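# NixOS host configuration for "storage": pulls an rclone config out of Vault,
# mounts a remote at /storage, serves it over WebDAV/restic behind nginx+ACME,
# and periodically syncs selected prefixes to B2 remotes.
{ modulesPath, tree, config, pkgs, lib, ... }:
{
  imports = with tree; [
    users.root
    users.chaos
    profiles.base
    profiles.tailscale
    profiles.sshd
    ./hardware.nix
    ./misc.nix
  ];

  # Unprivileged service account that owns the rclone config and runs the
  # rclone-serve / rclone-sync units below.
  users.groups.storage = { };
  users.users.storage = {
    isNormalUser = true;
    extraGroups = [ "storage" ];
  };

  # Renders /home/storage/.config/rclone/rclone.conf from the template, using
  # credentials fetched from Vault by populate-rclone-config.sh. Runs as root.
  systemd.services.populate-rclone-config = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    path = with pkgs; [ bash rclone vault getent jq ];
    serviceConfig = {
      # Fix: as a default Type=simple unit, "after=" in dependants would only
      # wait for this script to *start*, not for rclone.conf to exist. oneshot
      # + RemainAfterExit makes the unit stay "active" once the script has
      # finished, so storage-mount's ordering below actually gates on the file.
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = let
      vault_username = "storage";
      vault_password_file = "/secrets/vault_password";
    in ''
      mkdir -p /home/storage/.config/rclone
      VAULT_ADDR="https://vault.owo.monster" bash ${./populate-rclone-config.sh} ${vault_username} ${vault_password_file} ${./rclone_config.template} /home/storage/.config/rclone/rclone.conf
      chown storage:storage /home/storage/.config/rclone/rclone.conf
      # NOTE(review): rclone.conf holds remote credentials and is owned by
      # storage:storage; group write (660) is not needed by any unit here, so
      # 600 would be the least-privilege choice — confirm nothing else in the
      # storage group edits it before tightening.
      chmod 660 /home/storage/.config/rclone/rclone.conf
    '';
  };

  # Foreground rclone mount of StorageBox: at /storage (runs as root).
  systemd.services.storage-mount = {
    wantedBy = [ "multi-user.target" ];
    # Fix: "wants" alone creates no ordering; without the explicit "after" the
    # mount could race the config generation and fail on a missing rclone.conf.
    after = [ "network.target" "populate-rclone-config.service" ];
    wants = [ "populate-rclone-config.service" ];
    path = with pkgs; [ bash rclone mount umount ];
    script = ''
      set -e
      # Best-effort lazy/forced unmount of a stale mount from a previous run.
      umount /storage -fl || true
      sleep 2
      rclone --config /home/storage/.config/rclone/rclone.conf mount StorageBox: /storage --allow-non-empty
    '';
  };

  security.acme = {
    defaults = { email = "chaoticryptidz@owo.monster"; };
    acceptTerms = true;
  };

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    commonHttpConfig = "";
    clientMaxBodySize = "512m";
    serverNamesHashBucketSize = 1024;
  };

  # Only the TLS-terminating nginx ports are opened; the rclone-serve listeners
  # on 4242-4244 are reached through the proxyPass entries below.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # NOTE(review): "--addr=:PORT" binds every interface and relies on the
  # firewall (and whatever the tailscale profile trusts) to keep the
  # htpasswd-protected listeners private; "--addr=127.0.0.1:PORT" would limit
  # them to the local nginx proxy — confirm no direct (e.g. tailnet) access is
  # expected before changing.
  services.rclone-serve = {
    enable = true;
    remotes = [
      {
        user = "storage";
        remote = "StorageBox:";
        type = "webdav";
        wants = [ "populate-rclone-config.service" ];
        extraArgs = [ "--addr=:4242" "--htpasswd=/secrets/webdav_htpasswd" ];
      }
      {
        user = "storage";
        remote = "StorageBox:Chaos-Backups/HetznerVM";
        type = "restic";
        wants = [ "populate-rclone-config.service" ];
        extraArgs = [ "--addr=:4243" "--htpasswd=/secrets/restic_hetznervm_htpasswd" "--baseurl=/HetznerVM/" ];
      }
      {
        user = "storage";
        remote = "StorageBox:Chaos-Backups/Music";
        type = "restic";
        wants = [ "populate-rclone-config.service" ];
        extraArgs = [ "--addr=:4244" "--htpasswd=/secrets/restic_music_htpasswd" "--baseurl=/Music/" ];
      }
    ];
  };

  services.nginx.virtualHosts."storage-webdav.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/".proxyPass = "http://localhost:4242";
    };
  };

  services.nginx.virtualHosts."storage-restic.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/HetznerVM/".proxyPass = "http://localhost:4243";
      "/Music/".proxyPass = "http://localhost:4244";
    };
  };

  # Off-site copies: each job syncs a StorageBox prefix to its B2 remote
  # 60s after boot and then on the given calendar spec.
  services.rclone-sync = {
    enable = true;
    user = "storage";
    sync_jobs = [
      {
        source = "StorageBox:Chaos-Backups";
        dest = "B2-Chaos-Backups:";
        wants = [ "populate-rclone-config.service" ];
        timerConfig = {
          OnStartupSec = "60";
          OnCalendar = "4h";
        };
      }
      {
        source = "StorageBox:Chaos-Photos";
        dest = "B2-Chaos-Photos:";
        wants = [ "populate-rclone-config.service" ];
        timerConfig = {
          OnStartupSec = "60";
          OnCalendar = "4h";
        };
      }
    ];
  };

  environment.systemPackages = with pkgs; [ rclone cifs-utils apacheHttpd restic ];

  home-manager.users.root = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
  };

  home-manager.users.chaos = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
  };

  networking.hostName = "storage";
  time.timeZone = "Europe/London";
  system.stateVersion = "21.11";
}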