# NixOS module: runs Lyrion/Logitech Media Server (slimserver) in a declarative
# nixos-container on the "server" bridge, with nginx inside the container
# terminating TLS for the web UI using a certificate issued on the host.
{ pkgs, config, lib, python3Packages, ... }:
let
  lmsDomain = "lms.cloonar.com";
  networkPrefix = config.networkPrefix;

  # Path at which the host's ACME directory is mounted inside the container.
  certDir = "/var/lib/acme/lms";
in
{
  # The certificate is issued on the host; its files are owned by group
  # "nginx" so that the nginx process can read them.
  # NOTE(review): the nginx that reads them runs inside the container, so this
  # relies on the nginx gid being the same on host and container; confirm.
  security.acme.certs."${lmsDomain}" = {
    group = "nginx";
  };

  # Spotify credential managed by sops-nix on the host. No owner/mode is set
  # here, so the sops-nix defaults apply.
  sops.secrets.lms-spotify = { };

  containers.lms = {
    autoStart = true;
    ephemeral = false;

    # Own network namespace, attached to the host bridge "server".
    privateNetwork = true;
    hostBridge = "server";
    hostAddress = "${networkPrefix}.97.2";
    localAddress = "${networkPrefix}.97.21/24";

    # NOTE(review): CAP_NET_ADMIN lets root inside the container reconfigure
    # interfaces, routes and packet filtering in its network namespace. Nothing
    # in this file shows what needs it; drop it if it is not required.
    extraFlags = [ "--capability=CAP_NET_ADMIN" ];

    bindMounts = {
      # Certificate directory, including the private key (key.pem); read-only.
      "${certDir}/" = {
        hostPath = config.security.acme.certs.${lmsDomain}.directory;
        isReadOnly = true;
      };

      # isReadOnly is not set for the secret, so the container option's default
      # applies.
      # NOTE(review): confirm the default is read-only on the nixpkgs revision
      # in use. Nothing in this file consumes this path inside the container;
      # presumably LMS is pointed at it by hand.
      "/run/secrets/lms-spotify" = {
        hostPath = config.sops.secrets.lms-spotify.path;
      };
    };

    # Container system configuration. This `config` argument shadows the host's;
    # networkPrefix, lmsDomain and certDir come from the outer `let`.
    config = { pkgs, lib, config, ... }: {
      system.stateVersion = "23.05";

      networking = {
        hostName = "lms";
        useHostResolvConf = false;
        nameservers = [ "${networkPrefix}.97.1" ];
        defaultGateway = {
          address = "${networkPrefix}.97.1";
          interface = "eth0";
        };

        # NOTE(review): with the firewall off, every port a service in this
        # container binds on a non-loopback address is reachable from the
        # bridge, not only nginx on 80/443. If slimserver listens on more than
        # 127.0.0.1 (verify its bind address), its plain-HTTP port 9000 can be
        # reached directly, bypassing the TLS proxy below. Consider enabling
        # the firewall and opening only the ports players and discovery need.
        firewall.enable = false;
      };

      # Logitech/Lyrion Media Server
      environment.systemPackages = [ pkgs.slimserver ];

      services = {
        slimserver = {
          enable = true;
          package = pkgs.slimserver;
        };

        # make LMS discoverable via mDNS/Avahi
        avahi = {
          enable = true;
          publish = {
            enable = true;
            userServices = true;
          };
        };

        nginx = {
          enable = true;

          virtualHosts."${lmsDomain}" = {
            # Plain-HTTP requests are redirected to HTTPS.
            forceSSL = true;
            sslCertificate = "${certDir}/fullchain.pem";
            sslCertificateKey = "${certDir}/key.pem";
            sslTrustedCertificate = "${certDir}/chain.pem";

            extraConfig = "proxy_buffering off;";

            # Reverse proxy to the LMS web UI on loopback. The Upgrade and
            # Connection headers are forwarded for WebSocket upgrades, and
            # http:// redirects from the backend are rewritten to https://.
            # NOTE(review): $connection_upgrade must be defined by a map in the
            # generated nginx config; confirm the NixOS nginx module provides it
            # on this release.
            locations."/".extraConfig = ''
              proxy_pass http://127.0.0.1:9000/;
              proxy_set_header Host $host;
              proxy_redirect http:// https://;
              proxy_http_version 1.1;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
            '';
          };
        };
      };
    };
  };
}