feat: acme/ddclient/nextcloud container

flake.nix

@@ -122,11 +122,10 @@
       inherit
         (import ./nix/hosts.nix inputs)
         hosts
-        microvmConfigurations
         nixosConfigurations
         minimalConfigurations
         ;
-      nodes = self.nixosConfigurations // self.microvmConfigurations;
+      nodes = self.nixosConfigurations;
 
       inherit
         (lib.foldl' lib.recursiveUpdate {}

hosts/testienix/fs.nix

@@ -115,6 +115,7 @@
   };
 
   fileSystems."/state".neededForBoot = true;
+  fileSystems."/persist".neededForBoot = true;
   fileSystems."/panzer/state".neededForBoot = true;
   fileSystems."/panzer/persist".neededForBoot = true;
   boot.initrd.luks.devices.enc-rpool.allowDiscards = true;

lib/containers.nix

@@ -1,18 +1,30 @@
-_inputs: _self: super: {
+inputs: _self: super: {
   lib =
     super.lib
     // {
       containers.mkConfig = name: config:
         super.lib.mkMerge [
           {
+            config = {
+              imports = [
+                ../modules/config/impermanence
+                ../modules/config/net.nix
+                ../modules/interface-naming.nix
+
+                inputs.impermanence.nixosModules.impermanence
+              ];
+            };
+
             bindMounts = {
               "state" = {
                 mountPoint = "/state";
                 hostPath = "/state/containers/${name}";
+                isReadOnly = false;
               };
               "persist" = {
                 mountPoint = "/persist";
                 hostPath = "/containers/${name}";
+                isReadOnly = false;
               };
             };
             zfs.mountpoint = super.lib.mkDefault "/containers/${name}";

lib/test.nix

@@ -0,0 +1,9 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  networking.hostName = "lololo";
+  programs.fuse.userAllowOther = true;
+  environment.systemPackages = [pkgs.hello];
+}

modules/config/home-manager.nix

@@ -4,6 +4,7 @@
   pkgs,
   ...
 }: {
+  imports = [./impermanence/users.nix];
   home-manager = {
     useGlobalPkgs = true;
     useUserPackages = true;

modules/config/impermanence/default.nix

@@ -3,14 +3,16 @@
   lib,
   pkgs,
   ...
-}: {
-  imports = [./users.nix];
+}: let
+  onlyHost =
+    lib.mkIf (!config.boot.isContainer);
+in {
   # to allow all users to access hm managed persistent folders
   programs.fuse.userAllowOther = true;
   environment.persistence."/state" = {
     hideMounts = true;
 
-    files = [
+    files = onlyHost [
       "/etc/machine-id"
       "/etc/ssh/ssh_host_ed25519_key"
       "/etc/ssh/ssh_host_ed25519_key.pub"
@@ -25,20 +27,34 @@
           mode = "0777";
         }
       ]
+      ++ lib.lists.optionals config.security.acme.acceptTerms [
+        {
+          directory = "/var/lib/acme";
+          user = "acme";
+          group = "acme";
+          mode = "0755";
+        }
+      ]
       ++ lib.lists.optionals config.hardware.bluetooth.enable [
         "/var/lib/bluetooth"
       ];
   };
+  environment.persistence."/persist" = {
+    hideMounts = true;
+    directories = [];
+  };
 
   # After importing the rpool, rollback the root system to be empty.
-  boot.initrd.systemd.services.impermanence-root = {
-    wantedBy = ["initrd.target"];
-    after = ["zfs-import-rpool.service"];
-    before = ["sysroot.mount"];
-    unitConfig.DefaultDependencies = "no";
-    serviceConfig = {
-      Type = "oneshot";
-      ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+  boot.initrd.systemd.services.impermanence-root =
+    onlyHost
+    {
+      wantedBy = ["initrd.target"];
+      after = ["zfs-import-rpool.service"];
+      before = ["sysroot.mount"];
+      unitConfig.DefaultDependencies = "no";
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = "${pkgs.zfs}/bin/zfs rollback -r rpool/local/root@blank";
+      };
     };
-  };
 }

modules/config/impermanence/users.nix

@@ -10,8 +10,10 @@
     attrNames
     mkOption
     types
+    hasAttr
     mkMerge
     isAttrs
+    mkIf
     ;
 in {
   # Expose a home manager module for each user that allows extending

modules/config/net.nix

@@ -6,11 +6,13 @@
   networking = {
     useNetworkd = true;
     dhcpcd.enable = false;
+    firewall.enable = true;
     # allow mdns port
     firewall.allowedUDPPorts = [5353];
-    renameInterfacesByMac =
+    renameInterfacesByMac = lib.mkIf (!config.boot.isContainer) (
       lib.mapAttrs (_: v: v.mac)
-      (config.secrets.secrets.local.networking.interfaces or {});
+      (config.secrets.secrets.local.networking.interfaces or {})
+    );
   };
   systemd.network = {
     enable = true;

modules/config/users.nix

@@ -18,6 +18,7 @@
     avahi = uidGid 209;
     fwupd-refresh = uidGid 210;
     podman = uidGid 211;
+    acme = uidGid 212;
     systemd-oom = uidGid 300;
     systemd-coredump = uidGid 301;
   };

