From e74377e6c4a974cfd09a96dae259254b19200f48 Mon Sep 17 00:00:00 2001 From: baritone Date: Tue, 4 Mar 2025 21:34:39 +0100 Subject: [PATCH] finally, this shit works in a vm --- configuration.nix | 4 ++++ disko.nix | 6 +++++- modules/microvm.nix | 45 +++++++++++++++++++------------------- modules/users.nix | 1 + services/jellyfin.nix | 26 ++++++++++++++++------ services/nginx.nix | 7 ++++++ services/sonarr.nix | 50 +++++++++++++++++++++++++++++++++++++------ 7 files changed, 101 insertions(+), 38 deletions(-) diff --git a/configuration.nix b/configuration.nix index 776b487..d719c9e 100755 --- a/configuration.nix +++ b/configuration.nix @@ -11,6 +11,7 @@ ./services/sonarr.nix ./services/misc.nix + ./modules/microvm.nix ./modules/git.nix ./modules/nix-settings.nix ./modules/zfs.nix @@ -31,6 +32,9 @@ programs.zsh = { enable = true; enableGlobalCompInit = true; + shellAliases = { + "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos"; + }; }; programs.ssh.startAgent = true; diff --git a/disko.nix b/disko.nix index 18ebd42..28d5292 100755 --- a/disko.nix +++ b/disko.nix @@ -64,7 +64,11 @@ zpool = { zroot = { type = "zpool"; - rootFsOptions.mountpoint = "none"; + rootFsOptions = { + mountpoint = "none"; + acltype = "posixacl"; + xattr = "sa"; + }; datasets = { root = { diff --git a/modules/microvm.nix b/modules/microvm.nix index eb47e9b..16d9e18 100644 --- a/modules/microvm.nix +++ b/modules/microvm.nix 
@@ -3,36 +3,35 @@ lib, ... }: let - attrSets = lib.lists.imap1 (i: v: { + attrSet = lib.lists.imap1 (i: v: { name = v; index = i; }) (builtins.attrNames config.microvm.vms); in { - config.microvm.hyprvisor = "cloud-hyprvisor"; - - systemd.network.networks = builtins.listToAttrs attrSet ({ - name, - index, - }: { - name = "30-vm${name}"; - value = { - matchConfig.Name = "vm${name}"; - address = [ - "10.0.0.0/32" - ]; - routes = [ - { - Destination = "10.0.0.${toString index}/32"; - } - ]; - networkConfig = {IPv4Forwarding = true;}; - }; - }); + config.systemd.network.networks = builtins.listToAttrs (builtins.map ({ + name, + index, + }: { + name = "30-vm${toString index}"; + value = { + matchConfig.Name = "vm${toString index}"; + address = [ + "10.0.0.0/32" + ]; + routes = [ + { + Destination = "10.0.0.${toString index}/32"; + } + ]; + networkConfig = {IPv4Forwarding = true;}; + }; + }) + attrSet); # NAT (make vms accessible in host) - networking.nat = { + config.networking.nat = { enable = true; - internalIps = ["10.0.0.0/24"]; + internalIPs = ["10.0.0.0/24"]; externalInterface = "enp2s0"; }; } diff --git a/modules/users.nix b/modules/users.nix index c2ebfd3..2836f53 100755 --- a/modules/users.nix +++ b/modules/users.nix @@ -17,6 +17,7 @@ "networkmanager" "audio" "wheel" + "jellyfin" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux" diff --git a/services/jellyfin.nix b/services/jellyfin.nix index e60af47..6323e74 100644 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix @@ -1,12 +1,17 @@ -{pkgs, ...}: let +{ + lib, + pkgs, + config, + ... +}: let host = "127.0.0.1"; port = 8096; in { # Enable VAAPI - nixpkgs.config.packageOverrides = pkgs: { + config.nixpkgs.config.packageOverrides = pkgs: { vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;}; }; - hardware.graphics = { + config.hardware.graphics = { enable = true; extraPackages = with pkgs; [ intel-media-driver 
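Review bot: The host-side interface names built in `config.systemd.network.networks` take their number from `imap1` over `builtins.attrNames config.microvm.vms`, so a VM's index is its position in the alphabetically sorted name list, while services/sonarr.nix hard-codes `vm-index = 1` and a matching MAC; the two agree only as long as no VM whose name sorts before "sonarr" is added, and the guest's own `microvm.interfaces` id (outside the visible hunk) presumably depends on the same number. Making the VM definition the single source of the index, or keying the interface on the VM name as the removed code did, would remove the hidden coupling; failing that, a comment stating the invariant would help: `# index must equal the vm-index declared in services/<vm>.nix (attrNames order)`. The same `10.0.0.0/32` address is assigned to every vm link; if that is the intended shared point-to-point host address, say so, since it is also the network address of the NAT range below.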
@@ -17,8 +22,15 @@ in { ]; }; + # Create folder for media + config.system.activationScripts."jellyfinMediaFolder" = lib.stringAfter ["var"] '' + mkdir -p /media + chmod -R 775 /media + chown -R jellyfin:jellyfin /media + ''; + # Enable Jellyfin - services.jellyfin = { + config.services.jellyfin = { enable = true; openFirewall = false; # We want jellyfin behind a reverse proxy }; @@ -31,7 +43,7 @@ in { # ''; # }; - services.nginx. + config.services.nginx. virtualHosts."media.spoodythe.one" = { addSSL = true; enableACME = true; @@ -41,6 +53,6 @@ in { }; # Open port 80 and 443 for reverse proxy - networking.firewall.allowedTCPPorts = [80 443]; - networking.firewall.allowedUDPPorts = [80 443]; + config.networking.firewall.allowedTCPPorts = [80 443]; + config.networking.firewall.allowedUDPPorts = [80 443]; } diff --git a/services/nginx.nix b/services/nginx.nix index cc0b9ad..7bf3379 100644 --- a/services/nginx.nix +++ b/services/nginx.nix @@ -5,6 +5,13 @@ recommendedOptimisation = true; recommendedProxySettings = true; recommendedTlsSettings = true; + + virtualHosts."_" = { + default = true; + locations."/" = { + return = 404; + }; + }; }; security.acme.acceptTerms = true; diff --git a/services/sonarr.nix b/services/sonarr.nix index 9fb08ca..2fe2863 100644 --- a/services/sonarr.nix +++ b/services/sonarr.nix 
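Review bot: The new `jellyfinMediaFolder` activation script runs `chmod -R 775` and `chown -R jellyfin:jellyfin` over all of `/media` on every activation, which rewrites the mode of every file in the library (making regular files executable) and costs a full tree walk on each rebuild. The NixOS idiom for a directory that only needs to exist with a given owner is a non-recursive tmpfiles rule: `config.systemd.tmpfiles.rules = [ "d /media 0775 jellyfin jellyfin -" ];`. The same recursive-on-activation pattern appears in services/sonarr.nix (`make${vm-name}DataDir` on the host and `chownDataDir` in the guest).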
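Review bot: `config.networking.firewall.allowedUDPPorts = [80 443]` opens UDP ports that nothing in this configuration listens on: the nginx vhost declared here serves HTTP/HTTPS over TCP, and HTTP/3 would need an explicit QUIC listener that the diff does not add. UDP 80 in particular has no use, so dropping the UDP line (or limiting it to `[443]` once HTTP/3 is actually configured) keeps the host's exposed surface to what is served. Both firewall lines only gained the `config.` prefix in this commit, so the surplus is pre-existing rather than introduced here.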
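Review bot: The new catch-all `virtualHosts."_"` only covers plain HTTP: it declares no TLS listener, so a request to port 443 with an unknown or missing SNI name is served by whichever ACME-enabled vhost nginx picks as its default 443 server (the first one defined) instead of reaching this 404. Adding `rejectSSL = true;` to the block makes it the default TLS server as well and has nginx refuse the handshake for unmatched names, so the media vhost is only reached under its own name. The enclosing `services.nginx = {` block begins before the hunk.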
@@ -1,17 +1,23 @@ -{lib, ...}: let +{ + pkgs, + lib, + ... +}: let host = "127.0.0.1"; port = 8989; vm-index = 1; vm-mac = "00:00:00:00:00:01"; + vm-name = "sonarr"; in { - config.microvm.autostart = ["sonarr"]; + config.microvm.autostart = [vm-name]; - config.system.activationScripts.makeSonarrDir = lib.stringAfter ["var"] '' - mkdir -p /var/lib/sonarr - chmod -R microvm /var/lib/sonarr + config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] '' + mkdir -p /var/lib/${vm-name} + chmod -R 777 /var/lib/${vm-name} + chown -R microvm /var/lib/${vm-name} ''; - config.microvm.vms."sonarr" = { + config.microvm.vms.${vm-name} = { config = { system.stateVersion = "24.11"; # Storage share configuration @@ -23,12 +29,23 @@ in { } { tag = "data-dir"; - source = "/var/lib/sonarr"; + source = "/var/lib/${vm-name}"; mountPoint = "/var/lib/sonarr"; proto = "virtiofs"; } ]; + # Allow the service to use the share + system.activationScripts."chownDataDir" = lib.stringAfter ["var"] '' + mkdir -p /var/lib/sonarr + chmod -R 770 /var/lib/sonarr + chown -R sonarr:sonarr /var/lib/sonarr + ''; + + systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"; + + microvm.hypervisor = "qemu"; + # VM Networking microvm.interfaces = [ { @@ -65,6 +82,13 @@ in { }; }; + networking.useDHCP = false; + networking.nameservers = [ + "10.0.101.1" + "8.8.8.8" + "8.8.4.4" + ]; + # Service services.sonarr = { enable = true; @@ -75,6 +99,18 @@ in { users.users."root" = { password = "1234"; }; + + environment.systemPackages = [pkgs.dig]; + + services.openssh = { + enable = true; + settings = { + PermitRootLogin = "yes"; + AllowUsers = null; + PasswordAuthentication = true; + KbdInteractiveAuthentication = true; + }; + }; }; }; }
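Review bot: `chmod -R 777 /var/lib/${vm-name}` makes the VM's persistent data directory — which the guest mounts at `/var/lib/sonarr` and which presumably holds Sonarr's configuration (including its API key) and database — readable and writable by every local account on the host, and re-applies that mode to every file on each activation. Since the tree is chowned to `microvm` and only the hypervisor-side share process needs it, a non-recursive mode owned by that user is enough, e.g. `config.systemd.tmpfiles.rules = [ "d /var/lib/${vm-name} 0770 microvm - -" ];` in place of the activation script. The old `chmod -R microvm` line was clearly broken, but the replacement swings too far the other way.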
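Review bot: `systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5"` papers over a start-order race with the virtiofs share rather than declaring the dependency; if the mount takes longer than five seconds, Sonarr would likely start against an unmounted `/var/lib/sonarr` and create fresh state there. The systemd way is `systemd.services.sonarr.unitConfig.RequiresMountsFor = "/var/lib/sonarr";`, which waits for the mount and fails the service if it never appears. The guest-side `chownDataDir` script is also recursive and runs on every activation; a tmpfiles rule `d /var/lib/sonarr 0770 sonarr sonarr -` does the same once, though whether the ownership change is honoured across virtiofs depends on the share's uid mapping, which this hunk does not show.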
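Review bot: The new `services.openssh` block enables root login with password authentication (`PermitRootLogin = "yes"`, `PasswordAuthentication = true`, `KbdInteractiveAuthentication = true`) in a guest whose root account, in the context lines just above, has `password = "1234"` — a clear-text value that the `password` option also places world-readable in the Nix store. Anything that can reach the VM's address, which given the forwarding and NAT setup in modules/microvm.nix includes every process on the host, can then log in as root. If SSH into the guest is wanted for debugging, reuse the key already trusted in modules/users.nix via `users.users.root.openssh.authorizedKeys.keys` and set `PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; KbdInteractiveAuthentication = false;`; `AllowUsers = null` is the option's default and can be dropped. If a password must stay, `hashedPassword` or `initialHashedPassword` at least keeps the clear text out of the store.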