nixos-config/systems/x86_64-linux/stargate/services/ente.nix
2025-12-07 15:27:18 +01:00


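# NixOS module: self-hosted Ente (web apps + API) storing its objects in a
# local MinIO instance. MinIO and its console are published through nginx
# vhosts with ACME certificates; all secrets come from sops-nix files.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  domain = "ente.kylekrein.com";

  # Public S3 host name. MinIO advertises the URL and ente connects to it, so
  # it is defined once to keep both sides in agreement.
  s3Host = "s3.kylekrein.com";
  s3Url = "https://${s3Host}";

  # MinIO's region and the region in ente's bucket settings must match.
  s3Region = "us-east-1";

  # MinIO is only reached through the nginx vhosts below, so it listens on
  # loopback rather than on every interface.
  loopback = "127.0.0.1";
  s3Port = 21939;
  consolePort = 21940;

  # Runtime path of a sops-nix secret; only the path (never the value) is
  # referenced from the configuration.
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  # Each secret is owned by the service user that has to read it.
  sops.secrets = {
    "services/minio".owner = "minio";
    "services/ente/minio/user".owner = "ente";
    "services/ente/minio/password".owner = "ente";
    "services/ente/encryption".owner = "ente";
    "services/ente/hash".owner = "ente";
    "services/ente/jwt".owner = "ente";
  };

  services.minio = {
    enable = true;
    region = s3Region;
    # Loopback only: both listeners speak plain HTTP and are proxied by the
    # TLS vhosts below. A bare ":PORT" would listen on every interface and
    # leave exposure entirely up to the firewall. If another host needs
    # direct access, route it through nginx as well.
    listenAddress = "${loopback}:${toString s3Port}";
    consoleAddress = "${loopback}:${toString consolePort}";
    # Root credentials are read from a sops-managed file of the form
    #   MINIO_ROOT_USER=your_root_user
    #   MINIO_ROOT_PASSWORD=a_randomly_generated_long_password
    # so they are not written into the configuration itself.
    rootCredentialsFile = secretPath "services/minio";
  };
  systemd.services.minio.environment.MINIO_SERVER_URL = s3Url;

  services.nginx.virtualHosts = {
    # MinIO web console.
    # NOTE(review): this publishes the console login on its own vhost. If it
    # does not have to be reachable from everywhere, limit it to a VPN or an
    # address allow-list; confirm the intended exposure.
    "web.${s3Host}" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://${loopback}:${toString consolePort}";
    };

    # MinIO S3 API.
    # NOTE(review): S3 request signatures cover the Host header, so MinIO has
    # to receive the original one. Confirm that
    # services.nginx.recommendedProxySettings (or an explicit Host header) is
    # set elsewhere in this configuration.
    "${s3Host}" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://${loopback}:${toString s3Port}";
      # client_max_body_size is the upper bound for a single upload; buffering
      # is switched off in both directions for the proxied traffic.
      extraConfig = ''
        client_max_body_size 16G;
        proxy_buffering off;
        proxy_request_buffering off;
      '';
    };
  };

  services.ente = {
    web = {
      enable = true;
      domains = {
        photos = "photos.${domain}";
        albums = "albums.${domain}";
        cast = "cast.${domain}";
        api = "api.${domain}";
        accounts = "accounts.${domain}";
      };
    };

    api = {
      enable = true;
      domain = "api.${domain}";
      enableLocalDB = true;
      nginx.enable = true;
      settings = {
        apps = {
          accounts = "https://accounts.${domain}";
          cast = "https://cast.${domain}";
          # Upstream museum reads this key under `apps`; as a top-level
          # setting it would presumably be ignored and album links would fall
          # back to the default host.
          public-albums = "https://albums.${domain}";
        };

        s3 = {
          b2-eu-cen = {
            are_local_buckets = false;
            use_path_style_urls = true;
            endpoint = s3Url;
            region = s3Region;
            bucket = "ente";
            # `_secret` points at a file, so the bucket credentials are not
            # embedded in the settings themselves.
            key._secret = secretPath "services/ente/minio/user";
            secret._secret = secretPath "services/ente/minio/password";
          };
        };

        key = {
          # generate with: openssl rand -base64 32
          encryption._secret = secretPath "services/ente/encryption";
          # generate with: openssl rand -base64 64
          hash._secret = secretPath "services/ente/hash";
        };

        # generate with: openssl rand -base64 32
        jwt.secret._secret = secretPath "services/ente/jwt";

        internal = {
          # presumably the ente user ID that is granted admin rights; verify
          admin = 1580559962386438;
          # No self-service sign-up on this instance.
          disable-registration = true;
        };
      };
    };
  };
}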