Laser ,

Even when using it in a basic way, I think it has one very tangible advantage: the fact that you can “compartmentalize” different aspects of your configuration.

Let’s say I set up a specific web service that I want to put behind a reverse proxy, and it uses a specific folder that doesn’t exist yet, like Navidrome which is a web-based audio player. It requires a set of adjustments of different system parts. My nix file for it looks like this:


```nix
{ config, ... }:

let
  domain = "music." + toString config.networking.domain;
in
  {
    services.navidrome = {
      enable = true;
      settings = {
        Address = "127.0.0.1";
        Port = 4533;
        MusicFolder = "/srv/music";
        BaseUrl = "https://" + domain;
        EnableSharing = true;
        Prometheus.Enabled = true;
        LogLevel = "debug";
        ReverseProxyWhitelist = "127.0.0.1/32";
      };
    };

    services.nginx = {
      upstreams = {
        navidrome = {
          servers = {
            "127.0.0.1:${toString config.services.navidrome.settings.Port}" = {};
          };
        };
      };
    };

    services.nginx.virtualHosts."${domain}" = {
      onlySSL = true;
      useACMEHost = config.networking.domain;
      extraConfig = ''
        include ${./authelia/server.conf};
      '';
      locations."/" = {
        proxyPass = "http://navidrome";
        recommendedProxySettings = false;
        extraConfig = ''
          include ${./authelia/proxy.conf};
          include ${./authelia/location.conf};
        '';
      };
    };

    systemd.tmpfiles.settings."navidrome-music-dir"."${toString config.services.navidrome.settings.MusicFolder}" = {
      d = {
        user = "laser";
        mode = "0755";
      };
    };
    systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/run/systemd/resolve/stub-resolv.conf"];

    security.acme.certs."${config.networking.domain}".extraDomainNames = [ "${domain}" ];
  }
```

All settings related to the service are contained in a single file. Don’t want it anymore? Comment it out from my main configuration (or wherever it’s imported from) and most traces of it are gone, the exception being the folder that was created using systemd.tmpfiles. No manually deleting the link from sites-available or editing the list of domains for my certificate. The next generation will look like the service never existed.

And in my configuration, at least the port could be changed and everything would still work – I guess there is room for improvement, but this does what I want pretty well.
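An added example, not part of Laser's configuration: because the listen address, the nginx upstream and `ReverseProxyWhitelist` are written as three separate literals in the file above, a later edit to one of them can silently leave Navidrome reachable without passing through nginx and the Authelia includes. The module below uses the NixOS `assertions` option to fail the build when they drift apart. The file name `navidrome-checks.nix` is hypothetical, and it assumes it is imported next to the file above.

```nix
# navidrome-checks.nix (hypothetical file name, added example)
{ config, lib, ... }:

let
  nd = config.services.navidrome.settings;
  addr = nd.Address or "127.0.0.1";
  port = toString (nd.Port or 4533);
  upstreams = config.services.nginx.upstreams;
in
{
  # Only evaluated when the service is enabled, so removing the import
  # of the service file also makes these checks inert.
  assertions = lib.optionals config.services.navidrome.enable [
    {
      # The service must stay on loopback so the only route to it
      # is the nginx virtual host that carries the Authelia includes.
      assertion = lib.hasPrefix "127." addr;
      message = "navidrome: Address = ${addr} is not loopback; clients could reach it without going through nginx.";
    }
    {
      # Only the local proxy may be trusted to assert an identity.
      assertion = (nd.ReverseProxyWhitelist or "") == "${addr}/32";
      message = "navidrome: ReverseProxyWhitelist must be exactly ${addr}/32.";
    }
    {
      # The nginx upstream must point at the address and port the service binds.
      assertion = upstreams ? navidrome
        && builtins.hasAttr "${addr}:${port}" upstreams.navidrome.servers;
      message = "nginx: upstream navidrome has no server ${addr}:${port}.";
    }
  ];
}
```

A failed assertion aborts `nixos-rebuild` with the message shown, so a mismatched configuration never becomes a generation.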
