massive restructuring

home/yt/common.nix

@@ -1,7 +1,7 @@
 {...}: {
   imports = [
-    ./tmux.nix
-    ./zsh
+    ../tmux.nix
+    ../zsh
   ];
 
   home.sessionVariables = {

home/yt/ytnix.nix

@@ -8,7 +8,7 @@
 }: {
   imports = [
     ./common.nix
-    ./foot.nix
+    ../foot.nix
   ];
   home = {
     username = "yt";

hosts/chunk/adguard.nix

@@ -0,0 +1,16 @@
+{...}: {
+  services.adguardhome = {
+    enable = true;
+    host = "127.0.0.1";
+    port = 8082;
+    settings = {
+      http.port = "8083";
+      users = [
+        {
+          name = "cy";
+          password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
+        }
+      ];
+    };
+  };
+}

hosts/chunk/borg.nix

@@ -0,0 +1,27 @@
+{pkgs, ...}: {
+  services.borgbackup.jobs = {
+    crashRsync = {
+      paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
+      exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"];
+      repo = "de3911@de3911.rsync.net:borg/crash";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /run/secrets/borg/crash";
+      };
+      environment = {
+        BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+        BORG_REMOTE_PATH = "borg1";
+      };
+      compression = "auto,zstd";
+      startAt = "daily";
+      extraCreateArgs = ["--stats"];
+      # warnings are often not that serious
+      failOnWarnings = false;
+      postHook = ''
+        ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
+        $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
+        https://ntfy.cything.io/chunk
+      '';
+    };
+  };
+}

hosts/chunk/default.nix

@@ -10,6 +10,18 @@
     ./hardware-configuration.nix
     "${inputs.testpkgs}/nixos/modules/services/web-servers/caddy"
     ../common.nix
+    ./gitlab.nix
+    ./borg.nix
+    ./rclone.nix
+    ./postgres.nix
+    ./wireguard.nix
+    ./adguard.nix
+    ./hedgedoc.nix
+    ./miniflux.nix
+    ./ntfy.nix
+    ./redlib.nix
+    ./vaultwarden.nix
+    ./wireguard.nix
   ];
 
   sops.defaultSopsFile = ./secrets.yaml;
@@ -52,6 +64,8 @@
 
   system.stateVersion = "24.05";
 
+  # network stuff
+
   networking.hostName = "chunk";
   networking.networkmanager.enable = true;
   networking.firewall = {
@@ -127,222 +141,6 @@
     environmentFile = "/run/secrets/caddy";
     logFormat = lib.mkForce "level INFO";
   };
-  # systemd.services.caddy.serviceConfig = {
-  #   EnvironmentFile = "/run/secrets/caddy";
-  # };
-
-  services.postgresql = {
-    enable = true;
-    settings.port = 5432;
-    package = pkgs.postgresql_17;
-    enableTCPIP = true;
-    ensureDatabases = [
-      "hedgedoc"
-    ];
-    authentication = lib.mkForce ''
-      local all all trust
-      host  all all 127.0.0.1/32 trust
-      host  all all ::1/128 trust
-      host  all all 172.18.0.0/16 trust
-    '';
-  };
-  services.postgresqlBackup.enable = true;
 
