{ config, flake, pkgs, ... }: let inherit (flake.config.people) user0; inherit (flake.config.services) instances; serviceCfg = instances.projectSite; host = flake.inputs.linkpage.secrets.domains.projectsite; websitePkg = flake.inputs.linkpage.packages.${pkgs.system}.websiteFrontend; in { systemd.tmpfiles.rules = [ "d ${serviceCfg.mntPaths.path0} 0755 microvm wheel - -" ]; microvm.vms.${serviceCfg.name} = { autostart = true; config = { system.stateVersion = "25.05"; networking.firewall.allowedTCPPorts = [ 22 8080 ]; services.openssh = { enable = true; settings.PasswordAuthentication = false; }; environment.etc."website".source = websitePkg; users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys; systemd = { network = { enable = true; networks."10-enp" = { matchConfig.Name = "enp0s3"; addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ]; gateway = [ serviceCfg.interface.gate ]; }; }; services.website = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { ExecStart = "${pkgs.miniserve}/bin/miniserve /etc/website --index index.html -p 8080"; Restart = "always"; }; }; }; microvm = { vcpu = 2; mem = 3072; hypervisor = "qemu"; interfaces = [ { type = "tap"; id = serviceCfg.interface.id; mac = serviceCfg.interface.mac; } ]; shares = [ { source = "/nix/store"; mountPoint = "/nix/.ro-store"; tag = "ro-store"; proto = "virtiofs"; } ]; }; }; }; services.caddy = { enable = true; virtualHosts.${host}.extraConfig = '' reverse_proxy ${serviceCfg.interface.ip}:8080 ''; }; security.acme.certs.${host} = { dnsProvider = instances.web.dns.provider1; environmentFile = config.sops.secrets."dns/${instances.web.dns.provider1}".path; }; }