feat: more nextcloud/container config

2023-12-18 02:11:24 +01:00 · 2023-12-18 02:11:24 +01:00 · f0b572c6ed
parent ea259bb80b
commit f0b572c6ed
13 changed files with 67 additions and 49 deletions
--- a/flake.nix
+++ b/flake.nix
@ -124,8 +124,9 @@
        hosts
        nixosConfigurations
        minimalConfigurations
        guestConfigurations
        ;
-      nodes = self.nixosConfigurations;
+      nodes = self.nixosConfigurations // self.guestConfigurations;
      inherit
        (lib.foldl' lib.recursiveUpdate {}
--- a/hosts/desktopnix/default.nix
+++ b/hosts/desktopnix/default.nix
@ -50,4 +50,5 @@
  system.activationScripts.decryptKey.text = ''
    ln -f -s ${../../keys/PatC.key} /run/decrypt.key.pub
  '';
  boot.binfmt.emulatedSystems = ["aarch64-linux"];
 }
--- a/hosts/testienix/secrets/guests/nextcloud/generated/dhparams.pem.age
+++ b/hosts/testienix/secrets/guests/nextcloud/generated/dhparams.pem.age
--- a/lib/containers.nix
+++ b/lib/containers.nix
@ -2,19 +2,32 @@ inputs: _self: super: {
  lib =
    super.lib
    // {
-      containers.mkConfig = name: config:
+      containers.mkConfig = name: attrs: config:
        super.lib.mkMerge [
          {
            config = {
              imports = [
-                ../modules/config/impermanence
+                ../modules/services/nginx.nix
-                ../modules/config/net.nix
+                ../modules/config
                ../modules/interface-naming.nix
                inputs.impermanence.nixosModules.impermanence
              ];
              node.name = name;
              node.secretsDir = "${attrs.config.node.secretsDir}/guests/${name}";
              nixpkgs = {
                hostPlatform = attrs.config.nixpkgs.hostPlatform;
                overlays = attrs.pkgs.overlays;
                config = attrs.pkgs.config;
              };
              boot.initrd.systemd.enable = super.lib.mkForce false;
            };
            specialArgs = {
              inherit (attrs) lib inputs minimal stateVersion;
            };
            autoStart = true;
            macvlans = [
              "lan01:lan01-${name}"
            ];
            ephemeral = true;
            bindMounts = {
              "state" = {
@ -29,8 +42,6 @@ inputs: _self: super: {
              };
            };
            zfs.mountpoint = super.lib.mkDefault "/containers/${name}";
            #config = {...}: {
            #};
          }
          config
        ];
--- a/modules/config/boot.nix
+++ b/modules/config/boot.nix
@ -4,7 +4,7 @@
  pkgs,
  ...
 }: {
-  boot = {
+  boot = lib.mkIf (!config.boot.isContainer) {
    initrd.systemd = {
      enable = true;
      emergencyAccess = config.secrets.secrets.global.users.root.passwordHash;
--- a/modules/config/impermanence/default.nix
+++ b/modules/config/impermanence/default.nix
@ -12,32 +12,24 @@ in {
  environment.persistence."/state" = {
    hideMounts = true;
-    files = onlyHost [
+    files =
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
    ];
    directories =
      [
-        "/var/log"
+        "/etc/ssh/ssh_host_ed25519_key"
-        "/var/lib/systemd"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/var/lib/nixos"
        {
          directory = "/var/tmp/agenix-rekey";
          mode = "0777";
        }
      ]
-      ++ lib.lists.optionals config.security.acme.acceptTerms [
+      ++ lib.lists.optionals (!config.boot.isContainer)
-        {
+      [
-          directory = "/var/lib/acme";
+        "/etc/machine-id"
          user = "acme";
          group = "acme";
          mode = "0755";
        }
      ]
      ++ lib.lists.optionals config.hardware.bluetooth.enable [
        "/var/lib/bluetooth"
      ];
    directories = [
      "/var/log"
      "/var/lib/systemd"
      "/var/lib/nixos"
      {
        directory = "/var/tmp/agenix-rekey";
        mode = "0777";
      }
    ];
  };
  environment.persistence."/persist" = {
    hideMounts = true;
--- a/modules/config/system.nix
