From bc73d3bc98ddc0e572976edb39b1dd4cd577e23d Mon Sep 17 00:00:00 2001
From: Nick
Date: Mon, 10 Nov 2025 01:55:02 -0600
Subject: [PATCH] test: trying to get microVMs to work

---
 modules/nixos/services/firefly-iii/default.nix | 5 +++--
 modules/nixos/services/forgejo/default.nix | 7 ++++---
 modules/nixos/services/vaultwarden/default.nix | 5 +++--
 systems/ceres/config/filesystem.nix | 5 ++++-
 4 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/modules/nixos/services/firefly-iii/default.nix b/modules/nixos/services/firefly-iii/default.nix
index 11312a5..aa58ec0 100755
--- a/modules/nixos/services/firefly-iii/default.nix
+++ b/modules/nixos/services/firefly-iii/default.nix
@@ -14,6 +14,7 @@ let
  host = serviceCfg.domains.url0;
  dns0 = instances.web.dns.provider0;
  dns0Path = "dns/${dns0}";
+ hostSecrets = "/opt/secrets";
 in
 {
  microvm.vms.${serviceCfg.name} = {
@@ -175,7 +176,7 @@ in
  {
  mountPoint = "/run/secrets";
  proto = "virtiofs";
- source = "/var/lib/secrets/${serviceCfg.name}";
+ source = "${hostSecrets}/${serviceCfg.name}";
  tag = "host_secrets";
  }
  ];
@@ -201,7 +202,7 @@ in
  (secret: {
  name = "${serviceCfg.name}/${secret}";
  value = {
- path = "/var/lib/secrets";
+ path = hostSecrets;
  owner = "root";
  mode = "600";
  };
diff --git a/modules/nixos/services/forgejo/default.nix b/modules/nixos/services/forgejo/default.nix
index 7acb016..bcfe6e1 100644
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@@ -12,6 +12,7 @@ let
  host = serviceCfg.domains.url0;
  dns0 = instances.web.dns.provider0;
  dns0Path = "dns/${dns0}";
+ hostSecrets = "/opt/secrets";
 in
 {
  users.users.caddy.extraGroups = [ "acme" ];
@@ -179,7 +180,7 @@ in
  {
  mountPoint = "/run/secrets";
  proto = "virtiofs";
- source = "/var/lib/secrets/${serviceCfg.name}";
+ source = "${hostSecrets}/${serviceCfg.name}";
  tag = "host_secrets";
  }
  ];
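Review bot: `hostSecrets = "/opt/secrets";` is introduced as an identical literal in the `let` of this hunk and again in the forgejo (`@@ -12,6 +12,7`) and vaultwarden (`@@ -12,6 +12,7`) modules, while systems/ceres/config/filesystem.nix spells the same path out twice more; the next move of this directory has to be made in five places, and a miss leaves one VM mounting a path that nothing populates. Define it once — an option the host module sets and the service modules read, or a value passed through the module arguments — and reference that here. A short comment on the binding would also help, e.g. `# host-side directory that sops-nix decrypts into and each microVM mounts via virtiofs`.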
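Review bot: `path = hostSecrets;` in this hunk points every secret produced by the surrounding `map` at the single path `/opt/secrets`, while the virtiofs share changed in `@@ -175,7 +176,7` expects a directory `${hostSecrets}/${serviceCfg.name}` to exist on the host. If sops-nix's `path` is, as I understand it, the location of the decrypted file itself rather than a directory, each secret would overwrite the previous one at `/opt/secrets` and the directory the VM mounts would never be populated, which matches the "trying to get microVMs to work" symptom in the subject. The per-secret path should carry the service and secret name, e.g. `path = "${hostSecrets}/${serviceCfg.name}/${secret}";`; the same applies to the forgejo `@@ -207,12 +208,12` and vaultwarden `@@ -184,7 +185,7` hunks, whose literal secret names (`smtp`, `database`, `env`) would form the last segment. The `sops.secrets` attribute set this `map` feeds starts outside the hunk.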
@@ -207,12 +208,12 @@ in
 
  sops.secrets = {
  "${serviceCfg.name}/smtp" = {
- path = "/var/lib/secrets";
+ path = hostSecrets;
  owner = "root";
  mode = "0600";
  };
  "${serviceCfg.name}/database" = {
- path = "/var/lib/secrets";
+ path = hostSecrets;
  owner = "root";
  mode = "0600";
  };
diff --git a/modules/nixos/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
index 369036d..6fc55cd 100755
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@@ -12,6 +12,7 @@ let
  dns0 = instances.web.dns.provider0;
  host = serviceCfg.domains.url0;
  dns0Path = "dns/${dns0}";
+ hostSecrets = "/opt/secrets";
 in
 {
 
@@ -148,7 +149,7 @@ in
  {
  mountPoint = "/run/secrets";
  proto = "virtiofs";
- source = "/var/lib/secrets/${serviceCfg.name}";
+ source = "${hostSecrets}/${serviceCfg.name}";
  tag = "host_secrets";
  }
  ];
@@ -184,7 +185,7 @@ in
 
  sops.secrets = {
  "${serviceCfg.name}/env" = {
- path = "/var/lib/secrets";
+ path = hostSecrets;
  owner = "root";
  mode = "0600";
  };
diff --git a/systems/ceres/config/filesystem.nix b/systems/ceres/config/filesystem.nix
index aa0e4ea..acd00b1 100755
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@@ -111,6 +111,7 @@ in
  directories = [
  "/var/cache"
  "/var/lib"
+ "/opt/secrets"
  {
  directory = "/etc/ssh";
  mode = "u=rwx,g=rx,o=rx";
@@ -134,7 +135,9 @@ in
 
  systemd.tmpfiles.rules = [
  "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"
- "Z /mnt/storage 2775 root root -"
+ "d /mnt/storage 2775 root root -"
+ "d /opt/secrets 2775 root root -"
+
  ];
 
  services.udisks2.enable = true;
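Review bot: Adding `"/opt/secrets"` to the `directories` list in `@@ -111,6 +111,7` of systems/ceres/config/filesystem.nix persists the decrypted secret files across reboots, whereas the host_secrets share only needs the directory to exist at boot and sops-nix re-populates it on every activation. If this list drives an impermanence-style persistence of the root filesystem (its owning attribute is outside the hunk, so I am inferring from the neighbouring `/var/cache` and `/var/lib` entries), the entry keeps plaintext service credentials on whatever backs the persisted directories and in any backup of it. The `d /opt/secrets` tmpfiles rule added in `@@ -134,7 +135,9` already creates the directory, so this entry can be dropped; if it must stay, a comment such as `# holds decrypted sops secrets shared into microVMs; exclude from backups` should accompany it.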
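Review bot: `"d /opt/secrets 2775 root root -"` in `@@ -134,7 +135,9` creates the directory that will hold decrypted secrets as group-writable and world-listable; nothing in this patch needs either, the secret files themselves are declared `owner = "root"` with mode 0600, and a world-listable parent lets any local account enumerate which service secrets exist by name. Tighten it to `"d /opt/secrets 0700 root root -"` (or 0750 with a dedicated group if the virtiofs daemon runs unprivileged — its user is not visible here). The stray empty `+` line before `];` looks accidental. Switching `/mnt/storage` from `Z` to `d` also changes that rule from recursive to top-level-only ownership and mode adjustment; if that is intended, the commit message should say so.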