l ubik.r: init on neoprism.r

kartei/lass/ubik.nix

@@ -0,0 +1,38 @@
+{ r6, w6, ... }:
+{
+  nets = {
+    retiolum = {
+      ip4.addr = "10.243.0.12";
+      ip6.addr = r6 "0b1c";
+      aliases = [
+        "ubik.r"
+      ];
+      tinc.pubkey = ''
+        -----BEGIN RSA PUBLIC KEY-----
+        MIICCgKCAgEAnWJKDrDmmGZbwVeaBhvOdTR4nsumo1yzOR2Iu+SMTOH6fbgJM5cW
+        WtlgPhrdOMrBYR956SBiBNkvsdczRrOF7F6hvXyDwwoGdWGsZXzaTMJlNAYjP5Y4
+        fbJlDq8/QV/SvVFGeu4XP3g2yuU/aNu/4FkU4jlysX+8wo9qGpIFPLpLvqfuU247
+        jHCatNzHfLK60fx7yt57iDhuX2plyFfQVX7xPTxudfGZKD7rEDEnKX4Ghd5dUkOA
+        z0lr0B1AOrkZgrnajU0ZmkjnNy8lrylCWDOnEPhJdao53gL4XFmUcZaR4uFsWuS7
+        V1VM+VivuMTAXRUnJScyLap2mo6dcr9h11kas70c/R7tI2pGmxlNk9t2uYy/jQnC
+        WmyzNCcqpPSfKikx5sRVAVIuv2wtAKYDuZg+1D4YEfeklA0+ZZlHO43NnRnIoKeO
+        Za0SNUE6vtd/EPoiifMkOWtHaO0LppgOxMTk8OgUxR6dcTmbuL0Roz3aY0rSW3EG
+        +li3yjS3YAtMtvhQwuqooVrkBFrcGQLjTnAfCeUHbCjZidGAHnqhESA+Aj+LKx32
+        0ALQY439xAs6Vf3rICs93cO4Yxa8W1F5sHE6ANOGU+jCmSkCWI2hdHGbckD3L0AQ
+        NBJ+jyXm0kFfVgqRS2i17JPz2ZZxhAHw3KH13Ef1KI4tMdzCvFSayW0CAwEAAQ==
+        -----END RSA PUBLIC KEY-----
+      '';
+      tinc.pubkey_ed25519 = "BcbZOID7dipWNH0/uowqCF7Ivqm4QktMoz11Yv249tG";
+    };
+    wiregrill = {
+      ip6.addr = w6 "0b1c";
+      aliases = [
+        "ubik.w"
+      ];
+      wireguard.pubkey = ''
+        JakWwg7Rq76jjzLFWPBQJPpzRHbIEbb46VLsSUOKI2I=
+      '';
+    };
+  };
+  ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHlqW8zqJpjbva0NTty9Ex7R/Jk2emDxHJNpaM3WPt5L";
+}

lass/1systems/neoprism/config.nix

@@ -9,6 +9,7 @@
     <stockholm/lass/2configs/consul.nix>
     <stockholm/lass/2configs/yellow-host.nix>
     <stockholm/lass/2configs/radio/container-host.nix>
+    <stockholm/lass/2configs/ubik-host.nix>
 
     # other containers
     <stockholm/lass/2configs/riot.nix>

lass/1systems/ubik/config.nix

@@ -0,0 +1,33 @@
+with import <stockholm/lib>;
+{ config, lib, pkgs, ... }:
+{
+  imports = [
+    <stockholm/lass>
+    <stockholm/lass/2configs>
+    <stockholm/lass/2configs/retiolum.nix>
+  ];
+
+  krebs.build.host = config.krebs.hosts.ubik;
+
+  lass.sync-containers3.inContainer = {
+    enable = true;
+    pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBFGMjH0+Dco6DVFZbByENMci8CFTLXCL7j53yctPnM";
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+  services.nextcloud = {
+    enable = true;
+    hostName = "c.apanowicz.de";
+    package = pkgs.nextcloud25;
+    config.adminpassFile = "/run/nextcloud.pw";
+    https = true;
+  };
+  systemd.services.nextcloud-setup.serviceConfig.ExecStartPre = [
+    "+${pkgs.writeDash "copy-pw" ''
+      ${pkgs.rsync}/bin/rsync \
+        --chown nextcloud:nextcloud \
+        --chmod 0700 \
+        /var/src/secrets/nextcloud.pw /run/nextcloud.pw
+    ''}"
+  ];
+}

lass/1systems/ubik/physical.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./config.nix
+  ];
+  boot.isContainer = true;
+  networking.useDHCP = true;
+}

lass/2configs/ubik-host.nix

@@ -0,0 +1,26 @@
+{ config, pkgs, ... }:
+{
+  lass.sync-containers3.containers.ubik = {
+    sshKey = "${toString <secrets>}/ubik.sync.key";
+  };
+  containers.ubik.bindMounts."/var/lib" = {
+    hostPath = "/var/lib/sync-containers3/ubik/state";
+    isReadOnly = false;
+  };
+  containers.ubik.bindMounts."/var/lib/nextcloud/data" = {
+    hostPath = "/var/ubik";
+    isReadOnly = false;
+  };
+  services.nginx.virtualHosts."c.apanowicz.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      recommendedProxySettings = true;
+      proxyWebsockets = true;
+      proxyPass = "http://ubik.r";
+      extraConfig = ''
+        client_max_body_size 9001M;
+      '';
+    };
+  };
+}