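# NixOS module: runs a Tang server (network-bound disk encryption key
# provider) inside an ephemeral NixOS container and exposes it through the
# host's nginx with ACME-issued TLS.
{ pkgs, config, ... }:
let
  # Mount point of the persistent state inside the container.
  containerStateDir = "/data";
  # Host directory backing that mount. It ends up holding the Tang
  # signing/exchange keys, so its ownership and mode on the host matter.
  hostStateDir = "/opt/tangd";
  # Public hostname served by nginx. Left empty here; an empty string yields
  # a vhost named "" and must be set before deployment.
  domain = "";
  # Address the host proxies to. NOTE(review): no `privateNetwork` is set on
  # the container, so it shares the host's network namespace; confirm this
  # address is reachable from nginx and is where the tangd socket listens.
  serviceAddress = "10.10.42.12";
  # Port the tangd socket listens on. The original expression referenced
  # `servicePort` without defining it, which fails evaluation; 80 is tangd's
  # upstream default (constructed value) — adjust to what the deployment expects.
  servicePort = 80;
in
{
  # TLS terminates at the host; traffic to tangd inside the container stays
  # plain HTTP, which tang expects.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://${serviceAddress}:${toString servicePort}";
  };

  containers.tang = {
    autoStart = true;
    # Root filesystem is discarded on every restart; only the bind mount
    # below persists (and therefore the key database lives there).
    ephemeral = true;
    bindMounts."${containerStateDir}" = {
      hostPath = hostStateDir;
      isReadOnly = false;
    };

    config = { config, pkgs, ... }: {
      # Without a private network namespace a second firewall instance would
      # manage the host's rule set; the host firewall still applies.
      networking.firewall.enable = false;

      users.groups._tang = { };
      users.users._tang = {
        group = "_tang";
        isSystemUser = true;
      };

      # jose provides the CLI used to inspect and rotate the key database.
      # Passed as a package rather than an interpolated store-path string.
      environment.systemPackages = [ pkgs.jose ];

      # Create the key directory once at boot, owned by the service user and
      # readable by nobody else, instead of spawning a shell `mkdir` for every
      # accepted connection (the original ExecStartPre ran per instance and as
      # `_tang`, which cannot create directories in a root-owned bind mount).
      systemd.tmpfiles.rules = [
        "d ${containerStateDir}/tang-db 0700 _tang _tang -"
      ];

      # Template unit: with `Accept = true` on the socket, systemd spawns one
      # instance per connection and hands it the connection on stdin/stdout.
      systemd.services."tangd@" = {
        enable = true;
        serviceConfig = {
          ExecStart = "${pkgs.tang}/libexec/tangd ${containerStateDir}/tang-db";
          StandardInput = "socket";
          StandardOutput = "socket";
          StandardError = "journal";
          User = "_tang";
          Group = "_tang";
          # Minimal, non-intrusive hardening: tangd only needs its key
          # directory and the inherited socket.
          NoNewPrivileges = true;
          PrivateTmp = true;
        };
      };

      systemd.sockets.tangd = {
        enable = true;
        listenStreams = [ "${toString servicePort}" ];
        wantedBy = [ "sockets.target" ];
        socketConfig.Accept = true;
      };

      system.stateVersion = "22.11";
    };
  };
}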