test: trying to fix opencloud

2025-12-06 21:17:14 -06:00 · 2025-11-30 18:39:54 -06:00 · 2025-11-30 18:16:08 -06:00 · 2025-11-30 17:53:28 -06:00 · 2025-11-30 17:53:19 -06:00 · 2025-11-30 17:33:57 -06:00
2 changed files with 64 additions and 19 deletions
--- a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
+++ b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix
@ -30,7 +30,7 @@ in
            port = serviceCfg.ports.port0;
            address = localhost;
            stateDir = "/var/lib/${serviceCfg.name}";
-            environmentFile = "/run/secrets/projectenv";
+            environmentFile = "/etc/opencloud-secrets/env";
          };

          openssh = {
@ -53,11 +53,43 @@ in
            opencloud = {
              path = [ pkgs.inotify-tools ];
            };
+            opencloud-copy-secrets = {
+              description = "Copy secrets from virtiofs to local filesystem";
+              before = [
+                "opencloud-init-config.service"
+                "opencloud.service"
+              ];
+              requiredBy = [ "opencloud.service" ];
+              after = [ "run-secrets.mount" ];
+              serviceConfig = {
+                Type = "oneshot";
+                RemainAfterExit = true;
+              };
+              script = ''
+                set -e
+                echo "Checking for secrets..."
+
+                if [ ! -f /run/secrets/projectenv ]; then
+                  echo "ERROR: /run/secrets/projectenv not found!"
+                  ls -la /run/secrets/ || true
+                  exit 1
+                fi
+
+                echo "Copying secrets..."
+                mkdir -p /etc/opencloud-secrets
+                cp /run/secrets/projectenv /etc/opencloud-secrets/env
+                chmod 755 /etc/opencloud-secrets
+                chmod 644 /etc/opencloud-secrets/*
+
+                echo "Secrets copied successfully"
+                cat /etc/opencloud-secrets/env
+              '';
+            };
          };
          network = {
            enable = true;
            networks."20-lan" = {
-              matchConfig.Name = "enp0s5";
+              matchConfig.Name = "enp0s6";
              addresses = [
                { Address = "${serviceCfg.interface.ip}/24"; }
              ];
@ -75,7 +107,9 @@ in
          };

          tmpfiles.rules = [
-            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+            "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+            "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -"
+            # "L+ /etc/opencloud/proxy.yaml - - - - /etc/static/opencloud/proxy.yaml"
          ];

        };
@ -83,8 +117,8 @@ in
        systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];

        microvm = {
-          vcpu = 2;
-          mem = 1024 * 3;
+          vcpu = 1;
+          mem = 1024 * 1;
          hypervisor = "qemu";
          interfaces = [
            {
@ -115,9 +149,15 @@ in
            {
              mountPoint = "/var/lib/${serviceCfg.name}";
              proto = "virtiofs";
-              source = serviceCfg.mntPaths.path0;
+              source = "${serviceCfg.mntPaths.path0}/data";
              tag = "${serviceCfg.name}_data";
            }
+            {
+              mountPoint = "/etc/opencloud";
+              proto = "virtiofs";
+              source = "${serviceCfg.mntPaths.path0}/config";
+              tag = "${serviceCfg.name}_config";
+            }
            {
              mountPoint = "/run/secrets";
              proto = "virtiofs";
@ -132,6 +172,7 @@ in
            bottom
            trashy
            fastfetch
+            opencloud
            ;
        };

@ -147,16 +188,20 @@ in

  services.caddy.virtualHosts = {
    "${host}" = {
-      extraConfig = ''
-        reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
-          header_up X-Real-IP {remote_host}
-        }
+      extraConfig =
+        let
+          credPath = "/var/lib/acme/${host}";
+        in
+        ''
+          reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
+            header_up X-Real-IP {remote_host}
+          }

-        redir /.well-known/carddav /remote.php/dav/ 301
-        redir /.well-known/caldav /remote.php/dav/ 301
+          redir /.well-known/carddav /remote.php/dav/ 301
+          redir /.well-known/caldav /remote.php/dav/ 301

-        tls /var/lib/acme/${host}/fullchain.pem /var/lib/acme/${host}/key.pem 
-      '';
+          tls ${credPath}/fullchain.pem ${credPath}/key.pem 
+        '';
    };
  };

