{ tree, lib, inputs, pkgs, config, ... }: let hostIP = "192.168.100.10"; containerIP = "192.168.100.13"; # Using secrets from Host secrets = config.services.secrets.secrets; ports = import ./data/ports.nix {}; in { networking.nat.forwardPorts = [ { sourcePort = 6600; destination = "${containerIP}\:6600"; } ]; containers.music = { autoStart = true; privateNetwork = true; hostAddress = hostIP; localAddress = containerIP; bindMounts = lib.mkMerge (lib.forEach ["mpd_control_password"] (secret_name: let path = "${secrets.${secret_name}.path}"; in { "${path}" = { hostPath = "${path}"; }; })); config = { config, pkgs, ... }: { _module.args = { inherit inputs; inherit tree; host_secrets = secrets; }; imports = with tree; [ profiles.base inputs.home-manager-unstable.nixosModules.home-manager profiles.sshd modules.nixos.secrets users.root ] ++ (with hosts.hetzner-vm.containers.music; [ profiles.music-sync profiles.mpd ]); # For Shared Secrets systemd.tmpfiles.rules = [ "d ${config.services.secrets.secretsDir} - root root" ]; networking.firewall = { enable = true; allowedTCPPorts = [22] ++ lib.mapAttrsToList (_name: value: value) ports; }; home-manager.users.root = { imports = with tree; [home.base home.dev.small]; home.packages = with pkgs; [vault]; home.stateVersion = "22.05"; }; # Manually configure nameserver. Using resolved inside the container seems to fail # currently environment.etc."resolv.conf".text = "nameserver 8.8.8.8"; system.stateVersion = "22.05"; }; }; services.nginx.virtualHosts."stream.owo.monster" = let extraConfig = '' auth_basic "Music Password"; auth_basic_user_file ${secrets.music_stream_passwd.path}; ''; in { forceSSL = true; enableACME = true; locations = lib.mkMerge ([ { "/mpd/flac" = { proxyPass = "http://${containerIP}:${toString ports.mpd-flac}"; inherit extraConfig; }; } ] ++ (lib.forEach ["low" "medium" "high"] (quality: { "/mpd/opus-${quality}" = { proxyPass = "http://${containerIP}:${toString ports."mpd-opus-${quality}"}"; inherit extraConfig; }; }))); }; # For permissions of secrets users.users."mpd" = { uid = config.ids.uids.mpd; group = "mpd"; }; users.groups."mpd" = { gid = config.ids.gids.mpd; }; networking.firewall.allowedTCPPorts = [6600]; }