feat: added nextcloud and opencloud to eris

modules/home/gui/apps/tools/espanso/config/url.nix

@@ -4,7 +4,7 @@ let
 in
 [
   (matchHelper ":dotfiles" "https://gitlab.com/upRootNutrition/dotfiles")
-  (matchHelper ":website" "https://${web.domains.url3}")
-  (matchHelper ":forgejo" "https://${forgejo.subdomain}.${web.domains.url3}")
-  (matchHelper ":mastodon" "https://${mastodon.subdomain}.${web.domains.url3}")
+  (matchHelper ":website" "https://${web.domains.url1}")
+  (matchHelper ":forgejo" "https://${forgejo.domains.url0}")
+  (matchHelper ":mastodon" "https://${mastodon.domains.url0}")
 ]

modules/nixos/default.nix

@@ -46,9 +46,9 @@ in
     ceres = {
       imports = builtins.attrValues {
         inherit (modules)
-          acme
+          acmeCeres
           audiobookshelf
-          caddy
+          caddyCeres
           comfyui
           filesorter
           firefly-iii
@@ -59,8 +59,7 @@ in
           mastodon
           minecraft
           ollama
-          opencloud
-          postgresql
+          postgresCeres
           projectSite
           prompter
           samba
@@ -76,7 +75,12 @@ in
     eris = {
       imports = builtins.attrValues {
         inherit (modules)
+          acmeEris
+          caddyEris
+          logrotate
           nextcloud
+          opencloud
+          postgresEris
           ;
       };
     };

modules/nixos/services/acme/acmeCeres/default.nix

@@ -39,12 +39,10 @@ in
           instances.glance.name
           instances.jellyfin.name
           instances.minecraft.name
-          instances.nextcloud.name
           instances.ollama.name
           instances.searx.name
           instances.syncthing.name
           instances.vaultwarden.name
-          instances.opencloud.name
           instances.prompter.name
           instances.comfyui.name
           instances.firefly-iii.name

modules/nixos/services/acme/acmeEris/default.nix

@@ -0,0 +1,69 @@
+{
+  config,
+  flake,
+  ...
+}:
+let
+  inherit (flake.config.people) user0;
+  inherit (flake.config.people.users.${user0}) email;
+  inherit (flake.config.services) instances;
+
+  domain0 = instances.web.domains.url0;
+  dns0 = instances.web.dns.provider0;
+  dns0Path = "dns/${dns0}";
+  instanceName = service: (instances.${service}.subdomain);
+
+  dnsConfig = provider: dns: {
+    dnsProvider = dns;
+    directory = "/var/lib/acme";
+    environmentFile = config.sops.secrets.${provider}.path;
+  };
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = email.address0;
+      server = "https://acme-v02.api.letsencrypt.org/directory";
+    };
+    certs = builtins.listToAttrs (
+      (map
+        (service: {
+          name = "${instanceName service}.${domain0}";
+          value = dnsConfig dns0Path dns0;
+        })
+        [
+          instances.nextcloud.name
+          instances.opencloud.name
+        ]
+      )
+    );
+  };
+  sops =
+    let
+      dnsList = [
+        dns0
+      ];
+      secretList = [
+        "pass"
+      ];
+      sopsPath = secret: dns: {
+        path = "/var/lib/secrets/${instances.acme.name}/${dns}-${secret}";
+        owner = "root";
+        mode = "600";
+      };
+    in
+    {
+      secrets = builtins.listToAttrs (
+        builtins.concatLists (
+          map (
+            dns:
+            map (secret: {
+              name = "dns/${dns}";
+              value = sopsPath secret dns;
+            }) secretList
+          ) dnsList
+        )
+      );
+    };
+}

modules/nixos/services/caddy/caddyCeres/default.nix

@@ -1,13 +1,10 @@
 { flake, ... }:
 let
-  inherit (flake.config.services.instances)
-    caddy
-    web
-    ;
+  inherit (flake.config.services.instances) caddy web;
 
