Refactor part 2

hosts/common/boot.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   boot = {

hosts/common/console.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   console = {
@@ -23,25 +23,4 @@
       "B48EAD"
     ];
   };
-
-  i18n = {
-    consoleColors = [
-      "2E3440"
-      "3B4252"
-      "434C5E"
-      "4C566A"
-      "D8DEE9"
-      "E5E9F0"
-      "ECEFF4"
-      "8FBCBB"
-      "88C0D0"
-      "81A1C1"
-      "5E81AC"
-      "BF616A"
-      "D08770"
-      "EBCB8B"
-      "A3BE8C"
-      "B48EAD"
-    ];
-  };
 }

hosts/common/default.nix

@@ -3,11 +3,13 @@
 {
   imports = [
     ./boot.nix
+    ./console.nix
     ./locale.nix
     ./networking.nix
     ./nix.nix
     ./packages.nix
     ./services.nix
     ./users.nix
+    ./virtualisation.nix
   ];
 }

hosts/common/locale.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   time.timeZone = "America/Bahia";

hosts/common/networking.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   networking = {

hosts/common/nix.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   nix = {

hosts/common/packages.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   nixpkgs.config.allowUnfree = true;

hosts/common/services.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   services = {

hosts/common/users.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   users.users = {

hosts/common/virtualisation.nix

@@ -0,0 +1,5 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  virtualisation.podman.enable = true;
+}

hosts/desktops/common/boot.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   boot = {

hosts/desktops/common/hardware.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   hardware = {

hosts/desktops/common/nix.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   environment.etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;

hosts/desktops/common/packages.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   environment.systemPackages = with pkgs; [
@@ -33,7 +33,6 @@
     mpv
     nixfmt
     nix-init
-    nix-your-shell
     obs-studio
     p7zip
     prismlauncher-qt5

hosts/desktops/common/services.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 let
   plasma = pkgs.writeScriptBin "plasma" ''

hosts/desktops/common/users.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   environment.sessionVariables = rec {

hosts/desktops/common/virtualisation.nix

@@ -1,10 +1,9 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   virtualisation = {
     libvirtd.enable = true;
     waydroid.enable = true;
     lxd.enable = true;
-    docker.enable = true;
   };
 }

hosts/desktops/io.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   imports = [

hosts/desktops/io/hardware-configuration.nix

@@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

hosts/desktops/rotterdam.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   imports = [

hosts/desktops/rotterdam/hardware-configuration.nix

@@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

hosts/servers/alexandria.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   imports = [

hosts/servers/alexandria/actual.nix

@@ -0,0 +1,17 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  virtualisation.oci-containers.containers."actual" = {
+    image = "jlongster/actual-server:latest";
+    ports = [ "${config.ports.actual}:5006" ];
+    volumes = [ "/data/actual:/data" ];
+    extraOptions = [ "--pull=always" ];
+  };
+
+  services.nginx.virtualHosts."actual.baduhai.me" = {
+    useACMEHost = "baduhai.me";
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://127.0.0.1:${config.ports.actual}";
+  };
+}

hosts/servers/alexandria/arr.nix

@@ -0,0 +1,66 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services = {
+    bazarr = {
+      enable = true;
+      user = "user";
+      group = "hosted";
+    };
+
+    jackett.enable = true;
+
+    qbittorrent = {
+      enable = true;
+      user = "user";
+      group = "hosted";
+      port = lib.toInt "${config.ports.qbittorrent}";
+    };
+
+    radarr = {
+      enable = true;
+      user = "user";
+      group = "hosted";
+    };
+
+    sonarr = {
+      enable = true;
+      user = "user";
+      group = "hosted";
+    };
+
+    nginx.virtualHosts = {
+      "bazarr.baduhai.me" = {
+        useACMEHost = "baduhai.me";
+        forceSSL = true;
+        kTLS = true;
+        locations."/".proxyPass = "http://127.0.0.1:${config.ports.bazaar}";
+      };
+      "jackett.baduhai.me" = {
+        useACMEHost = "baduhai.me";
+        forceSSL = true;
+        kTLS = true;
+        locations."/".proxyPass = "http://127.0.0.1:${config.ports.jackett}";
+      };
+      "qbittorrent.baduhai.me" = {
+        useACMEHost = "baduhai.me";
+        forceSSL = true;
+        kTLS = true;
+        locations."/".proxyPass =
+          "http://127.0.0.1:${config.ports.qbittorrent}";
+      };
+      "radarr.baduhai.me" = {
+        useACMEHost = "baduhai.me";
+        forceSSL = true;
+        kTLS = true;
+        locations."/".proxyPass = "http://127.0.0.1:${config.ports.radarr}";
+      };
+      "sonarr.baduhai.me" = {
+        useACMEHost = "baduhai.me";
+        forceSSL = true;
+        kTLS = true;
+        locations."/".proxyPass = "http://127.0.0.1:${config.ports.sonarr}";
+      };
+    };
+  };
+}

