# SPDX-FileCopyrightText: 2021 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
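{ depot, lib, ... }:
let
  # One address per usable host in 92.118.29.0/24 (.1 through .253). These are
  # added as /32 aliases on the loopback interface below and handed to the
  # proxy as its pool of source addresses for outbound connections.
  aliasIPs = map (n: "92.118.29.${toString n}") (lib.range 1 253);
in {
  networking.interfaces.lo.ipv4.addresses = (
    map (address: { inherit address; prefixLength = 32; }) aliasIPs);

  # Only the plain-HTTP and TLS listener ports are opened inbound.
  networking.firewall.allowedTCPPorts = [
    80 443
  ];

  # Dedicated unprivileged identity for the service. The primary group is
  # declared explicitly instead of relying on the historic default, since
  # newer NixOS releases assert that system users name a group.
  users.users.minotarproxy = {
    isSystemUser = true;
    group = "minotarproxy";
  };
  users.groups.minotarproxy = {};

  systemd.services.minotarproxy = {
    description = "Minotar proxy";
    # `wants` alone does not order the unit; without `after` the proxy could
    # be started before the network is up and fail its first bind attempts.
    wants = ["network-online.target"];
    after = ["network-online.target"];
    wantedBy = ["multi-user.target"];
    serviceConfig = {
      # --server_bind / --autocert_insecure_bind: the TLS listener on :443 and
      #   the plain-HTTP listener on :80 (presumably used for ACME challenges;
      #   confirm against the binary's flag help).
      # --outbound_bind: the full alias pool, comma-separated.
      # --autocert_cache_dir: writable directory for the certificate cache,
      #   which presumably includes private key material — hence the 0700
      #   directory created by the tmpfiles rule below.
      ExecStart = ''${depot.go.minotarproxy}/bin/minotarproxy --logtostderr --server_bind=92.118.29.225:443 --autocert_insecure_bind=92.118.29.225:80 --autocert_domain=minotarproxy.lukegb.xyz --outbound_bind="${builtins.concatStringsSep "," aliasIPs}" --autocert_cache_dir=/run/minotarproxy'';
      User = "minotarproxy";
      Restart = "always";
      # Binding ports below 1024 as a non-root user needs exactly this one
      # capability; nothing broader is granted to the process.
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    };
  };

  # Cache directory readable only by the service user. /run is typically
  # volatile, so the cached certificates are expected to be re-obtained after
  # a reboot.
  systemd.tmpfiles.rules = [
    "d /run/minotarproxy 0700 minotarproxy - -"
  ];
}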