{ modulesPath, tree, config, pkgs, lib, ... }:

let
  inherit (config.services.secrets) secrets;

  # Shared port table; imported here but not referenced in this module.
  ports = import ./ports.nix { };

  # Vault userpass identity used at boot to unlock the host's secrets.
  # The password itself is never written into the Nix store: only the path
  # of the secret file is interpolated into the unit script.
  vaultUser = "storage";
  vaultPasswordFile = "${secrets.vault_password.path}";

  # rclone configuration for the `storage` user. The file is a symlink into
  # the secrets store, so its content and permissions are whatever the
  # secrets module provides for `rclone_config`.
  rcloneConfigDir = "/home/storage/.config/rclone";
  rcloneConfigFile = "/home/storage/.config/rclone/rclone.conf";
in
{
  imports = with tree; [
    users.root
    profiles.base
    profiles.sshd
    profiles.nix-gc
    profiles.nginx
    hosts.storage.profiles.wireguard
    hosts.storage.profiles.rclone-serve
    hosts.storage.profiles.rclone-sync
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
  ];

  users = {
    groups.storage = { };
    users.storage = {
      isNormalUser = true;
      extraGroups = [ "storage" ];
    };
  };

  systemd = {
    # Cache directories owned by the storage user (mode left at tmpfiles' default).
    tmpfiles.rules = [
      "d /caches - storage storage"
      "d /caches/main_webdav_serve - storage storage"
    ];

    services = {
      # Logs in to Vault, materialises the host secrets and links the rclone
      # config into the storage user's home.
      init-secrets = {
        wantedBy = [ "multi-user.target" ];
        # network.target only orders against network setup; it does not
        # guarantee that vault.owo.monster is reachable yet.
        after = [ "network.target" ];
        path = with pkgs; [ bash vault getent ];
        # NOTE(review): `password=$(cat ...)` places the Vault password in the
        # argv of `vault login`, which is readable via /proc by other local
        # users for the lifetime of that process. Whether the installed vault
        # CLI can take the userpass password from a file or stdin instead
        # should be confirmed against its documentation before changing this.
        # `rm ... || true` tolerates a missing link; any other failure of
        # `rm` still surfaces when `ln -s` hits the existing path.
        script = ''
          VAULT_ADDR="https://vault.owo.monster" \
            vault login -no-print -method=userpass username=${vaultUser} password=$(cat ${vaultPasswordFile})
          /run/current-system/sw/bin/secrets-init
          mkdir -p ${rcloneConfigDir}
          rm ${rcloneConfigFile} || true
          ln -s ${secrets.rclone_config.path} ${rcloneConfigFile}
        '';
      };

      # Mounts the StorageBox remote at /storage using the linked rclone config.
      storage-mount = {
        wantedBy = [ "multi-user.target" ];
        # NOTE(review): the unit defined in this file is `init-secrets.service`;
        # these entries name `secrets-init.service`. Unless another module
        # (e.g. the one shipping the secrets-init binary) defines a unit of
        # that name, the ordering and partOf relationship bind to nothing and
        # the mount may run before the rclone config exists — confirm which
        # name is intended. `after` alone also does not pull the init unit in
        # or fail this one if it fails.
        after = [ "network.target" "secrets-init.service" ];
        partOf = [ "secrets-init.service" ];
        path = with pkgs; [ bash rclone mount umount ];
        # --allow-non-empty lets the mount proceed over a non-empty /storage
        # (e.g. if the lazy unmount above has not completed), which hides
        # whatever is underneath rather than failing loudly.
        script = ''
          set -e
          umount /storage -fl || true
          sleep 2
          rclone --config ${rcloneConfigFile} mount StorageBox: /storage --allow-non-empty
        '';
      };
    };
  };

  environment.systemPackages = with pkgs; [
    rclone
    cifs-utils
    apacheHttpd
    restic
  ];

  home-manager.users.root = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
  };

  networking.hostName = "storage";
  time.timeZone = "Europe/London";
  system.stateVersion = "21.11";
}