Recreated options

2025-08-29 11:05:27 +02:00 · 2025-08-29 11:05:27 +02:00 · fc8178ed80
commit fc8178ed80
parent 0b839e082a
22 changed files with 325 additions and 205 deletions
--- a/hosts/lapserv/default.nix
+++ b/hosts/lapserv/default.nix
@ -6,7 +6,39 @@
  networking.interfaces.enp2s0.wakeOnLan.enable = true;

  niksos = {
-    server = true;
+    # server = true;
+    server = {
+      baseDomain = "jsw.tf";
+      derek-bot.enable = true;
+      forgejo = {
+        enable = true;
+        subDomain = "git";
+      };
+      immich = {
+        enable = true;
+        subDomain = "photos";
+      };
+      jsw-bot = {
+        enable = true;
+        subDomain = "dc";
+      };
+      nextcloud = {
+        enable = true;
+        subDomain = "cloud";
+      };
+      stalwart = {
+        enable = true;
+        subDomain = "mail";
+      };
+      zitadel = {
+        enable = true;
+        subDomain = "z";
+      };
+      site = {
+        enable = true;
+        subDomain = "";
+      };
+    };
    hardware.graphics = {
      nvidia = false; #FIXME: Compile error
      intel = true;
--- a/hosts/minimal/default.nix
+++ b/hosts/minimal/default.nix
@ -34,7 +34,7 @@
      };
    };
    neovim = false;
-    server = false;
+    # server = false;
  };

  #NOTE: Old info
--- a/secrets/bread-dcbot.age
+++ b/secrets/bread-dcbot.age
--- a/secrets/dcbot.age
+++ b/secrets/dcbot.age
@ -1,16 +0,0 @@
-age-encryption.org/v1
-> ssh-ed25519 GQzYWA a0CqbXhMIeFmKsMSnQzPWJcdi0hH8caayThGHtKNdjc
-ZfRN0ukqXH8L1E1pWBU+tw0LmPxsb6/4FoeERCKEYCk
-> ssh-ed25519 MfR7VA WO0CmKh4CQY1ZLtgDbGIhxfbC8C/C9Vw4p4UGkZTzSs
-0oQbzzz8A6WJRbFqEPR6WStMRRGtFy2eEXIJ1WCqvIg
-> ssh-ed25519 +cvRTg ZYBJwTDV8zwZIpqY7sZIszS3saww0OV4RwVREVNxWHg
-PW9gzG2odI4G2I5zz+Gr2vaouPB6796RWDJzYZNFREQ
-> ssh-ed25519 WCPLrA p8I1d6YXg5pN6Ljeq/wsY5jj4rPaSvD+/au+vEUsgh4
-U0aiqeildEqF8SNh0L4hGIq3rQxY4HcSnDvluwldDpQ
-> ssh-ed25519 7/ziYw 7DGE8Zr0qMGh3P5lUSRYT+AdgRges037cLjHbbPPnTc
-daC7dau5IHSZr/HmjszbWrQNsVJOQILqNS/Yn1YE/zM
-> ssh-ed25519 VQy60Q cAuS4VLmDC9iCZ+7e+/5WVIxrvBa7ZChCz2pPSSY/TY
-ut6SAJSZMm9/YElx7SShyMufrBYAlb/IyQp0g4ADMa4
--- DQrDZ/cXaadnKTDN8MrGuTokHttdMbOzs2IPYTIOPw4
-Ôú9èçEJG($Ç'_±z·3õ<33>§!;\Ûkç<6B><C3A7>IâEæ3„%”!zŒíÄþO£‚ôŠú«*’®ÂÂãÝ.,ó	à•…`û+',À*ÝÞÄÑml%g?â¥0°'ñ-<MíwYŒj]SR‡aÕ©V–£Í(çk”—yü6Â@`j9jÈ~¨[úò_º½Dz±¨Ìd^¨"\Ú7ÍóéÔîlóÂþO#ÇƒÏcW=ô‚a~K],0![ßG¨~4ª™!XÅ›Ê|ÿó·(CÌ4)g^-¢5D”n¶lI·m C§,ê-9ƒš4¢åÓbI:–	1áõÝUx»ôe¡ôMÄêã’¡X(¯ÿÊ¼5²mí‚Œ[ÖBXHãâ f_ä‹J{Ôuóf<C3B3>OT”D^¸*Y3³-<2D>ƒ•³ƒŠ¹e-OB¤t
Á‘.Qaáˆ²{m¼ð$W7ÝL>r¿Â•'‰>€b6º¹D©;w*.uYž‡µ°÷ÃXß`A**Œ2¨$T<>ïtÔŒM<C592>Â_1NÜÆ‹dã 
-<06>@cJsÎåtÄ,Ð…hÏïaº¯ÇJŠ<4A>pØå§j:æ¼sG@P/¼¾LœÜ4˜¥ö>XRÞ{f¶íJB>ƒ–Ãzï&÷ÖÀ;|’‚û«v‹œÎçÎšJ<C5A1>ÙS•¥Úì±Î¶AÄ,7ÉE{MEõwí<77>PªÉ:ÿG‰òcœŠYžR¯ç³³ z£@³Xô„æÕ<C3A6>*½j%MM•ÄµšB¦´`HzŸéÝSëKUWy+xûGÇDåÈ“¯Ém÷ï~›¬Ö›êóÉû¹‰·>ó%Î]RƒŸ;9”–¶¿8åœV…¾ÉL›c (<28>RÌXäRùrŽl˜!eSAÊ§G3jhw¼œ•˜ƒ»£ª›Ò,ã2b1
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -14,35 +14,35 @@ in {
    password.file = ./password.age;

