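# Host-side NixOS module for the `upRootNutrition` service: declares a microVM
# that serves the static website and the host-level Caddy/ACME front-end that
# publishes it under `host`.
#
# Inputs taken from the module arguments:
#   flake  - people (admin user `user0`, their SSH keys) and service instance
#            data (interface/IP/MAC, domains, ssl paths, DNS provider)
#   pkgs   - used to select the system-specific `website` package
#   config - used to resolve the sops secret path for the DNS provider
#   lib    - currently unused; kept so the module signature stays the same
{ config, flake, pkgs, lib, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;
  serviceCfg = instances.upRootNutrition;
  # Public hostname the host Caddy answers for.
  host = serviceCfg.domains.url0;
  # Built static site; exposed inside the VM at /etc/website.
  websitePkg = flake.self.packages.${pkgs.system}.website;
in
{
  microvm.vms.${serviceCfg.name} = {
    autostart = true;

    # Guest configuration.
    config = {
      system.stateVersion = "25.05";

      # 22 for admin SSH into the guest, 80 for the in-guest Caddy that the
      # host reverse-proxies to.
      networking.firewall.allowedTCPPorts = [ 22 80 ];

      services.openssh = {
        enable = true;
        settings = {
          PasswordAuthentication = false;
          # PasswordAuthentication=false alone does not stop password prompts
          # delivered through keyboard-interactive (PAM); close that path too
          # so the only accepted method is the authorized key below.
          KbdInteractiveAuthentication = false;
          # Root is the only account with keys here; state key-only root
          # login explicitly instead of relying on the sshd default.
          PermitRootLogin = "prohibit-password";
        };
      };

      # Static site contents, read-only, for Caddy's file_server root.
      environment.etc."website".source = websitePkg;

      users.users.root.openssh.authorizedKeys.keys =
        flake.config.people.users.${user0}.sshKeys;

      # Static addressing on the tap-backed NIC; values come from the service
      # instance definition so host and guest agree on them.
      systemd = {
        network = {
          enable = true;
          networks."10-enp" = {
            matchConfig.Name = "enp0s3";
            addresses = [
              { Address = "${serviceCfg.interface.ip}/24"; }
            ];
            gateway = [ serviceCfg.interface.gate ];
          };
        };
      };

      # Plain-HTTP origin inside the guest; TLS is terminated on the host.
      services.caddy = {
        enable = true;
        virtualHosts.":80".extraConfig = ''
          root * /etc/website
          file_server
          try_files {path} /index.html
        '';
      };

      # VM resources and devices.
      microvm = {
        vcpu = 1;
        mem = 1024;
        hypervisor = "qemu";
        interfaces = [
          {
            type = "tap";
            id = serviceCfg.interface.id;
            mac = serviceCfg.interface.mac;
          }
        ];
        # Share the host store read-only so the guest closure need not be copied.
        shares = [
          {
            source = "/nix/store";
            mountPoint = "/nix/.ro-store";
            tag = "ro-store";
            proto = "virtiofs";
          }
        ];
      };
    };
  };

  # Host Caddy: terminates TLS for `host` and forwards to the guest over the
  # tap link. The proxied hop is plain HTTP on the guest's private address.
  services.caddy = {
    virtualHosts.${host}.extraConfig = ''
      reverse_proxy ${serviceCfg.interface.ip}:80
      tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
    '';
  };

  # DNS-01 ACME issuance for `host`; provider credentials come from sops.
  # NOTE(review): the virtualHost above pins `tls` to serviceCfg.ssl.cert/key
  # rather than using useACMEHost; presumably those paths point at this
  # certificate's output - confirm against the instance definition.
  security.acme.certs.${host} = {
    dnsProvider = instances.web.dns.provider0;
    environmentFile = config.sops.secrets."dns/${instances.web.dns.provider0}".path;
  };
}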