diff --git a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
index fe4cc78..ec3557e 100755
--- a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
+++ b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
@@ -30,7 +30,7 @@ in
 port = serviceCfg.ports.port0;
 address = localhost;
 stateDir = "/var/lib/${serviceCfg.name}";
- environmentFile = "/run/secrets/projectenv";
+ environmentFile = "/etc/opencloud-secrets/env";
 };
 openssh = {
@@ -53,11 +53,43 @@ in
 opencloud = {
 path = [ pkgs.inotify-tools ];
 };
+ opencloud-copy-secrets = {
+ description = "Copy secrets from virtiofs to local filesystem";
+ before = [
+ "opencloud-init-config.service"
+ "opencloud.service"
+ ];
+ requiredBy = [ "opencloud.service" ];
+ after = [ "run-secrets.mount" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ set -e
+ echo "Checking for secrets..."
+ if [ ! -f /run/secrets/projectenv ]; then
+ echo "ERROR: /run/secrets/projectenv not found!"
+ ls -la /run/secrets/ || true
+ exit 1
+ fi
+ echo "Copying secrets..."
+ mkdir -p /etc/opencloud-secrets
+ cp /run/secrets/projectenv /etc/opencloud-secrets/env
+ chmod 755 /etc/opencloud-secrets
+ chmod 644 /etc/opencloud-secrets/*
+ echo "Secrets copied successfully"
+ cat /etc/opencloud-secrets/env
+ '';
+ };
 };
 network = {
 enable = true;
 networks."20-lan" = {
- matchConfig.Name = "enp0s5";
+ matchConfig.Name = "enp0s6";
 addresses = [
 { Address = "${serviceCfg.interface.ip}/24"; }
 ];
@@ -75,7 +107,9 @@ in
 };
 tmpfiles.rules = [
- "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -"
+ # "L+ /etc/opencloud/proxy.yaml - - - - /etc/static/opencloud/proxy.yaml"
 ];
 };
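Review bot: The new `opencloud-copy-secrets` script leaves the copied environment file world-readable and then logs its contents: `chmod 755 /etc/opencloud-secrets` and `chmod 644 /etc/opencloud-secrets/*` let any local account read `/etc/opencloud-secrets/env`, and `cat /etc/opencloud-secrets/env` writes every secret value into the unit's journal, where it persists and follows any log forwarding. Because hunk `@@ -30,7 +30,7 @@` now points `environmentFile` at this copy, these permissions govern the live secret rather than the virtiofs original. Replace the `cp` and both `chmod` lines with `chmod 0700 /etc/opencloud-secrets` and `install -m 0600 /run/secrets/projectenv /etc/opencloud-secrets/env` (adding `-o ${serviceCfg.name}` only if the service reads the file itself rather than through systemd's `EnvironmentFile=`), and delete the `cat` line; the `ls -la /run/secrets/ || true` in the error branch is fine since it prints names only. A one-line comment above the unit saying why the file must be copied out of `/run/secrets` at all (presumably the virtiofs mount is not available early enough for the service) would spare the next reader the same question.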
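Review bot: The commented-out `# "L+ /etc/opencloud/proxy.yaml - - - - /etc/static/opencloud/proxy.yaml"` entry is dead code inside the rules list; either remove it or replace it with a comment stating why the symlink is intentionally not created. The new `z /etc/opencloud 0700 ...` rule acts on a directory that hunk `@@ -115,9 +149,15 @@` mounts over virtiofs from a host path created as `0751 microvm wheel`, so whether the guest-side chown and chmod take effect depends on the share's id mapping, which nothing here documents; a comment such as `# /etc/opencloud is a virtiofs share; tighten it guest-side so the config tree is not group- or world-readable` would record the assumption. Switching the first rule from `Z` to `d` also stops recursively re-owning existing content under `${serviceCfg.varPaths.path0}`; if that is deliberate, say so in a short comment.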
@@ -83,8 +117,8 @@ in
 systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
 microvm = {
- vcpu = 2;
- mem = 1024 * 3;
+ vcpu = 1;
+ mem = 1024 * 1;
 hypervisor = "qemu";
 interfaces = [
 {
@@ -115,9 +149,15 @@ in
 {
 mountPoint = "/var/lib/${serviceCfg.name}";
 proto = "virtiofs";
- source = serviceCfg.mntPaths.path0;
+ source = "${serviceCfg.mntPaths.path0}/data";
 tag = "${serviceCfg.name}_data";
 }
+ {
+ mountPoint = "/etc/opencloud";
+ proto = "virtiofs";
+ source = "${serviceCfg.mntPaths.path0}/config";
+ tag = "${serviceCfg.name}_config";
+ }
 {
 mountPoint = "/run/secrets";
 proto = "virtiofs";
@@ -132,6 +172,7 @@ in
 bottom
 trashy
 fastfetch
+ opencloud
 ;
 };
@@ -147,16 +188,20 @@ in
 services.caddy.virtualHosts = {
 "${host}" = {
- extraConfig = ''
- reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
- header_up X-Real-IP {remote_host}
- }
+ extraConfig =
+ let
+ credPath = "/var/lib/acme/${host}";
+ in
+ ''
+ reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
- redir /.well-known/carddav /remote.php/dav/ 301
- redir /.well-known/caldav /remote.php/dav/ 301
+ redir /.well-known/carddav /remote.php/dav/ 301
+ redir /.well-known/caldav /remote.php/dav/ 301
- tls /var/lib/acme/${host}/fullchain.pem /var/lib/acme/${host}/key.pem
- '';
+ tls ${credPath}/fullchain.pem ${credPath}/key.pem
+ '';
 };
 };
@@ -165,8 +210,8 @@ in
 systemd = {
 tmpfiles.rules = [
 "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
- "d ${serviceCfg.mntPaths.path0}/storage 0755 opencloud opencloud - -"
- "d ${serviceCfg.mntPaths.path0}/storage/users 2775 opencloud wheel - -"
+ "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
+ "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -"
 ];
 };
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index 1836602..d6f945c 100755
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
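Review bot: The host-side `data` and `config` directories are created as `microvm wheel 0751` (replacing the removed `opencloud opencloud` rules), while the guest in this same commit re-owns the mounted trees to `${serviceCfg.name}` and tightens `/etc/opencloud` to `0700`; which uid the files carry on the host, and whether `wheel` members can list the config share, depends on the virtiofs id mapping that nothing in the diff states. Add a comment above the rules recording the intended model, e.g. `# share roots are owned by the microvm user; ownership inside them is managed by the guest's tmpfiles rules`. The `storage` and `storage/users` rules are deleted and the mount in `@@ -115,9 +149,15 @@` now exposes only `${serviceCfg.mntPaths.path0}/data` to the guest, so any existing data under `storage` is no longer visible to the service; if a migration is expected, note it in the commit message or a comment.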
@@ -47,7 +47,7 @@ wireguard:
 glance:
 jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str]
 opencloud:
- projectenv: ENC[AES256_GCM,data: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,iv:6mlHq6yh03x/FbZNu+A9QBoV6ALX1rRWuL13ItJWriI=,tag:tK6Ek2fzgPPWT8WCeU1Frw==,type:str]
+ projectenv: ENC[AES256_GCM,data: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,iv:vVVUwKuTVmrvcRNNgshbl/weBes6fGcflKqVc/1zRNw=,tag:Jt1lCAnuPs1AP9LAR7BXhg==,type:str]
 caddy:
 share-auth: ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str]
 comfyui-auth: ENC[AES256_GCM,data:7VTXoRxnD0NyVCFRAjHaZswEUsFuQd/ZIwVfqGPmNNV87hn6CBYWvxvcPPFwe+uw7BmKMt+I66DyKx5ydYENTWxPocyT/rFdgdtWwNoenj+JwsUzegmMbEiH2HCZdiwKj0h1lo142mtA6zkc,iv:xT5XHCj8D4dyvglstE2oqo92fLdscCkaNMux43hJ7nQ=,tag:HgU9wAmjPvfoDXgnorB5yA==,type:str]
@@ -78,7 +78,7 @@ sops:
 bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
 aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-29T02:32:25Z"
- mac: ENC[AES256_GCM,data:DiW/akEjhRu7Bvfh3je1llcfj6ytRT5+ntWUIobdvVZA4fu7z00skzUYiAdAg/CAnepEgAJ1R8JDag/TFIrnKg+JHM4Kdv7F4Ier/qaSGURxGQ/rxG5jwsj5N9ar8nWxpt9X3Ox7alyNyGpCW5bzbLL2EWzPmHVQiHWpfrlkivc=,iv:QOWZ5uAq7eNPiJF2/YY83bCnSaCXhm3b25egDcFDczg=,tag:zSlHQvCRugSP/wxJ7P+gGw==,type:str]
+ lastmodified: "2025-12-01T00:35:20Z"
+ mac: ENC[AES256_GCM,data:yLqmOp2239jXoew95D+2EDq00j9tEJuIvXT+s653rG+dTesa4oYIDYnSnlZzf+TOHKgz83Xrity2mDeqOnxpdiuLPmKIVQrh4JelgQQJ7OUvtAeJJdvMiaz6M8YLT7jwF8sUF2S0MTysXQK7EPzG/9eokgI5u1U1sp+CNH027Oc=,iv:JGpL/QkFn28wP2qjo7O59PFX3/xjlGSx8EHSavVBTec=,tag:bqmx+MlkGjrnJT0Z+vj5lw==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0