From 10f823a3a6821f8de4f37b030e4af05a4e5349ac Mon Sep 17 00:00:00 2001
From: William
Date: Sun, 15 Feb 2026 22:21:33 -0300
Subject: [PATCH 1/3] lxc support for alexandria
---
 aspects/hosts/alexandria.nix | 1 +
 aspects/lxc.nix | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 aspects/lxc.nix
diff --git a/aspects/hosts/alexandria.nix b/aspects/hosts/alexandria.nix
index 57fdf5f..c0c9f32 100644
--- a/aspects/hosts/alexandria.nix
+++ b/aspects/hosts/alexandria.nix
@@ -27,6 +27,7 @@
 # other aspects
 fwupd
+ lxc
 ]);
 };
 }
diff --git a/aspects/lxc.nix b/aspects/lxc.nix
new file mode 100644
index 0000000..15da310
--- /dev/null
+++ b/aspects/lxc.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+ flake.modules.nixos.lxc =
+ {
+ config,
+ lib,
+ pkgs,
+ ...
+ }:
+ {
+ virtualisation.lxc = {
+ enable = true;
+ unprivilegedContainers = true;
+ };
+ };
+}
From fe460c9151c87b46c9ebcca327c09fb883fef8d9 Mon Sep 17 00:00:00 2001
From: William
Date: Sun, 15 Feb 2026 23:01:25 -0300
Subject: [PATCH 2/3] fix secrets locations
---
 aspects/hosts/_alexandria/nextcloud.nix | 7 +++----
 aspects/hosts/_alexandria/nginx.nix | 2 +-
 aspects/hosts/_trantor/nginx.nix | 2 +-
 aspects/hosts/alexandria.nix | 2 +-
 4 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/aspects/hosts/_alexandria/nextcloud.nix b/aspects/hosts/_alexandria/nextcloud.nix
index c4a9669..cb9f2ac 100644
--- a/aspects/hosts/_alexandria/nextcloud.nix
+++ b/aspects/hosts/_alexandria/nextcloud.nix
@@ -1,8 +1,7 @@
 {
- lib,
 config,
- pkgs,
 inputs,
+ pkgs,
 ...
 }:
@@ -83,12 +82,12 @@ in
 age.secrets = {
 "nextcloud-secrets.json" = {
- file = ../../../secrets/nextcloud-secrets.json.age;
+ file = "${inputs.self}/secrets/nextcloud-secrets.json.age";
 owner = "nextcloud";
 group = "nextcloud";
 };
 nextcloud-adminpass = {
- file = ../../../secrets/nextcloud-adminpass.age;
+ file = "${inputs.self}/secrets/nextcloud-adminpass.age";
 owner = "nextcloud";
 group = "nextcloud";
 };
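Review bot: In the new aspects/lxc.nix, `unprivilegedContainers = true;` has no comment saying which accounts are meant to start containers, and nothing visible in this series gives any user sub-UID/sub-GID ranges or an lxc-usernet allowance. Unprivileged LXC relies on both, so as written the option may only install the helper pieces without a usable, reviewed container setup. I would add a comment above the attribute such as `# unprivileged LXC: the users that run containers need subUidRanges/subGidRanges and an entry in virtualisation.lxc.usernetConfig`. The inner module function also binds `config`, `lib` and `pkgs` without using them; `{ ... }:` is enough there.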
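Review bot: A misspelled or missing secret is no longer caught at evaluation time once `file` becomes the string `"${inputs.self}/secrets/nextcloud-adminpass.age"` in the second nextcloud.nix hunk; the same applies to both nginx.nix hunks of this commit. With the old path literals a missing file failed the evaluation, whereas the string form would presumably only fail when agenix tries to decrypt on the host. A cheap guard is an `assertions` entry per secret along the lines of `assertion = builtins.pathExists "${inputs.self}/secrets/cloudflare.age";`. The _alexandria/nginx.nix hunk does not show the module's argument list, so confirm `inputs` is bound there. The cloudflare secret declaration is now identical on both hosts and could live in one shared module.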
diff --git a/aspects/hosts/_alexandria/nginx.nix b/aspects/hosts/_alexandria/nginx.nix
index 26a7ba1..087faf4 100644
--- a/aspects/hosts/_alexandria/nginx.nix
+++ b/aspects/hosts/_alexandria/nginx.nix
@@ -51,7 +51,7 @@ in
 ];
 age.secrets.cloudflare = {
- file = ../../../secrets/cloudflare.age;
+ file = "${inputs.self}/secrets/cloudflare.age";
 owner = "nginx";
 group = "nginx";
 };
diff --git a/aspects/hosts/_trantor/nginx.nix b/aspects/hosts/_trantor/nginx.nix
index 899666e..eccfb12 100644
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
@@ -51,7 +51,7 @@ in
 ];
 age.secrets.cloudflare = {
- file = ../../../secrets/cloudflare.age;
+ file = "${inputs.self}/secrets/cloudflare.age";
 owner = "nginx";
 group = "nginx";
 };
diff --git a/aspects/hosts/alexandria.nix b/aspects/hosts/alexandria.nix
index c0c9f32..f10dfe7 100644
--- a/aspects/hosts/alexandria.nix
+++ b/aspects/hosts/alexandria.nix
@@ -27,7 +27,7 @@
 # other aspects
 fwupd
- lxc
+ podman
 ]);
 };
 }
From a3b4781bd09a168171d8fec121c46a8e93c39d2e Mon Sep 17 00:00:00 2001
From: William
Date: Mon, 16 Feb 2026 00:07:36 -0300
Subject: [PATCH 3/3] fix forgejo on trantor
---
 aspects/hosts/_trantor/forgejo.nix | 5 ++++-
 aspects/hosts/_trantor/nginx.nix | 2 --
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/aspects/hosts/_trantor/forgejo.nix b/aspects/hosts/_trantor/forgejo.nix
index 1112622..8421adb 100644
--- a/aspects/hosts/_trantor/forgejo.nix
+++ b/aspects/hosts/_trantor/forgejo.nix
@@ -67,5 +67,8 @@ in
 };
 # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
- systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+ systemd.services.forgejo.serviceConfig = {
+ PrivateMounts = lib.mkForce false;
+ ProtectSystem = lib.mkForce false;
+ };
 }
diff --git a/aspects/hosts/_trantor/nginx.nix b/aspects/hosts/_trantor/nginx.nix
index eccfb12..24f96c3 100644
--- a/aspects/hosts/_trantor/nginx.nix
+++ b/aspects/hosts/_trantor/nginx.nix
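Review bot: The `lxc` to `podman` swap in the alexandria.nix hunk is unrelated to the subject "fix secrets locations" and leaves aspects/lxc.nix from patch 1/3 without any consumer visible in this series. Changing the host's container runtime deserves its own commit and message, so it can be found and reverted separately. Either delete aspects/lxc.nix in that commit or state why it stays. The `podman` aspect is not defined in these patches, so whether it runs rootless or exposes a socket cannot be reviewed here.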
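Review bot: `ProtectSystem = lib.mkForce false;` in the forgejo.nix hunk switches off the unit's read-only filesystem protection for a network-facing service, and the comment above it still explains only PrivateMounts. If the real problem is one directory the unit cannot write or bind, a narrower override keeps the sandbox: leave ProtectSystem at whatever the module sets and add that directory through `ReadWritePaths` or `BindPaths`, or at least use `ProtectSystem = lib.mkForce "full";`. Whichever form stays, extend the comment to name the path that forced it, e.g. `# ProtectSystem relaxed because <path> is bind-mounted from <source>`.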
@@ -8,10 +8,8 @@ let services = inputs.self.services; - # Get all unique domains from shared services on trantor (host = "trantor") localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services)); - # Generate ACME cert configs for all local domains acmeCerts = lib.genAttrs localDomains (domain: { group = "nginx"; });