hosts/servers/alexandria/changedetection.nix

@@ -0,0 +1,22 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services = {
+    changedetection-io = {
+      enable = true;
+      group = "hosted";
+      behindProxy = true;
+      datastorePath = "/data/changedetection";
+      port = lib.toInt "${config.ports.changedetection-io}";
+      baseURL = "https://detect.baduhai.me";
+    };
+
+    nginx.virtualHosts."detect.baduhai.me" = {
+      useACMEHost = "baduhai.me";
+      forceSSL = true;
+      kTLS = true;
+      locations."/".proxyPass =
+        "http://127.0.0.1:${config.ports.changedetection-io}";
+    };
+  };
+}

hosts/servers/alexandria/cinny.nix

@@ -0,0 +1,17 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  virtualisation.oci-containers.containers."cinny" = {
+    image = "ghcr.io/cinnyapp/cinny:latest";
+    ports = [ "${config.ports.cinny}:80" ];
+    volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
+    extraOptions = [ "--pull=always" ];
+  };
+
+  services.nginx.virtualHosts."cinny.baduhai.me" = {
+    useACMEHost = "baduhai.me";
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://127.0.0.1:${config.ports.cinny}";
+  };
+}

hosts/servers/alexandria/containerised.nix

@@ -1,48 +0,0 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
-
-{
-  virtualisation = {
-    podman.enable = true;
-    oci-containers = {
-      backend = "podman";
-      containers = {
-        "actual" = {
-          image = "jlongster/actual-server:latest";
-          ports = [ "${config.ports.actual}:5006" ];
-          volumes = [ "/data/actual:/data" ];
-          extraOptions = [ "--pull=always" ];
-        };
-        "cinny" = {
-          image = "ghcr.io/cinnyapp/cinny:latest";
-          ports = [ "${config.ports.cinny}:80" ];
-          volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
-          extraOptions = [ "--pull=always" ];
-        };
-        "cinny2" = {
-          image = "ghcr.io/cinnyapp/cinny:latest";
-          ports = [ "${config.ports.cinny2}:80" ];
-          volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
-          extraOptions = [ "--pull=always" ];
-        };
-        "librespeed" = {
-          image = "lscr.io/linuxserver/librespeed:latest";
-          environment = { TZ = "America/Bahia"; };
-          ports = [ "${config.ports.librespeed}:80" ];
-          extraOptions = [ "--pull=always" ];
-        };
-        "whoogle" = {
-          image = "benbusby/whoogle-search:latest";
-          environment = {
-            HTTPS_ONLY = "1";
-            WHOOGLE_CONFIG_LANGUAGE = "lang_en";
-            WHOOGLE_CONFIG_THEME = "system";
-            WHOOGLE_CONFIG_VIEW_IMAGE = "1";
-            WHOOGLE_CONFIG_GET_ONLY = "1";
-          };
-          ports = [ "${config.ports.whoogle}:5000" ];
-          extraOptions = [ "--pull=always" ];
-        };
-      };
-    };
-  };
-}

hosts/servers/alexandria/default.nix

@@ -2,12 +2,21 @@
 
 {
   imports = [
-    ./containerised.nix
+    ./actual.nix
+    ./arr.nix
+    ./changedetection.nix
     ./hardware-configuration.nix
+    ./jellyfin.nix
+    ./librespeed.nix
     ./matrix.nix
+    ./minecraft.nix
+    ./nginx.nix
+    ./paperless.nix
     ./security.nix
     ./services.nix
     ./users.nix
     ./variables.nix
+    ./vaultwarden.nix
+    ./whoogle.nix
   ];
 }

hosts/servers/alexandria/hardware-configuration.nix

@@ -1,7 +1,7 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{ config, pkgs, lib, modulesPath, ... }:
 
