[nextcloud module] add wrapper example

machines/.sops.yaml

@@ -100,10 +100,3 @@ creation_rules:
       - *admin_kalipso_dsktp
       age:
       - *admin_atlan
-  - path_regex: modules/malobeo/secrets.yaml$
-    key_groups:
-    - pgp:
-      - *admin_kalipso
-      - *admin_kalipso_dsktp
-      age:
-      - *admin_atlan

machines/bakunin/configuration.nix

@@ -8,11 +8,12 @@ in
     [ # Include the results of the hardware scan.
       #./hardware-configuration.nix
       ../modules/xserver.nix
+      ../modules/malobeo_user.nix
       ../modules/sshd.nix
+      ../modules/minimal_tools.nix
       ../modules/autoupdate.nix
       inputs.self.nixosModules.malobeo.disko
       inputs.self.nixosModules.malobeo.initssh
-      inputs.self.nixosModules.malobeo.users
     ];
 
   malobeo.autoUpdate = {
@@ -37,8 +38,6 @@ in
     ethernetDrivers = ["r8169"];
   };
 
-  malobeo.users.malobeo = true;
-
   hardware.sane.enable = true; #scanner support
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];

machines/fanny/configuration.nix

@@ -51,7 +51,6 @@ in
       disk0 = "disk/by-id/ata-SAMSUNG_MZ7LN256HCHP-000L7_S20HNAAH200381";
     };
     storage = {
-      enable = true;
       disks = ["disk/by-id/wwn-0x50014ee265b53b60" "disk/by-id/wwn-0x50014ee2bb0a194a"];
       mirror = true;
     };
@@ -70,7 +69,8 @@ in
   };
 
   services.malobeo.microvm.enableHostBridge = true;
-  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "nextcloud" "durruti" ];
+  services.malobeo.microvm.deployHosts = [ "overwatch" "infradocs" "durruti" ];
+  services.malobeo.microvm.client.nextcloud.enable = true;
 
   networking = {
     nat = {

machines/modules/malobeo/microvm_client.nix

@@ -0,0 +1,28 @@
+{config, lib, pkgs, ...}:
+let
+  cfg = config.services.malobeo.microvm.client;
+in
+{
+  options.services.malobeo.microvm.client = {
+    nextcloud = {
+      enable = lib.mkEnableOption "enable the nextcloud microvm wrapper";
+      datadir = lib.mkOption {
+        type = lib.types.string;
+        default = "/data/services/nextcloud/";
+        description = "set a custom datadir";
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.nextcloud.enable { #add check for run-vm?
+      services.malobeo.microvm.deployHosts = ["nextcloud"];
+      microvm.vms.nextcloud.config.microvm.shares = lib.mkAfter [{
+        source = cfg.datadir;
+        mountPoint = "/datadir";
+        tag = "nc-datadir";
+        proto = "virtiofs";
+      }];
+    })
+  ];
+}

