test: trying to get microVMs to work

2025-12-06 21:17:14 -06:00 · 2025-11-10 01:55:02 -06:00 · 2025-11-10 01:55:02 -06:00 · bc73d3bc98
commit bc73d3bc98
parent 72bb3fbe34
4 changed files with 14 additions and 8 deletions
--- a/modules/nixos/services/firefly-iii/default.nix
+++ b/modules/nixos/services/firefly-iii/default.nix
@ -14,6 +14,7 @@ let
  host = serviceCfg.domains.url0;
  dns0 = instances.web.dns.provider0;
  dns0Path = "dns/${dns0}";
+  hostSecrets = "/opt/secrets";
 in
 {
  microvm.vms.${serviceCfg.name} = {
@ -175,7 +176,7 @@ in
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
-            source = "/var/lib/secrets/${serviceCfg.name}";
+            source = "${hostSecrets}/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
@ -201,7 +202,7 @@ in
        (secret: {
          name = "${serviceCfg.name}/${secret}";
          value = {
-            path = "/var/lib/secrets";
+            path = hostSecrets;
            owner = "root";
            mode = "600";
          };
--- a/modules/nixos/services/forgejo/default.nix
+++ b/modules/nixos/services/forgejo/default.nix
@ -12,6 +12,7 @@ let
  host = serviceCfg.domains.url0;
  dns0 = instances.web.dns.provider0;
  dns0Path = "dns/${dns0}";
+  hostSecrets = "/opt/secrets";
 in
 {
  users.users.caddy.extraGroups = [ "acme" ];
@ -179,7 +180,7 @@ in
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
-            source = "/var/lib/secrets/${serviceCfg.name}";
+            source = "${hostSecrets}/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
@ -207,12 +208,12 @@ in

  sops.secrets = {
    "${serviceCfg.name}/smtp" = {
-      path = "/var/lib/secrets";
+      path = hostSecrets;
      owner = "root";
      mode = "0600";
    };
    "${serviceCfg.name}/database" = {
-      path = "/var/lib/secrets";
+      path = hostSecrets;
      owner = "root";
      mode = "0600";
    };
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
@ -12,6 +12,7 @@ let
  dns0 = instances.web.dns.provider0;
  host = serviceCfg.domains.url0;
  dns0Path = "dns/${dns0}";
+  hostSecrets = "/opt/secrets";
 in
 {

@ -148,7 +149,7 @@ in
          {
            mountPoint = "/run/secrets";
            proto = "virtiofs";
-            source = "/var/lib/secrets/${serviceCfg.name}";
+            source = "${hostSecrets}/${serviceCfg.name}";
            tag = "host_secrets";
          }
        ];
@ -184,7 +185,7 @@ in

  sops.secrets = {
    "${serviceCfg.name}/env" = {
-      path = "/var/lib/secrets";
+      path = hostSecrets;
      owner = "root";
      mode = "0600";
    };
--- a/systems/ceres/config/filesystem.nix
+++ b/systems/ceres/config/filesystem.nix
@ -111,6 +111,7 @@ in
    directories = [
      "/var/cache"
      "/var/lib"
+      "/opt/secrets"
      {
        directory = "/etc/ssh";
        mode = "u=rwx,g=rx,o=rx";
@ -134,7 +135,9 @@ in

  systemd.tmpfiles.rules = [
    "Z ${config.home-manager.users.${user0}.home.homeDirectory} 0755 ${user0} users -"
-    "Z /mnt/storage 2775 root root -"
+    "d /mnt/storage 2775 root root -"
+    "d /opt/secrets 2775 root root -"
+
  ];

  services.udisks2.enable = true;