 {
   imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];

hosts/servers/alexandria/jellyfin.nix

@@ -0,0 +1,19 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services = {
+    jellyfin = {
+      enable = true;
+      user = "user";
+      group = "hosted";
+      openFirewall = true;
+    };
+
+    nginx.virtualHosts."jellyfin.baduhai.me" = {
+      useACMEHost = "baduhai.me";
+      forceSSL = true;
+      kTLS = true;
+      locations."/".proxyPass = "http://127.0.0.1:${config.ports.jellyfin}";
+    };
+  };
+}

hosts/servers/alexandria/librespeed.nix

@@ -0,0 +1,17 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  virtualisation.oci-containers.containers."librespeed" = {
+    image = "lscr.io/linuxserver/librespeed:latest";
+    environment = { TZ = "America/Bahia"; };
+    ports = [ "${config.ports.librespeed}:80" ];
+    extraOptions = [ "--pull=always" ];
+  };
+
+  services.nginx.virtualHosts."librespeed.baduhai.me" = {
+    useACMEHost = "baduhai.me";
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://127.0.0.1:${config.ports.librespeed}";
+  };
+}

hosts/servers/alexandria/matrix.nix

@@ -1,7 +1,8 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
-  services.matrix-conduit = {
+  services = {
+    matrix-conduit = {
       enable = true;
       extraEnvironment = { RUST_MIN_STACK = "16777216"; };
       package = pkgs.unstable.matrix-conduit;
@@ -16,7 +17,7 @@
       };
     };
 
-  services.nginx.virtualHosts."matrix.baduhai.me" = {
+    nginx.virtualHosts."matrix.baduhai.me" = {
       useACMEHost = "baduhai.me";
       forceSSL = true;
       kTLS = true;
@@ -35,4 +36,12 @@
         extraConfig = "add_header Access-Control-Allow-Origin *;";
       };
     };
+  };
+
+  virtualisation.oci-containers.containers."cinny2" = {
+    image = "ghcr.io/cinnyapp/cinny:latest";
+    ports = [ "${config.ports.cinny2}:80" ];
+    volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
+    extraOptions = [ "--pull=always" ];
+  };
 }

hosts/servers/alexandria/minecraft.nix

@@ -0,0 +1,19 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services.minecraft-server = {
+    enable = true;
+    eula = true;
+    declarative = true;
+    openFirewall = true;
+    package = pkgs.papermc;
+    serverProperties = {
+      motd = "Bem-vindo a Alexandria";
+      difficulty = "hard";
+      gamemode = "survival";
+      online-mode = "false";
+      spawn-protection = "0";
+    };
+    dataDir = "/data/minecraft";
+  };
+}

hosts/servers/alexandria/nginx.nix

@@ -0,0 +1,18 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+    group = "hosted";
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts."baduhai.me" = {
+      useACMEHost = "baduhai.me";
+      forceSSL = true;
+      kTLS = true;
+      root = inputs.homepage;
+    };
+  };
+}

hosts/servers/alexandria/paperless.nix

@@ -0,0 +1,28 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services = {
+    paperless = {
+      enable = true;
+      dataDir = "/data/paperless/data";
+      mediaDir = "/data/paperless/media";
+      passwordFile = config.age.secrets.paperless-pass.path;
+      port = lib.toInt "${config.ports.paperless}";
+      consumptionDirIsPublic = true;
+      extraConfig = { PAPERLESS_OCR_LANGUAGE = "eng+por+deu"; };
+    };
+
+    nginx.virtualHosts."paperless.baduhai.me" = {
+      useACMEHost = "baduhai.me";
+      forceSSL = true;
+      kTLS = true;
+      locations."/".proxyPass = "http://127.0.0.1:${config.ports.paperless}";
+    };
+  };
+
+  age.secrets.paperless-pass = {
+    file = ../../../secrets/paperless-pass.age;
+    owner = "paperless";
+    group = "hosted";
+  };
+}

hosts/servers/alexandria/security.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   age.secrets.cloudflare-creds = {

hosts/servers/alexandria/services.nix

@@ -1,221 +1,8 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
-  age.secrets = {
+  services.postgresql.enable = true;
-    paperless-pass = {
-      file = ../../../secrets/paperless-pass.age;
-      owner = "paperless";
-      group = "hosted";
-    };
-  };
 
