From 6011a900de359e09663901e2d452c9fea80679ab Mon Sep 17 00:00:00 2001
From: Nick
Date: Thu, 6 Nov 2025 12:29:48 -0600
Subject: [PATCH] test: forgejo microVM

---
 modules/config/instances/config/forgejo.nix | 6 +--
 modules/nixos/microvm/default.nix | 57 +++++++++++++++++++++
 modules/nixos/services/forgejo/default.nix | 30 +++++++++-
 systems/ceres/config/networking.nix | 8 ++-
 systems/ceres/config/wireguard.nix | 7 ++-
 5 files changed, 97 insertions(+), 11 deletions(-)

diff --git a/modules/config/instances/config/forgejo.nix b/modules/config/instances/config/forgejo.nix
index 747f518..3342eec 100755
--- a/modules/config/instances/config/forgejo.nix
+++ b/modules/config/instances/config/forgejo.nix
@@ -38,12 +38,12 @@ in
 port0 = 3033;
 };
 interface = {
- id = "${idPrefix}-${name}";
+ id = "${idPrefix}${name}";
 mac = "02:00:00:00:00:50";
- idUser = "${userPrefix}-${name}";
+ idUser = "${userPrefix}${name}";
 macUser = "02:00:00:00:00:02";
 ip = "192.168.50.50";
- gate = "192.168.50.1";
+ gate = "192.168.50.2";
 ssh = 2200;
 };
 ssl = {
diff --git a/modules/nixos/microvm/default.nix b/modules/nixos/microvm/default.nix
index 80f2ea6..e0c46dd 100755
--- a/modules/nixos/microvm/default.nix
+++ b/modules/nixos/microvm/default.nix
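Review bot: The new `gate = "192.168.50.2"` is only right for as long as it equals the `address` this same commit gives `br-vms` in modules/nixos/microvm/default.nix (192.168.50.2/24); the two values sit in different files with nothing tying them together, so the next edit to either one silently breaks VM routing. Either derive one from the other or at least mark the coupling, e.g. `gate = "192.168.50.2"; # must equal the br-vms address in modules/nixos/microvm/default.nix`. The surrounding attribute set starts and ends outside the hunk.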
@@ -3,4 +3,61 @@
 imports = [
 flake.inputs.microvm.nixosModules.host
 ];
+
+ # Enable systemd-networkd for microvm networking only
+ # NetworkManager handles the main network interface
+ systemd.network = {
+ enable = true;
+ wait-online.enable = false; # Don't wait for networkd interfaces
+
+ # Create a bridge for all microvms
+ netdevs = {
+ "20-br-vms" = {
+ netdevConfig = {
+ Name = "br-vms";
+ Kind = "bridge";
+ };
+ };
+ };
+
+ networks = {
+ # Configure the bridge with an IP in your LAN
+ "20-br-vms" = {
+ matchConfig.Name = "br-vms";
+ address = [ "192.168.50.2/24" ];
+ networkConfig = {
+ ConfigureWithoutCarrier = true;
+ # VMs will use this as their gateway
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ };
+
+ # Tap interface for forgejo VM (handles both vm-forgejo and vm--forgejo)
+ "30-vm-forgejo" = {
+ matchConfig.Name = "vm-*forgejo";
+ networkConfig = {
+ Bridge = "br-vms";
+ ConfigureWithoutCarrier = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ };
+
+ # Tap interface for vaultwarden VM (if you add it)
+ "30-vm-vaultwarden" = {
+ matchConfig.Name = "vm-*vaultwarden";
+ networkConfig = {
+ Bridge = "br-vms";
+ ConfigureWithoutCarrier = true;
+ };
+ linkConfig = {
+ RequiredForOnline = "no";
+ };
+ };
+ };
+ };
+
 }
diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix
index dbe4c2c..80ec0e0 100755
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@@ -36,11 +36,6 @@ in
 database.type = "postgres";
 lfs.enable = true;
 
- secrets = {
- mailer.PASSWD = "${secrets}/${service.name}-smtp";
- database.PASSWD = "${secrets}/${service.name}-database";
- };
-
 dump = {
 interval = "5:00";
 type = "zip";
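Review bot: The comment `# Configure the bridge with an IP in your LAN` does not describe what the block does: `br-vms` has no physical port, so 192.168.50.0/24 is a host-only segment whose only way out is the NAT this commit adds in systems/ceres/config/wireguard.nix. That matters for isolation, because from inside the VM 192.168.50.2 is the host itself, and every host service bound to 0.0.0.0 becomes reachable from the Forgejo VM unless the firewall treats br-vms as untrusted; no input or forward rule for it is visible in this commit (the firewall block lives in networking.nix, outside the hunks shown). Suggest `# Host-only bridge: 192.168.50.2 is the host and the VMs' default gateway; egress is NAT (see wireguard.nix)` in its place, plus an explicit decision on which host ports the VM may reach. The `vm-*forgejo` glob and the "(handles both vm-forgejo and vm--forgejo)" remark paper over uncertainty about the tap name; match the exact name once it is known, since a glob silently bridges any future interface that happens to match, and the `30-vm-vaultwarden` entry for a VM that does not exist yet is config that will drift.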
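Review bot: With the `secrets` block gone, nothing visible in this file still reads from `${secrets}`, yet the `"d ${secrets} 0755 …"` tmpfiles rule survives in the next hunk; if no other module writes there, drop the rule rather than keep creating an empty world-listable directory. If the NixOS `secrets` option was abandoned because it does not work inside the microVM, a one-line comment saying so at the `dump` block would save the next reader from restoring it. The enclosing attribute set continues outside the hunk.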
@@ -91,8 +86,33 @@ in
 systemd = {
 tmpfiles.rules = [
 "d ${secrets} 0755 ${service.name} ${service.name} -"
+ "d /run/forgejo 0755 ${service.name} ${service.name} -"
 ];
 
+ services.copy-forgejo-secrets = {
+ description = "Prepare Forgejo secrets environment file";
+ before = [ "forgejo.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ User = service.name;
+ Group = service.name;
+ };
+ script = ''
+ cat > /run/forgejo/env << EOF
+ FORGEJO__database__PASSWD=$(cat /run/secrets/${service.name}-database)
+ FORGEJO__mailer__PASSWD=$(cat /run/secrets/${service.name}-smtp)
+ EOF
+ chmod 600 /run/forgejo/env
+ '';
+ };
+
+ services.forgejo = {
+ serviceConfig = {
+ EnvironmentFile = "/run/forgejo/env";
+ };
+ };
+
 services.forgejo-dump = {
 serviceConfig = {
 ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${service.varPaths.path0}/dump | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix
index 836e48b..5bf0916 100755
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@@ -9,7 +9,13 @@ in
 {
 networking = {
 hostName = ceres.name;
- networkmanager.enable = true;
+ networkmanager = {
+ enable = true;
+ unmanaged = [
+ "interface-name:br-vms"
+ "interface-name:vm-*"
+ ];
+ };
 nftables.enable = true;
 useDHCP = lib.mkDefault true;
 firewall = {
diff --git a/systems/ceres/config/wireguard.nix b/systems/ceres/config/wireguard.nix
index 3a178f0..cfb49c7 100755
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@@ -19,8 +19,11 @@ in
 nat = {
 enable = true;
 enableIPv6 = true;
- externalInterface = "eth0";
- internalInterfaces = [ "wg0" ];
+ externalInterface = "enp10s0";
+ internalInterfaces = [
+ "wg0"
+ "br-vms"
+ ];
 };
 
 wireguard.interfaces = {
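Review bot: The `script` writes both passwords with `cat > /run/forgejo/env` before `chmod 600`, so the file is created under the default umask inside a 0755 directory and is readable by every local user for the window between the two commands; it should be private from the first byte, which `umask 077` before the redirect gives you. Two smaller defects sit in the same lines: the unquoted heredoc re-expands `$`, backticks and backslashes that occur in a password, and because `$(cat …)` runs inside the heredoc a missing or unreadable secret does not stop the `set -e` script but silently yields an empty password. Tightening the directory to `"d /run/forgejo 0750 ${service.name} ${service.name} -"` is consistent with that (EnvironmentFile is read by the service manager before privileges drop, so it should not break forgejo.service, but verify on the host), and `before = [ "forgejo.service" ]` only orders the two units, so adding `requiredBy = [ "forgejo.service" ];` makes forgejo.service actually pull the env file in. The enclosing `systemd` set starts before the hunk.
```nix
        script = ''
          # Private from creation: chmod after cat would leave the secrets
          # world-readable for a moment inside the 0755 runtime directory.
          umask 077
          # Plain assignments abort under set -e if a secret is unreadable;
          # inside the heredoc the failure was swallowed.
          db_pw=$(cat /run/secrets/${service.name}-database)
          smtp_pw=$(cat /run/secrets/${service.name}-smtp)
          # printf %s keeps $, backticks and backslashes in a password literal.
          printf 'FORGEJO__database__PASSWD=%s\nFORGEJO__mailer__PASSWD=%s\n' \
            "$db_pw" "$smtp_pw" > /run/forgejo/env
        '';
```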
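Review bot: Changing `externalInterface` from `"eth0"` to `"enp10s0"` alters NAT for the existing wg0 clients and has nothing to do with the Forgejo VM; if `eth0` was simply wrong before, that is a separate fix that deserves its own commit and a comment naming the uplink, and if it was right, wg0 peers lose egress with this change. Adding `"br-vms"` to `internalInterfaces` masquerades the whole 192.168.50.0/24 VM segment out through the uplink and, depending on the forward policy the NAT module installs, may also let the VM reach wg0 peers; if only Forgejo's outbound traffic is intended, a forward rule restricted to that is the safer shape. The `nat` set continues outside the hunk.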