From 0ed3bb9b64c8473e23c6b8a486dcdfc82ac43cc3 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 21:45:24 -0600 Subject: [PATCH 1/9] test: setting up opencloud and microvms --- .../config/instances/config/opencloud0.nix | 56 +++++++++++++ .../config/{opencloud.nix => opencloud1.nix} | 0 .../bookmarks/config/flake/selfHosted.nix | 1 + modules/nixos/default.nix | 3 +- .../{erisOpenCloud => opencloud0}/default.nix | 83 ++++++++++++++----- .../default.nix | 2 +- profiles/user0/default.nix | 2 + secrets/secrets.yaml | 7 +- systems/ceres/config/networking.nix | 6 +- systems/eris/config/filesystem.nix | 10 ++- systems/eris/config/networking.nix | 34 ++++++++ 11 files changed, 171 insertions(+), 33 deletions(-) create mode 100755 modules/config/instances/config/opencloud0.nix rename modules/config/instances/config/{opencloud.nix => opencloud1.nix} (100%) rename modules/nixos/guests/opencloud/{erisOpenCloud => opencloud0}/default.nix (58%) rename modules/nixos/guests/opencloud/{ceresOpenCloud => opencloud1}/default.nix (99%) diff --git a/modules/config/instances/config/opencloud0.nix b/modules/config/instances/config/opencloud0.nix new file mode 100755 index 0000000..1667681 --- /dev/null +++ b/modules/config/instances/config/opencloud0.nix 
@@ -0,0 +1,56 @@ +{ moduleFunctions }: +let + inherit (moduleFunctions.instancesFunctions) + domain0 + sslPath + varPath + mntPath + secretPath + ; + label = "OpenCloud"; + name = "opencloud"; + short = "cloud"; + domain = "${short}.${domain0}"; + secrets = "${secretPath}/${name}"; + ssl = "${sslPath}/${domain}"; +in +{ + label = label; + name = name; + short = "Cloud"; + domains = { + url0 = domain; + }; + subdomain = short; + tags = [ + name + "opencloud" + "cloud" + ]; + ports = { + port0 = 9200; + }; + interface = { + id = "vm-${short}"; + mac = "02:00:00:00:56:09"; + idUser = "vmuser-${short}"; + macUser = "02:00:00:00:00:09"; + ip = "192.168.50.119"; + gate = "192.168.50.1"; + ssh = 2209; + }; + ssl = { + path = ssl; + cert = "${ssl}/fullchain.pem"; + key = "${ssl}/key.pem"; + }; + varPaths = { + path0 = "${varPath}/${name}"; + }; + mntPaths = { + path0 = "${mntPath}/${name}"; + }; + secretPaths = { + path0 = secrets; + }; +} diff --git a/modules/config/instances/config/opencloud.nix b/modules/config/instances/config/opencloud1.nix similarity index 100% rename from modules/config/instances/config/opencloud.nix rename to modules/config/instances/config/opencloud1.nix diff --git a/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix b/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix index d820bbe..6891a38 100755 --- a/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix +++ b/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix @@ -24,6 +24,7 @@ let instances.ollama.name instances.qbittorrent.name instances.vaultwarden.name + instances.opencloud0.name ]; bookmarkConfigs = [ { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index d6517dd..283afdb 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -46,7 +46,6 @@ in inherit (modules) acme caddy - ceresOpenCloud comfyui firefly-iii forgejo 
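Review bot: The attribute set in the new opencloud0.nix binds `short = "Cloud";` while the let binding beside it is `short = "cloud";`, and because the set is not `rec`, `subdomain = short` and `id = "vm-${short}"` resolve to the lowercase let value, so the capitalised attribute is only what consumers of `.short` see; a one-line comment such as `short = "Cloud"; # display form; subdomain/id use the lowercase let binding` would stop the two from being "fixed" to match each other. `label = label; name = name;` can be `inherit label name;`, matching the `inherit` style the file already uses at the top. The `mac`, `macUser`, `ip` and `ssh` values are hand-assigned per instance; a comment stating they must stay unique across the files in instances/config would help whoever copies this file for the next guest.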
@@ -56,6 +55,7 @@ in microvm minecraft ollama + opencloud1 projectSite qbittorrent restic @@ -74,6 +74,7 @@ in caddy impermanence microvm + opencloud0 sambaEris ; }; diff --git a/modules/nixos/guests/opencloud/erisOpenCloud/default.nix b/modules/nixos/guests/opencloud/opencloud0/default.nix similarity index 58% rename from modules/nixos/guests/opencloud/erisOpenCloud/default.nix rename to modules/nixos/guests/opencloud/opencloud0/default.nix index aaa6bf6..bda3c2a 100755 --- a/modules/nixos/guests/opencloud/erisOpenCloud/default.nix +++ b/modules/nixos/guests/opencloud/opencloud0/default.nix @@ -7,22 +7,19 @@ let inherit (flake.config.people) user0; inherit (flake.config.services) instances; - serviceCfg = instances.vaultwarden; + serviceCfg = instances.opencloud0; hostCfg = instances.web; - dns = instances.web.dns.provider1; + dns = instances.web.dns.provider0; localhost = instances.web.localhost.address1; - host = "${serviceCfg.subdomain}.${flake.inputs.linkpage.secrets.domains.projectsite}"; + host = serviceCfg.domains.url0; dnsPath = "dns/${dns}"; in { microvm.vms = { - projectcloud = { + opencloud = { autostart = true; restartIfChanged = true; config = { - environment.systemPackages = with pkgs; [ - inotify-tools - ]; system.stateVersion = "24.05"; time.timeZone = "America/Winnipeg"; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; @@ -33,7 +30,7 @@ in port = serviceCfg.ports.port0; address = localhost; stateDir = "/var/lib/${serviceCfg.name}"; - environmentFile = "/run/secrets/projectenv"; + environmentFile = "/run/secrets/env"; }; openssh = { 
@@ -52,10 +49,40 @@ in ]; systemd = { + services = { + systemd-networkd.wantedBy = [ "multi-user.target" ]; + opencloud = { + path = [ pkgs.inotify-tools ]; + }; + opencloud-fix-permissions = { + description = "Fix OpenCloud storage permissions on file changes"; + after = [ "opencloud.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' + ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do + ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + done + ''; + Restart = "always"; + User = "root"; + }; + }; + }; + timers.opencloud-fix-permissions = { + description = "Periodically fix OpenCloud storage permissions"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1min"; + OnUnitActiveSec = "1min"; + Unit = "opencloud-fix-permissions.service"; + }; + }; network = { enable = true; networks."20-lan" = { - matchConfig.Name = "enp0s5"; + matchConfig.Name = "enp0s6"; addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; @@ -73,16 +100,15 @@ in }; tmpfiles.rules = [ - "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" + "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { - vcpu = 4; - mem = 4096; + vcpu = 1; + mem = 1024 * 1; hypervisor = "qemu"; interfaces = [ { 
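Review bot: The `opencloud-fix-permissions` watcher runs as root and hands every path inotifywait reports to `chown`, which dereferences symlinks by default, so a symlink created under `/var/lib/opencloud/storage` would have its target re-owned instead of the link; use `${pkgs.coreutils}/bin/chown -h opencloud:opencloud "$filepath"`, and read the paths with `while IFS= read -r filepath; do` so backslashes and leading whitespace in names are not mangled. The unit is `Type = "simple"` with `Restart = "always"` and is pulled in by `multi-user.target`, yet the timer block below also fires it every minute; for a long-running watcher the timer is redundant, and if a periodic pass is what is wanted the service should be a oneshot. `mem = 1024 * 1;` reads like a multiplier placeholder; `mem = 1024;` says the same thing. The interface match changes from `enp0s5` to `enp0s6` without a comment, and a short note on why the guest NIC name moved would help the next person debugging the guest's networking.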
@@ -113,9 +139,15 @@ in { mountPoint = "/var/lib/${serviceCfg.name}"; proto = "virtiofs"; - source = serviceCfg.mntPaths.path0; + source = "${serviceCfg.mntPaths.path0}/data"; tag = "${serviceCfg.name}_data"; } + { + mountPoint = "/etc/opencloud"; + proto = "virtiofs"; + source = "${serviceCfg.mntPaths.path0}/config"; + tag = "${serviceCfg.name}_config"; + } { mountPoint = "/run/secrets"; proto = "virtiofs"; @@ -124,6 +156,11 @@ in } ]; }; + environment.systemPackages = builtins.attrValues { + inherit (pkgs) + opencloud + ; + }; }; }; }; @@ -138,23 +175,29 @@ in "${host}" = { extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { + header_up X-Real-IP {remote_host} + } redir /.well-known/carddav /remote.php/dav/ 301 redir /.well-known/caldav /remote.php/dav/ 301 - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} + tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} ''; }; }; users.users.caddy.extraGroups = [ "acme" ]; - systemd.tmpfiles.rules = [ - "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" - ]; + systemd = { + tmpfiles.rules = [ + "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" + "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" + "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" + ]; + }; sops.secrets = { - "${serviceCfg.name}/projectenv" = { + "${serviceCfg.name}/env" = { owner = "root"; mode = "0600"; }; diff --git a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix b/modules/nixos/guests/opencloud/opencloud1/default.nix similarity index 99% rename from modules/nixos/guests/opencloud/ceresOpenCloud/default.nix rename to modules/nixos/guests/opencloud/opencloud1/default.nix index 2ffd160..9c4e058 100755 --- a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix +++ b/modules/nixos/guests/opencloud/opencloud1/default.nix 
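Review bot: The host-side rule `"d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -"` creates the directory that the new virtiofs share exposes to the guest as `/etc/opencloud`, where the guest's own `z /etc/opencloud 0700` rule expects it locked down to the service user; as far as I know OpenCloud writes its generated configuration, including its own secrets, into that directory, so the host mode should not be looser than the guest's — `0750` is the matching host mode — and whether the guest's `z` rule can change ownership on a virtiofs mount at all depends on how the share maps uids, which is worth verifying rather than assuming. The same consideration applies to the `data` directory rule beside it. The guest's `environmentFile = "/run/secrets/env"` and the host's `sops.secrets."${serviceCfg.name}/env"` only line up if the `/run/secrets` mount's `source` (cut off at the end of the previous hunk) is the host's `/run/secrets/opencloud` directory, since sops-nix places that secret at `/run/secrets/opencloud/env` on the host; a comment on the mount stating that relationship would make the `projectenv` → `env` rename safer.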
@@ -7,7 +7,7 @@ let inherit (flake.config.people) user0; inherit (flake.config.services) instances; - serviceCfg = instances.opencloud; + serviceCfg = instances.opencloud1; hostCfg = instances.web; dns = instances.web.dns.provider1; localhost = instances.web.localhost.address1; diff --git a/profiles/user0/default.nix b/profiles/user0/default.nix index dd87de7..2b70ca5 100755 --- a/profiles/user0/default.nix +++ b/profiles/user0/default.nix @@ -67,6 +67,8 @@ in file = if hostname == devices.ceres.name then { } + else if hostname == devices.eris.name then + { } else { "./justfile" = import ./files/misc/justfile.nix { inherit flake config lib; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 92dc43c..096a955 100755 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -1,7 +1,7 @@ ssh: private: ENC[AES256_GCM,data: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,iv:JxSytvXKWLHDedlE0Wq5YpPUnfb0HoQgKJ2bt1Z8yqk=,tag:MjOoUSWsHWHgxp0yu9YQFA==,type:str] public: ENC[AES256_GCM,data:Cn4hutHHeptbefHOKK7zv5TmveGOqfHAwGHogDq9sRmeb+b1lzHwj7qvg8lcnlJtIo4qS+TrKtSj5ZCsPNXOhWG1rkk97gTfPMbcxj5f1O3WJigL2wsrB2cQgc5UsA==,iv:ID4zRdr/efClOAHbXzxG1bNuJR0A2qbydzGlMhvEcRE=,tag:qbIoaGb+RXxRRkkQtuX7/A==,type:str] - hosts: ENC[AES256_GCM,data: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,iv:2aNCRzV0knKNrZGYNXahGS5WQkYzzqzu4aul1w0twPM=,tag:PXBdIdUL/5TqVaZAyF6Rpg==,type:str] + hosts: ENC[AES256_GCM,data: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,iv:N+l6jqTz8AA2uWb6txur85ZelwBae9ZXfOWgjUz9BJE=,tag:UYUMeHnid7MaWYcemwJSdQ==,type:str] network: server: ENC[AES256_GCM,data:EFsmXNkuf5OAMh8hjfZTixmmdjqBNIME9JjQC8azeCwcMVInm8bWdxE4OqFmxOk9MAU=,iv:pI6WeM2aQC+7vx1Xmp5O2rikqNLgzuEOg+Lo7TqFQxU=,tag:ElcA8mn9dx+IjIf38nKT5A==,type:str] fallaryn: ENC[AES256_GCM,data:O77hH3STB6zpl0b9iXsVu9OOrlLKUwfs2qI9hdqX4kMuBs3XgT/xsQ==,iv:RDKsuJoy+LIyADMc3bgOEmLKdXtu6kad2aeVetuZdJI=,tag:MrpCZ+iJUnGIjeHMgcYG6Q==,type:str] 
@@ -47,6 +47,7 @@ wireguard: glance: jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str] opencloud: + env: ENC[AES256_GCM,data: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,iv:xGkn4l8LxBZeAyLvOIgEMoxP91yzCvnGTHH7BfqW4ys=,tag:w7IlZdW5/BIAv9dbfqNfQg==,type:str] projectenv: ENC[AES256_GCM,data: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,iv:YQR0CDFNDgeRwm+Q8xN7SYQ4Jo3PfneciGtIOhRDJOY=,tag:OArVLjnc3ZT2EAqP9QpzQQ==,type:str] caddy: share-auth: ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str] @@ -78,7 +79,7 @@ sops: bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-01T00:55:01Z" - mac: ENC[AES256_GCM,data:TlAyw4R25haTPzkDndYQI2TK9Uwc88Lwa/r40u0utMfflAz6v8HAbC8fm7jVqw+YzahbL+rRRCIjRHNbFPReflMeY3vxgPRgOHDb3FOL23sxuRDHcAx8m3R+/udY98PIMT9d40QxHGwBK76z0yMKSoDHgQFKF/5hhrQgwLHQx5Q=,iv:ev4chBe52ZAgzRTY0rDe92w+X0xGIibhp36NtaY1kes=,tag:r3OaebNEZtuQTV3D8g4UyQ==,type:str] + lastmodified: "2025-12-05T02:46:10Z" + mac: ENC[AES256_GCM,data:O0NMjjNBFbpD7dIEWuiezkrnr5Y+3meL322kLoSr5JFaOkGPKjpOSXdxRrf0cItdRWN06jFJGv53qd2N7lGN3afo+QzUzkepnxhlwlvE7/CwXpMrfHLAERa50lto0VHcHht1MgPnPa7/694mvoWQ9sG/kwEtTDix91YgeRH5eis=,iv:ng4l1IH7xO9+ewe5nRHydjxw0eyXtoiIvekIiUYtAbQ=,tag:8yNt5yA2D/FBWjYli7I8ag==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix index c9c3cf8..b32c7b8 100755 --- a/systems/ceres/config/networking.nix +++ b/systems/ceres/config/networking.nix 
@@ -18,11 +18,10 @@ in Kind = "bridge"; }; }; - networks = { "20-lan" = { matchConfig.Name = [ - "enp10s0" + "enp3s0" "vm-*" ]; networkConfig = { @@ -32,7 +31,7 @@ in "30-br-vms" = { matchConfig.Name = "br-vms"; networkConfig = { - Address = "192.168.50.240/24"; + Address = "192.168.50.245/24"; Gateway = "192.168.50.1"; DNS = [ "192.168.50.1" ]; }; @@ -40,7 +39,6 @@ in }; }; }; - networking = { hostName = ceres.name; networkmanager.enable = false; diff --git a/systems/eris/config/filesystem.nix b/systems/eris/config/filesystem.nix index 2f1c295..acd3e2b 100755 --- a/systems/eris/config/filesystem.nix +++ b/systems/eris/config/filesystem.nix @@ -104,10 +104,12 @@ in btrfs subvolume create /btrfs_tmp/root umount /btrfs_tmp ''; - swraid.enable = true; - # mdadmConf = '' - # ARRAY /dev/md0 metadata=1.2 name=eris:storage UUID=64659038:a939a18d:8cdc0f3f:97171a50 - # ''; + swraid = { + enable = true; + mdadmConf = '' + ARRAY /dev/md0 metadata=1.2 name=eris:storage UUID=64659038:a939a18d:8cdc0f3f:97171a50 + ''; + }; }; systemd.tmpfiles.rules = [ "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -" diff --git a/systems/eris/config/networking.nix b/systems/eris/config/networking.nix index 17ffa05..8ebe526 100755 --- a/systems/eris/config/networking.nix +++ b/systems/eris/config/networking.nix @@ -7,6 +7,40 @@ let inherit (flake.config.machines.devices) eris; in { + + microvm.host.enable = true; + + systemd.network = { + enable = true; + netdevs."10-br-vms" = { + netdevConfig = { + Name = "br-vms"; + Kind = "bridge"; + }; + }; + + networks = { + "20-lan" = { + matchConfig.Name = [ + "enp10s0" + "vm-*" + ]; + networkConfig = { + Bridge = "br-vms"; + }; + }; + "30-br-vms" = { + matchConfig.Name = "br-vms"; + networkConfig = { + Address = "192.168.50.245/24"; + Gateway = "192.168.50.1"; + DNS = [ "192.168.50.1" ]; + }; + linkConfig.RequiredForOnline = "routable"; + }; + }; + }; + networking = { hostName = eris.name; networkmanager.enable = true; 
From b5929e08341b2cca60260aa9f9d18eebd7f31907 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:24:00 -0600 Subject: [PATCH 2/9] test: setting up opencloud and microvms --- modules/config/instances/config/caddy.nix | 4 +-- .../config/instances/config/firefly-iii.nix | 2 +- modules/nixos/default.nix | 4 +-- .../nixos/services/caddy/caddy0/default.nix | 33 +++++++++++++++++++ .../nixos/services/caddy/caddy1/default.nix | 20 +++++++++++ modules/nixos/services/caddy/default.nix | 23 ++++--------- systems/ceres/config/networking.nix | 6 ++-- systems/eris/config/networking.nix | 22 ++++++------- 8 files changed, 79 insertions(+), 35 deletions(-) create mode 100755 modules/nixos/services/caddy/caddy0/default.nix create mode 100755 modules/nixos/services/caddy/caddy1/default.nix diff --git a/modules/config/instances/config/caddy.nix b/modules/config/instances/config/caddy.nix index 003f42b..c46e6af 100755 --- a/modules/config/instances/config/caddy.nix +++ b/modules/config/instances/config/caddy.nix @@ -16,7 +16,7 @@ in ports = { port0 = 80; port1 = 443; - port2 = 8443; - port3 = 8445; # Opencloud + port2 = 8080; + port3 = 8443; }; } diff --git a/modules/config/instances/config/firefly-iii.nix b/modules/config/instances/config/firefly-iii.nix index acb8721..2b0cc44 100755 --- a/modules/config/instances/config/firefly-iii.nix +++ b/modules/config/instances/config/firefly-iii.nix @@ -32,7 +32,7 @@ in ]; subdomain = subdomain; ports = { - port0 = 8080; + port0 = 8084; port1 = 8081; }; interface = { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 283afdb..7a5dbef 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -45,7 +45,7 @@ in imports = builtins.attrValues { inherit (modules) acme - caddy + caddy0 comfyui firefly-iii forgejo @@ -71,7 +71,7 @@ in imports = builtins.attrValues { inherit (modules) acme - caddy + caddy1 impermanence microvm opencloud0 
diff --git a/modules/nixos/services/caddy/caddy0/default.nix b/modules/nixos/services/caddy/caddy0/default.nix new file mode 100755 index 0000000..8d7e8b9 --- /dev/null +++ b/modules/nixos/services/caddy/caddy0/default.nix @@ -0,0 +1,33 @@ +{ flake, ... }: +let + inherit (flake.config.services) instances; + inherit (flake.config.machines.devices) eris; + opencloud = instances.opencloud0; + service = instances.caddy; +in +{ + services.caddy = { + enable = true; + virtualHosts = { + "${opencloud.domains.url0}" = { + extraConfig = '' + reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port1} { + transport http { + tls + tls_insecure_skip_verify + } + } + ''; + }; + }; + }; + + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 + service.ports.port1 + ]; + }; + }; +} diff --git a/modules/nixos/services/caddy/caddy1/default.nix b/modules/nixos/services/caddy/caddy1/default.nix new file mode 100755 index 0000000..0cff934 --- /dev/null +++ b/modules/nixos/services/caddy/caddy1/default.nix @@ -0,0 +1,20 @@ +{ flake, ... }: +let + inherit (flake.config.services) instances; + + service = instances.caddy; +in +{ + services.caddy = { + enable = true; + }; + + networking = { + firewall = { + allowedTCPPorts = [ + service.ports.port0 + service.ports.port1 + ]; + }; + }; +} diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix index 0cff934..da65bd2 100755 --- a/modules/nixos/services/caddy/default.nix +++ b/modules/nixos/services/caddy/default.nix 
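Review bot: `tls_insecure_skip_verify` in caddy0's `transport http` block turns off certificate verification for the ceres→eris hop, so the proxy accepts whatever answers on `${eris.ip.address0}:port1`, which defeats the reason for using TLS on that leg; if eris's Caddy presents a certificate for a known name, `tls_server_name <name>` (plus `tls_trusted_ca_certs <ca-file>` when that certificate is not from a public CA) keeps verification on. caddy1 on eris opens `port0`/`port1` in the firewall with no virtualHost defined, so at this point in the series those ports serve nothing; either add the vhost it is meant to front or leave the ports closed until it does. Both new files repeat `enable = true` and an identical firewall block; the shared part belongs in the parent `caddy/default.nix`, which this same commit turns into a directory importer, leaving only the vhost to differ per host.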
@@ -1,20 +1,11 @@ -{ flake, ... }: let - inherit (flake.config.services) instances; - - service = instances.caddy; + importList = + let + content = builtins.readDir ./.; + dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content); + in + map (name: ./. + "/${name}") dirContent; in { - services.caddy = { - enable = true; - }; - - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 - service.ports.port1 - ]; - }; - }; + imports = importList; } diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix index b32c7b8..c9c3cf8 100755 --- a/systems/ceres/config/networking.nix +++ b/systems/ceres/config/networking.nix @@ -18,10 +18,11 @@ in Kind = "bridge"; }; }; + networks = { "20-lan" = { matchConfig.Name = [ - "enp3s0" + "enp10s0" "vm-*" ]; networkConfig = { @@ -31,7 +32,7 @@ in "30-br-vms" = { matchConfig.Name = "br-vms"; networkConfig = { - Address = "192.168.50.245/24"; + Address = "192.168.50.240/24"; Gateway = "192.168.50.1"; DNS = [ "192.168.50.1" ]; }; @@ -39,6 +40,7 @@ in }; }; }; + networking = { hostName = ceres.name; networkmanager.enable = false; diff --git a/systems/eris/config/networking.nix b/systems/eris/config/networking.nix index 8ebe526..79dde5b 100755 --- a/systems/eris/config/networking.nix +++ b/systems/eris/config/networking.nix @@ -1,5 +1,4 @@ { - lib, flake, ... }: @@ -7,9 +6,7 @@ let inherit (flake.config.machines.devices) eris; in { - microvm.host.enable = true; - systemd.network = { enable = true; netdevs."10-br-vms" = { @@ -18,13 +15,15 @@ in Kind = "bridge"; }; }; - networks = { - "20-lan" = { - matchConfig.Name = [ - "enp10s0" - "vm-*" - ]; + "20-enp3s0" = { + matchConfig.Name = "enp3s0"; + networkConfig = { + Bridge = "br-vms"; + }; + }; + "20-vm" = { + matchConfig.Name = "vm-*"; networkConfig = { Bridge = "br-vms"; }; 
@@ -40,12 +39,11 @@ in }; }; }; - networking = { hostName = eris.name; - networkmanager.enable = true; + networkmanager.enable = false; nftables.enable = true; - useDHCP = lib.mkDefault true; + useDHCP = false; firewall = { enable = true; allowedTCPPorts = [ From 589cccbe4d760d07aa4aba8e8e7f4df9e4311d38 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:25:32 -0600 Subject: [PATCH 3/9] test: setting up opencloud and microvms --- modules/nixos/services/restic/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/nixos/services/restic/default.nix b/modules/nixos/services/restic/default.nix index d79f495..9993783 100755 --- a/modules/nixos/services/restic/default.nix +++ b/modules/nixos/services/restic/default.nix @@ -31,7 +31,7 @@ in (inst "firefly-iii") (inst "forgejo") (inst "mastodon") - (inst "opencloud") + (inst "opencloud1") (inst "minecraft0") (inst "minecraft1") (inst "vaultwarden") From 7b69c77f027c459503445b9dbfb817e4cbb795cc Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:32:33 -0600 Subject: [PATCH 4/9] test: setting up opencloud and microvms --- modules/nixos/guests/opencloud/opencloud0/default.nix | 1 - modules/nixos/services/caddy/caddy0/default.nix | 11 ++++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/modules/nixos/guests/opencloud/opencloud0/default.nix b/modules/nixos/guests/opencloud/opencloud0/default.nix index bda3c2a..66dbcc4 100755 --- a/modules/nixos/guests/opencloud/opencloud0/default.nix +++ b/modules/nixos/guests/opencloud/opencloud0/default.nix @@ -181,7 +181,6 @@ in redir /.well-known/carddav /remote.php/dav/ 301 redir /.well-known/caldav /remote.php/dav/ 301 - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} ''; }; }; diff --git a/modules/nixos/services/caddy/caddy0/default.nix b/modules/nixos/services/caddy/caddy0/default.nix index 8d7e8b9..1426dd3 100755 --- a/modules/nixos/services/caddy/caddy0/default.nix 
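Review bot: The restic list now names `opencloud1` only, so the `opencloud0` instance introduced in PATCH 1 (whose `data` directory is mounted into the eris guest) is not in the backup set; if it is meant to hold real user data, add `(inst "opencloud0")` beside it, assuming the `inst` helper (defined outside the hunk) resolves instance paths the same way for eris. If the omission is deliberate because opencloud0 is a test deployment, a comment saying so on the list would stop the next reader from treating it as a gap.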
+++ b/modules/nixos/services/caddy/caddy0/default.nix @@ -1,8 +1,11 @@ -{ flake, ... }: +{ flake, config, ... }: let inherit (flake.config.services) instances; inherit (flake.config.machines.devices) eris; opencloud = instances.opencloud0; + dns = instances.web.dns.provider0; + opencloudHost = opencloud.domains.url0; + dnsPath = "dns/${dns}"; service = instances.caddy; in { @@ -22,6 +25,12 @@ in }; }; + security.acme.certs."${opencloudHost}" = { + dnsProvider = dns; + environmentFile = config.sops.secrets.${dnsPath}.path; + group = "caddy"; + }; + networking = { firewall = { allowedTCPPorts = [ From 04fe2edcf785be2992779e749259e1b7a0116e09 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:33:07 -0600 Subject: [PATCH 5/9] test: setting up opencloud and microvms --- modules/nixos/guests/opencloud/opencloud0/default.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/nixos/guests/opencloud/opencloud0/default.nix b/modules/nixos/guests/opencloud/opencloud0/default.nix index 66dbcc4..97861f4 100755 --- a/modules/nixos/guests/opencloud/opencloud0/default.nix +++ b/modules/nixos/guests/opencloud/opencloud0/default.nix @@ -165,11 +165,11 @@ in }; }; - security.acme.certs."${host}" = { - dnsProvider = dns; - environmentFile = config.sops.secrets.${dnsPath}.path; - group = "caddy"; - }; + # security.acme.certs."${host}" = { + # dnsProvider = dns; + # environmentFile = config.sops.secrets.${dnsPath}.path; + # group = "caddy"; + # }; services.caddy.virtualHosts = { "${host}" = { From 39e69d2cd62f75a03875ca7acb871fbf2cabca46 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:36:47 -0600 Subject: [PATCH 6/9] test: setting up opencloud and microvms --- .../floorp/config/bookmarks/config/flake/selfHosted.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix b/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix index 6891a38..665fc98 100755 --- a/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix +++ b/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix @@ -24,7 +24,7 @@ let instances.ollama.name instances.qbittorrent.name instances.vaultwarden.name - instances.opencloud0.name + "opencloud0" ]; bookmarkConfigs = [ { From f45ce82e0abe3ce726d2b8c3441e1e899f39982b Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:37:18 -0600 Subject: [PATCH 7/9] test: setting up opencloud and microvms --- .../browsers/floorp/config/bookmarks/config/flake/selfHosted.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix b/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix index 665fc98..d820bbe 100755 --- a/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix +++ b/modules/home/gui/apps/browsers/floorp/config/bookmarks/config/flake/selfHosted.nix @@ -24,7 +24,6 @@ let instances.ollama.name instances.qbittorrent.name instances.vaultwarden.name - "opencloud0" ]; bookmarkConfigs = [ { From 97aebfbb59c317488458de87be00447856a7fb24 Mon Sep 17 00:00:00 2001 From: Nick Date: Thu, 4 Dec 2025 23:46:05 -0600 Subject: [PATCH 8/9] test: setting up opencloud and microvms --- modules/nixos/services/caddy/caddy0/default.nix | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/modules/nixos/services/caddy/caddy0/default.nix b/modules/nixos/services/caddy/caddy0/default.nix index 1426dd3..0379819 100755 --- a/modules/nixos/services/caddy/caddy0/default.nix +++ b/modules/nixos/services/caddy/caddy0/default.nix 
@@ -14,28 +14,22 @@ in virtualHosts = { "${opencloud.domains.url0}" = { extraConfig = '' - reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port1} { - transport http { - tls - tls_insecure_skip_verify - } - } + reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port0} + tls ${opencloud.ssl.cert} ${opencloud.ssl.key} ''; }; }; }; - security.acme.certs."${opencloudHost}" = { dnsProvider = dns; environmentFile = config.sops.secrets.${dnsPath}.path; group = "caddy"; }; - networking = { firewall = { allowedTCPPorts = [ - service.ports.port0 - service.ports.port1 + service.ports.port0 # 80 + service.ports.port1 # 443 ]; }; }; From 9ab5ebd35f9334b3abe642e8f983c284f70007e6 Mon Sep 17 00:00:00 2001 From: Nick Date: Fri, 5 Dec 2025 02:47:08 -0600 Subject: [PATCH 9/9] test: setting up opencloud and microvms --- modules/nixos/default.nix | 4 +- .../guests/opencloud/opencloud0/default.nix | 53 +++++++------------ .../guests/opencloud/opencloud1/default.nix | 40 +++++++------- .../nixos/services/caddy/caddy0/default.nix | 36 ------------- .../nixos/services/caddy/caddy1/default.nix | 20 ------- modules/nixos/services/caddy/default.nix | 45 +++++++++++++--- .../services/samba/sambaEris/default.nix | 3 +- systems/mars/config/filesystem.nix | 2 +- 8 files changed, 81 insertions(+), 122 deletions(-) delete mode 100755 modules/nixos/services/caddy/caddy0/default.nix delete mode 100755 modules/nixos/services/caddy/caddy1/default.nix diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 7a5dbef..4723ac9 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -45,7 +45,7 @@ in imports = builtins.attrValues { inherit (modules) acme - caddy0 + caddy comfyui firefly-iii forgejo @@ -70,8 +70,6 @@ in eris = { imports = builtins.attrValues { inherit (modules) - acme - caddy1 impermanence microvm opencloud0 
diff --git a/modules/nixos/guests/opencloud/opencloud0/default.nix b/modules/nixos/guests/opencloud/opencloud0/default.nix index 97861f4..7905f65 100755 --- a/modules/nixos/guests/opencloud/opencloud0/default.nix +++ b/modules/nixos/guests/opencloud/opencloud0/default.nix @@ -1,5 +1,4 @@ { - config, flake, pkgs, ... @@ -9,10 +8,8 @@ let inherit (flake.config.services) instances; serviceCfg = instances.opencloud0; hostCfg = instances.web; - dns = instances.web.dns.provider0; localhost = instances.web.localhost.address1; host = serviceCfg.domains.url0; - dnsPath = "dns/${dns}"; in { microvm.vms = { @@ -55,17 +52,28 @@ in path = [ pkgs.inotify-tools ]; }; opencloud-fix-permissions = { - description = "Fix OpenCloud storage permissions on file changes"; + description = "Fix OpenCloud storage permissions"; after = [ "opencloud.service" ]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "simple"; - ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' - ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do - ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + Type = "oneshot"; + ExecStart = pkgs.writeShellScript "fix-perms" '' + echo "Starting permission fix..." + + OPENCLOUD_UID=$(id -u opencloud) + echo "OpenCloud UID: $OPENCLOUD_UID" + + find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do + echo "Fixing file: $file" + chown opencloud:opencloud "$file" 2>/dev/null || true done + + find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do + echo "Fixing dir: $dir" + chown opencloud:opencloud "$dir" 2>/dev/null || true + done + + echo "Permission fix complete" ''; - Restart = "always"; User = "root"; }; }; 
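Review bot: The `fix-perms` script pipes `find` through `while read -r`, which breaks on names containing newlines, and then runs `chown` on a path that may have changed between the `find` and the `chown`; since this runs as root over a tree the service writes to, that window matters, so let `find` do the work and never dereference: `find /var/lib/opencloud/storage/users ! -uid "$OPENCLOUD_UID" -exec chown -h opencloud:opencloud {} +` replaces both loops (it covers files and directories in one pass and `-h` leaves symlink targets alone). `OPENCLOUD_UID=$(id -u opencloud)` is unchecked — if `id` fails the variable is empty, `! -uid ""` makes `find` error out, and the `2>/dev/null` hides it; `set -eu` at the top of the script makes that failure visible. The `2>/dev/null || true` on each chown likewise silences the one failure the unit exists to surface; drop the redirect so the journal shows what could not be fixed. `path = [ pkgs.inotify-tools ];` on the opencloud service is a leftover from the inotify watcher this hunk removes. The same script and leftover appear in opencloud1's hunk at `@@ -55,17 +52,28 @@` further down, where the same change applies.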
@@ -74,7 +82,7 @@ in description = "Periodically fix OpenCloud storage permissions"; wantedBy = [ "timers.target" ]; timerConfig = { - OnBootSec = "1min"; + OnBootSec = "30s"; OnUnitActiveSec = "1min"; Unit = "opencloud-fix-permissions.service"; }; @@ -158,6 +166,7 @@ in }; environment.systemPackages = builtins.attrValues { inherit (pkgs) + inotify-tools opencloud ; }; @@ -165,28 +174,6 @@ in }; }; - # security.acme.certs."${host}" = { - # dnsProvider = dns; - # environmentFile = config.sops.secrets.${dnsPath}.path; - # group = "caddy"; - # }; - - services.caddy.virtualHosts = { - "${host}" = { - extraConfig = '' - reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { - header_up X-Real-IP {remote_host} - } - - redir /.well-known/carddav /remote.php/dav/ 301 - redir /.well-known/caldav /remote.php/dav/ 301 - - ''; - }; - }; - - users.users.caddy.extraGroups = [ "acme" ]; - systemd = { tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" diff --git a/modules/nixos/guests/opencloud/opencloud1/default.nix b/modules/nixos/guests/opencloud/opencloud1/default.nix index 9c4e058..644f389 100755 --- a/modules/nixos/guests/opencloud/opencloud1/default.nix +++ b/modules/nixos/guests/opencloud/opencloud1/default.nix @@ -32,7 +32,6 @@ in stateDir = "/var/lib/${serviceCfg.name}"; environmentFile = "/run/secrets/projectenv"; }; - openssh = { enable = true; settings = { @@ -41,13 +40,11 @@ in }; }; }; - networking.firewall.allowedTCPPorts = [ 22 # SSH 587 # SMTP serviceCfg.ports.port0 ]; - systemd = { services = { systemd-networkd.wantedBy = [ "multi-user.target" ]; 
@@ -55,17 +52,28 @@ in path = [ pkgs.inotify-tools ]; }; opencloud-fix-permissions = { - description = "Fix OpenCloud storage permissions on file changes"; + description = "Fix OpenCloud storage permissions"; after = [ "opencloud.service" ]; - wantedBy = [ "multi-user.target" ]; serviceConfig = { - Type = "simple"; - ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' - ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do - ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + Type = "oneshot"; + ExecStart = pkgs.writeShellScript "fix-perms" '' + echo "Starting permission fix..." + + OPENCLOUD_UID=$(id -u opencloud) + echo "OpenCloud UID: $OPENCLOUD_UID" + + find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do + echo "Fixing file: $file" + chown opencloud:opencloud "$file" 2>/dev/null || true done + + find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do + echo "Fixing dir: $dir" + chown opencloud:opencloud "$dir" 2>/dev/null || true + done + + echo "Permission fix complete" ''; - Restart = "always"; User = "root"; }; }; @@ -74,7 +82,7 @@ in description = "Periodically fix OpenCloud storage permissions"; wantedBy = [ "timers.target" ]; timerConfig = { - OnBootSec = "1min"; + OnBootSec = "30s"; OnUnitActiveSec = "1min"; Unit = "opencloud-fix-permissions.service"; }; @@ -98,14 +106,11 @@ in ]; }; }; - tmpfiles.rules = [ "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" ]; - }; - microvm = { vcpu = 1; mem = 1024 * 1; 
@@ -158,19 +163,18 @@ in }; environment.systemPackages = builtins.attrValues { inherit (pkgs) + inotifywait opencloud ; }; }; }; }; - security.acme.certs."${host}" = { dnsProvider = dns; environmentFile = config.sops.secrets.${dnsPath}.path; group = "caddy"; }; - services.caddy.virtualHosts = { "${host}" = { extraConfig = @@ -189,9 +193,7 @@ in ''; }; }; - users.users.caddy.extraGroups = [ "acme" ]; - systemd = { tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" @@ -199,12 +201,10 @@ in "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" ]; }; - sops.secrets = { "${serviceCfg.name}/projectenv" = { owner = "root"; mode = "0600"; }; }; - } diff --git a/modules/nixos/services/caddy/caddy0/default.nix b/modules/nixos/services/caddy/caddy0/default.nix deleted file mode 100755 index 0379819..0000000 --- a/modules/nixos/services/caddy/caddy0/default.nix +++ /dev/null @@ -1,36 +0,0 @@ -{ flake, config, ... }: -let - inherit (flake.config.services) instances; - inherit (flake.config.machines.devices) eris; - opencloud = instances.opencloud0; - dns = instances.web.dns.provider0; - opencloudHost = opencloud.domains.url0; - dnsPath = "dns/${dns}"; - service = instances.caddy; -in -{ - services.caddy = { - enable = true; - virtualHosts = { - "${opencloud.domains.url0}" = { - extraConfig = '' - reverse_proxy ${eris.ip.address0}:${builtins.toString service.ports.port0} - tls ${opencloud.ssl.cert} ${opencloud.ssl.key} - ''; - }; - }; - }; - security.acme.certs."${opencloudHost}" = { - dnsProvider = dns; - environmentFile = config.sops.secrets.${dnsPath}.path; - group = "caddy"; - }; - networking = { - firewall = { - allowedTCPPorts = [ - service.ports.port0 # 80 - service.ports.port1 # 443 - ]; - }; - }; -} diff --git a/modules/nixos/services/caddy/caddy1/default.nix b/modules/nixos/services/caddy/caddy1/default.nix deleted file mode 100755 index 0cff934..0000000 --- a/modules/nixos/services/caddy/caddy1/default.nix +++ /dev/null 
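Review bot: `inotifywait` is added to `environment.systemPackages` here, whereas the matching hunk for opencloud0 (L17, `@@ -158,6 +166,7 @@`) adds `inotify-tools`, and the context line `path = [ pkgs.inotify-tools ];` earlier in this file uses the latter; unless this flake's `pkgs` defines an `inotifywait` attribute, evaluating opencloud1 will fail, so this should read `inotify-tools` as well. The rewritten fix-permissions unit no longer calls inotifywait at all, so confirm another unit in this file still needs the package before keeping it in systemPackages.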
@@ -1,20 +0,0 @@
-{ flake, ... }:
-let
- inherit (flake.config.services) instances;
-
- service = instances.caddy;
-in
-{
- services.caddy = {
- enable = true;
- };
-
- networking = {
- firewall = {
- allowedTCPPorts = [
- service.ports.port0
- service.ports.port1
- ];
- };
- };
-}
diff --git a/modules/nixos/services/caddy/default.nix b/modules/nixos/services/caddy/default.nix
index da65bd2..712472e 100755
--- a/modules/nixos/services/caddy/default.nix
+++ b/modules/nixos/services/caddy/default.nix
@@ -1,11 +1,42 @@
+{ flake, config, ... }:
 let
- importList =
- let
- content = builtins.readDir ./.;
- dirContent = builtins.filter (n: content.${n} == "directory") (builtins.attrNames content);
- in
- map (name: ./. + "/${name}") dirContent;
+ inherit (flake.config.services) instances;
+ inherit (flake.config.machines.devices) eris;
+ opencloud = instances.opencloud0;
+ dns = instances.web.dns.provider0;
+ opencloudHost = opencloud.domains.url0;
+ dnsPath = "dns/${dns}";
+ service = instances.caddy;
 in
 {
- imports = importList;
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "${opencloud.domains.url0}" = {
+ extraConfig = ''
+ reverse_proxy ${opencloud.interface.ip}:${toString opencloud.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
+
+ tls ${opencloud.ssl.cert} ${opencloud.ssl.key}
+ '';
+ };
+ };
+ };
+ security.acme.certs."${opencloudHost}" = {
+ dnsProvider = dns;
+ environmentFile = config.sops.secrets.${dnsPath}.path;
+ group = "caddy";
+ };
+ networking = {
+ firewall = {
+ allowedTCPPorts = [
+ service.ports.port0 # 80
+ service.ports.port1 # 443
+ ];
+ };
+ };
 }
diff --git a/modules/nixos/services/samba/sambaEris/default.nix b/modules/nixos/services/samba/sambaEris/default.nix
index d261aa1..c54a857 100755
--- a/modules/nixos/services/samba/sambaEris/default.nix
+++ b/modules/nixos/services/samba/sambaEris/default.nix
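Review bot: The virtual host hard-codes `tls ${opencloud.ssl.cert} ${opencloud.ssl.key}` while the same file declares `security.acme.certs."${opencloudHost}"`; those paths come from the instance's `sslPath`, and if it does not resolve to the ACME module's certificate directory Caddy will either fail to load the key or serve a certificate the ACME module never renews. Setting `useACMEHost = opencloudHost;` on the virtual host and dropping the manual `tls` line lets the Caddy module point at the renewed certificate and grant the needed permissions itself. Since this file now replaces the per-host `caddy0`/`caddy1` modules, every host that imports `services/caddy` also gets the OpenCloud vhost and the `config.sops.secrets.${dnsPath}` reference; if a second host still imports it (the old caddy1 only set `enable = true`), it must define that secret or evaluation fails there.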
@@ -12,11 +12,10 @@ in
 # sudo smbpasswd -a username
 services = {
 samba = {
- # package = pkgs.samba4Full;
 enable = true;
 openFirewall = true;
 settings = {
- "raid0" = {
+ "storage" = {
 path = "/mnt/storage";
 writable = "yes";
 "valid users" = user0;
diff --git a/systems/mars/config/filesystem.nix b/systems/mars/config/filesystem.nix
index fa09336..a999182 100755
--- a/systems/mars/config/filesystem.nix
+++ b/systems/mars/config/filesystem.nix
@@ -19,7 +19,7 @@ in
 "samba0"
 ];
 erisFolders = [
- "raid0"
+ "storage"
 ];
 ceresDrives = [
 "samba0"