-  services = {
+  # Workaround for upstream bug in NetworkManager-wait-online.service
-    bazarr = {
+  systemd.services.NetworkManager-wait-online.enable = false;
-      enable = true;
-      user = "user";
-      group = "hosted";
-    };
-
-    changedetection-io = {
-      enable = true;
-      group = "hosted";
-      behindProxy = true;
-      datastorePath = "/data/changedetection";
-      port = lib.toInt "${config.ports.changedetection-io}";
-      baseURL = "https://detect.baduhai.me";
-    };
-
-    jackett.enable = true;
-
-    jellyfin = {
-      enable = true;
-      user = "user";
-      group = "hosted";
-      openFirewall = true;
-    };
-
-    minecraft-server = {
-      enable = true;
-      eula = true;
-      declarative = true;
-      openFirewall = true;
-      package = pkgs.papermc;
-      serverProperties = {
-        motd = "Bem-vindo a Alexandria";
-        difficulty = "hard";
-        gamemode = "survival";
-        online-mode = "false";
-        spawn-protection = "0";
-      };
-      dataDir = "/data/minecraft";
-    };
-
-    nginx = {
-      enable = true;
-      group = "hosted";
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      virtualHosts = {
-        "baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          root = inputs.homepage;
-        };
-        "bazarr.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.bazaar}";
-        };
-        "bitwarden.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass =
-            "http://127.0.0.1:${config.ports.vaultwarden}";
-        };
-        "cinny.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.cinny}";
-        };
-        "detect.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass =
-            "http://127.0.0.1:${config.ports.changedetection-io}";
-        };
-        "jackett.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.jackett}";
-        };
-        "jellyfin.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.jellyfin}";
-        };
-        "actual.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.actual}";
-        };
-        "librespeed.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass =
-            "http://127.0.0.1:${config.ports.librespeed}";
-        };
-        "n8n.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.n8n}";
-        };
-        "paperless.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass =
-            "http://127.0.0.1:${config.ports.paperless}";
-        };
-        "qbittorrent.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass =
-            "http://127.0.0.1:${config.ports.qbittorrent}";
-        };
-        "radarr.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.radarr}";
-        };
-        "shiori.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.shiori}";
-        };
-        "sonarr.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.sonarr}";
-        };
-        "sync.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass =
-            "http://127.0.0.1:${config.ports.syncthing}";
-        };
-        "whoogle.baduhai.me" = {
-          useACMEHost = "baduhai.me";
-          forceSSL = true;
-          kTLS = true;
-          locations."/".proxyPass = "http://127.0.0.1:${config.ports.whoogle}";
-        };
-      };
-    };
-
-    paperless = {
-      enable = true;
-      dataDir = "/data/paperless/data";
-      mediaDir = "/data/paperless/media";
-      passwordFile = config.age.secrets.paperless-pass.path;
-      port = lib.toInt "${config.ports.paperless}";
-      consumptionDirIsPublic = true;
-      extraConfig = { PAPERLESS_OCR_LANGUAGE = "eng+por+deu"; };
-    };
-
-    postgresql.enable = true;
-
-    qbittorrent = {
-      enable = true;
-      user = "user";
-      group = "hosted";
-      port = lib.toInt "${config.ports.qbittorrent}";
-    };
-
-    radarr = {
-      enable = true;
-      user = "user";
-      group = "hosted";
-    };
-
-    shiori = {
-      enable = true;
-      port = lib.toInt "${config.ports.shiori}";
-    };
-
-    sonarr = {
-      enable = true;
-      user = "user";
-      group = "hosted";
-    };
-
-    vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://bitwarden.baduhai.me";
-        SIGNUPS_ALLOWED = true;
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = "${config.ports.vaultwarden}";
-      };
-    };
-  };
-
-  systemd.services.NetworkManager-wait-online.enable =
-    false; # Workaround for upstream bug in NetworkManager-wait-online.service
 }

hosts/servers/alexandria/shiori.nix

@@ -0,0 +1,17 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services = {
+    shiori = {
+      enable = true;
+      port = lib.toInt "${config.ports.shiori}";
+    };
+
+    nginx.virtualHosts."shiori.baduhai.me" = {
+      useACMEHost = "baduhai.me";
+      forceSSL = true;
+      kTLS = true;
+      locations."/".proxyPass = "http://127.0.0.1:${config.ports.shiori}";
+    };
+  };
+}

