test: forgejo microVM

2025-12-07 05:27:13 -06:00 · 2025-11-06 12:29:48 -06:00 · 2025-11-06 12:29:48 -06:00 · 6011a900de
commit 6011a900de
parent 1376cdbe77
5 changed files with 97 additions and 11 deletions
--- a/modules/config/instances/config/forgejo.nix
+++ b/modules/config/instances/config/forgejo.nix
@ -38,12 +38,12 @@ in
    port0 = 3033;
  };
  interface = {
-    id = "${idPrefix}-${name}";
+    id = "${idPrefix}${name}";
    mac = "02:00:00:00:00:50";
-    idUser = "${userPrefix}-${name}";
+    idUser = "${userPrefix}${name}";
    macUser = "02:00:00:00:00:02";
    ip = "192.168.50.50";
-    gate = "192.168.50.1";
+    gate = "192.168.50.2";
    ssh = 2200;
  };
  ssl = {
--- a/modules/nixos/microvm/default.nix
+++ b/modules/nixos/microvm/default.nix
@ -3,4 +3,61 @@
  imports = [
    flake.inputs.microvm.nixosModules.host
  ];
  # Enable systemd-networkd for microvm networking only
  # NetworkManager handles the main network interface
  systemd.network = {
    enable = true;
    wait-online.enable = false; # Don't wait for networkd interfaces
    # Create a bridge for all microvms
    netdevs = {
      "20-br-vms" = {
        netdevConfig = {
          Name = "br-vms";
          Kind = "bridge";
        };
      };
    };
    networks = {
      # Configure the bridge with an IP in your LAN
      "20-br-vms" = {
        matchConfig.Name = "br-vms";
        address = [ "192.168.50.2/24" ];
        networkConfig = {
          ConfigureWithoutCarrier = true;
          # VMs will use this as their gateway
        };
        linkConfig = {
          RequiredForOnline = "no";
        };
      };
      # Tap interface for forgejo VM (handles both vm-forgejo and vm--forgejo)
      "30-vm-forgejo" = {
        matchConfig.Name = "vm-*forgejo";
        networkConfig = {
          Bridge = "br-vms";
          ConfigureWithoutCarrier = true;
        };
        linkConfig = {
          RequiredForOnline = "no";
        };
      };
      # Tap interface for vaultwarden VM (if you add it)
      "30-vm-vaultwarden" = {
        matchConfig.Name = "vm-*vaultwarden";
        networkConfig = {
          Bridge = "br-vms";
          ConfigureWithoutCarrier = true;
        };
        linkConfig = {
          RequiredForOnline = "no";
        };
      };
    };
  };
 }
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@ -36,11 +36,6 @@ in
                database.type = "postgres";
                lfs.enable = true;
                secrets = {
                  mailer.PASSWD = "${secrets}/${service.name}-smtp";
                  database.PASSWD = "${secrets}/${service.name}-database";
                };
                dump = {
                  interval = "5:00";
                  type = "zip";
@ -91,8 +86,33 @@ in
            systemd = {
              tmpfiles.rules = [
                "d ${secrets} 0755 ${service.name} ${service.name} -"
                "d /run/forgejo 0755 ${service.name} ${service.name} -"
              ];
              services.copy-forgejo-secrets = {
                description = "Prepare Forgejo secrets environment file";
                before = [ "forgejo.service" ];
                wantedBy = [ "multi-user.target" ];
                serviceConfig = {
                  Type = "oneshot";
                  User = service.name;
                  Group = service.name;
                };
                script = ''
                  cat > /run/forgejo/env << EOF
                  FORGEJO__database__PASSWD=$(cat /run/secrets/${service.name}-database)
                  FORGEJO__mailer__PASSWD=$(cat /run/secrets/${service.name}-smtp)
                  EOF
                  chmod 600 /run/forgejo/env
                '';
              };
              services.forgejo = {
                serviceConfig = {
                  EnvironmentFile = "/run/forgejo/env";
                };
              };
              services.forgejo-dump = {
                serviceConfig = {
                  ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${service.varPaths.path0}/dump | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@ -9,7 +9,13 @@ in
 {
  networking = {
    hostName = ceres.name;
-    networkmanager.enable = true;
+    networkmanager = {
      enable = true;
      unmanaged = [
        "interface-name:br-vms"
        "interface-name:vm-*"
      ];
    };
    nftables.enable = true;
    useDHCP = lib.mkDefault true;
    firewall = {
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@ -19,8 +19,11 @@ in
    nat = {
      enable = true;
      enableIPv6 = true;
-      externalInterface = "eth0";
+      externalInterface = "enp10s0";
-      internalInterfaces = [ "wg0" ];
+      internalInterfaces = [
        "wg0"
        "br-vms"
      ];
    };
    wireguard.interfaces = {