machines/modules/malobeo/secrets.yaml

@@ -1,59 +0,0 @@
-malobeoUserPassword: ENC[AES256_GCM,data:/w9Q89njBL5eL8RU6IhOxegJqtvBmx/R2+b7+asop98PN4SZn3r53lagM/3UiNnbde/Mh1/3T3OtddNFTh+v64NNzMdKE65T/A==,iv:8o97dDxA6GHkFN0uAfbdG0DnatoiP3ytEGLTHOOZe0w=,tag:Jl2EPOooYdnSfyfOr9Pn2g==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1ljpdczmg5ctqyeezn739hv589fwhssjjnuqf7276fqun6kc62v3qmhkd0c
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2b2lTY1hhTUwxalZ6bHJJ
-            aUpUelB6K0hweW8rWXJzaTVKWC94Q0E4c2hRCnBaM3hwTkxwWGZjUCtycTR0aFJr
-            QXZPVkNjK2dIOWpHYUhxd2x6cW9MMTgKLS0tIEh4N2d5TEZuK2RRMklxRGNlOTFP
-            ZCtqbzVZYnB4WTh1RUt4V0FPYzRualUKh3lyO+Ow2698jZ05PZjeKK5CnuUnIAJ2
-            IdBRJNhalleoJPdQnsq/Yj3aewXtIYDdXKnhN4QdEfbQnrIrm1B7FQ==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-28T11:04:06Z"
-    mac: ENC[AES256_GCM,data:ZfWuWafknBtaLPjpujLfFjh4oRIk6Bq521NnI1woEamV1MZ53AbmGqZRroW4mAz2uI1KA3RSX7CLvFjJRzQiCBA/OblD89xGNEsQdRvsMCfkEGN85TgV5RVZ+Iqi/VoSXQUc4WcUZenBtgua8p84Ujikr/XT08dEB8hNVAOsSaw=,iv:fVX8LyxT3QkogpF/zRUY0LWzemp6ugrlK2eTag8jtWk=,tag:9kIXxg2hI1+D4XXx/ZPILw==,type:str]
-    pgp:
-        - created_at: "2025-01-28T11:02:47Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQGMA5HdvEwzh/H7AQv+JmOlIv1eupyfTV+T0jpZ0Ux49fjTP8xo/6aBNrukFFej
-            1JNX7Y57c5jUPUIWYX/obbhrT0yOj5w7yiA2lOO4ZUoHswDs70F7kuEXfdlEiL+Y
-            R2Zl5aAL+1Q0ydmjEG/P11H/ts0csHJTFwf6bR463Kv8yn8wjrpZKWcBTWoKzxbQ
-            LfEiDZ5F4FAjRJFgJRioWdUWCnMTaWWM6hQRathbVIi0DgddjzDma7I1l8qdsEEX
-            rh5y+SQSfajIPn1MxstY3Y8kkYb/LUOXIGGDxJV5UOuem8z2O0wiHsuRGtNAmQVJ
-            O0XjRALgoXbLFZYvej5xkDBvkr13JsJsa7P9IrVChF72ktFhWjPd5ALM63L3Rj//
-            voFD3JXmwOZsgsy+0wgfWwYb89xKcrLSrNkZKXFfLM1fUGx3huOw3YYqH35IccHe
-            KVPB0w5NkFRjq0Ubs9M/FpdspZPZmUgz6Y3hNUdSPsmd8+KWdDqFX0Nijv4dW/5k
-            1lMNcr6K/bHY9mWpqhsF0lgBfV1uX9Gw+rPVxpfbAmrqScw4XOnsYRhr39Ew2jyr
-            FY+EDPYj84AlfKCRr21lDOYsEYlxvRRL94LuzaJ5ZPsvc4fSRlLfA6CaTnyMO/Uh
-            0UaAUmo9gj8D
-            =oYMG
-            -----END PGP MESSAGE-----
-          fp: c4639370c41133a738f643a591ddbc4c3387f1fb
-        - created_at: "2025-01-28T11:02:47Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMA98TrrsQEbXUAQ/+O8kqGBbX22K56L7/TRjZIFsvPKNO89QADDuL8R9cYYug
-            iKvtCp1rjSkRZZOxEqdLltqlub7Qvm/FmOTTV/Ha97FyLu908ci9FhZhYSIu95PO
-            VVBKRqEvcjtYj7HV/WbHUPc0KNq3EJ2XmJPAbNel0vbLv5Y5RMCiPK7ZtP5owIX+
-            Vq5wxu92MUyQOcryqzVnP5Ly7hWjlQEVg88zHtOvzMBf2OtVh10f5xF6nNpxfmXO
-            ni0UvlzzatLmGX1t9CDchVvRkgvlALZAgwDnFqc3L3HbKlATgaH8Ilr5rEmjt3v1
-            wWSQWewoEH3BtMgNTvXcVZu4mji9wYTNR2MfrL7eIqkhQzxCgL+vIh9wpNXYN+jO
-            ghnQKUoGFpM0AnT8OXGODDfOqQd2nkUuySUP+n+N8LnEN021ve5500t4uAjZnASe
-            kVrNXK+9XUEIDNaWnO9ykRRvB4y41yqf5Pu5FfMtHg5s53ypqox3rSqQMPhwFtVz
-            HLSQ5iyv2v66RoXUX9Esk+QcTQuDRQpZFzM7v4tyU+IeT7rOe7dC0YEOYRetKApQ
-            bru47ZS4nPFfaCdOnMr5tmTMwv/dzMDQHeRkxqEKPTyYx56nHjrMRE13PjYUvSbT
-            aQVoAspsYXhxQ6eDVzGbBlbA1KXS7fbl9Ji0aVWXVS2otdL0hPRd6Nh0Cy0RuLnS
-            WAF5hbffH9AgRLC8HlAFAsYvf42JSjwpLdeFnGYka8dWZX0ItxLFEOJ1IAyilFy6
-            mkBFyUYLRwlbExJNEH+WFlbMSDWzZ6eXmuPzUBvhwOC/8AxKvhk8je4=
-            =x1tN
-            -----END PGP MESSAGE-----
-          fp: aef8d6c7e4761fc297cda833df13aebb1011b5d4
-    unencrypted_suffix: _unencrypted
-    version: 3.9.2

