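# NixOS host configuration for the "storage" machine: an rclone-backed
# /storage mount whose configuration is provisioned from Vault at boot.
{ modulesPath, tree, config, pkgs, lib, ... }:
let
  secrets = config.services.secrets.secrets;
  # Currently unused in this module; kept for the existing import surface.
  ports = import ./ports.nix { };
in
{
  imports = with tree; [
    users.root
    profiles.base
    profiles.sshd
    profiles.nix-gc
    profiles.nginx
    hosts.storage.profiles.wireguard
    hosts.storage.profiles.rclone-serve
    hosts.storage.profiles.rclone-sync
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
  ];

  # Both root and the unprivileged "storage" user receive rclone.conf as a
  # symlink to the same managed secret file.
  # NOTE(review): for the second link to be usable the secret file must be
  # readable by the "storage" user — confirm the owner/mode that
  # services.secrets assigns to rclone_config.
  systemd.tmpfiles.rules = [
    "d /root/.config - root root"
    "d /root/.config/rclone - root root"
    "L /root/.config/rclone/rclone.conf - - - - ${secrets.rclone_config.path}"
    "d /home/storage/.config - storage storage"
    "d /home/storage/.config/rclone - storage storage"
    "L /home/storage/.config/rclone/rclone.conf - - - - ${secrets.rclone_config.path}"
  ];

  home-manager.users.root = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
  };

  users.groups.storage = { };
  users.users.storage = {
    isNormalUser = true;
    extraGroups = [ "storage" ];
  };

  # Logs into Vault with the userpass method and then runs secrets-init to
  # materialise the managed secrets. No User= is set, so this runs as root.
  systemd.services.init-secrets = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    path = with pkgs; [ bash vault getent ];
    script =
      let
        vault_username = "storage";
        vault_password_file = "${secrets.vault_password.path}";
      in
      ''
        # NOTE(review): the password is expanded into a command-line argument,
        # so it is visible in the process list (/proc/<pid>/cmdline) for the
        # duration of the login. Prefer an input path that lets the vault CLI
        # read the password from the file or stdin — confirm what the
        # installed vault version supports.
        # NOTE(review): -no-print only suppresses output; the CLI's default
        # token helper still persists the resulting token under root's home.
        # The expansion is quoted so a password containing whitespace or glob
        # characters is still passed as a single key=value argument.
        VAULT_ADDR="https://vault.owo.monster" \
          vault login -no-print -method=userpass username=${vault_username} password="$(cat ${vault_password_file})"
        /run/current-system/sw/bin/secrets-init
      '';
  };

  # Mounts the StorageBox rclone remote at /storage once the secrets exist.
  systemd.services.storage-mount = {
    wantedBy = [ "multi-user.target" ];
    # NOTE(review): these refer to secrets-init.service, while the unit
    # defined above is init-secrets.service. If no imported module provides
    # secrets-init.service, the ordering and partOf are no-ops and this unit
    # can start before the Vault login that produces rclone_config — confirm
    # the intended unit name.
    after = [ "network.target" "secrets-init.service" ];
    partOf = [ "secrets-init.service" ];
    path = with pkgs; [ bash rclone mount umount ];
    script = ''
      set -e
      # Detach any stale mount left by a previous run before mounting again.
      umount /storage -fl || true
      sleep 2
      rclone --config ${secrets.rclone_config.path} mount StorageBox: /storage --allow-non-empty
    '';
  };

  environment.systemPackages = with pkgs; [
    rclone
    cifs-utils
    apacheHttpd
    restic
  ];

  networking.hostName = "storage";
  time.timeZone = "Europe/London";
  system.stateVersion = "22.05";
}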