format

flake.nix

@@ -57,6 +57,15 @@
 
       alpine = mkConf [
         ./hardware/alpine.nix
+        ./nixos/services/anki.nix
+        ./nixos/services/forgejo.nix
+        ./nixos/services/vaultwarden.nix
+        ./nixos/services/jellyfin.nix
+        ./nixos/services/mpd.nix
+        ./nixos/services/prometheus.nix
+        ./nixos/services/grafana.nix
+        ./nixos/services/synapse.nix
+        ./nixos/services/nextcloud.nix
       ] [];
 
       vm-sway =

hardware/alpine.nix

@@ -9,17 +9,10 @@
 in {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
-    ../nixos/services/anki.nix
-    ../nixos/services/forgejo.nix
-    ../nixos/services/vaultwarden.nix
-    ../nixos/services/jellyfin.nix
-    ../nixos/services/mpd.nix
-    ../nixos/services/prometheus.nix
-    ../nixos/services/grafana.nix
-    ../nixos/services/synapse.nix
-    ../nixos/services/nextcloud.nix
   ];
 
+  networking.domain = "tristans.cloud";
+
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "sd_mod"];
   boot.initrd.kernelModules = [];
   boot.kernelModules = [];
@@ -185,11 +178,6 @@ in {
   };
 
   services.grafana.settings.server = {
-    domain = "monitor.tristans.cloud";
     http_port = 3001; # forgejo and grafana default to 3000
   };
-
-  services.nextcloud.hostName = "files.tristans.cloud";
-
-  services.forgejo.settings.server.DOMAIN = "git.tristans.cloud";
 }

lib/mkconf.nix

@@ -4,8 +4,7 @@
   user,
   userFullname,
   ...
-}: modules: home-modules:
+}: modules: home-modules: let
-let
   inherit (inputs) home-manager nixpkgs hyprland sops-nix;
 in
   nixpkgs.lib.nixosSystem {

nixos/default.nix

@@ -113,6 +113,6 @@ in {
 
   services.prometheus.exporters.node = {
     enable = true;
-    enabledCollectors = [ "systemd" ];
+    enabledCollectors = ["systemd"];
   };
 }

nixos/services/anki.nix

@@ -1,8 +1,7 @@
-{config, ...}:
+{config, ...}: let
-let
   anki = config.services.anki-sync-server;
   secrets = config.sops.secrets;
-  domain = "tristans.cloud";
+  domain = config.networking.domain;
 in {
   sops.secrets."anki/password" = {
     owner = "anki";
@@ -21,11 +20,14 @@ in {
   services.nginx.virtualHosts."anki.${domain}" = {
     forceSSL = true;
     enableACME = true;
-    locations."~".proxyPass  = "http://localhost:${toString anki.port}";
+    locations."~".proxyPass = "http://localhost:${toString anki.port}";
   };
 
   # TODO: this really ought to be part of the nixpkgs anki-sync-server module
-  users.users.anki = { group = "anki"; isSystemUser = true; };
+  users.users.anki = {
+    group = "anki";
+    isSystemUser = true;
+  };
   users.groups.anki = {};
   systemd.services.anki-sync-server.serviceConfig.User = "anki";
 }

nixos/services/forgejo.nix

@@ -8,6 +8,7 @@ in {
     settings = {
       server = {
         ROOT_URL = "https://${cfg.settings.server.DOMAIN}";
+        DOMAIN = "git.${config.networking.domain}";
       };
       service = {
         DISABLE_REGISTRATION = true;

nixos/services/grafana.nix

@@ -10,6 +10,7 @@ in {
     settings = {
       server = {
         root_url = "https://${cfg.settings.server.domain}";
+        domain = "monitor.${config.networking.domain}";
       };
       "auth.generic_oauth" = {
         enabled = true;
@@ -21,8 +22,7 @@ in {
         token_url = "https://auth.tristans.cloud/application/o/token/";
         api_url = "https://auth.tristans.cloud/application/o/userinfo/";
         redirect_url = "https://auth.tristans.cloud/application/o/grafana/end-session/";
-        role_attribute_path =
+        role_attribute_path = "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
-          "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'";
       };
     };
   };

nixos/services/nextcloud.nix

@@ -1,5 +1,8 @@
-{config, pkgs, ...}:
+{
-let
+  config,
+  pkgs,
+  ...
+}: let
   nextcloud = config.services.nextcloud;
   secrets = config.sops.secrets;
   sops = config.sops;
@@ -19,11 +22,12 @@ in {
     };
   };
 