   domain0 = web.domains.url0;
-
   service = caddy;
+
 in
 {
   services.caddy = {
@@ -24,7 +21,6 @@ in
 
   users.users.${service.name}.extraGroups = [
     "acme"
-    "nextcloud"
     "mastodon"
     "firefly-iii"
   ];

modules/nixos/services/caddy/caddyEris/default.nix

@@ -0,0 +1,25 @@
+{ flake, ... }:
+let
+  inherit (flake.config.services.instances) caddy;
+
+  service = caddy;
+
+in
+{
+  services.caddy = {
+    enable = true;
+  };
+  users.users.${service.name}.extraGroups = [
+    "acme"
+    "nextcloud"
+  ];
+
+  networking = {
+    firewall = {
+      allowedTCPPorts = [
+        service.ports.port0
+        service.ports.port1
+      ];
+    };
+  };
+}

modules/nixos/services/nextcloud/default.nix

@@ -7,7 +7,6 @@
 let
   inherit (flake.config.people) user0;
   inherit (flake.config.people.users.${user0}) name;
-  inherit (flake.config.machines.devices) ceres;
   inherit (flake.config.services.instances)
     nextcloud
     nginx
@@ -17,28 +16,7 @@ let
   service = nextcloud;
   localhost = web.localhost.address0;
   host = service.domains.url0;
-  hostname = config.networking.hostName;
 
-  bindMount = {
-    fileSystems."/var/lib/${service.name}" = {
-      device = service.paths.path0;
-      fsType = "none";
-      options = [
-        "bind"
-      ];
-      depends = [
-        ceres.storage0.mount
-      ];
-    };
-
-    systemd.tmpfiles.rules = [
-      "Z ${service.paths.path0} 750 ${service.name} ${service.name} -"
-      "Z ${service.paths.path0}/config 750 ${service.name} ${service.name} -"
-      "Z ${service.sops.path0} 750 ${service.name} ${service.name} -"
-    ];
-  };
-
-  hostLogic = if hostname == ceres.name then bindMount else { };
 in
 {
   services = {
@@ -93,7 +71,7 @@ in
       enable = true;
       virtualHosts.${host}.listen = [
         {
-          addr = web.localhost.address1;
+          addr = localhost;
           port = nginx.ports.port0;
         }
       ];
@@ -102,9 +80,9 @@ in
     caddy = {
       virtualHosts = {
         "${host}" = {
+          listenAddresses = [ web.localhost.address1 ];
           extraConfig = ''
             reverse_proxy ${localhost}:${toString nginx.ports.port0}
-
             tls ${service.ssl.cert} ${service.ssl.key}
           '';
         };
@@ -149,4 +127,3 @@ in
     };
   };
 }
-// hostLogic

modules/nixos/services/opencloud/default.nix

@@ -53,22 +53,6 @@ in
       );
     };
 
-  fileSystems."/var/lib/${service.name}" = {
-    device = service.paths.path0;
-    fsType = "none";
-    options = [
-      "bind"
-    ];
-    depends = [
-      ceres.storage0.mount
-    ];
-  };
-
-  systemd.tmpfiles.rules = [
-    "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
-    "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
-  ];
-
   networking = {
     firewall = {
       allowedTCPPorts = [

modules/nixos/services/postgresql/postgresCeres/default.nix

@@ -5,12 +5,8 @@
   ...
 }:
 let
-  inherit (flake.config.machines.devices)
-    ceres
-    ;
-  inherit (flake.config.services)
-    instances
-    ;
+  inherit (flake.config.machines.devices) ceres;
+  inherit (flake.config.services) instances;
 
   service = instances.postgresql;
   # backupPath = "${instances.syncthing.paths.path1}/${service.name}";
@@ -51,7 +47,6 @@ in
   };
 
   users.users.${service.name}.extraGroups = [
-    instances.nextcloud.name
     instances.mastodon.name
     instances.forgejo.name
     instances.syncthing.name

