upRootNutrition/dotfiles
upRootNutrition/dotfiles
1
0
Fork 0
mirror of https://gitlab.com/upRootNutrition/dotfiles.git synced 2025-12-07 13:32:15 -06:00
Code Issues Projects 1 Releases Packages Wiki Activity Actions

test: microVM test

Browse source
This commit is contained in:
Nick 2025-11-04 03:30:52 -06:00
parent bd1d74997d
commit f15baf7ccb
21 changed files with 405 additions and 529 deletions
Download patch file Download diff file Expand all files Collapse all files

86
modules/nixos/services/acme/acmeCeres/default.nix
View file

@ -15,12 +15,6 @@ let
dns1 = instances.web.dns.provider1;
dns0Path = "dns/${dns0}";
dns1Path = "dns/${dns1}";
instanceName = service: (instances.${service}.subdomain);
dnsConfig = provider: dns: {
dnsProvider = dns;
directory = instances.acme.paths.path0;
environmentFile = config.sops.secrets.${provider}.path;
};
in
{
security.acme = {
@ -29,60 +23,33 @@ in
email = email.address0;
server = "https://acme-v02.api.letsencrypt.org/directory";
};
certs = builtins.listToAttrs (
(map
(service: {
name = "${instanceName service}.${domain0}";
value = dnsConfig dns0Path dns0;
})
[
instances.audiobookshelf.name
instances.glance.name
instances.jellyfin.name
instances.minecraft.name
instances.ollama.name
instances.searx.name
instances.syncthing.name
instances.vaultwarden.name
instances.prompter.name
instances.comfyui.name
instances.firefly-iii.name
instances.nextcloud.name
instances.opencloud.name
]
)
++ (map
(service: {
name = "${instanceName service}.${domain1}";
value = dnsConfig dns0Path dns0;
})
[
instances.forgejo.name
instances.mastodon.name
instances.peertube.name
]
)
++ (map
(name: {
name = name;
value = dnsConfig dns0Path dns0;
})
[
domain0
domain1
]
)
++ (map
(name: {
name = name;
value = dnsConfig dns1Path dns1;
})
[
domain4
]
)
);
certs =
let
dnsConfig = provider: dns: directory: {
dnsProvider = dns;
environmentFile = config.sops.secrets.${provider}.path;
};
in
{
"${instances.audiobookshelf.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.glance.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.jellyfin.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.ollama.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.searx.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.syncthing.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.vaultwarden.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.prompter.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.comfyui.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.firefly-iii.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.opencloud.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.forgejo.domains.url0}" = dnsConfig dns0Path dns0;
"${instances.mastodon.domains.url0}" = dnsConfig dns0Path dns0;
"${domain0}" = dnsConfig dns0Path dns0;
"${domain1}" = dnsConfig dns0Path dns0;
"${domain4}" = dnsConfig dns1Path dns1;
};
};
sops =
let
dnsList = [
@ -117,5 +84,4 @@ in
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
};
}

1
modules/nixos/services/acme/acmeEris/default.nix
View file

@ -33,7 +33,6 @@ in
value = dnsConfig dns0Path dns0;
})
[
# instances.nextcloud.name
# instances.opencloud.name
]
)

19
modules/nixos/services/caddy/caddyCeres/default.nix
View file

@ -5,7 +5,6 @@ let
domain0 = instances.web.domains.url0;
service = instances.caddy;
nextcloud = instances.nextcloud;
opencloud = instances.opencloud;
in
{
@ -18,18 +17,12 @@ in
encode zstd gzip
'';
};
"${nextcloud.domains.url0}" = {
extraConfig = ''
reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port3}
tls ${nextcloud.ssl.cert} ${nextcloud.ssl.key}
'';
};
"${opencloud.domains.url0}" = {
extraConfig = ''
reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
'';
};
# "${opencloud.domains.url0}" = {
# extraConfig = ''
# reverse_proxy http://${devices.eris.ip.address0}:${builtins.toString service.ports.port4}
# tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
# '';
# };
};
};
users.users.${service.name}.extraGroups = [

