# Host-side module: runs a restic REST backup server inside a NixOS container
# attached to the host bridge. Addresses and storage paths come from `configVars`.
{ pkgs, configVars, lib, ... }:
let
  containerName = "backup-server";
  addrs = configVars.networking.addresses;
  containerIp = addrs.backup-server.ip;
  gatewayIp = addrs.gateway.ip;

  # Every file under users/keys becomes a root authorized key in the container,
  # so adding a file to that directory grants root SSH access there.
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  rootKeys = map builtins.readFile pubKeys;

  # Host path holding the restic repositories (bind-mounted read/write below).
  backupContainerData = configVars.locations.backupContainerData;
in
{
  # NOTE(review): the container uses `hostBridge`, so its host-side veth is not
  # necessarily matched by the `ve-+` pattern — confirm this NAT rule is still needed.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "br0";
  };

  # Keep the container's state across reboots of an ephemeral root.
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [ "/var/lib/nixos-containers/${containerName}" ];
  };

  containers.${containerName} = {
    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;

    # Writable mount: the REST server stores repository data here.
    bindMounts."/srv/backup" = {
      hostPath = backupContainerData;
      isReadOnly = false;
    };

    config = { pkgs, lib, ... }: {
      networking = {
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            address = "${containerIp}";
            prefixLength = 24;
          }
        ];
        # Only the restic REST port is opened explicitly; the node exporter
        # opens its own port via `openFirewall` below.
        firewall = {
          enable = true;
          allowedTCPPorts = [ 8000 ];
        };
        # Let systemd-resolved manage DNS instead of inheriting the host's resolv.conf.
        useHostResolvConf = lib.mkForce false;
      };
      services.resolved.enable = true;

      environment.systemPackages = with pkgs; [
        vim
        git
        python311
        restic
        apacheHttpd
      ];

      services.prometheus.exporters.node = {
        enable = true;
        enabledCollectors = [ "systemd" ];
        openFirewall = true;
      };

      # Key-only SSH; root is the only account given authorized keys here.
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };
      users.users.root.openssh.authorizedKeys.keys = rootKeys;

      # restic rest-server reachable on the bridge network. By upstream default it
      # authenticates clients against an `.htpasswd` in `dataDir` and serves plain
      # HTTP unless TLS is configured.
      # NOTE(review): `appendOnly = true` would stop a compromised client from
      # deleting snapshots — confirm it fits the prune workflow before enabling.
      services.restic.server = {
        enable = true;
        listenAddress = "0.0.0.0:8000";
        dataDir = "/srv/backup/restic";
      };

      system.stateVersion = "24.05";
    };
  };
}