diff --git a/containers/garnet/configuration.nix b/containers/garnet/configuration.nix new file mode 100644 index 0000000..ff514e8 --- /dev/null +++ b/containers/garnet/configuration.nix @@ -0,0 +1,34 @@ +{ ... }: { + system.stateVersion = "25.11"; + fileSystems."/var/lib/opencloud" = { + device = "/flower/data"; + fsType = "none"; + options = [ "bind" ]; + }; + fileSystems."/etc/opencloud" = { + device = "/persist/cfg"; + fsType = "none"; + options = [ "bind" ]; + }; + # TODO: hardcoded address + networking.extraHosts = '' + 100.67.2.1 cloud.lava.moe + ''; + + networking.firewall.allowedTCPPorts = [ 9200 ]; + networking.firewall.allowedUDPPorts = [ 9200 ]; + + environment.etc."opencloud-admin-pass".text = '' + IDM_ADMIN_PASSWORD=supersillysecure + ''; + services.opencloud = { + enable = true; + url = "https://cloud.lava.moe"; + address = "10.30.7.2"; + port = 9200; + environment = { + PROXY_TLS = "false"; + }; + environmentFile = "/etc/opencloud-admin-pass"; + }; +} diff --git a/containers/garnet/flake.lock b/containers/garnet/flake.lock new file mode 100644 index 0000000..4070242 --- /dev/null +++ b/containers/garnet/flake.lock @@ -0,0 +1,27 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1779560665, + "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/containers/garnet/flake.nix b/containers/garnet/flake.nix new file mode 100644 index 0000000..93c3304 --- /dev/null +++ b/containers/garnet/flake.nix @@ -0,0 +1,77 @@ +{ + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + }; + outputs = { nixpkgs, ... }: + let + name = "garnet"; + fqdn = "cloud.lava.moe"; + subnetId = "7"; + + subnet = x: "fd0d:1::${subnetId}:${toString x}"; + host = subnet 1; + client = subnet 2; + + subnet4 = x: "10.30.${subnetId}.${toString x}"; + host4 = subnet4 1; + client4 = subnet4 2; + + modules = [ + ./configuration.nix + { + networking.useHostResolvConf = false; + networking.nameservers = [ host ]; + } + ]; + in { + nixosConfigurations.container = nixpkgs.lib.nixosSystem { + inherit modules; + }; + nixosModule = { config, ... }: { + networking.nat = { + enable = true; + enableIPv6 = true; + internalInterfaces = [ "ve-${name}" ]; + }; + + services.nginx.virtualHosts."${fqdn}" = { + useACMEHost = "lava.moe"; + forceSSL = true; + locations."/" = { + proxyPass = "http://${client4}:9200"; + proxyWebsockets = true; + }; + # TODO: hardcoded address + listenAddresses = [ "100.67.2.1" ]; + }; + + systemd.tmpfiles.rules = [ + "d /persist/containers/${name} 755 root users" + ]; + containers.${name} = { + autoStart = true; + privateNetwork = true; + hostAddress = host4; + localAddress = client4; + hostAddress6 = host; + localAddress6 = client; + # privateUsers = "pick"; + nixpkgs = nixpkgs; + ephemeral = true; + config = { imports = modules; }; + specialArgs = { inherit fqdn; }; + + bindMounts."persist" = { + hostPath = "/persist/containers/${name}"; + mountPoint = "/persist"; + isReadOnly = false; + }; + bindMounts."content" = { + hostPath = "/flower/opencloud"; + mountPoint = "/flower"; + isReadOnly = false; + }; + }; + }; + }; +} diff --git a/flake.lock b/flake.lock index d6070b9..42cf89a 100644 --- a/flake.lock +++ b/flake.lock @@ -128,6 +128,20 @@ }, "parent": [] }, + "c-garnet": { + "inputs": { + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "path": "./containers/garnet", + "type": "path" + }, + "original": { + "path": "./containers/garnet", + "type": "path" + }, + "parent": [] + }, "catppuccin": { "inputs": { "nixpkgs": "nixpkgs_4" @@ -595,7 +609,7 @@ "inputs": { "flake-parts": "flake-parts_2", "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs_9" + "nixpkgs": "nixpkgs_10" }, "locked": { "lastModified": 1778384395, @@ -679,6 +693,22 @@ } }, "nixpkgs_10": { + "locked": { + "lastModified": 1778274207, + "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_11": { "locked": { "lastModified": 1777954456, "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=", @@ -694,7 +724,7 @@ "type": "github" } }, - "nixpkgs_11": { + "nixpkgs_12": { "locked": { "lastModified": 1770019141, "narHash": "sha256-VKS4ZLNx4PNrABoB0L8KUpc1fE7CLpQXQs985tGfaCU=", @@ -824,16 +854,16 @@ }, "nixpkgs_9": { "locked": { - "lastModified": 1778274207, - "narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=", + "lastModified": 