{ flake, pkgs, ... }: let inherit (flake.config.people) user0; serviceCfg = { name = "opencloud"; }; in { opencloudVM = { user, ip, mac, userMac, ssh, host, }: { microvm.vms = { "${serviceCfg.name}-${user}" = { autostart = true; restartIfChanged = true; config = { system.stateVersion = "24.05"; time.timeZone = "America/Winnipeg"; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; services = { opencloud = { enable = true; url = "https://${host}"; port = 9200; address = "0.0.0.0"; stateDir = "/var/lib/${serviceCfg.name}"; environmentFile = "/run/secrets/${user}-env"; }; openssh = { enable = true; settings = { PasswordAuthentication = false; PermitRootLogin = "prohibit-password"; }; }; }; networking.firewall.allowedTCPPorts = [ 22 587 9200 ]; systemd = { services = { systemd-networkd.wantedBy = [ "multi-user.target" ]; opencloud = { path = [ pkgs.inotify-tools ]; }; opencloud-fix-permissions = { description = "Fix OpenCloud storage permissions"; after = [ "opencloud.service" ]; serviceConfig = { Type = "oneshot"; ExecStart = pkgs.writeShellScript "fix-perms" '' echo "Starting permission fix..." OPENCLOUD_UID=$(id -u opencloud) echo "OpenCloud UID: $OPENCLOUD_UID" find /var/lib/opencloud/storage/users -type f ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r file; do echo "Fixing file: $file" chown opencloud:opencloud "$file" 2>/dev/null || true done find /var/lib/opencloud/storage/users -type d ! -uid "$OPENCLOUD_UID" 2>/dev/null | while read -r dir; do echo "Fixing dir: $dir" chown opencloud:opencloud "$dir" 2>/dev/null || true done echo "Permission fix complete" ''; User = "root"; }; }; }; timers.opencloud-fix-permissions = { description = "Periodically fix OpenCloud storage permissions"; wantedBy = [ "timers.target" ]; timerConfig = { OnBootSec = "30s"; OnUnitActiveSec = "2min"; Unit = "opencloud-fix-permissions.service"; }; }; network = { enable = true; networks."20-lan" = { matchConfig.Name = "enp0s6"; addresses = [ { Address = "${ip}/24"; } ]; routes = [ { Destination = "0.0.0.0/0"; Gateway = "192.168.50.1"; } ]; dns = [ "1.1.1.1" "8.8.8.8" ]; }; }; tmpfiles.rules = [ "d /var/lib/${serviceCfg.name} 0755 ${serviceCfg.name} ${serviceCfg.name} -" "z /etc/opencloud 0700 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; microvm = { vcpu = 1; mem = 512; hypervisor = "qemu"; interfaces = [ { type = "tap"; id = "vm-oc-${user}"; mac = mac; } { type = "user"; id = "vmuser-cloud"; mac = userMac; } ]; forwardPorts = [ { from = "host"; host.port = ssh; guest.port = 22; } ]; shares = [ { mountPoint = "/nix/.ro-store"; proto = "virtiofs"; source = "/nix/store"; tag = "read_only_nix_store"; } { mountPoint = "/var/lib/${serviceCfg.name}"; proto = "virtiofs"; source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}/data"; tag = "${serviceCfg.name}_${user}_data"; } { mountPoint = "/etc/${serviceCfg.name}"; proto = "virtiofs"; source = "/mnt/storage/users/${user}/guests/${serviceCfg.name}/config"; tag = "${serviceCfg.name}_${user}_config"; } { mountPoint = "/run/secrets"; proto = "virtiofs"; source = "/run/secrets/${serviceCfg.name}"; tag = "host_secrets"; } ]; }; environment.systemPackages = builtins.attrValues { inherit (pkgs) inotify-tools opencloud ; }; }; }; }; systemd.tmpfiles.rules = [ "d /mnt/storage/users/${user}/guests/${serviceCfg.name} 0751 microvm wheel - -" "d /mnt/storage/users/${user}/guests/${serviceCfg.name}/config 0751 microvm wheel - -" "d /mnt/storage/users/${user}/guests/${serviceCfg.name}/data 0751 microvm wheel - -" ]; sops.secrets = { "${serviceCfg.name}/${user}-env" = { owner = "root"; mode = "0600"; }; }; }; }