modules/nixos/services/postgresql/postgresEris/default.nix

@@ -0,0 +1,36 @@
+{
+  flake,
+  ...
+}:
+let
+  inherit (flake.config.services) instances;
+
+  service = instances.postgresql;
+in
+{
+  services = {
+    postgresqlBackup = {
+      enable = true;
+      startAt = "*-*-* 07:00:00";
+      databases = [
+        instances.nextcloud.name
+      ];
+    };
+    postgresql = {
+      enable = true;
+    };
+  };
+
+  users.users.${service.name}.extraGroups = [
+    instances.nextcloud.name
+  ];
+
+  networking = {
+    firewall = {
+      allowedTCPPorts = [
+        service.ports.port0
+      ];
+    };
+  };
+
+}

profiles/user0/files/misc/justfile.nix

@@ -44,13 +44,13 @@ in
           nixos-rebuild switch --sudo --flake ~/projects/dotfiles#${hostname} --show-trace
 
       rebuild-ceres:
-          nixos-rebuild switch --flake ~/projects/dotfiles#${ceres.name} --target-host ${ceres.ip.address0} --sudo --ask-sudo-password
+          nixos-rebuild switch --flake ~/projects/dotfiles#${ceres.name} --target-host ${ceres.ip.address0} --sudo --ask-sudo-password --show-trace
 
       rebuild-eris:
-          nixos-rebuild switch --flake ~/projects/dotfiles#${eris.name} --target-host ${eris.ip.address0} --sudo --ask-sudo-password
+          nixos-rebuild switch --flake ~/projects/dotfiles#${eris.name} --target-host ${eris.ip.address0} --sudo --ask-sudo-password --show-trace
 
       rebuild-lamda:
-          nixos-rebuild switch --flake ~/projects/lamdagibson#lamdagibson --target-host denise@${lamdaIP} --sudo --ask-sudo-password
+          nixos-rebuild switch --flake ~/projects/lamdagibson#lamdagibson --target-host denise@${lamdaIP} --sudo --ask-sudo-password --show-trace
 
       update:
           nix flake update --flake ~/projects/dotfiles
@@ -61,9 +61,12 @@ in
       remove-imports:
           ls **/*.hs | each { |file| ormolu --mode inplace $file.name }
 
-      server:
+      ceres:
           ssh ${ceres.ip.address0}
 
+      eris:
+          ssh ${eris.ip.address0}
+
       lamda:
           ssh denise@${lamdaIP}
 