@ -165,8 +210,8 @@ in
  systemd = {
    tmpfiles.rules = [
      "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -"
-      "d ${serviceCfg.mntPaths.path0}/storage 0755 opencloud opencloud - -"
-      "d ${serviceCfg.mntPaths.path0}/storage/users 2775 opencloud wheel - -"
+      "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -"
+      "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -"
    ];
  };

--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -47,7 +47,7 @@ wireguard:
 glance:
    jellyfin: ENC[AES256_GCM,data:Ddpv23kdMGTWvlemn7o5M2ARQ+NuzUfgO9eLuMnRh/kt,iv:RiMRQPoyHtQqqc3wx48g1+Ip3meuCKSOniLZq2iJ3i4=,tag:B2sZT8R4ZnLIKiUMaU3L+w==,type:str]
 opencloud:
-    projectenv: ENC[AES256_GCM,data:+XCd3xScfxCN1Zl5L+4RAOjpmMPhVLSBtqH2nkEUpXhssy5EU82qAanNmqwiIJ1VrYXYovuu3XOwRKY3Ub1nsR5h1S0KUCwav2zmFKVopxF/5jVNIk6qR8Ggz/fAa1YQSW+SAnrtRGvP0Q1SERlCgnH4isVxNvWPyWCZKIgiX2Enu7hVwsJXKLYDomRWt47zzXNUzw50aFn7xPtXE/AYbMPBa+FweCrCfkaQ6i6jPvkdc6VBYTqIanD0908wB2SJA+1xvY7bYgRVB17/4a/9DuUN5J4xU84TOW7EFkvC/hWhlhC58GqQrOFyAgTP4YJHKGbLVKPlc4fcNMh5+pENpPG2fRDElCaLoJcYe6sYhaCDSegpDR/U9bgzKirnCu/hmdG+NQ3sGK/C89JL2kZT+tVT1u5JWnKGOGvLGQm73QUmnssDZVd8ubNsnd57W7siqAXY3+DN46yLrGgmTfHTRi4x2DKF8VCD9jXOxWsyoLvKYDyz09H9dI72xlCtSmcrFAt7bY7uEAWutrPCf3Kh/gq6oFUAPBEwfqhgnpgGA1vyA6o4zhxl4Rqye5YZMx2uNkxdA4wmk9KB/e7BVR/P04TSXoAV931OX7bnlw3XjSw5NTPEPnpmwZ3VPRGGkz171RiQQp+CkwUr35+DdwFrGazuv3wlwAhM19h9SRn8jikrw6PPGVehYp8mB/FhpNgqV0nM2DfjaBqE3yMfDzXH5b92t4Q=,iv:6mlHq6yh03x/FbZNu+A9QBoV6ALX1rRWuL13ItJWriI=,tag:tK6Ek2fzgPPWT8WCeU1Frw==,type:str]
+    projectenv: ENC[AES256_GCM,data:At9x06kOIXWdKQVeoyZyER8u4cyq4rrj8jpZThTJD3jqqc4pmdY52EIGw/sdzcK2IVSesgPiHnyCpqtMXm1dpkW69JLlZDPgf0h9+ADxRvGbLNRN4AszLLa34OtoxaTY53EGAtAY8KLyR6AycxLUVINReVDZWLF45MZ7gCl7HGwo06ut8VE9MqodQuqrwJSNl3lZMmWDP+Xu2INMOYS+sw7AlX8Apxvnqx1bzH34DjBcQkKXD2OYOCZFLmP7rd5NLL9zf3dCBHzNcYg3rIcV5fiYbnvxMRQ9CtiL2JvlcPTe5nNZlsZ3A+urAy/RCB7mDCydBwSEKVzGLwcOQmx+1H/9qXsD3YIvIJCLgcigfUs7d1/dfjOYfAQ2gMNjRRmX583XCu8F2d+bgb090wVYkejYY+61h/89TwVPrp+VC2H/Lt8DNW2qlu7QezvqPBZJf+2gtAPk7KmT4/kG2a2Abnj/TB4CwO20xFEtL/LNOwTfNnAWjHXTZeTl2I3tyGI0jrMmpyzXr6HsflbB9/yGLS3gVIVScOWnsnwhD/8rKqnEv2VmORl4c6zjqHm+W38pO2ehh9Cw+yoacjvGZu54nnGDzBpJai/6tj6+XUuCH8l25AMYyBqDv6OFROkEqRXkkB1rrdmXuUKFP298vShbXk4ZJKeD3PHMpV4pCoRrMmFNlDxeo+sHC+Cf7itFe7qHNjshZHxYoKIl/977gy6urWroWlORiGR+eJXrXFw7bHD/w/atXQ==,iv:vVVUwKuTVmrvcRNNgshbl/weBes6fGcflKqVc/1zRNw=,tag:Jt1lCAnuPs1AP9LAR7BXhg==,type:str]
