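{ flake, pkgs, lib, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;
  # Per-instance settings (interface ids/macs, ip, gateway, ssh forward port,
  # name) for this VM and for the host it runs on; both come from the flake's
  # own config, not from this file.
  serviceCfg = instances.zookeeper;
  hostCfg = instances.web;
  # Where the guest sees its secrets. Only this VM's own directory under the
  # host's /run/secrets is shared (see `shares` below), not the whole tree, so
  # a compromised guest cannot read other instances' secrets.
  guestSecretsDir = "/run/secrets";
in
{
  microvm.vms.zookeeper = {
    autostart = true;
    restartIfChanged = true;

    # Guest NixOS configuration.
    config = {
      system.stateVersion = "24.05";
      time.timeZone = "America/Winnipeg";

      # Key-only root access for user0. Password auth is off; NixOS's openssh
      # default for PermitRootLogin is prohibit-password, so root cannot log
      # in with a password either -- confirm nothing elsewhere overrides it.
      users.users.root.openssh.authorizedKeys.keys =
        flake.config.people.users.${user0}.sshKeys;
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };
      # This module opens only SSH in the guest firewall; any port the service
      # itself listens on is not reachable from the network unless added here.
      networking.firewall.allowedTCPPorts = [ 22 ];

      systemd.services.zookeeper = {
        wantedBy = [ "multi-user.target" ];
        # EnvironmentFile lives on a virtiofs share. Order the unit after that
        # mount so the first start does not fail with a missing env file and
        # then depend on Restart= to recover.
        unitConfig.RequiresMountsFor = [ guestSecretsDir ];
        serviceConfig = {
          ExecStart = lib.getExe flake.self.packages.${pkgs.system}.zookeeper;
          Restart = "always";
          RestartSec = 2;
          # The host's sops secret `<name>/env` shows up here via the
          # `host_secrets` share below.
          EnvironmentFile = "${guestSecretsDir}/env";
        };
      };
      systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];

      systemd.network = {
        enable = true;
        networks."20-lan" = {
          matchConfig.Name = "enp0s3";
          addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
          routes = [
            {
              # The /0 prefix makes this a default route whatever address1
              # holds; "0.0.0.0/0" would state that intent directly.
              # TODO(review): confirm address1 is the intended destination.
              Destination = "${hostCfg.localhost.address1}/0";
              Gateway = serviceCfg.interface.gate;
            }
          ];
          # Public resolvers: guest DNS queries leave the network unencrypted.
          # Point at an internal resolver if that is not acceptable.
          dns = [ "1.1.1.1" "8.8.8.8" ];
        };
      };
    };

    # Hypervisor-side settings.
    microvm = {
      vcpu = 1;
      mem = 1024;
      hypervisor = "qemu";
      interfaces = [
        # LAN-facing tap device, given the static address configured above.
        {
          type = "tap";
          id = serviceCfg.interface.id;
          mac = serviceCfg.interface.mac;
        }
        # QEMU user-mode NIC that carries the SSH port forward below.
        {
          type = "user";
          id = serviceCfg.interface.idUser;
          mac = serviceCfg.interface.macUser;
        }
      ];
      forwardPorts = [
        {
          from = "host";
          # No host.address is set, so with QEMU user networking the forward
          # is expected to bind on every host interface; set
          # host.address = "127.0.0.1" if guest SSH should only be reachable
          # from the host itself -- confirm against the microvm option docs.
          host.port = serviceCfg.interface.ssh;
          guest.port = 22;
        }
      ];
      shares = [
        {
          mountPoint = "/nix/.ro-store";
          proto = "virtiofs";
          source = "/nix/store";
          tag = "read_only_nix_store";
        }
        {
          # Only this instance's directory under the host's /run/secrets.
          mountPoint = guestSecretsDir;
          proto = "virtiofs";
          source = "/run/secrets/${serviceCfg.name}";
          tag = "host_secrets";
        }
      ];
    };
  };

  # Host-side sops secret, decrypted to /run/secrets/<name>/env as root-only.
  sops.secrets."${serviceCfg.name}/env" = {
    owner = "root";
    mode = "0600";
  };
}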