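# Host-side NixOS module declaring the "web" microVM (guest hostname web-02).
#
# `config` here is the HOST's module config: the guest definition below is a
# plain attribute set rather than a module function, so every
# `config.networkPrefix` reference reads the host's value.
{ lib, pkgs, config, ... }:
let
  hostname = "web-02";
  # Single source of truth for the guest NIC address; it must be identical in
  # the tap interface definition and in the systemd-networkd match rule below.
  mac = "02:00:00:00:01:01";
  # Host directory backing the guest's /persist virtiofs share.
  persistDir = "/var/lib/microvms/persist/${hostname}";
  # NOTE(review): this fetches the moving "master" tarball with no sha256, so
  # the guest's impermanence module changes whenever upstream moves and its
  # integrity is never verified (supply-chain risk). Pin it to a revision and
  # add the hash, e.g.
  #   builtins.fetchTarball {
  #     url = "https://github.com/nix-community/impermanence/archive/<REV>.tar.gz";
  #     sha256 = "<HASH>";
  #   }
  # (<REV>/<HASH> are placeholders to be filled in from upstream).
  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in
{
  microvm.vms = {
    web = {
      # The guest gets its own nixpkgs instantiation so the insecure/unfree
      # allowances below stay scoped to this VM and do not leak into the host.
      pkgs = import pkgs.path {
        config = {
          permittedInsecurePackages = [
            # needed for matrix
            # NOTE(review): opts this guest into a package nixpkgs marks as
            # insecure; re-check whether it is still required when the matrix
            # stack is next updated.
            "olm-3.2.16"
          ];
          allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "n8n" ];
        };
      };

      config = {
        microvm = {
          mem = 4096;
          # hypervisor = "cloud-hypervisor";
          shares = [
            {
              # Host store shared read-only into the guest.
              source = "/nix/store";
              mountPoint = "/nix/.ro-store";
              tag = "ro-store";
              proto = "virtiofs";
            }
            {
              source = persistDir;
              mountPoint = "/persist";
              tag = "persist";
              proto = "virtiofs";
            }
          ];
          volumes = [
            {
              image = "rootfs.img";
              mountPoint = "/";
              size = 102400;
            }
          ];
          interfaces = [
            {
              type = "tap";
              id = "vm-${hostname}";
              inherit mac;
            }
          ];
        };

        imports = [
          "${impermanence}/nixos.nix"
          ../network-prefix.nix
          ../../utils/modules/sops.nix
          ../../utils/modules/lego/lego.nix
          # ../../utils/modules/borgbackup.nix
          ./phpldapadmin.nix
          ./zammad.nix
          ./proxies.nix
          ./matrix.nix
          ./n8n.nix
        ];

        # Propagate the host's prefix into the guest so the imported
        # network-prefix module sees the same value.
        networkPrefix = config.networkPrefix;

        # sops decrypts secrets with the persisted host key, so /persist must be
        # available early (see neededForBoot below).
        sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
        sops.defaultSopsFile = ./secrets.yaml;

        time.timeZone = "Europe/Vienna";

        systemd.network.networks."10-lan" = {
          matchConfig.PermanentMACAddress = mac;
          address = [ "${config.networkPrefix}.97.5/24" ];
          gateway = [ "${config.networkPrefix}.97.1" ];
          dns = [ "${config.networkPrefix}.97.1" ];
        };

        # Forced because both the sops age key and the sshd host keys live under
        # /persist and are read during early boot.
        fileSystems."/persist".neededForBoot = lib.mkForce true;

        # NOTE(review): the virtiofs share is mounted at /persist, but the
        # persistence root is /persist-local, which no mount in this file
        # declares. Confirm it is provided elsewhere (e.g. by the rootfs
        # volume); otherwise these directories are not kept across rebuilds.
        environment.persistence."/persist-local" = {
          directories = [
            "/var/lib/zammad"
            "/var/lib/postgresql"
            "/var/lib/n8n"
            "/var/log"
            "/var/lib/systemd/coredump"
          ];
        };

        environment.systemPackages = with pkgs; [
          vim # my preferred editor
        ];

        networking.hostName = hostname;

        services.openssh = {
          enable = true;
          # Host keys are kept on the persistent share so the guest identity
          # survives rootfs rebuilds.
          hostKeys = [
            {
              path = "/persist/etc/ssh/ssh_host_ed25519_key";
              type = "ed25519";
            }
            {
              path = "/persist/etc/ssh/ssh_host_rsa_key";
              type = "rsa";
              bits = 4096;
            }
          ];
        };

        # Only key-based root access is declared here; whether passwords are
        # accepted is left to the NixOS sshd defaults. Consider disabling it
        # explicitly (services.openssh.settings.PasswordAuthentication on
        # nixpkgs 23.05+, services.openssh.passwordAuthentication on earlier
        # releases) so the policy does not depend on the defaults of the
        # nixpkgs revision in use.
        users.users.root.openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
        ];

        services.nginx = {
          enable = true;
          recommendedTlsSettings = true;
          recommendedOptimisation = true;
          recommendedGzipSettings = true;
          recommendedProxySettings = true;
        };

        # backups
        # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";

        networking.firewall = {
          enable = true;
          # ssh, http, https — everything else stays closed.
          allowedTCPPorts = [ 22 80 443 ];
        };

        system.stateVersion = "22.05";
      };
    };
  };
}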