test: trying to get microVMs to work

modules/nixos/services/firefly-iii/default.nix

@@ -14,6 +14,7 @@ let
   host = serviceCfg.domains.url0;
   dns0 = instances.web.dns.provider0;
   dns0Path = "dns/${dns0}";
+  hostSecrets = "/opt/secrets";
 in
 {
   microvm.vms.${serviceCfg.name} = {
@@ -175,7 +176,7 @@ in
           {
             mountPoint = "/run/secrets";
             proto = "virtiofs";
-            source = "/var/lib/secrets/${serviceCfg.name}";
+            source = "${hostSecrets}/${serviceCfg.name}";
             tag = "host_secrets";
           }
         ];
@@ -201,7 +202,7 @@ in
         (secret: {
           name = "${serviceCfg.name}/${secret}";
           value = {
-            path = "/var/lib/secrets";
+            path = hostSecrets;
             owner = "root";
             mode = "600";
           };

modules/nixos/services/forgejo/default.nix

@@ -12,6 +12,7 @@ let
   host = serviceCfg.domains.url0;
   dns0 = instances.web.dns.provider0;
   dns0Path = "dns/${dns0}";
+  hostSecrets = "/opt/secrets";
 in
 {
   users.users.caddy.extraGroups = [ "acme" ];
@@ -179,7 +180,7 @@ in
           {
             mountPoint = "/run/secrets";
             proto = "virtiofs";
-            source = "/var/lib/secrets/${serviceCfg.name}";
+            source = "${hostSecrets}/${serviceCfg.name}";
             tag = "host_secrets";
           }
         ];
@@ -207,12 +208,12 @@ in
 
   sops.secrets = {
     "${serviceCfg.name}/smtp" = {
-      path = "/var/lib/secrets";
+      path = hostSecrets;
       owner = "root";
       mode = "0600";
     };
     "${serviceCfg.name}/database" = {
-      path = "/var/lib/secrets";
+      path = hostSecrets;
       owner = "root";
       mode = "0600";
     };

modules/nixos/services/vaultwarden/default.nix

@@ -12,6 +12,7 @@ let
   dns0 = instances.web.dns.provider0;
   host = serviceCfg.domains.url0;
   dns0Path = "dns/${dns0}";
+  hostSecrets = "/opt/secrets";
 in
 {
 
@@ -148,7 +149,7 @@ in
           {
             mountPoint = "/run/secrets";
             proto = "virtiofs";
-            source = "/var/lib/secrets/${serviceCfg.name}";
+            source = "${hostSecrets}/${serviceCfg.name}";
             tag = "host_secrets";
           }
         ];
@@ -184,7 +185,7 @@ in
 
   sops.secrets = {
     "${serviceCfg.name}/env" = {
-      path = "/var/lib/secrets";
+      path = hostSecrets;
       owner = "root";
       mode = "0600";
     };

systems/ceres/config/filesystem.nix

@@ -111,6 +111,7 @@ in
     directories = [
       "/var/cache"
       "/var/lib"
+      "/opt/secrets"
       {
         directory = "/etc/ssh";
         mode = "u=rwx,g=rx,o=rx";
@@ -134,7 +135,9 @@ in
 
   systemd.tmpfiles.rules = [
     "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"
-    "Z /mnt/storage 2775 root root -"
+    "d /mnt/storage 2775 root root -"
+    "d /opt/secrets 2775 root root -"
+
   ];
 
   services.udisks2.enable = true;