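# NixOS host configuration for an InvenTree instance fronted by nginx.
# All secrets (application secret key, OIDC signing key, admin password and
# the TLS key pair) come from clan vars generators and are referenced by path,
# so no secret value is written into this file.
{
  inputs,
  config,
  pkgs,
  ...
}:
let
  domain = "inventory.poyrecords.newedge.house";

  # Generated files are declared under clan.core.vars.generators.<name>.files
  # below; resolve them once so every consumer uses the same option path.
  inventreeVars = config.clan.core.vars.generators.inventree.files;
  nginxVars = config.clan.core.vars.generators.nginx.files;
in
{
  imports = [ inputs.self.nixosModules.inventree ];

  nixpkgs.overlays = [ inputs.self.overlays.packagesOverlay ];
  nixpkgs.hostPlatform = {
    system = "x86_64-linux";
  };

  # Application secrets, readable only by the inventree service account.
  clan.core.vars.generators.inventree = {
    files = {
      secret-key = {
        owner = "inventree";
        group = "inventree";
        secret = true;
      };
      oidc-key = {
        owner = "inventree";
        group = "inventree";
        secret = true;
      };
      admin-password = {
        owner = "inventree";
        group = "inventree";
        secret = true;
      };
    };
    runtimeInputs = [
      pkgs.pwgen
      pkgs.xkcdpass
    ];
    # pwgen -s yields fully random 32-character strings. The two pwgen files
    # keep their trailing newline while admin-password has it stripped;
    # NOTE(review): confirm the inventree module trims the key files on read.
    # NOTE(review): a four-word passphrase is a small search space for an admin
    # login reachable over the network; consider a larger --numwords.
    script = ''
      pwgen -s 32 1 > "$out"/secret-key
      pwgen -s 32 1 > "$out"/oidc-key
      xkcdpass --numwords 4 --delimiter - --count 1 | tr -d "\n" > "$out"/admin-password
    '';
  };

  # Self-signed TLS key pair for the nginx virtual host.
  clan.core.vars.generators.nginx = {
    files = {
      sslCert = {
        owner = "nginx";
        group = "nginx";
        secret = true;
      };
      sslKey = {
        owner = "nginx";
        group = "nginx";
        secret = true;
      };
    };
    runtimeInputs = [ pkgs.openssl ];
    # The certificate names the served domain in both CN and subjectAltName;
    # a certificate issued for "localhost" cannot be validated against this
    # virtual host, and current clients only match on subjectAltName.
    # -nodes leaves the key unencrypted so nginx can start unattended; the
    # owner/group settings above are what protect it.
    # NOTE(review): a self-signed certificate valid for ten years gives clients
    # nothing to verify unless it is pinned or distributed out of band;
    # consider an ACME-issued certificate if this host is publicly reachable.
    script = ''
      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$out"/sslKey \
        -out "$out"/sslCert \
        -subj "/CN=${domain}" \
        -addext "subjectAltName=DNS:${domain}"
    '';
  };

  # forceSSL below answers on port 80 only to redirect to HTTPS, so 443 has to
  # be open as well or every request ends at a closed port.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services.inventree = {
    enable = true;
    hostName = domain;
    # NOTE(review): the virtual host forces HTTPS while site_url advertises
    # http://; confirm how the inventree module uses this value (absolute
    # links, trusted origins) and switch the scheme to https if it must match.
    config.site_url = "http://${config.services.inventree.hostName}";
    secretKeyFile = inventreeVars.secret-key.path;
    config.oidc_private_key_file = inventreeVars.oidc-key.path;
    config.adminPasswordFile = inventreeVars.admin-password.path;
  };

  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    # Fixed option path: the generator lives under clan.core.vars.generators,
    # not clan.core.generators, which is not declared anywhere in this file.
    sslCertificate = nginxVars.sslCert.path;
    sslCertificateKey = nginxVars.sslKey.path;
  };

  system.stateVersion = "25.11";

  clan.core.sops.defaultGroups = [ "admins" ];
}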