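# NixOS module: Kanboard behind a Caddy TLS reverse proxy.
#
# Topology visible here: Caddy terminates TLS for `host` and forwards to the
# Kanboard backend on the loopback address `localhost`:`service.ports.port0`.
# Nothing else in this module should reach the backend directly.
{ flake, config, ... }:
let
  inherit (flake.config.machines.devices) ceres;
  inherit (flake.config.services.instances) smtp kanboard web;
  service = kanboard;
  # Loopback address Caddy proxies to; the backend is only meant to be reached via it.
  localhost = web.localhost.address0;
  # Public vhost name served by Caddy: <subdomain>.<domain>.
  host = "${service.subdomain}.${web.domains.url0}";
in
{
  services = {
    kanboard = {
      enable = true;
      domain = web.localhost.address1;
      # dataDir = "/var/lib/${service.name}";
      # settings = {
      #   HTTP_PROXY_HOSTNAME = host;
      #   HTTP_PROXY_PORT = service.ports.port0;
      #   MAIL_SMTP_HOSTNAME = smtp.hostname;
      #   MAIL_TRANSPORT = "smtp";
      #   MAIL_SMTP_PORT = smtp.ports.port0;
      #   MAIL_SMTP_USERNAME = service.email.address0;
      #   MAIL_FROM = service.email.address0;
      #   # NOTE(review): `.path` is the *location* of the decrypted secret, so this
      #   # line would set the SMTP password to a filesystem path string, not to the
      #   # secret itself. If `settings` is rendered into a file at build time it also
      #   # lands in the world-readable Nix store, so do not inline the secret value
      #   # either; have Kanboard read the file at runtime. Confirm how the module
      #   # materialises `settings` before enabling this block.
      #   MAIL_SMTP_PASSWORD = config.sops.secrets."${service.name}-smtp".path;
      #   MAIL_SMTP_ENCRYPTION = "tls";
      # };
    };
    caddy = {
      virtualHosts = {
        "${host}" = {
          # The previous `route { php_fastcgi unix//run/php/php7.2-fpm.sock ...
          # try_files ... file_server }` block was dropped:
          #  - Caddy orders `route` before `reverse_proxy`, so every request was
          #    handled by `file_server`/`php_fastcgi` and the proxy line below was
          #    unreachable;
          #  - no `root` was set, so `file_server` served Caddy's working directory;
          #  - the socket is a Debian-style PHP 7.2 path that this module never
          #    provisions.
          # Kanboard is served by the backend the proxy points at; Caddy only
          # terminates TLS and forwards.
          extraConfig = ''
            # Compressing authenticated responses over TLS has BREACH-style
            # side-channel implications; keep it only if the app's secrets are not
            # reflected in compressible responses.
            encode zstd gzip
            reverse_proxy ${localhost}:${toString service.ports.port0}
            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };
  # sops =
  #   let
  #     sopsPath = secret: {
  #       path = "${service.sops.path0}/${service.name}-${secret}";
  #       owner = service.name;
  #       mode = "600";
  #     };
  #   in
  #   {
  #     secrets = builtins.listToAttrs (
  #       map
  #         (secret: {
  #           name = "${service.name}-${secret}";
  #           value = sopsPath secret;
  #         })
  #         [
  #           "smtp"
  #         ]
  #     );
  #   };
  # fileSystems."/var/lib/${service.name}" = {
  #   device = service.paths.path0;
  #   fsType = "none";
  #   options = [
  #     "bind"
  #   ];
  #   depends = [
  #     ceres.storage0.mount
  #   ];
  # };
  # systemd.tmpfiles.rules = [
  #   "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
  #   # NOTE(review): 755 makes the secrets directory world-traversable; the files
  #   # themselves are 600 above, but 750 (or 700) is the safer default here.
  #   "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
  # ];
  # NOTE(review): adding the service user to "caddy" grants it read access to
  # anything group-readable by caddy -- potentially the TLS private key referenced
  # in the `tls` directive above -- and "postgres" likewise. Prefer a dedicated
  # shared group or socket ACL over membership in either daemon's primary group.
  # users.users.${service.name}.extraGroups = [
  #   "caddy"
  #   "postgres"
  # ];

  # The Kanboard backend is reached only via Caddy on the loopback address above,
  # so its port is deliberately NOT opened in the host firewall: exposing
  # `service.ports.port0` would let clients bypass TLS termination (or be a no-op
  # if the backend binds loopback only -- either way it buys nothing here).
  # Caddy's own listeners (80/443) are not opened by this module; confirm they are
  # opened wherever Caddy is configured. Re-add the line below only if an external
  # consumer genuinely needs the plaintext backend.
  # networking.firewall.allowedTCPPorts = [ service.ports.port0 ];
}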