1779560665, + "narHash": "sha256-tpyBcxPpcQb8ukyNF7DoCwfSY3VPsxHoYwj00Cayv5o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7", + "rev": "64c08a7ca051951c8eae34e3e3cb1e202fe36786", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixpkgs-unstable", + "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } @@ -880,7 +910,7 @@ "pastel": { "inputs": { "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_11", + "nixpkgs": "nixpkgs_12", "pnpm2nix": "pnpm2nix" }, "locked": { @@ -946,6 +976,7 @@ "c-diamond": "c-diamond", "c-emerald": "c-emerald", "c-fluorite": "c-fluorite", + "c-garnet": "c-garnet", "catppuccin": "catppuccin_2", "catppuccin-palette": "catppuccin-palette", "fast-syntax-highlighting": "fast-syntax-highlighting", @@ -954,7 +985,7 @@ "neovim-nightly": "neovim-nightly", "nix-gaming": "nix-gaming", "nix-index-database": "nix-index-database", - "nixpkgs": "nixpkgs_10", + "nixpkgs": "nixpkgs_11", "nvim-treesitter": "nvim-treesitter", "pastel": "pastel", "pure": "pure", diff --git a/flake.nix b/flake.nix index 377e601..5cf3457 100644 --- a/flake.nix +++ b/flake.nix @@ -44,6 +44,7 @@ c-diamond.url = "path:./containers/diamond"; c-emerald.url = "path:./containers/emerald"; c-fluorite.url = "path:./containers/fluorite"; + c-garnet.url = "path:./containers/garnet"; }; outputs = { self, agenix, catppuccin, nixpkgs, ... } @ inputs: diff --git a/hosts/alyssum/default.nix b/hosts/alyssum/default.nix index 087c77f..9a53926 100644 --- a/hosts/alyssum/default.nix +++ b/hosts/alyssum/default.nix @@ -1,9 +1,10 @@ -{ lib, modules, modulesPath, ... }: { +{ inputs, modules, modulesPath, ... }: { networking.hostName = "alyssum"; system.stateVersion = "25.11"; time.timeZone = "Australia/Melbourne"; age.secrets = { + acme_dns.file = ../../secrets/acme_dns.age; wpa_conf = { file = ../../secrets/wpa_conf.age; path = "/etc/wpa_supplicant/imperative.conf"; @@ -22,6 +23,10 @@ security tailscale + modules.services.nginx + + inputs.c-garnet.nixosModule + ./filesystem.nix ./kernel.nix ./networking.nix diff --git a/hosts/alyssum/filesystem.nix b/hosts/alyssum/filesystem.nix index 205106a..bdea423 100644 --- a/hosts/alyssum/filesystem.nix +++ b/hosts/alyssum/filesystem.nix @@ -26,6 +26,7 @@ in { }; "/boot" = mkLabelMount "stem" "vfat"; + "/flower" = mkBtrfsMount "myosotis" "/@" true; "/nix" = submount "/@/nix" false; "/persist" = (submount "/@/persist" true) // { neededForBoot = true; }; "/persist/.snapshots" = submount "/snap/persist" false; diff --git a/secrets.nix b/secrets.nix index 5a8bf1b..d2dbc82 100644 --- a/secrets.nix +++ b/secrets.nix @@ -10,7 +10,7 @@ in { "secrets/passwd.age".publicKeys = [ anemone blossom rin ]; "secrets/wpa_conf.age".publicKeys = [ alyssum blossom rin ]; - "secrets/acme_dns.age".publicKeys = [ dandelion hazel rin ]; + "secrets/acme_dns.age".publicKeys = [ alyssum dandelion hazel rin ]; "secrets/navidrome_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/slskd_env.age".publicKeys = [ anemone dandelion rin ]; "secrets/tailscale_auth.age".publicKeys = [ alyssum anemone blossom dandelion rin ]; diff --git a/secrets/acme_dns.age b/secrets/acme_dns.age index a573417..c440de6 100644 --- a/secrets/acme_dns.age +++ b/secrets/acme_dns.age @@ -1,10 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 bRFqeQ trK7wfJ1fObF70yD3a6axuXaZv/EzzFI7he1dvUajH8 -1C5IrwITtma/um0zUo6by0llVTnla7TBdyRD07azTT8 --> ssh-ed25519 ZAcXHw f+n0WJKTViwizwTIgRpbLGqk458SnuAFVVj5FQS0nwA -MRinOTxWGwfeg16VWJYD+1Uta+7xF6G9oyqtYSfEq80 --> ssh-ed25519 U9FXlg 24QGfemIAHZYMwroayNJp91fUkbwUF7ACuXIk+7qdBg -RNGpjxUgfzV/e1Ab/NcA8A0zzxsXU06xmVbLpG3x+iI ---- mekieJNQOl4vcg+hsSOQsFC7mVUZf/oRl/dT7AeTRKg -H즏)k#%3cQں1?ad| 쳄ٗo2 -B)=Zi9pR Klg ՞h \ No newline at end of file +-> ssh-ed25519 kOMSPw vqjZO82kILUQaoD9EwOgnmXKD9IyscgtzP65BVKkGhs +07f0vL5fSq+EVdJ4n3L/q0tGsh0SVLCueTzbrMQC2ok +-> ssh-ed25519 bRFqeQ qZAsyhdIY/fg7weEBYfB/WwFBrr/fDRrjt0J/m+57W4 +FOWjbk7efoVdL9WxjWvaZ/0mJrQ4yj0fN/Fa3zztz84 +-> ssh-ed25519 ZAcXHw UHpAQ4nKoGGaZWXVj4UM6uBanOgDpBvG6XdoBvhz6y8 +xF1orqajQxp2QzU/e1sq8lMxz4AQ2Vr5a3wEU55QqyE +-> ssh-ed25519 U9FXlg n/LPuRDZ7N0VbZYLNr86hH/yRuqd2zFC7Nnpooz8d0o +aZig/wjd5vitGaJwQ89w2M7fj8fAiqTpdDOmLae74sM +--- mXuALIh6k4n0cErsTFnwKemo/r2jFG7mGSTz2M8zXF8 +Zr2. ~MPXŹ1)p9R9S cLzhQO0H7Lj5 \l97ܫn>