-  environment.systemPackages = with pkgs; [ ffmpeg ];
+  environment.systemPackages = with pkgs; [ffmpeg];
 
   services.nextcloud = {
     enable = true;
     https = true;
+    hostName = "files.${config.networking.domain}";
     configureRedis = true;
     config = {
       adminpassFile = secrets."nextcloud/admin_password".path;

nixos/services/prometheus.nix

@@ -1,21 +1,21 @@
-{config, ...}:
+{config, ...}: let
-let
+  inherit (config.services) prometheus;
-  inherit ( config.services ) prometheus;
   nodes = [
     "100.65.29.110"
     "100.106.241.122"
   ];
   addPort = ip: "${ip}:${toString prometheus.exporters.node.port}";
-in
+in {
-{
   services.prometheus = {
     enable = true;
     scrapeConfigs = [
       {
         job_name = "nodes";
-        static_configs = [{
+        static_configs = [
-          targets = builtins.map addPort nodes;
+          {
-        }];
+            targets = builtins.map addPort nodes;
+          }
+        ];
       }
     ];
   };

nixos/services/synapse.nix

@@ -1,5 +1,9 @@
-{pkgs, config, lib, ...}:
+{
-let
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
   fqdn = "${hostname}.${domain}";
   domain = "tristans.cloud";
   hostname = "matrix";
@@ -12,7 +16,6 @@ let
   inherit (config) sops;
   inherit (config.services) matrix-synapse;
   inherit (sops) secrets templates;
-
 in {
   services.postgresql.enable = true;
   services.postgresql.initialScript = pkgs.writeText "synapse-init.sql" ''
@@ -32,21 +35,23 @@ in {
     "synapse/secrets.yaml" = {
       owner = "matrix-synapse";
       content = builtins.toJSON {
-        oidc_providers = [{
+        oidc_providers = [
-          idp_id = "authentik";
+          {
-          idp_name = "authentik";
+            idp_id = "authentik";
-          discover = true;
+            idp_name = "authentik";
-          issuer = "https://auth.tristans.cloud/application/o/chat/";
+            discover = true;
-          client_id = "fdad520e8c57f228aaa658aa74d5e00ba9b164a3";
+            issuer = "https://auth.tristans.cloud/application/o/chat/";
-          client_secret = sops.placeholder."synapse/oidc_client_secret";
+            client_id = "fdad520e8c57f228aaa658aa74d5e00ba9b164a3";
-          scopes = ["openid" "profile" "email"];
+            client_secret = sops.placeholder."synapse/oidc_client_secret";
-          user_mapping_provider = {
+            scopes = ["openid" "profile" "email"];
-            config = {
+            user_mapping_provider = {
-              localpart_template= "{{ user.preferred_username }}";
+              config = {
-              display_name_template= "{{ user.name|capitalize }}";
+                localpart_template = "{{ user.preferred_username }}";
+                display_name_template = "{{ user.name|capitalize }}";
+              };
             };
-          };
+          }
-        }];
+        ];
       };
     };
     "synapse/sliding_sync_env".content = ''
@@ -62,17 +67,21 @@ in {
       server_name = domain;
       baseurl = "https://${domain}";
       oidc_providers = [];
-      settings.listeners = [ {
+      settings.listeners = [
-        inherit port;
+        {
-        bind_addresses = [ "localhost" ];
+          inherit port;
-        type = "http";
+          bind_addresses = ["localhost"];
-        tls = false;
+          type = "http";
-        x_forwarded = true;
+          tls = false;
-        resources = [ {
+          x_forwarded = true;
-          names = [ "client" "federation" ];
+          resources = [
-          compress = true;
+            {
-        } ];
+              names = ["client" "federation"];
-      } ];
+              compress = true;
+            }
+          ];
+        }
+      ];
     };
   };
 

nixos/services/vaultwarden.nix

@@ -1,6 +1,6 @@
 {config, ...}: let
   cfg = config.services.vaultwarden;
-  domain = "vault.tristans.cloud";
+  domain = "vault.${config.networking.domain}";
 in {
   services.vaultwarden = {
     enable = true;

nixos/services/whatsapp.nix

@@ -0,0 +1,5 @@
+{
+  services.mautrix-whatsapp = {
+    enable = true;
+  };
+}