# Host module for the project website.
#
# The site itself runs inside a QEMU microvm guest (static files served by
# Caddy on :80); the host runs a second Caddy that terminates TLS for the
# public domain and reverse-proxies to the guest over the tap interface.
{ config, flake, pkgs, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;

  site = instances.projectSite;
  domain = flake.inputs.linkpage.secrets.domains.projectsite;
  frontend = flake.inputs.linkpage.packages.${pkgs.system}.websiteFrontend;
  dnsProvider = instances.web.dns.provider1;

  # Guest-side Caddyfile: serve the built frontend, falling back to
  # index.html for client-side routes.
  guestCaddyfile = ''
    root * /etc/website
    file_server
    try_files {path} /index.html
  '';

  # Host-side Caddyfile: TLS from the NixOS ACME store, plaintext HTTP to the
  # guest. The guest hop is unencrypted and is only as private as the tap
  # link it travels over.
  hostCaddyfile = ''
    reverse_proxy ${site.interface.ip}:80
    tls /var/lib/acme/${domain}/fullchain.pem /var/lib/acme/${domain}/key.pem
  '';

  # NixOS configuration evaluated inside the guest.
  guest = {
    system.stateVersion = "25.05";

    # 22 for admin SSH, 80 for the plaintext origin the host proxy talks to.
    # Both are open to anything that can reach the guest's interface, not
    # just the host.
    networking.firewall.allowedTCPPorts = [ 22 80 ];

    # Key-only SSH for root; PermitRootLogin is left at the NixOS default.
    services.openssh.enable = true;
    services.openssh.settings.PasswordAuthentication = false;
    users.users.root.openssh.authorizedKeys.keys =
      flake.config.people.users.${user0}.sshKeys;

    # The frontend derivation is exposed read-only at /etc/website.
    environment.etc."website".source = frontend;

    # Static addressing on the tap NIC; values come from the shared service
    # instance definition so host and guest agree.
    systemd.network.enable = true;
    systemd.network.networks."10-enp" = {
      matchConfig.Name = "enp0s3";
      addresses = [ { Address = "${site.interface.ip}/24"; } ];
      gateway = [ site.interface.gate ];
    };

    services.caddy.enable = true;
    services.caddy.virtualHosts.":80".extraConfig = guestCaddyfile;

    microvm.vcpu = 2;
    microvm.mem = 3072;
    microvm.hypervisor = "qemu";
    microvm.interfaces = [
      {
        type = "tap";
        id = site.interface.id;
        mac = site.interface.mac;
      }
    ];
    # Only the host's nix store is shared into the guest, and read-only.
    microvm.shares = [
      {
        source = "/nix/store";
        mountPoint = "/nix/.ro-store";
        tag = "ro-store";
        proto = "virtiofs";
      }
    ];
  };
in
{
  # Pre-create the service's mount path on the host. Nothing in this module
  # shares it into the guest (the only share is the store) — presumably it is
  # consumed by another module; confirm it is still needed.
  systemd.tmpfiles.rules = [
    "d ${site.mntPaths.path0} 0755 microvm wheel - -"
  ];

  microvm.vms.${site.name} = {
    autostart = true;
    config = guest;
  };

  # Public entry point. NOTE(review): the `tls` directive points Caddy at the
  # ACME key file, but this module does not grant the caddy user read access
  # to /var/lib/acme/<domain> (e.g. via the cert's `group` option) nor wire
  # `reloadServices` for renewals — confirm both are configured elsewhere.
  services.caddy.enable = true;
  services.caddy.virtualHosts.${domain}.extraConfig = hostCaddyfile;

  # DNS-01 issuance; provider credentials are read from a sops-managed
  # environment file rather than being stored in the Nix store.
  security.acme.certs.${domain} = {
    inherit dnsProvider;
    environmentFile = config.sops.secrets."dns/${dnsProvider}".path;
  };
}