+++ b/modules/config/system.nix
@ -60,8 +60,6 @@
    nvd
  ];
  boot.binfmt.emulatedSystems = ["aarch64-linux" "mips-linux"];
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  secrets.secretFiles = let
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -19,6 +19,8 @@
    fwupd-refresh = uidGid 210;
    podman = uidGid 211;
    acme = uidGid 212;
    nextcloud = uidGid 213;
    redis-nextcloud = uidGid 214;
    systemd-oom = uidGid 300;
    systemd-coredump = uidGid 301;
  };
--- a/modules/hardware/bluetooth.nix
+++ b/modules/hardware/bluetooth.nix
@ -24,4 +24,7 @@
    '';
    extraModules = with pkgs; [pulseaudio-modules-bt];
  };
  environment.persistence."/state".directories = [
    "/var/lib/bluetooth"
  ];
 }
--- a/modules/services/acme.nix
+++ b/modules/services/acme.nix
@ -26,4 +26,12 @@
    extraDomainNames = ["*.${value}"];
  });
  users.groups.acme.members = ["nginx"];
  environment.persistence."/state".directories = [
    {
      directory = "/var/lib/acme";
      user = "acme";
      group = "acme";
      mode = "0755";
    }
  ];
 }
--- a/modules/services/containers.nix
+++ b/modules/services/containers.nix
@ -38,7 +38,7 @@ in {
            dataset = mkOption {
              type = types.str;
              default = "safe/containers/${name}";
-              description = mdDoc "The host's dataset that should be used for this containers persistent data (will automatically be created, parent dataset must exist)";
+              description = mdDoc "The host's dataset that should be used for this containers persistent data (will automatically be created)";
            };
            mountpoint = mkOption {
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@ -2,8 +2,9 @@
  lib,
  stateVersion,
  config,
  pkgs, # not unused neede for the usage of attrs later to contains pkgs
  ...
-}: let
+} @ attrs: let
  hostName = "nc.${config.secrets.secrets.global.domains.mail}";
 in {
  imports = [./containers.nix ./nginx.nix ./ddclient.nix ./acme.nix];
@ -11,6 +12,7 @@ in {
    enable = true;
    upstreams.nextcloud = {
      servers."192.168.178.33:80" = {};
      extraConfig = ''
        zone nextcloud 64k ;
        keepalive 5 ;
@ -22,15 +24,11 @@ in {
      locations."/".proxyPass = "http://nextcloud";
    };
  };
-  containers.nextcloud = lib.containers.mkConfig "nextcloud" {
+  containers.nextcloud = lib.containers.mkConfig "nextcloud" attrs {
    autoStart = true;
    zfs = {
      enable = true;
      pool = "panzer";
    };
    macvlans = [
      "lan01:lan01-nextcloud"
    ];
    config = {
      config,
      pkgs,
@ -48,6 +46,14 @@ in {
          };
        };
      };
      environment.persistence."/persist".directories = [
        {
          directory = config.services.nextcloud.home;
          user = "nextcloud";
          group = "nextcloud";
          mode = "750";
        }
      ];
      services.nextcloud = {
        inherit hostName;
        enable = true;
@ -95,13 +101,8 @@ in {
 #wireguard
 #samba/printer finding
 #vaultwarden
 #nextcloud
 #acme
 #nginx
 #maddy
 #kanidm
 #xdg portals
 #zfs snapshots
 #remote backups
 #immich
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -51,14 +51,15 @@ inputs: let
  # True NixOS nodes can define additional microvms (guest nodes) that are built
  # together with the true host. We collect all defined microvm nodes
  # from each node here to allow accessing any node via the unified attribute `nodes`.
-  microvmConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node:
+  guestConfigurations = flip concatMapAttrs self.nixosConfigurations (_: node:
    mapAttrs'
-    (vm: def: nameValuePair def.nodeName node.config.microvm.vms.${vm}.config)
+    (vm: def: nameValuePair vm {config = node.config.containers.${vm}.config;})
-    (node.config.meta.microvms.vms or {}));
+    (node.config.containers or {}));
 in {
  inherit
    hosts
    nixosConfigurations
    minimalConfigurations
    guestConfigurations
    ;
 }