 caddy:
    share-auth: ENC[AES256_GCM,data:3jY2B2GOdz5EPJeAyVsk4XCs5NMft3VquIBep7SxYtEZ9H7IDroq1U1Sch6YVQ7VcL85L4Ix/OVPm4jVDEA0sZiGkltbYXRXZ8CR34ifsHtHR35lgjXyj8ZhJLydw7LgmZCEztWO8GjLdvSY,iv:MT5sA32Djx81HGc36rqV2xS5KUHLAeTyZiOdSu8oqQY=,tag:V1dv4yS2RXf4Xqrl5+tEuA==,type:str]
    comfyui-auth: ENC[AES256_GCM,data:7VTXoRxnD0NyVCFRAjHaZswEUsFuQd/ZIwVfqGPmNNV87hn6CBYWvxvcPPFwe+uw7BmKMt+I66DyKx5ydYENTWxPocyT/rFdgdtWwNoenj+JwsUzegmMbEiH2HCZdiwKj0h1lo142mtA6zkc,iv:xT5XHCj8D4dyvglstE2oqo92fLdscCkaNMux43hJ7nQ=,tag:HgU9wAmjPvfoDXgnorB5yA==,type:str]
@ -78,7 +78,7 @@ sops:
            bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
            aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-29T02:32:25Z"
-    mac: ENC[AES256_GCM,data:DiW/akEjhRu7Bvfh3je1llcfj6ytRT5+ntWUIobdvVZA4fu7z00skzUYiAdAg/CAnepEgAJ1R8JDag/TFIrnKg+JHM4Kdv7F4Ier/qaSGURxGQ/rxG5jwsj5N9ar8nWxpt9X3Ox7alyNyGpCW5bzbLL2EWzPmHVQiHWpfrlkivc=,iv:QOWZ5uAq7eNPiJF2/YY83bCnSaCXhm3b25egDcFDczg=,tag:zSlHQvCRugSP/wxJ7P+gGw==,type:str]
+    lastmodified: "2025-12-01T00:35:20Z"
+    mac: ENC[AES256_GCM,data:yLqmOp2239jXoew95D+2EDq00j9tEJuIvXT+s653rG+dTesa4oYIDYnSnlZzf+TOHKgz83Xrity2mDeqOnxpdiuLPmKIVQrh4JelgQQJ7OUvtAeJJdvMiaz6M8YLT7jwF8sUF2S0MTysXQK7EPzG/9eokgI5u1U1sp+CNH027Oc=,iv:JGpL/QkFn28wP2qjo7O59PFX3/xjlGSx8EHSavVBTec=,tag:bqmx+MlkGjrnJT0Z+vj5lw==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
Author	SHA1	Message	Date
Nick	dc66e0050d	test: trying to fix opencloud	2025-11-30 18:39:54 -06:00
Nick	6da9433ba0	test: trying to fix opencloud	2025-11-30 18:16:08 -06:00
Nick	cd9522913a	test: trying to fix opencloud	2025-11-30 17:53:28 -06:00
Nick	b3b9ed430e	test: trying to fix opencloud	2025-11-30 17:53:19 -06:00
Nick	8c2a56cda2	test: trying to fix opencloud	2025-11-30 17:33:57 -06:00
Nick	05f1f40208	test: trying to fix opencloud	2025-11-30 17:15:54 -06:00
Nick	58ce309071	test: trying to fix opencloud	2025-11-30 17:13:44 -06:00
Nick	1fe4a86a19	test: trying to fix opencloud	2025-11-30 17:12:26 -06:00
Nick	ac0ba3e5d6	test: trying to fix opencloud	2025-11-30 17:04:02 -06:00
Nick	6a7fb05c69	test: trying to fix opencloud	2025-11-30 16:59:47 -06:00
Nick	3edcf0883b	test: trying to fix opencloud	2025-11-30 16:32:34 -06:00
Nick	2d09ad6359	test: trying to fix opencloud	2025-11-30 16:18:57 -06:00
Nick	27c1859ace	test: trying to fix opencloud	2025-11-30 14:57:21 -06:00