machines/modules/malobeo/users.nix

@@ -1,58 +0,0 @@
-{config, lib, pkgs, inputs, ...}:
-let 
-  cfg = config.malobeo.users;
-  sshKeys = import ( inputs.self + /machines/ssh_keys.nix);
-in
-{
-  options.malobeo.users = {
-    malobeo = lib.mkEnableOption "enable malobeo user";
-    admin = lib.mkEnableOption "enable admin user";
-  };
-  config = lib.mkMerge [
-    (lib.mkIf cfg.malobeo {
-      sops.secrets.malobeoUserPassword = {
-        sopsFile = ./secrets.yaml;
-        neededForUsers = true;
-      };
-      users.users.malobeo = {
-        isNormalUser = true;
-        description = "malobeo user, password and ssh access, no root";
-        extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
-        openssh.authorizedKeys.keys = sshKeys.admins;
-        hashedPasswordFile = config.sops.secrets.malobeoUserPassword.path;
-      };
-      environment.systemPackages = with pkgs; [];
-    })
-    (lib.mkIf cfg.admin {
-      users.users.admin = {
-        isNormalUser = true;
-        description = "admin user, passwordless sudo access, only ssh";
-        hashedPassword = null;
-        extraGroups = [ "networkmanager" ];
-      };
-      environment.systemPackages = with pkgs; [];
-      security.sudo.extraRules = [
-        {
-          users = [ "admin" ];
-          commands = [
-            {
-              command = "ALL";
-              options = [ "NOPASSWD" ];
-            }
-          ];
-        }
-      ];
-    })
-    {
-      users.mutableUsers = false;
-      environment.systemPackages = with pkgs; [
-        nix-output-monitor
-        vim
-        htop
-        wget
-        git
-        pciutils
-      ];
-    }
-  ];
-}

machines/nextcloud/configuration.nix

@@ -37,6 +37,7 @@ with lib;
     hostName = "cloud.malobeo.org";
     config.adminpassFile = config.sops.secrets.nextcloudAdminPass.path;
     #https = true; #disable for testing
+    datadir = "/datadir";
     database.createLocally = true;
     config.dbtype = "pgsql";
     configureRedis = true;
@@ -55,6 +56,12 @@ with lib;
     };
     settings = {
       trusted_domains = ["10.0.0.13"];
+      "maintenance_window_start" = "1";
+      "default_phone_region" = "DE";
+    };
+    phpOptions = {
+      "realpath_cache_size" = "0";
+      "opcache.interned_strings_buffer" = "23";
     };
   };
 

outputs.nix

@@ -108,12 +108,11 @@ in (utils.lib.eachSystem (builtins.filter filter_system utils.lib.defaultSystems
 
     nixosModules.malobeo = {
       host.imports = [ ./machines/durruti/host_config.nix ];
-      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ];
+      microvm.imports = [ ./machines/modules/malobeo/microvm_host.nix ./machines/modules/malobeo/microvm_client.nix];
       vpn.imports = [ ./machines/modules/malobeo/wireguard.nix ];
       initssh.imports = [ ./machines/modules/malobeo/initssh.nix ];
       metrics.imports = [ ./machines/modules/malobeo/metrics.nix ];
       disko.imports = [ ./machines/modules/disko ];
-      users.imports = [ ./machines/modules/malobeo/users.nix ];
     };
 
     hydraJobs = nixpkgs.lib.mapAttrs (_: nixpkgs.lib.hydraJob) (