{ config, flake, pkgs, ... }: let inherit (flake.config.people) user0; inherit (flake.config.services) instances; serviceCfg = instances.opencloud0; hostCfg = instances.web; dns = instances.web.dns.provider0; localhost = instances.web.localhost.address1; host = serviceCfg.domains.url0; dnsPath = "dns/${dns}"; in { microvm.vms = { opencloud = { autostart = true; restartIfChanged = true; config = { system.stateVersion = "24.05"; time.timeZone = "America/Winnipeg"; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; services = { opencloud = { enable = true; url = "https://${host}"; port = serviceCfg.ports.port0; address = localhost; stateDir = "/var/lib/${serviceCfg.name}"; environmentFile = "/run/secrets/env"; }; openssh = { enable = true; settings = { PasswordAuthentication = false; PermitRootLogin = "prohibit-password"; }; }; }; networking.firewall.allowedTCPPorts = [ 22 # SSH 587 # SMTP serviceCfg.ports.port0 ]; systemd = { services = { systemd-networkd.wantedBy = [ "multi-user.target" ]; opencloud = { path = [ pkgs.inotify-tools ]; }; opencloud-fix-permissions = { description = "Fix OpenCloud storage permissions on file changes"; after = [ "opencloud.service" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "simple"; ExecStart = pkgs.writeShellScript "fix-perms-on-change" '' ${pkgs.inotify-tools}/bin/inotifywait -m -r -e create,moved_to /var/lib/opencloud/storage --format '%w%f' | while read filepath; do ${pkgs.coreutils}/bin/chown opencloud:opencloud "$filepath" done ''; Restart = "always"; User = "root"; }; }; }; timers.opencloud-fix-permissions = { description = "Periodically fix OpenCloud storage permissions"; wantedBy = [ "timers.target" ]; timerConfig = { OnBootSec = "1min"; OnUnitActiveSec = "1min"; Unit = "opencloud-fix-permissions.service"; }; }; network = { enable = true; networks."20-lan" = { matchConfig.Name = "enp0s6"; addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; routes = [ { Destination = "${hostCfg.localhost.address1}/0"; Gateway = serviceCfg.interface.gate; } ]; dns = [ "1.1.1.1" "8.8.8.8" ]; }; }; tmpfiles.rules = [ "d ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; microvm = { vcpu = 1; mem = 1024 * 1; hypervisor = "qemu"; interfaces = [ { type = "tap"; id = serviceCfg.interface.id; mac = serviceCfg.interface.mac; } { type = "user"; id = serviceCfg.interface.idUser; mac = serviceCfg.interface.macUser; } ]; forwardPorts = [ { from = "host"; host.port = serviceCfg.interface.ssh; guest.port = 22; } ]; shares = [ { mountPoint = "/nix/.ro-store"; proto = "virtiofs"; source = "/nix/store"; tag = "read_only_nix_store"; } { mountPoint = "/var/lib/${serviceCfg.name}"; proto = "virtiofs"; source = "${serviceCfg.mntPaths.path0}/data"; tag = "${serviceCfg.name}_data"; } { mountPoint = "/etc/opencloud"; proto = "virtiofs"; source = "${serviceCfg.mntPaths.path0}/config"; tag = "${serviceCfg.name}_config"; } { mountPoint = "/run/secrets"; proto = "virtiofs"; source = "/run/secrets/${serviceCfg.name}"; tag = "host_secrets"; } ]; }; environment.systemPackages = builtins.attrValues { inherit (pkgs) opencloud ; }; }; }; }; security.acme.certs."${host}" = { dnsProvider = dns; environmentFile = config.sops.secrets.${dnsPath}.path; group = "caddy"; }; services.caddy.virtualHosts = { "${host}" = { extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} { header_up X-Real-IP {remote_host} } redir /.well-known/carddav /remote.php/dav/ 301 redir /.well-known/caldav /remote.php/dav/ 301 tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} ''; }; }; users.users.caddy.extraGroups = [ "acme" ]; systemd = { tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/config 0751 microvm wheel - -" ]; }; sops.secrets = { "${serviceCfg.name}/env" = { owner = "root"; mode = "0600"; }; }; }