283
modules/nixos/services/forgejo/default.nix
View file

@ -1,84 +1,197 @@
{
flake,
config,
pkgs,
...
}:
let
inherit (flake.config.machines.devices) ceres;
inherit (flake.config.services)
instances
inherit (flake.config.people) user0;
inherit (flake.config.services.instances)
forgejo
smtp
web
;
service = instances.forgejo;
localhost = instances.web.localhost.address0;
host = service.domains.url0;
caddy = instances.caddy;
postgres = instances.postgresql;
syncthing = instances.syncthing;
backupPath = "${instances.syncthing.paths.path1}/${service.name}";
service = forgejo;
host = forgejo.domains.url0;
secrets = service.secretPaths.path0;
localhost = web.localhost.address1;
sshPort = 22;
in
{
services = {
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
secrets = {
mailer.PASSWD = config.sops.secrets."${service.name}-smtp".path;
database.PASSWD = config.sops.secrets."${service.name}-database".path;
};
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
backupDir = backupPath;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = service.ports.port0;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = true;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror = {
ENABLED = true;
};
mailer = {
ENABLED = true;
SMTP_ADDR = instances.smtp.hostname;
FROM = instances.smtp.email.address1;
USER = instances.smtp.email.address1;
PROTOCOL = "${instances.smtp.name}+${instances.smtp.records.record1}";
SMTP_PORT = instances.smtp.ports.port1;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
caddy = {
virtualHosts = {
"${host}" = {
extraConfig = ''
reverse_proxy ${localhost}:${toString service.ports.port0}
microvm = {
vms = {
forgejo = {
autostart = true;
config =
{ config, pkgs, ... }:
{
system.stateVersion = "25.05";
time.timeZone = "America/Winnipeg";
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
users.users.root = {
openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
};
services = {
forgejo = {
enable = true;
database.type = "postgres";
lfs.enable = true;
secrets = {
mailer.PASSWD = "${secrets}/${service.name}-smtp";
database.PASSWD = "${secrets}/${service.name}-database";
};
dump = {
interval = "5:00";
type = "zip";
file = "forgejo-backup";
enable = true;
};
settings = {
server = {
DOMAIN = host;
ROOT_URL = "https://${host}/";
HTTP_PORT = service.ports.port0;
HTTP_ADDR = localhost;
};
# If you need to start from scratch, don't forget to turn this off again
service.DISABLE_REGISTRATION = false;
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
mirror.ENABLED = true;
mailer = {
ENABLED = true;
SMTP_ADDR = smtp.hostname;
FROM = smtp.email.address1;
USER = smtp.email.address1;
PROTOCOL = "${smtp.name}+${smtp.records.record1}";
SMTP_PORT = smtp.ports.port1;
SEND_AS_PLAIN_TEXT = true;
USE_CLIENT_CERT = false;
};
};
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "prohibit-password";
};
};
};
systemd = {
tmpfiles.rules = [
"d ${secrets} 0755 ${service.name} ${service.name} -"
];
services.forgejo-dump = {
serviceConfig = {
ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${service.varPaths.path0}/dump | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
};
};
network = {
enable = true;
networks."10-enp" = {
matchConfig.Name = "enp0s4";
addresses = [ { Address = "${service.interface.ip}/24"; } ];
routes = [
{
Destination = "${localhost}/0";
Gateway = service.interface.gate;
}
];
dns = [ service.interface.gate ];
};
};
};
networking.firewall.allowedTCPPorts = [
sshPort
service.ports.port0
];
microvm = {
vcpu = 2;
mem = 3096;
hypervisor = "qemu";
interfaces = [
{
type = "tap";
id = service.interface.id;
mac = service.interface.mac;
}
{
type = "user";
id = service.interface.idUser;
mac = service.interface.macUser;
}
];
shares = [
{
mountPoint = "/nix/.ro-store";
proto = "virtiofs";
source = "/nix/store";
tag = "read_only_nix_store";
}
{
mountPoint = service.varPaths.path0;
proto = "virtiofs";
source = service.mntPaths.path0;
tag = "${service.name}_data";
}
{
mountPoint = service.secretPaths.path0;
proto = "virtiofs";
source = service.secretPaths.path0;
tag = "${service.name}_secrets";
}
{
mountPoint = service.ssl.path;
proto = "virtiofs";
source = service.ssl.path;
tag = "acme_certs";
}
];
forwardPorts = [
{
from = "host";
host.port = service.interface.ssh;
guest.port = sshPort;
}
];
};
};
};
};
};
services.caddy.virtualHosts."${host}" = {
extraConfig = ''
reverse_proxy ${service.interface.ip}:${toString service.ports.port0}
tls ${service.ssl.cert} ${service.ssl.key}
'';
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
path = "${secrets}/${service.name}-${secret}";
owner = "root";
mode = "600";
};
in
@ -95,42 +208,4 @@ in
]
);
};
fileSystems."/var/lib/${service.name}" = {
device = service.paths.path0;
fsType = "none";
options = [
"bind"
];
depends = [
ceres.storage0.mount
];
};
systemd.services = {
forgejo-dump = {
serviceConfig = {
ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${backupPath} | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
};
};
};
systemd.tmpfiles.rules = [
"Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
users.users.${service.name}.extraGroups = [
caddy.name
postgres.name
syncthing.name
];
networking = {
firewall = {
allowedTCPPorts = [
service.ports.port0
];
};
};
}