   virtualisation.docker.enable = true;
-
-  services.borgbackup.jobs = {
-    crashRsync = {
-      paths = ["/root" "/home" "/var/backup" "/var/lib" "/var/log" "/opt" "/etc" "/vw-data"];
-      exclude = ["**/.cache" "**/node_modules" "**/cache" "**/Cache" "/var/lib/docker/overlay*"];
-      repo = "de3911@de3911.rsync.net:borg/crash";
-      encryption = {
-        mode = "repokey-blake2";
-        passCommand = "cat /run/secrets/borg/crash";
-      };
-      environment = {
-        BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
-        BORG_REMOTE_PATH = "borg1";
-      };
-      compression = "auto,zstd";
-      startAt = "daily";
-      extraCreateArgs = ["--stats"];
-      # warnings are often not that serious
-      failOnWarnings = false;
-      postHook = ''
-        ${pkgs.curl}/bin/curl -u $(cat /run/secrets/ntfy) -d "chunk: backup completed with exit code: $exitStatus
-        $(journalctl -u borgbackup-job-crashRsync.service|tail -n 5)" \
-        https://ntfy.cything.io/chunk
-      '';
-    };
-  };
-
-  services.vaultwarden = {
-    enable = true;
-    dbBackend = "postgresql";
-    environmentFile = "/run/secrets/vaultwarden";
-    config = {
-      ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = "8081";
-      DATA_FOLDER = "/vw-data";
-      DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
-    };
-  };
-
-  services.ntfy-sh = {
-    enable = true;
-    settings = {
-      listen-http = "127.0.0.1:8083";
-      base-url = "https://ntfy.cything.io";
-      upstream-base-url = "https://ntfy.sh";
-      auth-default-access = "deny-all";
-      behind-proxy = true;
-    };
-  };
-
-  systemd.services.immich-mount = {
-    enable = true;
-    description = "Mount the immich data remote";
-    after = ["network-online.target"];
-    requires = ["network-online.target"];
-    wantedBy = ["default.target"];
-    serviceConfig = {
-      Type = "notify";
-      ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
-      ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
-      ExecStop = "/bin/fusermount -u /mnt/photos";
-      EnvironmentFile = "/run/secrets/rclone";
-    };
-  };
-
-  systemd.services.nextcloud-mount = {
-    enable = true;
-    description = "Mount the nextcloud data remote";
-    after = ["network-online.target"];
-    requires = ["network-online.target"];
-    wantedBy = ["default.target"];
-    serviceConfig = {
-      Type = "notify";
-      ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
-      ExecStop = "/bin/fusermount -u /mnt/nextcloud";
-      EnvironmentFile = "/run/secrets/rclone";
-    };
-  };
-
-  programs.fuse.userAllowOther = true;
-
-  services.hedgedoc = {
-    enable = true;
-    environmentFile = "/run/secrets/hedgedoc";
-    settings = {
-      db = {
-        username = "hedgedoc";
-        database = "hedgedoc";
-        host = "/run/postgresql";
-        dialect = "postgresql";
-      };
-      port = 8085;
-      domain = "pad.cything.io";
-      allowEmailRegister = false;
-      protocolUseSSL = true;
-    };
-  };
-
-  services.redlib = {
-    enable = true;
-    port = 8087;
-    address = "127.0.0.1";
-    settings = {
-      # settings are just env vars
-      REDLIB_ENABLE_RSS = "on";
-      REDLIB_ROBOTS_DISABLE_INDEXING = "on";
-    };
-  };
-
-  # wireguard stuff
-  networking.nat = {
-    enable = true;
-    enableIPv6 = true;
-    externalInterface = "ens18";
-    internalInterfaces = ["wg0"];
-  };
-
-  networking.wg-quick.interfaces.wg0 = {
-    address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
-    listenPort = 51820;
-    privateKeyFile = "/run/secrets/wireguard/private";
-    postUp = ''
-      ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
-      ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
-    '';
-    preDown = ''
-      ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
-      ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
-      ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
-    '';
-    peers = [
-      {
-        publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
-        allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
-        presharedKeyFile = "/run/secrets/wireguard/psk";
-      }
-      {
-        publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
-        allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
-        presharedKeyFile = "/run/secrets/wireguard/pskphone";
-      }
-    ];
-  };
-
-  # adguard
-  services.adguardhome = {
-    enable = true;
-    host = "127.0.0.1";
-    port = 8082;
-    settings = {
-      http.port = "8083";
-      users = [
-        {
-          name = "cy";
-          password = "$2y$10$BZy2zYJj5z4e8LZCq/GwuuhWUafL/MNFO.YcsAMmpDS.2krPxi7KC";
-        }
-      ];
-    };
-  };
-
-  services.miniflux = {
-    enable = true;
-    adminCredentialsFile = "/run/secrets/miniflux";
-    config = {
-      PORT = 8080;
-      BASE_URL = "https://rss.cything.io";
-      FORCE_REFRESH_INTERVAL = 0;
-    };
-  };
-
-  services.gitlab = {
-    enable = true;
-    https = true;
-    host = "git.cything.io";
-    user = "git"; # so that you can ssh with git@git.cything.io
-    group = "git";
-    port = 443; # this *not* the port gitlab will run on
-    puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
-    sidekiq.concurrency = 10;
-    databaseUsername = "git"; # needs to be same as user
-    initialRootEmail = "hi@cything.io";
-    initialRootPasswordFile = "/run/secrets/gitlab/root";
-    secrets = {
-      secretFile = "/run/secrets/gitlab/secret";
-      otpFile = "/run/secrets/gitlab/otp";
-      jwsFile = "/run/secrets/gitlab/jws";
-      dbFile = "/run/secrets/gitlab/db";
-    };
-  };
 }

hosts/chunk/gitlab.nix

@@ -0,0 +1,21 @@
+{...}: {
+  services.gitlab = {
+    enable = true;
+    https = true;
+    host = "git.cything.io";
+    user = "git"; # so that you can ssh with git@git.cything.io
+    group = "git";
+    port = 443; # this *not* the port gitlab will run on
+    puma.workers = 0; # https://docs.gitlab.com/omnibus/settings/memory_constrained_envs.html#optimize-puma
+    sidekiq.concurrency = 10;
+    databaseUsername = "git"; # needs to be same as user
+    initialRootEmail = "hi@cything.io";
+    initialRootPasswordFile = "/run/secrets/gitlab/root";
+    secrets = {
+      secretFile = "/run/secrets/gitlab/secret";
+      otpFile = "/run/secrets/gitlab/otp";
+      jwsFile = "/run/secrets/gitlab/jws";
+      dbFile = "/run/secrets/gitlab/db";
+    };
+  };
+}

