c3d2-web: microvmify, fix

flake.nix

@@ -579,7 +579,7 @@
         c3d2-web = nixosSystem' {
           modules = [
             { _module.args = { inherit nixpkgs; }; }
-            ./config/lxc-container.nix
+            self.nixosModules.microvm
             ./hosts/containers/c3d2-web
             { nixpkgs.overlays = [ secrets.overlays.c3d2-web ]; }
           ];

hosts/containers/c3d2-web/default.nix

@@ -5,15 +5,13 @@ let
   deployCommand = "${pkgs.systemd}/bin/systemctl start deploy-c3d2-web.service";
 in
 {
+  c3d2.deployment = {
+    server = "server10";
+    mounts = [ "etc" "home" "var"];
+  };
   boot.tmpOnTmpfs = true;
   # Network setup
   networking.hostName = "c3d2-web";
-  networking.useNetworkd = true;
-  networking.interfaces.eth0.ipv4.addresses = [{
-    address = config.c3d2.hosts."${config.networking.hostName}".ip4;
-    prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
-  }];
-  networking.defaultGateway = "172.20.73.1";
   networking.firewall.allowedTCPPorts = [
     # http/https
     80 443
@@ -161,11 +159,14 @@ in
       # Build at least once
       touch ${config.users.users.c3d2-web.home}/deploy-pending
 
-      TEMP=$(mktemp -d)
-      cd $TEMP
-
-      git clone --depth=1 https://gitea.c3d2.de/c3d2/c3d2-web.git
-      cd c3d2-web
+      if [ ! -d c3d2-web ]; then
+        git clone --depth=1 https://gitea.c3d2.de/c3d2/c3d2-web.git
+        cd c3d2-web
+      else
+        cd c3d2-web
+        git fetch origin
+        git reset --hard origin/master
+      fi
 
       # Loop in case the webhook was called while we were building
       while [ -e ${config.users.users.c3d2-web.home}/deploy-pending ]; do
@@ -230,7 +231,8 @@ in
       Group = config.users.users.c3d2-web.group;
       PrivateTmp = true;
       ProtectSystem = "full";
-      ReadWritePaths = webroot;
+      WorkingDirectory = config.users.users.c3d2-web.home;
+      ReadWritePaths = [ webroot config.users.users.c3d2-web.home ];
     };
   };