From a8423c3355c0e46e196fe7f43e1616ec374bf1e2 Mon Sep 17 00:00:00 2001
From: Nick
Date: Sun, 16 Nov 2025 01:07:55 -0600
Subject: [PATCH] feat: spun up opencloud for projectsite
---
.../opencloud/ceresOpenCloud/default.nix | 171 ++++++++++++++++++
modules/nixos/guests/opencloud/default.nix | 11 ++
.../opencloud/erisOpenCloud/default.nix | 163 +++++++++++++++++
3 files changed, 345 insertions(+)
create mode 100755 modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
create mode 100755 modules/nixos/guests/opencloud/default.nix
create mode 100755 modules/nixos/guests/opencloud/erisOpenCloud/default.nix
diff --git a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
new file mode 100755
index 0000000..ec5cbd2
--- /dev/null
+++ b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
@@ -0,0 +1,171 @@
+{
+ config,
+ flake,
+ pkgs,
+ ...
+}:
+let
+ inherit (flake.config.people) user0;
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.opencloud;
+ hostCfg = instances.web;
+ dns = instances.web.dns.provider1;
+ localhost = instances.web.localhost.address1;
+ host = "${serviceCfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}";
+ dnsPath = "dns/${dns}";
+in
+{
+ microvm.vms = {
+ projectcloud = {
+ autostart = true;
+ restartIfChanged = true;
+ config = {
+ system.stateVersion = "24.05";
+ time.timeZone = "America/Winnipeg";
+ users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+ services = {
+ opencloud = {
+ enable = true;
+ url = "https://${host}";
+ port = serviceCfg.ports.port0;
+ address = localhost;
+ stateDir = "/var/lib/${serviceCfg.name}";
+ environmentFile = "/run/secrets/projectenv";
+ };
+
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 22 # SSH
+ 587 # SMTP
+ serviceCfg.ports.port0
+ ];
+
+ systemd = {
+ services = {
+ opencloud = {
+ path = [ pkgs.inotify-tools ];
+ };
+ };
+ network = {
+ enable = true;
+ networks."20-lan" = {
+ matchConfig.Name = "enp0s5";
+ addresses = [
+ { Address = "${serviceCfg.interface.ip}/24"; }
+ ];
+ routes = [
+ {
+ Destination = "${hostCfg.localhost.address1}/0";
+ Gateway = serviceCfg.interface.gate;
+ }
+ ];
+ dns = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ };
+ };
+
+ tmpfiles.rules = [
+ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ ];
+
+ };
+
+ systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
+
+ microvm = {
+ vcpu = 4;
+ mem = 4096;
+ hypervisor = "qemu";
+ interfaces = [
+ {
+ type = "tap";
+ id = serviceCfg.interface.id;
+ mac = serviceCfg.interface.mac;
+ }
+ {
+ type = "user";
+ id = serviceCfg.interface.idUser;
+ mac = serviceCfg.interface.macUser;
+ }
+ ];
+ forwardPorts = [
+ {
+ from = "host";
+ host.port = serviceCfg.interface.ssh;
+ guest.port = 22;
+ }
+ ];
+ shares = [
+ {
+ mountPoint = "/nix/.ro-store";
+ proto = "virtiofs";
+ source = "/nix/store";
+ tag = "read_only_nix_store";
+ }
+ {
+ mountPoint = "/var/lib/${serviceCfg.name}";
+ proto = "virtiofs";
+ source = serviceCfg.mntPaths.path0;
+ tag = "${serviceCfg.name}_data";
+ }
+ {
+ mountPoint = "/run/secrets";
+ proto = "virtiofs";
+ source = "/run/secrets/${serviceCfg.name}";
+ tag = "host_secrets";
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ security.acme.certs."${host}" = {
+ dnsProvider = dns;
+ environmentFile = config.sops.secrets.${dnsPath}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ tls /var/lib/acme/${host}/fullchain.pem /var/lib/acme/${host}/key.pem
+ '';
+ };
+ };
+
+ users.users.caddy.extraGroups = [ "acme" ];
+
+ systemd = {
+ tmpfiles.rules = [
+ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
+ "d ${serviceCfg.mntPaths.path0}/storage 0755 opencloud opencloud - -"
+ "d ${serviceCfg.mntPaths.path0}/storage/users 2775 opencloud wheel - -"
+ ];
+ };
+
+ sops.secrets = {
+ "${serviceCfg.name}/projectenv" = {
+ owner = "root";
+ mode = "0600";
+ };
+ };
+
+}
diff --git a/modules/nixos/guests/opencloud/default.nix b/modules/nixos/guests/opencloud/default.nix
new file mode 100755
index 0000000..da65bd2
--- /dev/null
+++ b/modules/nixos/guests/opencloud/default.nix
@@ -0,0 +1,11 @@
+let
+ importList =
+ let
+ content = builtins.readDir ./.;
+ dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
+ in
+ map (name: ./. + "/${name}") dirContent;
+in
+{
+ imports = importList;
+}
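Review bot: The host-side rule `"d ${serviceCfg.mntPaths.path0}/storage/users 2775 opencloud wheel - -"` makes the directory holding every user's files group-writable by `wheel`, and the setgid bit carries that group onto everything created beneath it, so any wheel member on the host can read and alter user data without going through OpenCloud; unless wheel is deliberately the data owner, `"d ${serviceCfg.mntPaths.path0}/storage/users 0750 opencloud opencloud - -"` (matching the `storage` rule above it) is all the share needs. Two smaller points in the guest config: `587 # SMTP` is an inbound allow rule although nothing in this VM listens on SMTP (outbound mail needs no firewall opening), and `address = localhost` binds OpenCloud to `instances.web.localhost.address1` while Caddy proxies to `${serviceCfg.interface.ip}` over the tap interface — if that value is 127.0.0.1 the proxy cannot reach the service, and if it is 0.0.0.0 the `serviceCfg.ports.port0` rule exposes plain HTTP to every peer on that segment, so a comment stating the intended bind address would help. The `/run/secrets` virtiofs share carries no read-only marker in this config, so whether the guest gets a writable view of the host's `/run/secrets/opencloud` depends on microvm defaults; worth confirming and pinning if the option exists.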
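Review bot: This aggregator imports every subdirectory unconditionally, and the two modules it picks up in this commit both define `microvm.vms.projectcloud` with different `serviceCfg` values, so a host that imports this directory gets conflicting definitions for `url`, `stateDir` and the share sources rather than two VMs; if ceres and eris are meant to be different hosts, the selection has to happen in the per-host imports, which is worth recording here. A one-line comment such as `# Imports every subdirectory as a module; each must target a distinct host or vm name.` above `importList =` would capture that intent.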
diff --git a/modules/nixos/guests/opencloud/erisOpenCloud/default.nix b/modules/nixos/guests/opencloud/erisOpenCloud/default.nix
new file mode 100755
index 0000000..aaa6bf6
--- /dev/null
+++ b/modules/nixos/guests/opencloud/erisOpenCloud/default.nix
@@ -0,0 +1,163 @@
+{
+ config,
+ flake,
+ pkgs,
+ ...
+}:
+let
+ inherit (flake.config.people) user0;
+ inherit (flake.config.services) instances;
+ serviceCfg = instances.vaultwarden;
+ hostCfg = instances.web;
+ dns = instances.web.dns.provider1;
+ localhost = instances.web.localhost.address1;
+ host = "${serviceCfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}";
+ dnsPath = "dns/${dns}";
+in
+{
+ microvm.vms = {
+ projectcloud = {
+ autostart = true;
+ restartIfChanged = true;
+ config = {
+ environment.systemPackages = with pkgs; [
+ inotify-tools
+ ];
+ system.stateVersion = "24.05";
+ time.timeZone = "America/Winnipeg";
+ users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
+ services = {
+ opencloud = {
+ enable = true;
+ url = "https://${host}";
+ port = serviceCfg.ports.port0;
+ address = localhost;
+ stateDir = "/var/lib/${serviceCfg.name}";
+ environmentFile = "/run/secrets/projectenv";
+ };
+
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ 22 # SSH
+ 587 # SMTP
+ serviceCfg.ports.port0
+ ];
+
+ systemd = {
+ network = {
+ enable = true;
+ networks."20-lan" = {
+ matchConfig.Name = "enp0s5";
+ addresses = [
+ { Address = "${serviceCfg.interface.ip}/24"; }
+ ];
+ routes = [
+ {
+ Destination = "${hostCfg.localhost.address1}/0";
+ Gateway = serviceCfg.interface.gate;
+ }
+ ];
+ dns = [
+ "1.1.1.1"
+ "8.8.8.8"
+ ];
+ };
+ };
+
+ tmpfiles.rules = [
+ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ ];
+
+ };
+
+ systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
+
+ microvm = {
+ vcpu = 4;
+ mem = 4096;
+ hypervisor = "qemu";
+ interfaces = [
+ {
+ type = "tap";
+ id = serviceCfg.interface.id;
+ mac = serviceCfg.interface.mac;
+ }
+ {
+ type = "user";
+ id = serviceCfg.interface.idUser;
+ mac = serviceCfg.interface.macUser;
+ }
+ ];
+ forwardPorts = [
+ {
+ from = "host";
+ host.port = serviceCfg.interface.ssh;
+ guest.port = 22;
+ }
+ ];
+ shares = [
+ {
+ mountPoint = "/nix/.ro-store";
+ proto = "virtiofs";
+ source = "/nix/store";
+ tag = "read_only_nix_store";
+ }
+ {
+ mountPoint = "/var/lib/${serviceCfg.name}";
+ proto = "virtiofs";
+ source = serviceCfg.mntPaths.path0;
+ tag = "${serviceCfg.name}_data";
+ }
+ {
+ mountPoint = "/run/secrets";
+ proto = "virtiofs";
+ source = "/run/secrets/${serviceCfg.name}";
+ tag = "host_secrets";
+ }
+ ];
+ };
+ };
+ };
+ };
+
+ security.acme.certs."${host}" = {
+ dnsProvider = dns;
+ environmentFile = config.sops.secrets.${dnsPath}.path;
+ group = "caddy";
+ };
+
+ services.caddy.virtualHosts = {
+ "${host}" = {
+ extraConfig = ''
+ reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
+
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
+ '';
+ };
+ };
+
+ users.users.caddy.extraGroups = [ "acme" ];
+
+ systemd.tmpfiles.rules = [
+ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
+ ];
+
+ sops.secrets = {
+ "${serviceCfg.name}/projectenv" = {
+ owner = "root";
+ mode = "0600";
+ };
+ };
+
+}
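Review bot: The Caddy `extraConfig` opens `reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {` and never closes it, so the `redir` and `tls` lines fall inside the reverse_proxy block and the Caddyfile is left unbalanced; either drop the `{` or close the block as the ceres module does, with `header_up X-Real-IP {remote_host}` followed by `}` on its own line. More serious, `serviceCfg = instances.vaultwarden;` drives an OpenCloud service in a file named erisOpenCloud: the hostname, tap IP and port, `stateDir = "/var/lib/${serviceCfg.name}"`, the `/run/secrets/${serviceCfg.name}` share, the `"${serviceCfg.name}/projectenv"` secret and the `tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}` keypair all resolve to the Vaultwarden instance, which reads as a copy-paste remnant and, if deployed next to a real Vaultwarden VM, would collide on its address and hand its TLS key and secrets directory to this guest — presumably `instances.opencloud` was intended, as in the sibling module. The `security.acme.certs."${host}"` block and the caddy/acme group grant are declared but unused by this `tls` line, so one of the two certificate sources should go once that is settled. The `587 # SMTP` inbound allow rule also has no listener behind it in this VM.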