{ flake, config, ... }: let inherit (flake.config.people) user0; inherit (flake.config.people.users.${user0}) email; inherit (flake.config.services) instances; serviceCfg = instances.firefly-iii; smtpCfg = instances.smtp; hostCfg = instances.web; host = serviceCfg.domains.url0; dns = instances.web.dns.provider0; dnsPath = "dns/${dns}"; in { microvm.vms = { ${serviceCfg.name} = { autostart = true; restartIfChanged = true; config = { system.stateVersion = "24.05"; time.timeZone = "America/Winnipeg"; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; services = { firefly-iii = { enable = true; enableNginx = false; poolConfig = { "listen.owner" = config.services.caddy.user; "pm" = "dynamic"; "pm.max_children" = 32; "pm.start_servers" = 2; "pm.min_spare_servers" = 2; "pm.max_spare_servers" = 4; "pm.max_requests" = 500; }; settings = { APP_URL = "https://${host}"; APP_KEY_FILE = "/etc/firefly-secrets/pass"; DB_PASSWORD_FILE = "/etc/firefly-secrets/data"; DB_CONNECTION = "pgsql"; DB_HOST = "/run/postgresql"; DB_DATABASE = "firefly-iii"; DB_USERNAME = "firefly-iii"; MAIL_MAILER = smtpCfg.name; MAIL_HOST = smtpCfg.hostname; MAIL_PORT = smtpCfg.ports.port0; MAIL_FROM = smtpCfg.email.address0; MAIL_USERNAME = smtpCfg.email.address0; MAIL_PASSWORD_FILE = "/etc/firefly-secrets/smtp"; MAIL_ENCRYPTION = "tls"; SITE_OWNER = email.address2; }; }; phpfpm.pools.firefly-iii.phpEnv = { TRUSTED_PROXIES = "*"; APP_URL = "https://${host}"; }; firefly-iii-data-importer = { enable = true; }; caddy = { enable = true; virtualHosts.":80" = { extraConfig = '' root * ${config.services.firefly-iii.package}/public file_server encode gzip php_fastcgi unix//run/phpfpm/firefly-iii.sock { env HTTPS {http.request.header.X-Forwarded-Proto} env HTTP_X_FORWARDED_PROTO {http.request.header.X-Forwarded-Proto} } ''; }; }; postgresql = { enable = true; ensureDatabases = [ "firefly-iii" ]; ensureUsers = [ { name = "firefly-iii"; ensureDBOwnership = true; } ]; }; openssh = { enable = true; settings = { PasswordAuthentication = false; PermitRootLogin = "prohibit-password"; }; }; }; users.users.caddy = { extraGroups = [ "firefly-iii" ]; }; networking.firewall.allowedTCPPorts = [ 22 80 serviceCfg.ports.port0 serviceCfg.ports.port1 ]; systemd = { services = { caddy = { after = [ "phpfpm-firefly-iii.service" ]; requires = [ "phpfpm-firefly-iii.service" ]; }; fix-secrets-permissions = { description = "Fix secrets permissions for firefly-iii"; wantedBy = [ "multi-user.target" ]; before = [ "firefly-iii-setup.service" "phpfpm-firefly-iii.service" ]; serviceConfig = { Type = "oneshot"; RemainAfterExit = true; }; script = '' mkdir -p /etc/firefly-secrets cp /run/secrets/pass /etc/firefly-secrets/pass cp /run/secrets/data /etc/firefly-secrets/data cp /run/secrets/smtp /etc/firefly-secrets/smtp chmod 755 /etc/firefly-secrets chmod 644 /etc/firefly-secrets/* ''; }; systemd-networkd.wantedBy = [ "multi-user.target" ]; }; network = { enable = true; networks."20-lan" = { matchConfig.Name = "enp0s6"; addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; routes = [ { Destination = "${hostCfg.localhost.address1}/0"; Gateway = serviceCfg.interface.gate; } ]; dns = [ "1.1.1.1" "8.8.8.8" ]; }; }; tmpfiles.rules = [ "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -" ]; }; microvm = { vcpu = 1; mem = 1024; hypervisor = "qemu"; interfaces = [ { type = "tap"; id = serviceCfg.interface.id; mac = serviceCfg.interface.mac; } { type = "user"; id = serviceCfg.interface.idUser; mac = serviceCfg.interface.macUser; } ]; forwardPorts = [ { from = "host"; host.port = serviceCfg.interface.ssh; guest.port = 22; } ]; shares = [ { mountPoint = "/nix/.ro-store"; proto = "virtiofs"; source = "/nix/store"; tag = "read_only_nix_store"; } { mountPoint = "/var/lib/${serviceCfg.name}"; proto = "virtiofs"; source = "${serviceCfg.mntPaths.path0}/data"; tag = "${serviceCfg.name}_data"; } { mountPoint = "/var/lib/postgresql"; proto = "virtiofs"; source = "${serviceCfg.mntPaths.path0}/database"; tag = "${serviceCfg.name}_database"; } { mountPoint = "/run/secrets"; proto = "virtiofs"; source = "/run/secrets/${serviceCfg.name}"; tag = "host_secrets"; } ]; }; }; }; }; systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/data 0751 microvm wheel - -" "d ${serviceCfg.mntPaths.path0}/database 0751 microvm wheel - -" ]; sops = { secrets = builtins.listToAttrs ( map (secret: { name = "${serviceCfg.name}/${secret}"; value = { owner = "root"; group = "root"; mode = "0644"; }; }) [ "pass" "data" "smtp" ] ); }; users.users.caddy.extraGroups = [ "acme" ]; security.acme.certs."${host}" = { dnsProvider = dns; environmentFile = config.sops.secrets.${dnsPath}.path; group = "caddy"; }; services.caddy.virtualHosts."${host}" = { extraConfig = '' reverse_proxy http://${serviceCfg.interface.ip}:80 { header_up X-Forwarded-Proto https header_up X-Forwarded-Host {host} } tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key} encode zstd gzip ''; }; }