nixos/hosts/fw/modules/lms.nix

{ pkgs, config, lib, python3Packages, ... }:

let
  lmsDomain     = "lms.cloonar.com";
  networkPrefix = config.networkPrefix;
in
{
  security.acme.certs."${lmsDomain}" = {
    group = "nginx";
  };

  sops.secrets.lms-spotify = { };

  containers.lms = {
    autoStart      = true;
    ephemeral      = false;
    privateNetwork = true;
    hostBridge     = "server";

    hostAddress  = "${networkPrefix}.97.2";
    localAddress = "${networkPrefix}.97.21/24";

    extraFlags = [ "--capability=CAP_NET_ADMIN" ];

    bindMounts = {
      "/var/lib/acme/lms/" = {
        hostPath   = config.security.acme.certs.${lmsDomain}.directory;
        isReadOnly = true;
      };
      "/run/secrets/lms-spotify" = {
        hostPath = config.sops.secrets.lms-spotify.path;
      };
    };

    config = { pkgs, lib, config, ... }:
    let
    in
    {
      networking = {
        hostName = "lms";
        useHostResolvConf = false;
        defaultGateway = {
          address = "${networkPrefix}.97.1";
          interface = "eth0";
        };
        nameservers = [ "${networkPrefix}.97.1" ];
        firewall.enable = false;
      };

      environment.systemPackages = with pkgs; [
        slimserver      # Logitech/Lyrion Media Server
      ];

      services.slimserver = {
        enable  = true;
        package = pkgs.slimserver;
      };

      # make LMS discoverable via mDNS/Avahi
      services.avahi = {
        enable               = true;
        publish.enable       = true;
        publish.userServices = true;
      };

      services.nginx.enable = true;
      services.nginx.virtualHosts."${lmsDomain}" = {
        sslCertificate        = "/var/lib/acme/lms/fullchain.pem";
        sslCertificateKey     = "/var/lib/acme/lms/key.pem";
        sslTrustedCertificate = "/var/lib/acme/lms/chain.pem";
        forceSSL              = true;
        extraConfig           = "proxy_buffering off;";

        locations."/".extraConfig = ''
          proxy_pass         http://127.0.0.1:9000/;
          proxy_set_header   Host $host;
          proxy_redirect     http:// https://;
          proxy_http_version 1.1;
          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header   Upgrade $http_upgrade;
          proxy_set_header   Connection $connection_upgrade;
        '';
      };

      system.stateVersion = "23.05";
    };
  };
}