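# NixOS host module: runs Jellyfin inside a microvm.nix guest and fronts it with
# Caddy on the host. Service-specific values (name, ports, IPs, paths, cert
# locations) come from `flake.config.services.instances`; the NixOS `config`
# argument is only read for the sops secret that holds the DNS-provider
# credentials used by ACME.
{ config, flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;
  serviceCfg = instances.jellyfin;
  hostCfg = instances.web;
  dns0 = instances.web.dns.provider0;
  host = serviceCfg.domains.url0;
  # sops secret key for the DNS provider's API credentials ("dns/<provider>")
  dns0Path = "dns/${dns0}";
in
{
  microvm.vms = {
    ${serviceCfg.name} = {
      autostart = true;
      restartIfChanged = true;

      # Guest NixOS configuration.
      config = {
        system.stateVersion = "25.05";
        time.timeZone = "America/Winnipeg";

        # Root login into the guest is key-only (see PermitRootLogin below);
        # the keys are taken from the flake's people registry.
        users.users.root.openssh.authorizedKeys.keys =
          flake.config.people.users.${user0}.sshKeys;

        services = {
          jellyfin = {
            enable = true;
            # NOTE(review): openFirewall already opens Jellyfin's own ports,
            # so the explicit allowedTCPPorts list below partly duplicates it.
            openFirewall = true;
          };
          openssh = {
            enable = true;
            settings = {
              PasswordAuthentication = false;
              PermitRootLogin = "prohibit-password";
            };
          };
        };

        networking.firewall.allowedTCPPorts = [
          22
          serviceCfg.ports.port0
          serviceCfg.ports.port1
          serviceCfg.ports.port2
        ];

        # fileSystems."/tmp" = {
        #   device = "tmpfs";
        #   fsType = "tmpfs";
        #   options = [
        #     "size=4G"
        #     "mode=1777"
        #   ];
        # };

        systemd = {
          network = {
            enable = true;
            networks."20-lan" = {
              matchConfig.Name = "enp0s6";
              addresses = [
                { Address = "${serviceCfg.interface.ip}/24"; }
              ];
              routes = [
                {
                  # NOTE(review): a "/0" destination is a default route; this
                  # presumably expects hostCfg.localhost.address1 to be
                  # 0.0.0.0 — confirm, any other address would be odd here.
                  Destination = "${hostCfg.localhost.address1}/0";
                  Gateway = serviceCfg.interface.gate;
                }
              ];
              dns = [
                "1.1.1.1"
                "8.8.8.8"
              ];
            };
          };

          # Ownership/mode of the virtiofs-backed state directories inside the
          # guest. "Z" applies the mode and owner recursively on every boot
          # (slow on a large media tree and rewrites ownership of every file);
          # "d" only creates the directory if missing.
          #
          # Fixed: path2 (media) used to appear twice, once 0755 and once 0775.
          # systemd-tmpfiles ignores duplicate lines for the same path, so the
          # 0775 rule was silently dropped; keep the single 0775 rule, which
          # matches the host-side media directory below.
          tmpfiles.rules = [
            "Z ${serviceCfg.varPaths.path0} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
            "d ${serviceCfg.varPaths.path1} 0755 ${serviceCfg.name} ${serviceCfg.name} -"
            "Z ${serviceCfg.varPaths.path2} 0775 ${serviceCfg.name} ${serviceCfg.name} -"
          ];
        };

        systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];

        # microvm.nix hypervisor settings for this guest.
        microvm = {
          vcpu = 8;
          mem = 8192;
          hypervisor = "qemu";
          interfaces = [
            # tap: bridged interface that Caddy reaches the guest on
            {
              type = "tap";
              id = serviceCfg.interface.id;
              mac = serviceCfg.interface.mac;
            }
            # user: SLIRP interface used only for the SSH port forward below
            {
              type = "user";
              id = serviceCfg.interface.idUser;
              mac = serviceCfg.interface.macUser;
            }
          ];
          forwardPorts = [
            {
              from = "host";
              host.port = serviceCfg.interface.ssh;
              guest.port = 22;
            }
          ];
          shares = [
            # Host nix store exposed read-only to the guest.
            {
              mountPoint = "/nix/.ro-store";
              proto = "virtiofs";
              source = "/nix/store";
              tag = "read_only_nix_store";
            }
            # Jellyfin data/cache/media live on the host under mntPaths.path0
            # (created by the host-side tmpfiles rules at the bottom).
            {
              mountPoint = serviceCfg.varPaths.path0;
              proto = "virtiofs";
              source = "${serviceCfg.mntPaths.path0}/data";
              tag = "${serviceCfg.name}_data";
            }
            {
              mountPoint = serviceCfg.varPaths.path1;
              proto = "virtiofs";
              source = "${serviceCfg.mntPaths.path0}/cache";
              tag = "${serviceCfg.name}_cache";
            }
            {
              mountPoint = serviceCfg.varPaths.path2;
              proto = "virtiofs";
              source = "${serviceCfg.mntPaths.path0}/media";
              tag = "${serviceCfg.name}_media";
            }
          ];
        };
      };
    };
  };

  # Host side: ACME certificate for the public hostname, obtained via the
  # DNS-01 challenge with credentials from sops; readable by the caddy group.
  security.acme.certs."${host}" = {
    dnsProvider = dns0;
    environmentFile = config.sops.secrets.${dns0Path}.path;
    group = "caddy";
  };

  services = {
    caddy = {
      virtualHosts = {
        "${host}" = {
          # TLS terminates here; the hop to the guest is plain HTTP to the
          # tap-interface IP, so that segment is only as private as the bridge
          # the tap is attached to.
          # NOTE(review): `tls` points Caddy at serviceCfg.ssl.cert/key while
          # an ACME cert for the same host is declared above — confirm those
          # paths are the ACME-managed files, otherwise the ACME cert is unused.
          extraConfig = ''
            reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
              header_up X-Real-IP {remote_host}
            }
            tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
            encode zstd gzip
          '';
        };
      };
    };
  };

  users.users.caddy.extraGroups = [ "acme" ];

  # Host-side backing directories for the virtiofs shares. Owned by the
  # microvm user; media is group-writable (0775) to match the guest-side rule.
  systemd.tmpfiles.rules = [
    "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -"
    "d ${serviceCfg.mntPaths.path0}/data 0755 microvm wheel - -"
    "d ${serviceCfg.mntPaths.path0}/cache 0755 microvm wheel - -"
    "d ${serviceCfg.mntPaths.path0}/media 0775 microvm wheel - -"
  ];
}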