modules/services/acme.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}: {
+  age.secrets.cloudflare_token_acme = {
+    rekeyFile = ../../secrets/cloudflare/api_token.age;
+    mode = "440";
+    group = "acme";
+  };
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = config.secrets.secrets.global.devEmail;
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+      credentialFiles = {
+        "CF_DNS_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+        "CF_ZONE_API_TOKEN_FILE" = config.age.secrets.cloudflare_token_acme.path;
+      };
+    };
+  };
+  security.acme.certs = lib.flip lib.mapAttrs config.secrets.secrets.global.domains (_: value: {
+    domain = value;
+    extraDomainNames = ["*.${value}"];
+  });
+  users.groups.acme.members = ["nginx"];
+}

modules/services/ddclient.nix

@@ -0,0 +1,14 @@
+{config, ...}: {
+  age.secrets.cloudflare_token_dns = {
+    rekeyFile = ../../secrets/cloudflare/api_token.age;
+    mode = "440";
+  };
+  services.ddclient = {
+    enable = true;
+    zone = config.secrets.secrets.global.domains.mail;
+    protocol = "Cloudflare";
+    username = "token";
+    passwordFile = config.age.secrets.cloudflare_token_dns.path;
+    domains = [config.secrets.secrets.global.domains.mail];
+  };
+}

modules/services/nextcloud.nix

@@ -1,9 +1,27 @@
 {
   lib,
   stateVersion,
+  config,
   ...
-}: {
-  imports = [./containers.nix];
+}: let
+  hostName = "nc.${config.secrets.secrets.global.domains.mail}";
+in {
+  imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
+  services.nginx = {
+    enable = true;
+    upstreams.nextcloud = {
+      servers."192.168.178.33:80" = {};
+      extraConfig = ''
+        zone nextcloud 64k ;
+        keepalive 5 ;
+      '';
+    };
+    virtualHosts.${hostName} = {
+      forceSSL = true;
+      useACMEHost = "mail";
+      locations."/".proxyPass = "http://nextcloud";
+    };
+  };
   containers.nextcloud = lib.containers.mkConfig "nextcloud" {
     autoStart = true;
     zfs = {
@@ -18,11 +36,41 @@
       pkgs,
       ...
     }: {
+      systemd.network.networks = {
+        "lan01" = {
+          address = ["192.168.178.33/24"];
+          gateway = ["192.168.178.1"];
+          matchConfig.Name = "mv-lan01*";
+          dns = ["192.168.178.2"];
+          networkConfig = {
+            IPv6PrivacyExtensions = "yes";
+            MulticastDNS = true;
+          };
+        };
+      };
       services.nextcloud = {
+        inherit hostName;
         enable = true;
         package = pkgs.nextcloud27;
-        hostName = "localhost";
+        configureRedis = true;
         config.adminpassFile = "${pkgs.writeText "adminpass" "test123"}"; # DON'T DO THIS IN PRODUCTION - the password file will be world-readable in the Nix Store!
+        extraApps = with config.services.nextcloud.package.packages.apps; {
+          inherit contacts calendar tasks;
+        };
+        extraAppsEnable = true;
+        extraOptions.enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+          "OC\\Preview\\HEIC"
+        ];
       };
 
       system.stateVersion = stateVersion;

modules/services/nginx.nix

@@ -52,6 +52,8 @@ in {
       mode = "440";
       group = "nginx";
     };
+    security.acme.acceptTerms = true;
+    security.acme.defaults.email = config.secrets.secrets.global.devEmail;
 
     # Sensible defaults for nginx
     services.nginx = {

nix/hosts.nix

@@ -58,7 +58,6 @@ inputs: let
 in {
   inherit
     hosts
-    microvmConfigurations
     nixosConfigurations
     minimalConfigurations
     ;

secrets/cloudflare/api_token.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> X25519 j1vdwUZ+o5coMFAaOCyiS42rLq7FPX6xwuWmoHcN61U
+m1QEYj4NW5IdNsFh26Uhwe2Sg1ggkvTYB92S4B2lC8M
+-> piv-p256 XTQkUA AhjsxoVBz3h/1Sj+cwnT7gpcE6SDMhNOBMU9nP+gfC5G
+a7E3dolF4QaxTVpJBOKA314INK32eTdDykDyRT+/8XQ
+-> piv-p256 ZFgiIw Ah49xwjTzvroi4R90URbbE0yY15w+OvUsWZ2cQdYHs/w
+4i6XZ8lwOeWinlU1IiCgUBTSWMzxuPyvYKRbz6GqNUk
+-> piv-p256 ZFgiIw A49Cv751h0WJYL6qPceFVwjbGVpF668SGKVjHq/lQ4Rs
+AAGD0jOCHIOAIBk872SJwe2mCx69xn/1ZjiswebgU0w
+-> K("0$@8-grease z`/W }"_xiVH <~Bj._
+
+--- /NUrs98fD72LqCIYVOzrUhFNhxGivAEOZ9pob65I2fI
+8î:(#­–¥aô[8@BÊ4èÝ|ÍC7!³>Ù?¬Œ›`5á‰o‡Þr
õB´ˆ°y`óAIJ;)÷Å&“)@ÝÎB²¹Ï¡ñ´¾Q