feat: more nextcloud/container config

2023-12-18 02:11:24 +01:00 · 2023-12-18 02:11:24 +01:00 · f0b572c6ed
parent ea259bb80b
commit f0b572c6ed
13 changed files with 67 additions and 49 deletions
--- a/flake.nix
+++ b/flake.nix
@ -124,8 +124,9 @@
        hosts
        nixosConfigurations
        minimalConfigurations
+        guestConfigurations
        ;
-      nodes = self.nixosConfigurations;
+      nodes = self.nixosConfigurations // self.guestConfigurations;

      inherit
        (lib.foldl' lib.recursiveUpdate {}
--- a/hosts/desktopnix/default.nix
+++ b/hosts/desktopnix/default.nix
@ -50,4 +50,5 @@
  system.activationScripts.decryptKey.text = ''
    ln -f -s ${../../keys/PatC.key} /run/decrypt.key.pub
  '';
+  boot.binfmt.emulatedSystems = ["aarch64-linux"];
 }
--- a/hosts/testienix/secrets/guests/nextcloud/generated/dhparams.pem.age
+++ b/hosts/testienix/secrets/guests/nextcloud/generated/dhparams.pem.age
--- a/lib/containers.nix
+++ b/lib/containers.nix
@ -2,19 +2,32 @@ inputs: _self: super: {
  lib =
    super.lib
    // {
-      containers.mkConfig = name: config:
+      containers.mkConfig = name: attrs: config:
        super.lib.mkMerge [
          {
            config = {
              imports = [
-                ../modules/config/impermanence
-                ../modules/config/net.nix
+                ../modules/services/nginx.nix
+                ../modules/config
                ../modules/interface-naming.nix
-
-                inputs.impermanence.nixosModules.impermanence
              ];
+              node.name = name;
+              node.secretsDir = "${attrs.config.node.secretsDir}/guests/${name}";
+              nixpkgs = {
+                hostPlatform = attrs.config.nixpkgs.hostPlatform;
+                overlays = attrs.pkgs.overlays;
+                config = attrs.pkgs.config;
+              };
+              boot.initrd.systemd.enable = super.lib.mkForce false;
+            };
+            specialArgs = {
+              inherit (attrs) lib inputs minimal stateVersion;
            };

+            autoStart = true;
+            macvlans = [
+              "lan01:lan01-${name}"
+            ];
            ephemeral = true;
            bindMounts = {
              "state" = {
@ -29,8 +42,6 @@ inputs: _self: super: {
              };
            };
            zfs.mountpoint = super.lib.mkDefault "/containers/${name}";
-            #config = {...}: {
-            #};
          }
          config
        ];
--- a/modules/config/boot.nix
+++ b/modules/config/boot.nix
@ -4,7 +4,7 @@
  pkgs,
  ...
 }: {
-  boot = {
+  boot = lib.mkIf (!config.boot.isContainer) {
    initrd.systemd = {
      enable = true;
      emergencyAccess = config.secrets.secrets.global.users.root.passwordHash;
--- a/modules/config/impermanence/default.nix
+++ b/modules/config/impermanence/default.nix
@ -12,32 +12,24 @@ in {
  environment.persistence."/state" = {
    hideMounts = true;

-    files = onlyHost [
-      "/etc/machine-id"
-      "/etc/ssh/ssh_host_ed25519_key"
-      "/etc/ssh/ssh_host_ed25519_key.pub"
-    ];
-    directories =
+    files =
      [
-        "/var/log"
-        "/var/lib/systemd"
-        "/var/lib/nixos"
-        {
-          directory = "/var/tmp/agenix-rekey";
-          mode = "0777";
-        }
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
      ]
-      ++ lib.lists.optionals config.security.acme.acceptTerms [
-        {
-          directory = "/var/lib/acme";
-          user = "acme";
-          group = "acme";
-          mode = "0755";
-        }
-      ]
-      ++ lib.lists.optionals config.hardware.bluetooth.enable [
-        "/var/lib/bluetooth"
+      ++ lib.lists.optionals (!config.boot.isContainer)
+      [
+        "/etc/machine-id"
      ];
+    directories = [
+      "/var/log"
+      "/var/lib/systemd"
+      "/var/lib/nixos"
+      {
+        directory = "/var/tmp/agenix-rekey";
+        mode = "0777";
+      }
+    ];
  };
  environment.persistence."/persist" = {
    hideMounts = true;
--- a/modules/config/system.nix
+++ b/modules/config/system.nix
@ -60,8 +60,6 @@
    nvd
  ];

