# NixOS module for a Castopod instance: the app itself, a Caddy virtual host
# that terminates TLS and reverse-proxies to it, sops-nix managed secrets, and
# a bind-mounted state directory on the server's storage volume.
{ flake, config, ... }:
let
  inherit (flake.config.system.device) server;
  inherit (flake.config.service.instance) castopod nginx web;
  service = castopod;
  localhost = web.localhost.address0;
  # Public hostname the instance is served under.
  host = "${service.subdomain}.${web.domains.url1}";
in {
  services = {
    castopod = {
      enable = true;
      localDomain = host;
      # The module's own nginx wiring is disabled; the caddy vhost below fronts the app.
      configureNginx = false;
      # SMTP credentials are injected from the "<name>-smtp" sops secret declared below.
      environmentFile = config.sops.secrets."${service.name}-smtp".path;
      maxUploadSize = "1024M";
      database = {
        createLocally = true;
        # NOTE(review): a "<name>-database" sops secret is declared below but never
        # consumed. `${name}` is also not bound in this file (the secret path is built
        # from `service.name`), so uncommenting this line as written would not evaluate.
        # passwordFile = config.sops.secrets."${name}-database".path;
      };
      # php-fpm pool sizing for the Castopod worker pool.
      poolSettings = {
        pm = "dynamic";
        "pm.max_children" = "32";
        "pm.max_requests" = "500";
        "pm.max_spare_servers" = "4";
        "pm.min_spare_servers" = "2";
        "pm.start_servers" = "2";
      };
      settings = {
        "email.fromEmail" = service.email.address0;
        "email.protocol" = "smtp";
        # Outgoing mail is relayed to an SMTP endpoint on the local address, port 587.
        "email.SMTPHost" = localhost;
        "email.SMTPPort" = 587;
        # NOTE(review): this value looks like a mail-server hostname rather than a
        # login name — confirm it is the intended SMTP username for the local relay.
        "email.SMTPUser" = "smtp.protonmail.ch";
      };
    };
    nginx = {
      enable = true;
      # NOTE(review): an empty nginx vhost for `host` coexists with the caddy vhost for
      # the same name; confirm which server is meant to answer for it.
      virtualHosts = {
        "${host}" = { };
      };
    };
    caddy = {
      virtualHosts = {
        "${host}" = {
          # TLS is terminated here with the service's own cert/key; requests are
          # proxied to the backend over the local address.
          extraConfig = ''
            reverse_proxy ${localhost}:${toString service.ports.port0}
            tls ${service.ssl.cert} ${service.ssl.key}
          '';
        };
      };
    };
  };
  sops = let
    sopsSecrets = [ "smtp" "database" ];
    # One secret file per entry under the service's sops path, owned by the
    # service user and readable only by it.
    sopsPath = secret: {
      path = "${service.sops.path0}/${service.name}-${secret}";
      owner = service.name;
      mode = "600";
    };
  in {
    secrets = builtins.listToAttrs (
      map (secret: {
        name = "${service.name}-${secret}";
        value = sopsPath secret;
      }) sopsSecrets
    );
  };
  # Bind the service's data directory onto its default state path; waits for the
  # backing storage mount.
  fileSystems."/var/lib/${service.name}" = {
    device = service.paths.path0;
    fsType = "none";
    options = [ "bind" ];
    depends = [ server.storage0.mount ];
  };
  systemd.tmpfiles.rules = [
    # Recursively set ownership and mode of the data root to the service user.
    "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
    # NOTE(review): `Z` is recursive. If the sops secret files are placed directly
    # under this path (rather than behind a symlink into /run/secrets.d), a 755 here
    # widens the "600" requested above. A non-recursive `d`/`z` on the directory
    # alone would avoid that — confirm how sops-nix materialises this path.
    "Z ${service.sops.path0} 755 ${service.name} ${service.name} -"
  ];
  networking = {
    firewall = {
      # NOTE(review): port0 is the backend that caddy proxies to over `localhost`, so
      # opening it on the firewall is not needed for that path; if the backend binds
      # beyond loopback this exposes it without TLS. Consider allowing only the
      # front-end listener(s).
      allowedTCPPorts = [
        service.ports.port0
        nginx.ports.port0
      ];
    };
  };
  # services.nginx.enable already provides the nginx group; kept as an explicit
  # declaration (harmless if redundant).
  users.groups.nginx = { };
}