test: trying to get microVMs to work

2025-12-07 05:27:13 -06:00 · 2025-11-10 03:43:05 -06:00 · 2025-11-10 03:43:05 -06:00 · 7c48cded1d
commit 7c48cded1d
parent 6b3a861d28
4 changed files with 6 additions and 22 deletions
--- a/modules/nixos/services/firefly-iii/default.nix
+++ b/modules/nixos/services/firefly-iii/default.nix
@ -125,7 +125,7 @@ in
        tmpfiles.rules = [
          "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
-          "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+          # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          "Z /var/lib/postgresql 755 postgres postgres -"
        ];
      };
@ -176,7 +176,7 @@ in
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
-            source = "${hostSecrets}/${serviceCfg.name}";
+            source = "/run/secrets/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
@ -202,7 +202,6 @@ in
        (secret: {
          name = "${serviceCfg.name}/${secret}";
          value = {
            path = hostSecrets;
            owner = "root";
            mode = "600";
          };
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@ -128,7 +128,7 @@ in
        tmpfiles.rules = [
          "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
-          "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
+          # "Z ${serviceCfg.secretPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
          "Z /var/lib/postgresql 0755 postgres postgres -"
        ];
      };
@ -180,7 +180,7 @@ in
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
-            source = "${hostSecrets}/${serviceCfg.name}";
+            source = "/run/secrets/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
@ -208,12 +208,10 @@ in
  sops.secrets = {
    "${serviceCfg.name}/smtp" = {
      path = hostSecrets;
      owner = "root";
      mode = "0600";
    };
    "${serviceCfg.name}/database" = {
      path = hostSecrets;
      owner = "root";
      mode = "0600";
    };
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@ -12,7 +12,7 @@ let
  dns0 = instances.web.dns.provider0;
  host = serviceCfg.domains.url0;
  dns0Path = "dns/${dns0}";
-  hostSecrets = "/opt/secrets";
+  hostSecrets = "/var/lib/secrets/${serviceCfg.name}";
 in
 {
@ -149,7 +149,7 @@ in
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
-            source = "${hostSecrets}/${serviceCfg.name}";
+            source = "/run/secrets/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
@ -185,7 +185,6 @@ in
  sops.secrets = {
    "${serviceCfg.name}/env" = {
      path = hostSecrets;
      owner = "root";
      mode = "0600";
    };
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@ -77,10 +77,6 @@ in
      neededForBoot = true;
    };
    "/opt/secrets" = {
      neededForBoot = true;
    };
  }
  // (builtins.listToAttrs (
    builtins.concatMap (drive: map (folder: sambaMounts drive folder) sambaFolders) sambaDrives
@ -121,12 +117,6 @@ in
        mode = "u=rwx,g=rx,o=rx";
        user = "root";
      }
      {
        directory = "/opt/secrets";
        mode = "u=rwx,g=rx,o=rx";
        user = "root";
      }
    ];
    hideMounts = true;
    users.${user0} = {
@ -146,8 +136,6 @@ in
  systemd.tmpfiles.rules = [
    "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"
    "d /mnt/storage 2775 root root -"
    "d /opt/secrets 0755 root root -"
  ];
  services.udisks2.enable = true;