# NixOS module that turns on `services.whib-backend` when
# `mod.whib-backend.enable` is set, and declares the age-encrypted secrets
# the service configuration refers to.
{
  pkgs,
  lib,
  config,
  ...
}:
let
  cfg = config.mod.whib-backend;

  apiHost = "api.whib.ppp.pm";
  grafanaHost = "grafana.whib.ppp.pm";

  # Builds the literal text `$(<coreutils>/bin/cat <decrypted secret path>)`.
  # Nix does not execute this: only the *path* of the decrypted file ends up
  # in the evaluated configuration, so the secret value itself is not copied
  # into the world-readable Nix store.
  # NOTE(review): this relies on services.whib-backend placing these option
  # values somewhere a shell expands them at service start. Confirm that in
  # the consuming module, and confirm the expanded value is not exposed
  # through process arguments or logged environment. If the value is used
  # without shell expansion, the service would receive the literal `$(...)`
  # text instead of the secret.
  fromSecret = name: "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.${name}.path})";
in
{
  options.mod.whib-backend.enable = lib.mkEnableOption "enable WHIB backend";

  config = lib.mkIf cfg.enable {
    # Fail evaluation early when nginx is not enabled on this host.
    # Presumably the backend module publishes `domain` through nginx
    # virtual hosts; verify against services.whib-backend.
    assertions = [
      {
        assertion = config.services.nginx.enable;
        message = "Option 'config.services.nginx' must be enabled";
      }
    ];

    services.whib-backend = {
      enable = true;

      backend = {
        signingKey = fromSecret "whib-signing-key";
        domain = apiHost;
        useACMEHost = apiHost;
      };

      postgres = {
        database = "whib";
        host = "postgres";
        port = "5432"; # passed as a string, not an integer
        user = "whib";
        password = fromSecret "whib-postgres-password";

        backup = {
          interval = "*-*-* 00:00:00 UTC";
          # Handed over as a file path rather than a `$(cat ...)` string, so
          # this value needs no shell expansion to stay out of the store.
          gpgPassphraseFile = config.age.secrets.whib-gpg-key.path;
          backblazeBucket = fromSecret "whib-backblaze-bucket";
          backblazeKeyID = fromSecret "whib-backblaze-key-id";
          backblazeKey = fromSecret "whib-backblaze-key";
        };
      };

      grafana = {
        domain = grafanaHost;
        useACMEHost = grafanaHost;
        password = fromSecret "whib-grafana-password";
      };
    };

    # Encrypted inputs for every secret referenced above.
    # NOTE(review): no owner, group or mode is set on any entry, so the age
    # module's defaults apply. Confirm that the account which runs the
    # `cat` (and the backup job reading gpgPassphraseFile) can read the
    # decrypted files, and that no broader access is granted than needed.
    age.secrets = {
      whib-signing-key.file = ../../../../secrets/tadpole/whib-signing-key.age;
      whib-postgres-password.file = ../../../../secrets/tadpole/whib-postgres-password.age;
      whib-grafana-password.file = ../../../../secrets/tadpole/whib-grafana-password.age;
      whib-gpg-key.file = ../../../../secrets/tadpole/whib-gpg-key.age;
      whib-backblaze-bucket.file = ../../../../secrets/tadpole/whib-backblaze-bucket.age;
      whib-backblaze-key-id.file = ../../../../secrets/tadpole/whib-backblaze-key-id.age;
      whib-backblaze-key.file = ../../../../secrets/tadpole/whib-backblaze-key.age;
    };
  };
}