diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 0a39269..5c845e9 100755 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -17,7 +17,6 @@ in tuios wireguard microvm - defenseio ; }; }; @@ -32,7 +31,6 @@ in plymouth wireguard microvm - defenseio ; }; }; @@ -41,7 +39,6 @@ in imports = builtins.attrValues { inherit (modules) microvm - defenseio ; }; }; @@ -53,7 +50,6 @@ in caddy ceresOpenCloud comfyui - defenseio firefly-iii forgejo jellyfin @@ -67,7 +63,6 @@ in vaultwarden website zookeeper - defenseioGpu ; }; }; @@ -81,7 +76,6 @@ in microvm sambaEris postgresEris - defenseio ; }; }; diff --git a/modules/nixos/guests/firefly-iii/default.nix b/modules/nixos/guests/firefly-iii/default.nix index a27b497..0a8de09 100755 --- a/modules/nixos/guests/firefly-iii/default.nix +++ b/modules/nixos/guests/firefly-iii/default.nix @@ -1,6 +1,7 @@ { flake, config, + pkgs, ... }: let @@ -55,26 +56,20 @@ in SITE_OWNER = email.address2; }; }; - phpfpm.pools.firefly-iii.phpEnv = { TRUSTED_PROXIES = "*"; APP_URL = "https://${host}"; }; - firefly-iii-data-importer = { enable = true; }; - caddy = { enable = true; virtualHosts.":80" = { extraConfig = '' root * ${config.services.firefly-iii.package}/public - file_server - encode gzip - php_fastcgi unix//run/phpfpm/firefly-iii.sock { env HTTPS {http.request.header.X-Forwarded-Proto} env HTTP_X_FORWARDED_PROTO {http.request.header.X-Forwarded-Proto} @@ -82,7 +77,6 @@ in ''; }; }; - postgresql = { enable = true; ensureDatabases = [ "firefly-iii" ]; @@ -93,7 +87,6 @@ in } ]; }; - openssh = { enable = true; settings = { @@ -102,18 +95,15 @@ in }; }; }; - users.users.caddy = { extraGroups = [ "firefly-iii" ]; }; - networking.firewall.allowedTCPPorts = [ 22 80 serviceCfg.ports.port0 serviceCfg.ports.port1 ]; - systemd = { services = { caddy = { 
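Review bot: `pkgs,` is added to the firefly-iii module's argument set, but none of the hunks shown for this file use it; if no unshown line references it either, the new input is dead and should be dropped. The same unused-looking `pkgs` addition appears in minecraft/world0, minecraft/world1 and vaultwarden further down the diff. Whether an unshown line consumes it cannot be told from the diff alone.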
@@ -161,15 +151,13 @@ in ]; }; }; - tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; - microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/forgejo/default.nix b/modules/nixos/guests/forgejo/default.nix index f36d6cd..92d47d9 100755 --- a/modules/nixos/guests/forgejo/default.nix +++ b/modules/nixos/guests/forgejo/default.nix @@ -15,13 +15,11 @@ let in { users.users.caddy.extraGroups = [ "acme" ]; - security.acme.certs."${host}" = { dnsProvider = dns0; environmentFile = config.sops.secrets.${dns0Path}.path; group = "caddy"; }; - microvm.vms = { ${serviceCfg.name} = { autostart = true; @@ -64,7 +62,6 @@ in }; }; }; - openssh = { enable = true; settings = { @@ -73,7 +70,6 @@ in }; }; }; - networking.firewall.allowedTCPPorts = [ 22 # SSH 25 # SMTP @@ -82,7 +78,6 @@ in 2525 # SMTP serviceCfg.ports.port0 ]; - fileSystems."/tmp" = { device = "tmpfs"; fsType = "tmpfs"; @@ -91,7 +86,6 @@ in "mode=1777" ]; }; - systemd = { network = { enable = true; @@ -110,15 +104,12 @@ in ]; }; }; - tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" # "Z /var/lib/postgresql 0755 postgres postgres -" ]; }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { vcpu = 1; mem = 1024; @@ -166,23 +157,18 @@ in }; }; }; - systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" ]; - services.caddy.virtualHosts."${host}" = { extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { header_up X-Real-IP {remote_host} } - tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} - encode zstd gzip ''; }; - sops.secrets = { "${serviceCfg.name}/smtp" = { owner = "root"; diff --git a/modules/nixos/guests/jellyfin/default.nix b/modules/nixos/guests/jellyfin/default.nix index 3f309a2..542fd63 100755 --- a/modules/nixos/guests/jellyfin/default.nix 
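Review bot: `mem = 512;` halves the RAM of a guest that, per the earlier hunks in this file, runs php-fpm, Caddy, PostgreSQL and the firefly-iii data importer together, and 512 MiB leaves little headroom for PHP workers plus postgres buffers during an import. Verify peak usage under an import before keeping this, or pair the reduction with explicit php-fpm pool limits. The identical reduction in vaultwarden, website and zookeeper later in the diff deserves the same check, though those single-service guests are less likely to hit it. The microvm attribute set continues past the hunk.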
+++ b/modules/nixos/guests/jellyfin/default.nix @@ -28,7 +28,6 @@ in enable = true; openFirewall = true; }; - openssh = { enable = true; settings = { @@ -37,24 +36,20 @@ in }; }; }; - users.users.jellyfin = { isSystemUser = true; group = serviceCfg.name; uid = id; }; - users.groups.jellyfin = { gid = id; }; - networking.firewall.allowedTCPPorts = [ 22 serviceCfg.ports.port0 serviceCfg.ports.port1 serviceCfg.ports.port2 ]; - fileSystems."/tmp" = { device = "tmpfs"; fsType = "tmpfs"; @@ -63,7 +58,6 @@ in "mode=1777" ]; }; - systemd = { network = { enable = true; @@ -82,7 +76,6 @@ in ]; }; }; - tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "Z ${serviceCfg.varPaths.path2} 0755 ${serviceCfg.name} ${serviceCfg.name} -" @@ -90,11 +83,9 @@ in "Z ${serviceCfg.varPaths.path2} 0775 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { - vcpu = 2; + vcpu = 4; mem = 1024 * 3; hypervisor = "qemu"; interfaces = [ @@ -143,24 +134,14 @@ in } ]; }; - environment.systemPackages = builtins.attrValues { - inherit (pkgs) - yazi - bottom - trashy - fastfetch - ; - }; }; }; }; - security.acme.certs."${host}" = { dnsProvider = dns0; environmentFile = config.sops.secrets.${dns0Path}.path; group = "caddy"; }; - services = { caddy = { virtualHosts = { @@ -182,7 +163,6 @@ in gid = id; members = [ user0 ]; }; - users = { jellyfin = { isSystemUser = true; @@ -192,7 +172,6 @@ in caddy.extraGroups = [ "acme" ]; }; }; - systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/data 0755 microvm wheel - -" diff --git a/modules/nixos/guests/minecraft/world0/default.nix b/modules/nixos/guests/minecraft/world0/default.nix index 8d467e5..ad6a2a5 100755 --- a/modules/nixos/guests/minecraft/world0/default.nix +++ b/modules/nixos/guests/minecraft/world0/default.nix @@ -1,5 +1,6 @@ { flake, + pkgs, ... }: let 
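Review bot: jellyfin moves to `vcpu = 4;` while world0 and world1 each move to 4 vCPUs and `1024 * 4` MiB in the same commit, so these three guests alone now request 12 vCPUs and about 11 GiB; if the host has fewer cores than that, the microvms are oversubscribed and transcodes will contend with the Minecraft servers. It would help to record the intended host budget next to the line, e.g. `vcpu = 4; # of <host-core-count> host cores`. The microvm attribute set continues past the hunk.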
@@ -124,8 +125,8 @@ in systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; microvm = { - vcpu = 2; - mem = 1024 * 3; + vcpu = 4; + mem = 1024 * 4; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/minecraft/world1/default.nix b/modules/nixos/guests/minecraft/world1/default.nix index 79ae7c5..a57266b 100755 --- a/modules/nixos/guests/minecraft/world1/default.nix +++ b/modules/nixos/guests/minecraft/world1/default.nix @@ -1,5 +1,6 @@ { flake, + pkgs, ... }: let @@ -122,8 +123,8 @@ in systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; microvm = { - vcpu = 2; - mem = 1024 * 3; + vcpu = 4; + mem = 1024 * 4; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix index 79a71e2..86900b7 100755 --- a/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix +++ b/modules/nixos/guests/opencloud/ceresOpenCloud/default.nix @@ -50,9 +50,34 @@ in systemd = { services = { + systemd-networkd.wantedBy = [ "multi-user.target" ]; opencloud = { path = [ pkgs.inotify-tools ]; }; + opencloud-fix-permissions = { + description = "Fix OpenCloud storage permissions on file changes"; + after = [ "opencloud.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "simple"; + ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' + ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do + ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" + done + ''; + Restart = "always"; + User = "root"; + }; + }; + }; + timers.opencloud-fix-permissions = { + description = "Periodically fix OpenCloud storage permissions"; + wantedBy = [ "timers.target" ]; + timerConfig = { + OnBootSec = "1min"; + OnUnitActiveSec = "1min"; + Unit = "opencloud-fix-permissions.service"; + }; }; network = { enable = true; 
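Review bot: The chown loop in opencloud-fix-permissions runs as root on paths taken from file names under /var/lib/opencloud/storage, but `read filepath` without `-r`/`IFS=` mangles backslashes and leading blanks, and chown dereferences symlinks by default, so a symlink created inside the storage tree would redirect root's chown to whatever it points at; use `... --format '%w%f' | while IFS= read -r filepath; do` and `${pkgs.coreutils}/bin/chown -h opencloud:opencloud -- "$filepath"`. The timers.opencloud-fix-permissions unit cannot do what its description says: the service it targets is a `Type = "simple"` daemon with `Restart = "always"`, so starting it every minute is a no-op once it is up. Either drop the timer or point it at a separate oneshot service that runs a recursive chown over the storage root, which would also catch files written into a new subdirectory before `inotifywait -r` has added its watch. The enclosing systemd attribute set continues past the hunk.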
@@ -81,8 +106,6 @@ in }; - systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ]; - microvm = { vcpu = 1; mem = 1024 * 1; @@ -142,7 +165,6 @@ in opencloud ; }; - }; }; }; diff --git a/modules/nixos/guests/projectSite/default.nix b/modules/nixos/guests/projectSite/default.nix index 030d22d..b9bb425 100755 --- a/modules/nixos/guests/projectSite/default.nix +++ b/modules/nixos/guests/projectSite/default.nix @@ -15,26 +15,20 @@ in systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" ]; - microvm.vms.${serviceCfg.name} = { autostart = true; config = { system.stateVersion = "25.05"; - networking.firewall.allowedTCPPorts = [ 22 80 ]; - services.openssh = { enable = true; settings.PasswordAuthentication = false; }; - environment.etc."website".source = websitePkg; - users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; - systemd = { network = { enable = true; @@ -45,21 +39,17 @@ in }; }; }; - services.caddy = { enable = true; virtualHosts.":80".extraConfig = '' root * /etc/website - file_server - try_files {path} /index.html ''; }; - microvm = { - vcpu = 2; - mem = 1024; + vcpu = 1; + mem = 512; hypervisor = "qemu"; interfaces = [ { @@ -68,7 +58,6 @@ in mac = serviceCfg.interface.mac; } ]; - shares = [ { source = "/nix/store"; @@ -80,16 +69,13 @@ in }; }; }; - services.caddy = { enable = true; virtualHosts.${host}.extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:80 - tls /var/lib/acme/${host}/fullchain.pem /var/lib/acme/${host}/key.pem ''; }; - security.acme.certs.${host} = { dnsProvider = instances.web.dns.provider1; environmentFile = config.sops.secrets."dns/${instances.web.dns.provider1}".path; diff --git a/modules/nixos/guests/torrent/default.nix b/modules/nixos/guests/torrent/default.nix index e2901c4..caa32d8 100755 --- a/modules/nixos/guests/torrent/default.nix +++ b/modules/nixos/guests/torrent/default.nix 
@@ -120,7 +120,7 @@ in uTPEnabled = true; AlternativeGlobalDLSpeedLimit = 0; AlternativeGlobalUPSpeedLimit = 0; - GlobalMaxInactiveSeedingMinutes = 10080; + GlobalMaxInactiveSeedingMinutes = 10224; GlobalMaxRatio = -1; }; }; @@ -316,7 +316,7 @@ in }; microvm = { - vcpu = 4; + vcpu = 1; mem = 1024 * 1; hypervisor = "qemu"; @@ -362,7 +362,6 @@ in } ]; }; - environment.systemPackages = builtins.attrValues { inherit (pkgs) bottom diff --git a/modules/nixos/guests/vaultwarden/default.nix b/modules/nixos/guests/vaultwarden/default.nix index c9fcdba..1a2dc2c 100755 --- a/modules/nixos/guests/vaultwarden/default.nix +++ b/modules/nixos/guests/vaultwarden/default.nix @@ -1,6 +1,7 @@ { config, flake, + pkgs, ... }: let @@ -12,7 +13,6 @@ let dns0 = instances.web.dns.provider0; host = serviceCfg.domains.url0; dns0Path = "dns/${dns0}"; - hostSecrets = "/var/lib/secrets/${serviceCfg.name}"; in { microvm.vms = { @@ -110,7 +110,7 @@ in microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/website/default.nix b/modules/nixos/guests/website/default.nix index d175677..4ee6520 100755 --- a/modules/nixos/guests/website/default.nix +++ b/modules/nixos/guests/website/default.nix @@ -29,6 +29,7 @@ in environment.etc."website".source = websitePkg; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; + systemd = { network = { enable = true; @@ -51,7 +52,7 @@ in }; microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { diff --git a/modules/nixos/guests/zookeeper/default.nix b/modules/nixos/guests/zookeeper/default.nix index 97859b0..db7b3a6 100755 --- a/modules/nixos/guests/zookeeper/default.nix +++ b/modules/nixos/guests/zookeeper/default.nix @@ -57,7 +57,7 @@ in }; microvm = { vcpu = 1; - mem = 1024; + mem = 512; hypervisor = "qemu"; interfaces = [ { 
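Review bot: `GlobalMaxInactiveSeedingMinutes = 10224;` replaces 10080 (exactly 7 days) with a value that is 7 days plus 144 minutes, which reads like a typo or an undocumented rule. If it is intentional, spell the derivation out so the next reader does not revert it, e.g. `GlobalMaxInactiveSeedingMinutes = 7 * 24 * 60 + 144; # <reason for the extra 144 min>`.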
@@ -65,18 +65,6 @@ in id = serviceCfg.interface.id; mac = serviceCfg.interface.mac; } - { - type = "user"; - id = serviceCfg.interface.idUser; - mac = serviceCfg.interface.macUser; - } - ]; - forwardPorts = [ - { - from = "host"; - host.port = serviceCfg.interface.ssh; - guest.port = 22; - } ]; shares = [ { diff --git a/modules/nixos/services/samba/sambaEris/default.nix b/modules/nixos/services/samba/sambaEris/default.nix index 079bee9..d261aa1 100755 --- a/modules/nixos/services/samba/sambaEris/default.nix +++ b/modules/nixos/services/samba/sambaEris/default.nix @@ -17,7 +17,7 @@ in openFirewall = true; settings = { "raid0" = { - path = "/mnt/raid0"; + path = "/mnt/storage"; writable = "yes"; "valid users" = user0; "force user" = user0; @@ -29,11 +29,6 @@ in }; }; - systemd.tmpfiles.rules = [ - "d /mnt/raid0 0755 ${user0} users -" - "Z /mnt/raid0 0755 ${user0} users -" - ]; - networking = { firewall = { allowedTCPPorts = [ diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix index 65c216c..69f5ece 100755 --- a/systems/ceres/config/filesystem.nix +++ b/systems/ceres/config/filesystem.nix @@ -6,31 +6,10 @@ }: let inherit (flake.config.people) user0; - inherit (flake.config.machines.devices) eris; - erisSecrets = config.sops.secrets."network/server".path; rootDevice = "/dev/disk/by-label/root"; bootDevice = "/dev/disk/by-label/BOOT"; - sambaDrives = [ - "samba0" - ]; - - sambaFolders = [ - "raid0" - ]; - - sambaMounts = sambaDrive: folder: { - name = "${eris.${sambaDrive}.mount}/${folder}"; - value = { - device = "${eris.${sambaDrive}.device}/${folder}"; - fsType = "cifs"; - options = eris.${sambaDrive}.options ++ [ - "credentials=${erisSecrets}" - ]; - }; - }; - in { fileSystems = { @@ -77,10 +56,7 @@ in neededForBoot = true; }; - } - // (builtins.listToAttrs ( - builtins.concatMap (drive: map (folder: sambaMounts drive folder) sambaFolders) sambaDrives - )); + }; boot.initrd.postResumeCommands = lib.mkAfter '' mkdir /btrfs_tmp 
diff --git a/systems/eris/config/filesystem.nix b/systems/eris/config/filesystem.nix index 6710eb8..7e27956 100755 --- a/systems/eris/config/filesystem.nix +++ b/systems/eris/config/filesystem.nix @@ -38,12 +38,13 @@ in device = "/dev/disk/by-uuid/B645-7527"; fsType = "vfat"; }; - "/mnt/raid0" = { - device = "/dev/md127"; + "/mnt/storage" = { + device = "/dev/md0"; fsType = "ext4"; options = [ "defaults" "nofail" + "x-systemd.device-timeout=10" ]; }; } @@ -57,8 +58,12 @@ in boot.swraid.enable = true; boot.swraid.mdadmConf = '' - ARRAY /dev/md0 level=raid0 num-devices=2 metadata=1.2 + ARRAY /dev/md0 metadata=1.2 name=eris:storage UUID=64659038:a939a18d:8cdc0f3f:97171a50 ''; + systemd.tmpfiles.rules = [ + "d /mnt/storage 2775 root root -" + ]; + services.udisks2.enable = true; }
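Review bot: The new mount refers to the array by its assembled name `device = "/dev/md0";`, while the other entry in this file uses a stable `/dev/disk/by-uuid/...` path; md device naming depends on the mdadm.conf ARRAY line matching at boot, so mounting the filesystem by its own UUID or label (`device = "/dev/disk/by-uuid/<fs-uuid>"`) keeps the mount working even if the array comes up under another name. Pairing `nofail` with the added `x-systemd.device-timeout=10` is a reasonable choice for a data array that must not block boot.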
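Review bot: The new tmpfiles rule creates /mnt/storage as `2775 root root`, yet sambaEris now exports that same path with `writable = "yes"` and `"force user" = user0`; unless user0 is in group root or the ext4 root is re-owned elsewhere, writes at the top of the share will be denied, and the setgid bit makes new top-level directories group root. The rule on ceres that this replaces used `${user0} users`, so the intended line is probably `"d /mnt/storage 2775 ${user0} users -"` (plus a `Z` rule if existing contents need fixing). Since systemd-tmpfiles-setup runs after local-fs.target, the rule should apply to the mounted filesystem root rather than only the placeholder directory, so the ownership it sets is what Samba clients will see.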