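# NixOS module: declarative container "lrad" that runs a Tang server (tangd),
# socket-activated on TCP 63080 and reading its keys from a bind-mounted
# state directory on the host.
{ pkgs, config, ... }:

let
  serviceAddress = "10.10.41.11";
  containerStateDir = "/data";
  hostStateDir = "/srv/container/lrad";
in
{
  containers."lrad" = {
    # Separate network namespace; the container is reached over the
    # hostAddress <-> localAddress pair. Whatever forwards traffic from other
    # networks to serviceAddress is not part of this file.
    privateNetwork = true;
    hostAddress = "10.10.41.1";
    localAddress = serviceAddress;

    # Writable bind mount of the host state directory. The Tang key directory
    # below lives inside it, so the host path holds the server's private keys.
    # NOTE(review): restrict hostStateDir/data/tangd to the uid the "tang" user
    # gets inside the container, with no group/other access, and confirm that
    # uid matches the owner on the host.
    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    config = { config, pkgs, ... }: {
      # Opens the Tang port in the container firewall. Tang does not
      # authenticate clients, so reachability of this port is the access
      # control: keep it limited to the networks the unlocking clients are on.
      networking.firewall.allowedTCPPorts = [ 63080 ];

      # The service runs as User = "tang", so that account has to exist in the
      # container; without it systemd cannot resolve the user and the unit
      # fails at start. isSystemUser needs an explicit group on current NixOS.
      users.users."tang" = {
        isSystemUser = true;
        group = "tang";
      };
      users.groups."tang" = { };

      # Template unit ("tangd@"): the socket below uses Accept = true, for
      # which systemd instantiates tangd@.service once per connection. A plain
      # "tangd" service is never started by such a socket.
      systemd.services."tangd@" = {
        enable = true;
        # TODO: require the key directory (${containerStateDir}/data/tangd,
        # i.e. hostStateDir/data/tangd on the host) to exist before starting.
        serviceConfig = {
          ExecStart = "${pkgs.tang}/bin/tangd ${containerStateDir}/data/tangd";
          # inetd style: the accepted connection is tangd's stdin/stdout,
          # diagnostics go to the journal.
          StandardInput = "socket";
          StandardOutput = "socket";
          StandardError = "journal";
          # Unprivileged account; tangd only needs access to its key directory.
          # NOTE(review): consider systemd sandboxing (e.g. NoNewPrivileges,
          # ProtectSystem with the key directory as the only writable path)
          # once verified against this tang version.
          User = "tang";
        };
      };

      systemd.sockets."tangd" = {
        enable = true;
        listenStreams = [ "63080" ];
        wantedBy = [ "sockets.target" ];
        socketConfig = {
          # One service instance per incoming connection.
          Accept = true;
        };
      };
    };
  };
}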