163
modules/nixos/services/nextcloud/default.nix
View file

@ -1,163 +0,0 @@
{
flake,
config,
pkgs,
...
}:
let
inherit (flake.config.people) user0;
inherit (flake.config.people.users.${user0}) name;
inherit (flake.config.services.instances)
nextcloud
nginx
caddy
smtp
web
;
service = nextcloud;
localhost = web.localhost.address0;
host = service.domains.url0;
in
{
services = {
nextcloud = {
appstoreEnable = true;
autoUpdateApps.enable = true;
configureRedis = true;
enable = true;
hostName = host;
https = true;
package = pkgs.nextcloud31;
phpOptions."opcache.interned_strings_buffer" = "24";
extraAppsEnable = true;
extraApps = {
inherit (pkgs.nextcloud31Packages.apps)
contacts
calendar
deck
;
};
config = {
adminpassFile = config.sops.secrets."${service.name}-pass".path;
adminuser = name;
dbtype = "pgsql";
};
database = {
createLocally = true;
};
settings = {
default_phone_region = "CA";
log_type = "file";
mail_domain = host;
mail_from_address = "noreply";
mail_sendmailmode = smtp.name;
mail_smtpmode = smtp.name;
mail_smtphost = smtp.hostname;
mail_smtpport = smtp.ports.port1;
mail_smtpsecure = "";
mail_smtptimeout = 30;
mail_smtpauth = 1;
mail_smtpname = smtp.email.address0;
mail_smtppassword = config.sops.secrets."${service.name}-smtp".path;
maintenance_window_start = 4;
overwriteprotocol = "https";
trusted_proxies = [
localhost
web.localhost.address1
];
security.headers = {
Strict-Transport-Security = "max-age=15552000; includeSubDomains";
X-XSS-Protection = "1; mode=block";
X-Content-Type-Options = "nosniff";
X-Frame-Options = "SAMEORIGIN";
Referrer-Policy = "strict-origin-when-cross-origin";
};
};
};
nginx = {
enable = true;
virtualHosts.${host} = {
listen = [
{
addr = localhost;
port = nginx.ports.port0;
}
];
forceSSL = false;
onlySSL = false;
addSSL = false;
};
};
caddy = {
virtualHosts = {
":${toString caddy.ports.port3}" = {
extraConfig = ''
header {
# Enable XSS protection and block instead of sanitizing
X-XSS-Protection "1; mode=block"
# Enable HSTS with 6 month duration
Strict-Transport-Security "max-age=15552000; includeSubDomains"
# Additional security headers
X-Content-Type-Options "nosniff"
X-Frame-Options "SAMEORIGIN"
Referrer-Policy "strict-origin-when-cross-origin"
# Remove server identification
-Server
}
reverse_proxy http://${localhost}:${toString nginx.ports.port0}
'';
};
};
};
};
sops =
let
sopsPath = secret: {
path = "${service.sops.path0}/${service.name}-${secret}";
owner = service.name;
mode = "600";
};
in
{
secrets = builtins.listToAttrs (
map
(secret: {
name = "${service.name}-${secret}";
value = sopsPath secret;
})
[
"pass"
"smtp"
]
);
};
systemd = {
tmpfiles.rules = [
"Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
];
};
users.users.${service.name} = {
packages = with pkgs; [
php
];
extraGroups = [
"caddy"
"nginx"
"postgres"
];
};
networking = {
firewall = {
allowedTCPPorts = [
nginx.ports.port0
service.ports.port0
caddy.ports.port3
];
};
};
}