secrets/secrets.yaml

@@ -45,7 +45,7 @@ wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0
 wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str]
 glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
 opencloud:
-    env: ENC[AES256_GCM,data:1mDynSVUQ4fFbIfNC9TO1pGvOa9kBR2fjloMzrA1XCn3VEyrTL0JMd1p7cmShFv9TTvuPB6N1PR8JA3nmlRfWV3OWfbtkp/alhV+rRtbsmZ3bWAvEfyT431TFVbwU81i68mG1ueL9UfZ7u+bSZ8udHEvTJiDbAh20DYYwZMBkrQ9huzuCdJlEwhBqP9IzZHvhMuFv6PZVNInMkAPY8UcZEmJfPpXu9x6KZ0B6NPnuGttTagGnSrYgqnlad953ij8bV3i50KQV7uGTKhWrUZ3vRXfAx1QkRLkh5Hb8B8mf4FyWGc2xy0OIxkmReJIdWRDYJg3wWUT5XdG7nATSxkBvbhRCcMdLjPcv4uEmG/CuaXra+dTi/XNXnOTfoiNywFLEfxY2bmw9fIYqUk2d8MJDA==,iv:cNnxZnIcRc2lkEaXyRjPQ3hDmeAec4KCb80MEQ9a2sY=,tag:X8/eD06Vf4yaUNh0aTEBUg==,type:str]
+    env: ENC[AES256_GCM,data:WnzaI6YPGtVzdo+qQZejz3zRDReuKSbr9n/Kg2Djh4Gzv+VuqPCxCIzJRAQs79O9CIj5mezy33KeJIXEstwhWmnG7xmv59nzBuDTdWP170JnsRWIdLRgj3jm8uBZiT7fZ2XcunKc0N7M6i0c0GK3u5ikzeVoXOzfX5S5DeIarwGutq0yi14+MAxHMjubJdgMkG1Ke/vyuSyqw9NZUCN3XfCN03rw3RhRPuB1hGZc0WEqxdY/EkpU1wpVDNnOZT/iKImjyDDLIjFo96YnHXaAAoeO8g2g5gbOIaUQFFWB0H8L2yw4zlifRpmjP6OV7AAWPJI/hsQS1YubOJLBN1UHLncxZh55ItlWr3fo6zLfpZIlkvNfama+tzu2kOTG4ALrgu8dwwYmwXbVdFCP3njsMSfp///aqjC4ShvzSQZSgfH+jkd86CZp079Ime7b1vo30CVcFlmCHrE=,iv:vDvTaxj4gSnvJBUzj/D+76DeXTEOQ/tSGdOfNSS0Oo4=,tag:dSqwIy4vFtFJxo0KkaslfQ==,type:str]
 caddy:
     prompter-auth: ENC[AES256_GCM,data:uEj6gruCfcIRoCQY9eNcOka+PAIIhAlKnI+ehZ88aZo90tINcxZ7ZvKqlTJr4rt5o+EO7rvRJcYH/s8/+piszFyxSa64Rtq5KdAjfHnRm0QM8q/2JIHnZsQC3fPz1S177WPs/c3Eydh4VeVe,iv:ZOru4ABFgIy9DoTlMl3InSf8zM1ERNpbRNLN6vy97Jc=,tag:5v3w7kvFQCEPBjchE8K0cw==,type:str]
     comfyui-auth: ENC[AES256_GCM,data:YkHxbW/0zTmnrggXKl2jNO4OnBaepmCwB3ZC6d8MPIKf8snWJzAvTq5+X5ABzziwKaypHRTcS6vuNntxKrrD8DS7hX9DqVCZc5WeFHI6S5VzHh3SprW2MF4E8nm4Hj+VHoKGmRSSOU1cfX3J,iv:v0Pid0BCY2QsMNaahBvJd4WWZD115JDLHlOCQvPiaGU=,tag:gpsAgt052NoOyIa9WqJXyg==,type:str]
@@ -65,7 +65,7 @@ sops:
             bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
             aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-25T01:22:52Z"
-    mac: ENC[AES256_GCM,data:nrXg655ZQmcxW3Nqqru3hqHFLj5qvmguhXTMyNqZI9m7ABDpLgEcM4L2tfDj8T6094d4mmCVDDuEF4jHhmtKihmFK7LnJfd5s4+bgPbPtD9VvPfmAYE57Zv9dUZZ9ulJXd6FMwCiIMQ0i7xcqhP9a7QM5mg9CSemwRCS87nvuZc=,iv:62Td+PdqC9JJk+ceANnAByG9uJVQCvKAv6WfzSiga4w=,tag:7BUUyMIcrx3P9Lph4Ps3oA==,type:str]
+    lastmodified: "2025-10-25T03:49:30Z"
+    mac: ENC[AES256_GCM,data:bfAu4s0n86ArKD+Dnq/dwkxmMZ/h06O+0hjtEKnwlkU4lLxaxLORWPMlZKw97UbSB/SqNpD1wHjqV9CuwvdCOPzZxRizmGqMKsgE3RTg4FxFo29Fr7xL3pm8uKsEeIQDMJbY62GOCkxtBUsmae0nKLdDfufVlnlxGKvjtSYA1ww=,iv:sjV1MQI9R69oB75IvUc1RM9VWS+fyATvBEVmzyE2ASk=,tag:pZ4Zsd59CV2wKohHeYc9jQ==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0