hosts/chunk/hedgedoc.nix

@@ -0,0 +1,18 @@
+{...}: {
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = "/run/secrets/hedgedoc";
+    settings = {
+      db = {
+        username = "hedgedoc";
+        database = "hedgedoc";
+        host = "/run/postgresql";
+        dialect = "postgresql";
+      };
+      port = 8085;
+      domain = "pad.cything.io";
+      allowEmailRegister = false;
+      protocolUseSSL = true;
+    };
+  };
+}

hosts/chunk/miniflux.nix

@@ -0,0 +1,11 @@
+{...}: {
+  services.miniflux = {
+    enable = true;
+    adminCredentialsFile = "/run/secrets/miniflux";
+    config = {
+      PORT = 8080;
+      BASE_URL = "https://rss.cything.io";
+      FORCE_REFRESH_INTERVAL = 0; # don't rate limit me
+    };
+  };
+}

hosts/chunk/ntfy.nix

@@ -0,0 +1,12 @@
+{...}: {
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      listen-http = "127.0.0.1:8083";
+      base-url = "https://ntfy.cything.io";
+      upstream-base-url = "https://ntfy.sh";
+      auth-default-access = "deny-all";
+      behind-proxy = true;
+    };
+  };
+}

hosts/chunk/postgres.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  services.postgresql = {
+    enable = true;
+    settings.port = 5432;
+    package = pkgs.postgresql_17;
+    enableTCPIP = true;
+    ensureDatabases = [
+      "hedgedoc"
+    ];
+    authentication = lib.mkForce ''
+      local all all trust
+      host  all all 127.0.0.1/32 trust
+      host  all all ::1/128 trust
+      host  all all 172.18.0.0/16 trust
+    '';
+  };
+  services.postgresqlBackup.enable = true;
+}

hosts/chunk/rclone.nix

@@ -0,0 +1,31 @@
+{pkgs, ...}: {
+  systemd.services.immich-mount = {
+    enable = true;
+    description = "Mount the immich data remote";
+    after = ["network-online.target"];
+    requires = ["network-online.target"];
+    wantedBy = ["default.target"];
+    serviceConfig = {
+      Type = "notify";
+      ExecStartPre = "/usr/bin/env mkdir -p /mnt/photos";
+      ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --transfers=32 --dir-cache-time 720h --poll-interval 0 --vfs-cache-mode writes photos: /mnt/photos ";
+      ExecStop = "/bin/fusermount -u /mnt/photos";
+      EnvironmentFile = "/run/secrets/rclone";
+    };
+  };
+
+  systemd.services.nextcloud-mount = {
+    enable = true;
+    description = "Mount the nextcloud data remote";
+    after = ["network-online.target"];
+    requires = ["network-online.target"];
+    wantedBy = ["default.target"];
+    serviceConfig = {
+      Type = "notify";
+      ExecStart = "${pkgs.rclone}/bin/rclone mount --config /home/yt/.config/rclone/rclone.conf --uid 33 --gid 0 --allow-other --file-perms 0770 --dir-perms 0770 --transfers=32 rsyncnet:nextcloud /mnt/nextcloud";
+      ExecStop = "/bin/fusermount -u /mnt/nextcloud";
+      EnvironmentFile = "/run/secrets/rclone";
+    };
+  };
+  programs.fuse.userAllowOther = true;
+}

hosts/chunk/redlib.nix

@@ -0,0 +1,12 @@
+{...}: {
+  services.redlib = {
+    enable = true;
+    port = 8087;
+    address = "127.0.0.1";
+    settings = {
+      # settings are just env vars
+      REDLIB_ENABLE_RSS = "on";
+      REDLIB_ROBOTS_DISABLE_INDEXING = "on";
+    };
+  };
+}

hosts/chunk/vaultwarden.nix

@@ -0,0 +1,13 @@
+{...}: {
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "postgresql";
+    environmentFile = "/run/secrets/vaultwarden";
+    config = {
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = "8081";
+      DATA_FOLDER = "/vw-data";
+      DATABASE_URL = "postgresql://vaultwarden:vaultwarden@127.0.0.1:5432/vaultwarden";
+    };
+  };
+}

hosts/chunk/wireguard.nix

@@ -0,0 +1,42 @@
+{pkgs, ...}: {
+  networking.nat = {
+    enable = true;
+    enableIPv6 = true;
+    externalInterface = "ens18";
+    internalInterfaces = ["wg0"];
+  };
+
+  networking.wg-quick.interfaces.wg0 = {
+    address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
+    listenPort = 51820;
+    privateKeyFile = "/run/secrets/wireguard/private";
+    postUp = ''
+      ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
+      ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -A FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -o ens18 -j MASQUERADE
+    '';
+    preDown = ''
+      ${pkgs.iptables}/bin/iptables -D FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -D FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
+      ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -D FORWARD -o wg0 -j ACCEPT
+      ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -o ens18 -j MASQUERADE
+    '';
+    peers = [
+      {
+        publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
+        allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
+        presharedKeyFile = "/run/secrets/wireguard/psk";
+      }
+      {
+        publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
+        allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
+        presharedKeyFile = "/run/secrets/wireguard/pskphone";
+      }
+    ];
+  };
+}