-  boot.binfmt.emulatedSystems = ["aarch64-linux" "mips-linux"];
-
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";

  secrets.secretFiles = let
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -19,6 +19,8 @@
    fwupd-refresh = uidGid 210;
    podman = uidGid 211;
    acme = uidGid 212;
+    nextcloud = uidGid 213;
+    redis-nextcloud = uidGid 214;
    systemd-oom = uidGid 300;
    systemd-coredump = uidGid 301;
  };
--- a/modules/hardware/bluetooth.nix
+++ b/modules/hardware/bluetooth.nix
@ -24,4 +24,7 @@
    '';
    extraModules = with pkgs; [pulseaudio-modules-bt];
  };
+  environment.persistence."/state".directories = [
+    "/var/lib/bluetooth"
+  ];
 }
--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@ -26,4 +26,12 @@
    extraDomainNames = ["*.${value}"];
  });
  users.groups.acme.members = ["nginx"];
+  environment.persistence."/state".directories = [
+    {
+      directory = "/var/lib/acme";
+      user = "acme";
+      group = "acme";
+      mode = "0755";
+    }
+  ];
 }
--- a/modules/services/containers.nix
+++ b/modules/services/containers.nix
@ -38,7 +38,7 @@ in {
            dataset = mkOption {
              type = types.str;
              default = "safe/containers/${name}";
-              description = mdDoc "The host's dataset that should be used for this containers persistent data (will automatically be created, parent dataset must exist)";
+              description = mdDoc "The host's dataset that should be used for this containers persistent data (will automatically be created)";
            };

            mountpoint = mkOption {
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@ -2,8 +2,9 @@
  lib,
  stateVersion,
  config,
+  pkgs, # not unused neede for the usage of attrs later to contains pkgs
  ...
-}: let
+} @ attrs: let
  hostName = "nc.${config.secrets.secrets.global.domains.mail}";
 in {
  imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
@ -11,6 +12,7 @@ in {
    enable = true;
    upstreams.nextcloud = {
      servers."192.168.178.33:80" = {};
+
      extraConfig = ''
        zone nextcloud 64k ;
        keepalive 5 ;
@ -22,15 +24,11 @@ in {
      locations."/".proxyPass = "http://nextcloud";
    };
  };
-  containers.nextcloud = lib.containers.mkConfig "nextcloud" {
-    autoStart = true;
+  containers.nextcloud = lib.containers.mkConfig "nextcloud" attrs {
    zfs = {
      enable = true;
      pool = "panzer";
    };
-    macvlans = [
-      "lan01:lan01-nextcloud"
-    ];
    config = {
      config,
      pkgs,
@ -48,6 +46,14 @@ in {
          };
        };
      };
+      environment.persistence."/persist".directories = [
+        {
+          directory = config.services.nextcloud.home;
+          user = "nextcloud";
+          group = "nextcloud";
+          mode = "750";
+        }
+      ];
      services.nextcloud = {
        inherit hostName;
        enable = true;
@ -95,13 +101,8 @@ in {
 #wireguard
 #samba/printer finding
 #vaultwarden
-#nextcloud
-#acme
-#nginx
 #maddy
 #kanidm
-#xdg portals
-#zfs snapshots
 #remote backups
 #immich

--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -51,14 +51,15 @@ inputs: let
  # True NixOS nodes can define additional microvms (guest nodes) that are built
  # together with the true host. We collect all defined microvm nodes
  # from each node here to allow accessing any node via the unified attribute `nodes`.
-  microvmConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node:
+  guestConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node:
    mapAttrs'
-    (vm: def: nameValuePair def.nodeName node.config.microvm.vms.${vm}.config)
-    (node.config.meta.microvms.vms or {}));
+    (vm: def: nameValuePair vm {config = node.config.containers.${vm}.config;})
+    (node.config.containers or {}));
 in {
  inherit
    hosts
    nixosConfigurations
    minimalConfigurations
+    guestConfigurations
    ;
 }