hosts/servers/alexandria/users.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   users = {

hosts/servers/alexandria/variables.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 let
   mkStringOption = default:
@@ -18,12 +18,11 @@ in {
     librespeed = mkStringOption "8003";
     paperless = mkStringOption "8004";
     shiori = mkStringOption "8005";
-    syncthing = mkStringOption "8006";
+    cinny2 = mkStringOption "8006";
-    jellyfin = mkStringOption "8096";
     whoogle = mkStringOption "8007";
     qbittorrent = mkStringOption "8008";
     actual = mkStringOption "8009";
-    cinny2 = mkStringOption "8010";
+    jellyfin = mkStringOption "8096";
     sonarr = mkStringOption "8989";
     jackett = mkStringOption "9117";
   };

hosts/servers/alexandria/vaultwarden.nix

@@ -0,0 +1,22 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  services = {
+    vaultwarden = {
+      enable = true;
+      config = {
+        DOMAIN = "https://bitwarden.baduhai.me";
+        SIGNUPS_ALLOWED = true;
+        ROCKET_ADDRESS = "127.0.0.1";
+        ROCKET_PORT = "${config.ports.vaultwarden}";
+      };
+    };
+
+    nginx.virtualHosts."bitwarden.baduhai.me" = {
+      useACMEHost = "baduhai.me";
+      forceSSL = true;
+      kTLS = true;
+      locations."/".proxyPass = "http://127.0.0.1:${config.ports.vaultwarden}";
+    };
+  };
+}

hosts/servers/alexandria/whoogle.nix

@@ -0,0 +1,23 @@
+{ inputs, config, pkgs, lib, ... }:
+
+{
+  virtualisation.oci-containers.containers."whoogle" = {
+    image = "benbusby/whoogle-search:latest";
+    environment = {
+      HTTPS_ONLY = "1";
+      WHOOGLE_CONFIG_LANGUAGE = "lang_en";
+      WHOOGLE_CONFIG_THEME = "system";
+      WHOOGLE_CONFIG_VIEW_IMAGE = "1";
+      WHOOGLE_CONFIG_GET_ONLY = "1";
+    };
+    ports = [ "${config.ports.whoogle}:5000" ];
+    extraOptions = [ "--pull=always" ];
+  };
+
+  services.nginx.virtualHosts."whoogle.baduhai.me" = {
+    useACMEHost = "baduhai.me";
+    forceSSL = true;
+    kTLS = true;
+    locations."/".proxyPass = "http://127.0.0.1:${config.ports.whoogle}";
+  };
+}

hosts/servers/common/boot.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   boot.kernelPackages = pkgs.linuxPackages_hardened;

hosts/servers/common/nix.nix

@@ -1,4 +1,4 @@
-{ specialArgs, inputs, config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;

secrets/secrets.nix

@@ -1,14 +1,16 @@
 let
-  io = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCIrKJk5zWzWEHvLMPMK8T3PyeBjsCsqzxPN+OrXfhA";
+  io =
-  rotterdam = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7zAxgU8LNi5/O5XgoOcLKjbNMmO2S7jAuCI9Nr/V4v"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCIrKJk5zWzWEHvLMPMK8T3PyeBjsCsqzxPN+OrXfhA";
+  rotterdam =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK7zAxgU8LNi5/O5XgoOcLKjbNMmO2S7jAuCI9Nr/V4v";
   desktops = [ io rotterdam ];
 
-  alexandria = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA";
+  alexandria =
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK95QueW+jp1ZmF299Xr3XkgHJ6dL7aZVsfWxqbOKVKA";
   servers = [ alexandria ];
 
   all-hosts = desktops ++ servers;
-in
+in {
-{
   "cloudflare-creds.age".publicKeys = all-hosts;
   "paperless-pass.age".publicKeys = all-hosts;
 }

users/common/programs.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   programs = {

users/desktops/common/programs.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ inputs, config, pkgs, lib, ... }:
 
 {
   fonts.fontconfig.enable = true;

users/desktops/user.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ ... }:
 
 {
   imports = [

users/servers/user.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ ... }:
 
 {
   imports = [