Akkoma on vps

hosts/vps1/akkotest.nix

@@ -0,0 +1,156 @@
+{ config, pkgs, lib, ... }:
+let
+  rootDomain = "lgmrszd.xyz";
+  hostAddress = "192.168.100.10";
+  localAddress = "192.168.100.11";
+  localPort = 4000;
+  domain = "akko429164.testdrive.${rootDomain}";
+in 
+{
+  imports = [
+    ./akkoma/akkontainer.nix
+  ];
+
+
+  services.nginx.virtualHosts."${domain}" = {
+    serverName = "${domain}";
+    forceSSL = true;
+    useACMEHost = "${rootDomain}";
+    locations."/" = {
+      proxyPass = "http://${localAddress}:${toString localPort}";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+  };
+
+  sops.secrets = 
+  let
+    sopsFile = ../../secrets/akkotest-vps.yaml;
+    format = "yaml";
+    sopsPrefix = "akkotest-vps";
+    mkSopsSecret = secretList: builtins.listToAttrs(map 
+    (name: {
+      name = "${sopsPrefix}/${name}";
+      value = {
+        inherit sopsFile;
+        inherit format;
+      };
+    })
+    secretList);
+  in mkSopsSecret [
+    "vapid-private"
+    "vapid-public"
+    "liveview-salt"
+    "signing-salt"
+    "jwt-signer"
+    "key-base"
+  ];
+
+  myAkkomaContainerOptions = {
+    enable = true;
+    # hostAddress = "192.168.100.10";
+    # localAddress = "192.168.100.11";
+    # localPort = 4000;
+    # domain = "akkotest.local";
+    inherit hostAddress;
+    inherit localAddress;
+    inherit localPort;
+    inherit domain;
+    containerName = "akkotest";
+  };
+
+  users = {
+    users."akkoma" = {
+      description = "Fake Akkoma user to set up files permissions";
+      group = "akkoma";
+      isSystemUser = true;
+      uid = 1234;
+    };
+    groups."akkoma" = { gid = 1234; };
+  };
+
+  containers.akkotest =
+  let
+    outerConfig = config;
+    hostDataPrefix = "/data/akkotest";
+    containerDataPrefix = "/data/akkotest";
+  in 
+  {
+    ephemeral = true;
+    privateNetwork = true;
+    inherit hostAddress;
+    inherit localAddress;
+    allowedDevices = [
+      {
+        modifier = "rwm";
+        node = "/dev/fuse";
+      }
+    ];
+    bindMounts."/dev/fuse" = {};
+    bindMounts.static = {
+      hostPath = "/data/akkotest/static_i";
+      mountPoint = "/data/akkoma/static_i";
+      isReadOnly = false;
+    };
+    bindMounts.db = {
+      hostPath = "/data/akkotest/postgresql";
+      mountPoint = "/data/postgresql";
+      isReadOnly = false;
+    };
+    bindMounts.uploads = {
+      hostPath = "/data/akkotest/uploads";
+      mountPoint = "/data/akkoma/uploads";
+      isReadOnly = false;
+    };
+    # bindMounts.secrets = {
+    #   hostPath = "/data/secrets_akkotest";
+    #   mountPoint = "/var/akkosecrets";
+    #   isReadOnly = true;
+    # };
+    bindMounts."/run/secrets/akkotest-vps" = {
+      isReadOnly = true;
+    };
+
+    config = 
+    { config, pkgs, ... }:
+    {
+      imports = [
+        ./akkoma/akkontainer.nix
+        ./akkoma/akkoma.nix
+        ./akkoma/akkoma-static.nix
+        ../../modules/akkoma-patches.nix
+      ];
+      users = {
+        users."akkoma" = {
+          description = "Akkoma user";
+          group = "akkoma";
+          isSystemUser = true;
+          uid = 1234;
+        };
+        groups."akkoma" = { gid = 1234; };
+      };
+      # myAkkomaContainerOptions = outerConfig.myAkkomaContainerOptions.mkInnerConfig;
+      # myAkkomaContainerOptions = {
+      #   inherit hostAddress;
+      #   inherit localAddress;
+      #   inherit localPort;
+      #   inherit domain;
+      #   isContainer = true;
+      # };
+      environment.systemPackages = with pkgs; [ zip unzip ];
+      systemd.tmpfiles.rules = [
+        "d /data/postgresql 700 postgres postgres -"
+        # "d /data/uploads 700 akkoma akkoma -"
+        # "d /var/akkosecrets 500 akkoma akkoma -"
+       ];
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql_15;
+        dataDir = "/data/postgresql";
+      };
+      networking.firewall.allowedTCPPorts = [
+        localPort
+      ];
+    };
+  };
+}