nixfiles/hosts/hetzner-vm/containers/storage/default.nix

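{
  self,
  hostPath,
  tree,
  lib,
  inputs,
  pkgs,
  ...
}: let
  inherit (lib.attrsets) attrValues;

  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.storage;

  # Ports the rclone serve instances listen on inside the container. The nginx
  # locations below refer to them by name, and the container firewall opens
  # all of them.
  ports = import ./data/ports.nix;

  # Upload limit applied to every proxied vhost: 32 GiB, written with nginx's
  # "M" (mebibyte) suffix.
  clientMaxBodySize = "${toString (32 * 1024)}M";

  # Location value that proxies to one rclone serve port in the container.
  # TLS terminates at the host's nginx; the hop from nginx to the container is
  # plain HTTP over the host<->container link.
  proxyTo = port: {
    proxyPass = "http://${containerIP}:${toString port}";
  };

  # Shared shape of the three public vhosts: ACME-issued certificate, HTTP ->
  # HTTPS redirect and the large upload limit. `locations` maps URL prefixes
  # to `proxyTo` values.
  mkVhost = locations: {
    forceSSL = true;
    enableACME = true;
    inherit locations;
    extraConfig = ''
      client_max_body_size ${clientMaxBodySize};
    '';
  };
in {
  containers.storage = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
    localAddress = containerIP;
    specialArgs = {
      inherit inputs;
      inherit tree;
      inherit self;
      inherit hostPath;
    };
    config = {...}: {
      nixpkgs.pkgs = pkgs;
      imports = with tree;
        [
          profiles.base
          inputs.home-manager-unstable.nixosModules.home-manager
          profiles.sshd
          modules.nixos.rclone-serve
          modules.nixos.rclone-sync
          modules.nixos.secrets
          ./secrets.nix
          users.root
        ]
        ++ (with hosts.hetzner-vm.containers.storage.profiles; [
          rcloneConfigs
          rcloneServe
          rcloneSync
          users
        ]);
      environment.systemPackages = with pkgs; [rclone];
      home-manager.users.root = {
        imports = with tree; [home.base home.dev.small];
        home.packages = with pkgs; [vault-bin];
        home.stateVersion = "23.05";
      };
      networking.firewall = {
        enable = true;
        # Opens every port listed in ports.nix on the container's own
        # firewall. With privateNetwork the container is only reachable over
        # the veth to the host, so this should expose nothing beyond nginx's
        # proxying unless the host forwards these ports itself — worth
        # confirming on the host side.
        allowedTCPPorts = attrValues ports;
      };
      # Manually configure nameserver. Using resolved inside the container seems to fail
      # currently. Note this sends the container's DNS queries to Google's
      # public resolver rather than the host's.
      environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
      system.stateVersion = "23.05";
    };
  };

  services.nginx.virtualHosts."storage-webdav.owo.monster" = mkVhost {
    "/Main/" = proxyTo ports.rclone_serve_webdav_main;
    "/Media/" = proxyTo ports.rclone_serve_webdav_media;
    "/MusicRO/" = proxyTo ports.rclone_serve_webdav_music_ro;
  };

  services.nginx.virtualHosts."storage-http.owo.monster" = mkVhost {
    "/Music/" = proxyTo ports.rclone_serve_http_music;
    "/Public/" = proxyTo ports.rclone_serve_http_public;
  };

  services.nginx.virtualHosts."storage-restic.owo.monster" = mkVhost {
    "/Music/" = proxyTo ports.rclone_serve_restic_music;
    "/Vault/" = proxyTo ports.rclone_serve_restic_vault;
    "/Social/" = proxyTo ports.rclone_serve_restic_social;
    "/Quassel/" = proxyTo ports.rclone_serve_restic_quassel;
    "/Piped-Finland/" = proxyTo ports.rclone_serve_restic_piped_finland;
    "/Mail/" = proxyTo ports.rclone_serve_restic_mail;
  };
}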