From 7c48cded1d632daad82a224897e49bfbabf3de04 Mon Sep 17 00:00:00 2001
From: Nick
Date: Mon, 10 Nov 2025 03:43:05 -0600
Subject: [PATCH] test: trying to get microVMs to work

---
 modules/nixos/services/firefly-iii/default.nix | 5 ++---
 modules/nixos/services/forgejo/default.nix | 6 ++----
 modules/nixos/services/vaultwarden/default.nix | 5 ++---
 systems/ceres/config/filesystem.nix | 12 ------------
 4 files changed, 6 insertions(+), 22 deletions(-)

diff --git a/modules/nixos/services/firefly-iii/default.nix b/modules/nixos/services/firefly-iii/default.nix
index aa58ec0..97d485b 100755
--- a/modules/nixos/services/firefly-iii/default.nix
+++ b/modules/nixos/services/firefly-iii/default.nix
@@ -125,7 +125,7 @@ in
 tmpfiles.rules = [
 "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
- "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
 "Z /var/lib/postgresql 755 postgres postgres -"
 ];
 };
@@ -176,7 +176,7 @@ in
 {
 mountPoint = "/run/secrets";
 proto = "virtiofs";
- source = "${hostSecrets}/${serviceCfg.name}";
+ source = "/run/secrets/${serviceCfg.name}";
 tag = "host_secrets";
 }
 ];
@@ -202,7 +202,6 @@ in
 (secret: {
 name = "${serviceCfg.name}/${secret}";
 value = {
- path = hostSecrets;
 owner = "root";
 mode = "600";
 };
diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix
index bcfe6e1..ad903f3 100644
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@@ -128,7 +128,7 @@ in
 tmpfiles.rules = [
 "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
- "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+ # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
 "Z /var/lib/postgresql 0755 postgres postgres -"
 ];
 };
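Review bot: The `Z ${serviceCfg.secretPaths.path0} 0755 ...` tmpfiles rule is commented out rather than deleted, here in the firefly-iii `@@ -125` hunk and identically in forgejo `@@ -128`. Because `Z` is recursive, re-enabling it would reset every secret file under that path to mode 0755 owned by the service user, undoing the `owner = "root"` and 600 mode the `sops.secrets` hunk of the same file keeps, so the safer change is to remove the line outright and, if the directory itself still has to exist for the guest mount, use a non-recursive `d`/`z` entry on the directory alone. A bare `# ` prefix also leaves no record of why the rule was disabled; a one-line `# secrets are root:0600 from sops-nix; do not relax their mode here` would carry the intent. `serviceCfg.secretPaths.path0` may now be unreferenced in this module, but the rest of the module is outside the hunk.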
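Review bot: The share `source` becomes the literal host path `/run/secrets/${serviceCfg.name}` (firefly-iii `@@ -176`, and the same line in forgejo `@@ -180` and vaultwarden `@@ -149`), which only lines up with where sops-nix writes the `${serviceCfg.name}/...` secrets because the `path = hostSecrets` override is dropped in the `@@ -202` hunk below; nothing expresses that coupling, so a later `path` override or a changed sops-nix default would silently export an empty or missing directory into the guest. Deriving the directory from the secret definitions (`config.sops.secrets."<name>".path`) or at least adding `# must match the default sops-nix location of the "${serviceCfg.name}/*" secrets` above `source` would keep the two from drifting. It should also be verified how virtiofsd behaves when `/run/secrets` on the host is a symlink into a per-activation generation directory, since the share could keep serving the generation that was current when the VM started.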
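Review bot: With `path = hostSecrets` removed (firefly-iii `@@ -202`, forgejo `@@ -208`, vaultwarden `@@ -185`) the files stay at the sops-nix default location as root-owned with mode 600, and the `Z ... 0755` rule that previously re-owned them is disabled in the same patch, so none of the visible hunks grants the service user inside the guest read access to them; virtiofs presents host uid/gid to the guest unless the share is configured to map them. Confirm the services actually start against root:0600 files rather than fixing a failure later by widening the mode; if group access is the intended route, `group = "<service group>"; mode = "0440";` (with a matching gid in the guest) keeps the files unreadable to others. The enclosing `sops.secrets` attrset continues outside the hunk.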
@@ -180,7 +180,7 @@ in
 {
 mountPoint = "/run/secrets";
 proto = "virtiofs";
- source = "${hostSecrets}/${serviceCfg.name}";
+ source = "/run/secrets/${serviceCfg.name}";
 tag = "host_secrets";
 }
 ];
@@ -208,12 +208,10 @@ in
 sops.secrets = {
 "${serviceCfg.name}/smtp" = {
- path = hostSecrets;
 owner = "root";
 mode = "0600";
 };
 "${serviceCfg.name}/database" = {
- path = hostSecrets;
 owner = "root";
 mode = "0600";
 };
diff --git a/modules/nixos/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
index bae4bc2..39e9a56 100755
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@@ -12,7 +12,7 @@ let
 dns0 = instances.web.dns.provider0;
 host = serviceCfg.domains.url0;
 dns0Path = "dns/${dns0}";
- hostSecrets = "/opt/secrets";
+ hostSecrets = "/var/lib/secrets/${serviceCfg.name}";
 in
 {
@@ -149,7 +149,7 @@ in
 {
 mountPoint = "/run/secrets";
 proto = "virtiofs";
- source = "${hostSecrets}/${serviceCfg.name}";
+ source = "/run/secrets/${serviceCfg.name}";
 tag = "host_secrets";
 }
 ];
@@ -185,7 +185,6 @@ in
 sops.secrets = {
 "${serviceCfg.name}/env" = {
- path = hostSecrets;
 owner = "root";
 mode = "0600";
 };
diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix
index 3a4c33e..65c216c 100755
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@@ -77,10 +77,6 @@ in
 neededForBoot = true;
 };
- "/opt/secrets" = {
- neededForBoot = true;
- };
-
 } // (builtins.listToAttrs (
 builtins.concatMap (drive: map (folder: sambaMounts drive folder) sambaFolders)
 sambaDrives
@@ -121,12 +117,6 @@ in
 mode = "u=rwx,g=rx,o=rx";
 user = "root";
 }
- {
- directory = "/opt/secrets";
- mode = "u=rwx,g=rx,o=rx";
- user = "root";
- }
-
 ];
 hideMounts = true;
 users.${user0} = {
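Review bot: In the vaultwarden `@@ -12` hunk `hostSecrets` is rebound to `/var/lib/secrets/${serviceCfg.name}`, yet the only two readers of it — the share `source` in `@@ -149` and `path` in `@@ -185` — stop using it in this same patch, so the binding appears to be dead; either drop it from the `let` or make the share and the secret definitions both refer to it so the host-side path is written once. If `/var/lib/secrets` is meant to become the persistent home of the secrets now that the `/opt/secrets` filesystem, persistence and tmpfiles entries are deleted from `systems/ceres/config/filesystem.nix`, nothing in this patch creates, persists or restricts that directory, and it would need the same `neededForBoot`/persistence treatment the removed entries had. The firefly-iii and forgejo modules presumably carry a similar, now-unused `hostSecrets` binding outside their hunks. The remainder of the `let` block is outside the hunk.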
@@ -146,8 +136,6 @@ in
 systemd.tmpfiles.rules = [
 "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"
 "d /mnt/storage 2775 root root -"
- "d /opt/secrets 0755 root root -"
-
 ];
 services.udisks2.enable = true;