = [ "multi-user.target" ]; 
@@ -55,17 +52,28 @@ in path = [ pkgs.inotify-tools ]; }; opencloud-fix-permissions = { - description = "Fix OpenCloud storage permissions on file changes"; + description = "Fix OpenCloud storage permissions"; after = [ "opencloud.service" ]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "simple"; - ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' - ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do - ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + Type = "oneshot"; + ExecStart = pkgs.writeShellScript "fix-perms" '' + echo "Starting permission fix..." + + OPENCLOUD_UID=$(id -u opencloud) + echo "OpenCloud UID: $OPENCLOUD_UID" + + find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do + echo "Fixing file: $file" + chown opencloud:opencloud "$file" 2>/dev/null || true done + + find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do + echo "Fixing dir: $dir" + chown opencloud:opencloud "$dir" 2>/dev/null || true + done + + echo "Permission fix complete" ''; - Restart = "always"; User = "root"; }; };
@@ -74,7 +82,7 @@ in description = "Periodically fix OpenCloud storage permissions"; wantedBy = [ "timers.target" ]; timerConfig = { - OnBootSec = "1min"; + OnBootSec = "30s"; OnUnitActiveSec = "1min"; Unit = "opencloud-fix-permissions.service"; };
@@ -98,14 +106,11 @@ in ]; }; }; - tmpfiles.rules = [ "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" ]; - }; - microvm = { vcpu = 1; mem = 1024 * 1; 
@@ -158,19 +163,18 @@ in }; environment.systemPackages = builtins.attrValues { inherit (pkgs) + inotifywait opencloud ; }; }; }; }; - security.acme.certs."${host}" = { dnsProvider = dns; environmentFile = config.sops.secrets.${dnsPath}.path; group = "caddy"; }; - services.caddy.virtualHosts = { "${host}" = { extraConfig =
@@ -189,9 +193,7 @@ in ''; }; }; - users.users.caddy.extraGroups = [ "acme" ]; - systemd = { tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
@@ -199,12 +201,10 @@ in "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" ]; }; - sops.secrets = { "${serviceCfg.name}/projectenv" = { owner = "root"; mode = "0600"; }; }; - }
diff --git a/modules/nixos/services/caddy/caddy0/default.nix b/modules/nixos/services/caddy/caddy0/default.nix
deleted file mode 100755
index 0379819..0000000
--- a/modules/nixos/services/caddy/caddy0/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@ -{ flake, config, ... }: -let - inherit (flake.config.services) instances; - inherit (flake.config.machines.devices) eris; - opencloud = instances.opencloud0; - dns = instances.web.dns.provider0; - opencloudHost = opencloud.domains.url0; - dnsPath = "dns/${dns}"; - service = instances.caddy; -in -{ - services.caddy = { - enable = true; - virtualHosts = { - "${opencloud.domains.url0}" = { - extraConfig = '' - reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port0} - tls ${opencloud.ssl.cert} ${opencloud.ssl.key} - ''; - }; - }; - }; - security.acme.certs."${opencloudHost}" = { - dnsProvider = dns; - environmentFile = config.sops.secrets.${dnsPath}.path; - group = "caddy"; - }; - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 # 80 - service.ports.port1 # 443 - ]; - }; - }; -}
diff --git a/modules/nixos/services/caddy/caddy1/default.nix b/modules/nixos/services/caddy/caddy1/default.nix
deleted file mode 100755
index 0cff934..0000000
--- a/modules/nixos/services/caddy/caddy1/default.nix
+++ /dev/null 
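Review bot: `inherit (pkgs) inotifywait` names an attribute that, as far as I know, nixpkgs does not define — the package is `inotify-tools` (it ships the `inotifywait` binary), which is also what the sibling opencloud0/default.nix adds in its corresponding hunk — so this line is likely to fail evaluation of the opencloud1 guest. Change it to `inotify-tools`, or drop the addition entirely, since this same commit replaces the inotifywait-based watcher with a find/chown oneshot and nothing visible here still needs the tool.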
@@ -1,20 +0,0 @@ -{ flake, ... }: -let - inherit (flake.config.services) instances; - - service = instances.caddy; -in -{ - services.caddy = { - enable = true; - }; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - service.ports.port1 - ]; - }; - }; -}
diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix
index da65bd2..712472e 100755
--- a/modules/nixos/services/caddy/default.nix
+++ b/modules/nixos/services/caddy/default.nix
@@ -1,11 +1,42 @@ +{ flake, config, ... }: let - importList = - let - content = builtins.readDir ./.; - dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content); - in - map (name: ./. + "/${name}") dirContent; + inherit (flake.config.services) instances; + inherit (flake.config.machines.devices) eris; + opencloud = instances.opencloud0; + dns = instances.web.dns.provider0; + opencloudHost = opencloud.domains.url0; + dnsPath = "dns/${dns}"; + service = instances.caddy; in { - imports = importList; + services.caddy = { + enable = true; + virtualHosts = { + "${opencloud.domains.url0}" = { + extraConfig = '' + reverse_proxy ${opencloud.interface.ip}:${toString opencloud.ports.port0} { + header_up X-Real-IP {remote_host} + } + + redir /.well-known/carddav /remote.php/dav/ 301 + redir /.well-known/caldav /remote.php/dav/ 301 + + tls ${opencloud.ssl.cert} ${opencloud.ssl.key} + ''; + }; + }; + }; + security.acme.certs."${opencloudHost}" = { + dnsProvider = dns; + environmentFile = config.sops.secrets.${dnsPath}.path; + group = "caddy"; + }; + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 # 80 + service.ports.port1 # 443 + ]; + }; + }; }
diff --git a/modules/nixos/services/samba/sambaEris/default.nix b/modules/nixos/services/samba/sambaEris/default.nix
index d261aa1..c54a857 100755
--- a/modules/nixos/services/samba/sambaEris/default.nix
+++ b/modules/nixos/services/samba/sambaEris/default.nix 
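Review bot: `inherit (flake.config.machines.devices) eris;` is carried over from the deleted caddy0 module but is no longer referenced, because the `reverse_proxy` target changed from `eris.ip.address0:${builtins.toString service.ports.port0}` to `opencloud.interface.ip:${toString opencloud.ports.port0}`; remove the binding, and confirm that the host importing `caddy` can reach the microvm's interface address directly, since the previous target was the eris host itself. The vhost also pairs an explicit `tls ${opencloud.ssl.cert} ${opencloud.ssl.key}` directive with a `security.acme.certs."${opencloudHost}"` declaration; Caddy's `tls <cert> <key>` form turns off its own certificate management, so unless `opencloud.ssl.cert`/`key` are the paths the NixOS ACME module writes for this host, one of the two is dead configuration, and a comment such as `# cert/key must be the files produced by security.acme for this host` would make the intent checkable. Since this file no longer auto-imports its subdirectories, every importer of `caddy` now gets the opencloud0 vhost, its ACME cert and the port openings; that is fine while caddy0 and caddy1 were the only subdirectories, as this commit makes them.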
@@ -12,11 +12,10 @@ in # sudo smbpasswd -a username services = { samba = { - # package = pkgs.samba4Full; enable = true; openFirewall = true; settings = { - "raid0" = { + "storage" = { path = "/mnt/storage"; writable = "yes"; "valid users" = user0;
diff --git a/systems/mars/config/filesystem.nix b/systems/mars/config/filesystem.nix
index fa09336..a999182 100755
--- a/systems/mars/config/filesystem.nix
+++ b/systems/mars/config/filesystem.nix
@@ -19,7 +19,7 @@ in "samba0" ]; erisFolders = [ - "raid0" + "storage" ]; ceresDrives = [ "samba0"