test: forgejo microVM

2025-12-06 21:17:14 -06:00 · 2025-11-06 12:29:48 -06:00 · 2025-11-06 12:29:48 -06:00 · 6011a900de
commit 6011a900de
parent 1376cdbe77
5 changed files with 97 additions and 11 deletions
--- a/modules/config/instances/config/forgejo.nix
+++ b/modules/config/instances/config/forgejo.nix
@ -38,12 +38,12 @@ in
    port0 = 3033;
  };
  interface = {
-    id = "${idPrefix}-${name}";
+    id = "${idPrefix}${name}";
    mac = "02:00:00:00:00:50";
-    idUser = "${userPrefix}-${name}";
+    idUser = "${userPrefix}${name}";
    macUser = "02:00:00:00:00:02";
    ip = "192.168.50.50";
-    gate = "192.168.50.1";
+    gate = "192.168.50.2";
    ssh = 2200;
  };
  ssl = {
--- a/modules/nixos/microvm/default.nix
+++ b/modules/nixos/microvm/default.nix
@ -3,4 +3,61 @@
  imports = [
    flake.inputs.microvm.nixosModules.host
  ];
+
+  # Enable systemd-networkd for microvm networking only
+  # NetworkManager handles the main network interface
+  systemd.network = {
+    enable = true;
+    wait-online.enable = false; # Don't wait for networkd interfaces
+
+    # Create a bridge for all microvms
+    netdevs = {
+      "20-br-vms" = {
+        netdevConfig = {
+          Name = "br-vms";
+          Kind = "bridge";
+        };
+      };
+    };
+
+    networks = {
+      # Configure the bridge with an IP in your LAN
+      "20-br-vms" = {
+        matchConfig.Name = "br-vms";
+        address = [ "192.168.50.2/24" ];
+        networkConfig = {
+          ConfigureWithoutCarrier = true;
+          # VMs will use this as their gateway
+        };
+        linkConfig = {
+          RequiredForOnline = "no";
+        };
+      };
+
+      # Tap interface for forgejo VM (handles both vm-forgejo and vm--forgejo)
+      "30-vm-forgejo" = {
+        matchConfig.Name = "vm-*forgejo";
+        networkConfig = {
+          Bridge = "br-vms";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig = {
+          RequiredForOnline = "no";
+        };
+      };
+
+      # Tap interface for vaultwarden VM (if you add it)
+      "30-vm-vaultwarden" = {
+        matchConfig.Name = "vm-*vaultwarden";
+        networkConfig = {
+          Bridge = "br-vms";
+          ConfigureWithoutCarrier = true;
+        };
+        linkConfig = {
+          RequiredForOnline = "no";
+        };
+      };
+    };
+  };
+
 }
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@ -36,11 +36,6 @@ in
                database.type = "postgres";
                lfs.enable = true;

-                secrets = {
-                  mailer.PASSWD = "${secrets}/${service.name}-smtp";
-                  database.PASSWD = "${secrets}/${service.name}-database";
-                };
-
                dump = {
                  interval = "5:00";
                  type = "zip";
@ -91,8 +86,33 @@ in
            systemd = {
              tmpfiles.rules = [
                "d ${secrets} 0755 ${service.name} ${service.name} -"
+                "d /run/forgejo 0755 ${service.name} ${service.name} -"
              ];

+              services.copy-forgejo-secrets = {
+                description = "Prepare Forgejo secrets environment file";
+                before = [ "forgejo.service" ];
+                wantedBy = [ "multi-user.target" ];
+                serviceConfig = {
+                  Type = "oneshot";
+                  User = service.name;
+                  Group = service.name;
+                };
+                script = ''
+                  cat > /run/forgejo/env << EOF
+                  FORGEJO__database__PASSWD=$(cat /run/secrets/${service.name}-database)
+                  FORGEJO__mailer__PASSWD=$(cat /run/secrets/${service.name}-smtp)
+                  EOF
+                  chmod 600 /run/forgejo/env
+                '';
+              };
+
+              services.forgejo = {
+                serviceConfig = {
+                  EnvironmentFile = "/run/forgejo/env";
+                };
+              };
+
              services.forgejo-dump = {
                serviceConfig = {
                  ExecStartPost = "${pkgs.nushell}/bin/nu -c 'ls ${service.varPaths.path0}/dump | where name =~ forgejo-backup and modified < ((date now) - 7day) | each { rm $in.name }'";
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@ -9,7 +9,13 @@ in
 {
  networking = {
    hostName = ceres.name;
-    networkmanager.enable = true;
+    networkmanager = {
+      enable = true;
+      unmanaged = [
+        "interface-name:br-vms"
+        "interface-name:vm-*"
+      ];
+    };
    nftables.enable = true;
    useDHCP = lib.mkDefault true;
    firewall = {
--- a/systems/ceres/config/wireguard.nix
+++ b/systems/ceres/config/wireguard.nix
@ -19,8 +19,11 @@ in
    nat = {
      enable = true;
      enableIPv6 = true;
-      externalInterface = "eth0";
-      internalInterfaces = [ "wg0" ];
+      externalInterface = "enp10s0";
+      internalInterfaces = [
+        "wg0"
+        "br-vms"
+      ];
    };

    wireguard.interfaces = {