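{ config, flake, ... }:
let
  inherit (flake.config.people) user0;
  inherit (flake.config.services) instances;
  # Per-instance settings (name, ports) shared by the host and guest halves below.
  serviceCfg = instances.jellyfin;
  # Fixed uid/gid for the jellyfin account. It is declared with the same value on
  # the host and inside the guest, presumably so ownership on the virtiofs shares
  # maps 1:1 — TODO confirm against the virtiofsd uid mapping in use.
  id = 993;
in
{
  # Builds one Jellyfin microVM plus the host-side accounts and directories it
  # needs. Returns a NixOS attrset fragment (microvm.vms, users, systemd.tmpfiles).
  #
  # Arguments:
  #   user    - owner label; suffixes the VM name, tap interface id and share tags.
  #   ip      - guest LAN address, assigned as ${ip}/24 on enp0s6.
  #   mac     - MAC for the tap (LAN) interface.
  #   userMac - MAC for the qemu user-mode ("vmuser-cloud") interface.
  #   ssh     - host TCP port forwarded to guest port 22.
  #   mnt     - host directory under which <name>/{data,cache,media} are created.
  #   host    - accepted for compatibility; not referenced in this function.
  #   gateway - guest default route; optional, defaults to the value that used to
  #             be hard-coded. Assumes ip lies in the gateway's /24 — TODO confirm.
  #   dns     - resolvers handed to the guest; optional, same defaults as before.
  jellyfinVM =
    { user
    , ip
    , mac
    , userMac
    , ssh
    , mnt
    , host
    , gateway ? "192.168.50.1"
    , dns ? [ "1.1.1.1" "8.8.8.8" ]
    }:
    let
      name = serviceCfg.name;
      # Host-side root of the three persistent directories shared into the guest.
      shareRoot = "${mnt}/${name}";
      # Rule for a guest-owned directory; the mount points below are created
      # before the virtiofs shares are mounted on top of them.
      guestDir = path: "d ${path} 0755 ${name} ${name} -";
    in
    {
      microvm.vms."${name}-${user}" = {
        autostart = true;
        restartIfChanged = true;
        config = {
          system.stateVersion = "25.05";
          time.timeZone = "America/Winnipeg";

          # Root is reachable only with user0's keys: password auth is off and
          # PermitRootLogin is key-only (prohibit-password).
          users.users.root.openssh.authorizedKeys.keys =
            flake.config.people.users.${user0}.sshKeys;

          services = {
            jellyfin = {
              enable = true;
              openFirewall = true;
            };
            openssh = {
              enable = true;
              settings = {
                PasswordAuthentication = false;
                PermitRootLogin = "prohibit-password";
              };
            };
          };

          # Pin the service account to the shared uid/gid (see `id` above).
          users.users.jellyfin = {
            isSystemUser = true;
            group = name;
            uid = id;
          };
          users.groups.jellyfin = { gid = id; };

          # Explicit allow-list in addition to openFirewall: ssh plus the ports
          # configured for this instance.
          networking.firewall.allowedTCPPorts = [
            22
            serviceCfg.ports.port0
            serviceCfg.ports.port1
            serviceCfg.ports.port2
          ];

          # Large sticky tmpfs for /tmp (6G); presumably transcoding scratch — confirm.
          fileSystems."/tmp" = {
            device = "tmpfs";
            fsType = "tmpfs";
            options = [ "size=6G" "mode=1777" ];
          };

          systemd = {
            network = {
              enable = true;
              networks."20-lan" = {
                matchConfig.Name = "enp0s6";
                addresses = [ { Address = "${ip}/24"; } ];
                routes = [ { Destination = "0.0.0.0/0"; Gateway = gateway; } ];
                dns = dns;
              };
            };
            tmpfiles.rules = [
              (guestDir "/var/cache/${name}")
              (guestDir "/var/lib/${name}")
              (guestDir "/var/lib/${name}-media")
            ];
          };
          systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];

          microvm = {
            vcpu = 4;
            mem = 1024 * 3;
            hypervisor = "qemu";
            interfaces = [
              # LAN-facing tap, bridged by the host.
              { type = "tap"; id = "vm-jf-${user}"; mac = mac; }
              # qemu user-mode NIC; carries the ssh port forward below.
              { type = "user"; id = "vmuser-cloud"; mac = userMac; }
            ];
            forwardPorts = [
              { from = "host"; host.port = ssh; guest.port = 22; }
            ];
            # Share order is kept as-is; tags are namespaced per user so two
            # instances on one host never collide.
            shares = [
              {
                mountPoint = "/nix/.ro-store";
                proto = "virtiofs";
                source = "/nix/store";
                tag = "read_only_nix_store";
              }
              {
                mountPoint = "/var/lib/${name}";
                proto = "virtiofs";
                source = "${shareRoot}/data";
                tag = "${name}_${user}_data";
              }
              {
                mountPoint = "/var/cache/${name}";
                proto = "virtiofs";
                source = "${shareRoot}/cache";
                tag = "${name}_${user}_cache";
              }
              {
                mountPoint = "/var/lib/${name}-media";
                proto = "virtiofs";
                source = "${shareRoot}/media";
                tag = "${name}_${user}_media";
              }
            ];
          };
        };
      };

      # Host side: matching jellyfin account (same uid/gid as the guest) with
      # user0 added to its group; caddy gets the acme group for certificate access.
      users = {
        groups.jellyfin = {
          gid = id;
          members = [ user0 ];
        };
        users = {
          jellyfin = {
            isSystemUser = true;
            group = name;
            uid = id;
          };
          caddy.extraGroups = [ "acme" ];
        };
      };

      # Host directories backing the shares. They are owned by microvm:wheel, not
      # by the jellyfin account declared above; media is group-writable (0775) so
      # wheel members can drop files in, the others are 0755.
      systemd.tmpfiles.rules = [
        "d ${shareRoot} 0755 microvm wheel - -"
        "d ${shareRoot}/data 0755 microvm wheel - -"
        "d ${shareRoot}/cache 0755 microvm wheel - -"
        "d ${shareRoot}/media 0775 microvm wheel - -"
      ];
    };
}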