    # NOTE: server things
-    dcbot = mkIf server {
-      file = ./dcbot.age;
-      owner = serviceUser "dcbot"; #
+    jsw-bot = mkIf server.jsw-bot.enable {
+      file = ./jsw-bot.age;
+      owner = serviceUser "jsw-bot"; #
    };
-    bread-dcbot = mkIf server {
-      file = ./bread-dcbot.age;
-      owner = "bread-dcbot";
+    derek-bot = mkIf server.derek-bot.enable {
+      file = ./derek-bot.age;
+      owner = "derek-bot";
    };
-    matrix-registration = mkIf server {
-      file = ./matrix-registration.age;
-      owner = abstrServiceUser "matrix-continuwuity";
-    };
-    mail-admin = mkIf server {
+    # matrix-registration = mkIf server.matrix.enable {
+    #   file = ./matrix-registration.age;
+    #   owner = abstrServiceUser "matrix-continuwuity";
+    # };
+    mail-admin = mkIf server.stalwart.enable {
      # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
      file = ./mail-admin.age;
    };
-    zitadel-key = mkIf server {
+    zitadel-key = mkIf server.zitadel.enable {
      file = ./zitadel-key.age;
      owner = abstrServiceUser "zitadel";
    };
-    forgejo-mailpass = mkIf server {
+    forgejo-mailpass = mkIf server.forgejo.enable {
      file = ./forgejo-mailpass.age;
      owner = abstrServiceUser "forgejo";
    };
-    immich-oidc = mkIf server {
+    immich-oidc = mkIf server.immich.enable {
      file = ./immich-oidc.age;
      owner = abstrServiceUser "immich";
    };
-    nextcloud-admin-pass = mkIf server {
+    nextcloud-admin-pass = mkIf server.nextcloud.enable {
      file = ./nextcloud-admin-pass.age;
      owner = "nextcloud"; #NOTE: not a clear 'nextcloud.service' or 'services.nextcloud.user'.
    };
--- a/secrets/derek-bot.age
+++ b/secrets/derek-bot.age
--- a/secrets/jsw-bot.age
+++ b/secrets/jsw-bot.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -14,8 +14,8 @@ let
  keys = users ++ devices;
 in {
  "password.age".publicKeys = keys;
-  "dcbot.age".publicKeys = keys;
-  "bread-dcbot.age".publicKeys = keys;
+  "jsw-bot.age".publicKeys = keys;
+  "derek-bot.age".publicKeys = keys;
  "matrix-registration.age".publicKeys = keys;
  "mail-admin.age".publicKeys = keys;
  "zitadel-key.age".publicKeys = keys;
--- a/system/server/caddy.nix
+++ b/system/server/caddy.nix
@ -3,13 +3,15 @@
  lib,
  ...
 }: let
-  cfg = config.niksos.server;
+  inherit (config.services.caddy) enable;
+  inherit (lib) mkIf;
 in {
+  config = mkIf enable {
    services.caddy = {
-    enable = cfg;
      email = "jurnwubben@gmail.com";
      enableReload = false;
    };

-  networking.firewall.allowedTCPPorts = lib.mkIf cfg [80 443];
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
 }
--- a/system/server/default.nix
+++ b/system/server/default.nix
@ -1,16 +1,24 @@
-{lib, ...}: {
+{lib, ...}: let
+  inherit (lib) mkOption types;
+in {
  imports = [
    # ./matrix.nix
-    ./bot.nix
+    # ./temp.nix
+    ./jsw-bot.nix
    ./caddy.nix
-    ./derekBot.nix
+    ./derek-bot.nix
    ./forgejo.nix
    ./immich.nix
    ./index
    ./mail.nix
    ./nextcloud.nix
-    ./temp.nix
    ./zitadel.nix
  ];
-  options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
+  options.niksos.server = {
+    baseDomain = mkOption {
+      type = types.lines;
+      description = "Set's the apex domain for the webservices. Do not include 'https' or a slash at the end. Just 'example.com'.";
+      example = "example.com";
+    };
+  };
 }
--- a/system/server/derek-bot.nix
+++ b/system/server/derek-bot.nix
@ -4,26 +4,26 @@
  lib,
  ...
 }: let
-  cfg = config.niksos.server;
-  userGroup = "bread-dcbot";
+  name = "derek-bot";
+  cfg = config.niksos.server.${name}.enable;
+
+  userGroup = name;
  gitRepo = "https://github.com/The-Breadening/Breadener";

-  bash = lib.getExe pkgs.bash;
+  inherit (lib) getExe mkEnableOption mkIf;
+  bash = getExe pkgs.bash;
+
  varLib = "/var/lib/";
-  mainDir =
-    varLib
-    + (
-      if !cfg
-      then ""
-      else userGroup
-    )
-    + "/";
-  programDir = mainDir + "program";
-  denoDir = mainDir + "deno";
-  tokenDir = mainDir + "Breadener-token";
+  mainDir = "${varLib}${userGroup}";
+  programDir = "${mainDir}/program";
+  denoDir = "${mainDir}/deno";
+  tokenDir = "${mainDir}/Breadener-token";
+
  path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]);
 in {
-  config = lib.mkIf config.niksos.server {
+  options.niksos.server.${name}.enable = mkEnableOption name;
+
+  config = mkIf cfg {
    systemd.services.${userGroup} = {
      enable = true;
      after = ["network.target"];
@ -39,7 +39,7 @@ in {
        export PATH=${path}

        cd "${mainDir}"
-        chown -R ${userGroup}:${userGroup} ${mainDir}* || echo
+        chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo

        rm -rf "${tokenDir}" || echo
        mkdir -p "${denoDir}" "${tokenDir}"
@ -48,7 +48,7 @@ in {
        if [ ! -d "${programDir}" ]; then
          git clone "${gitRepo}" "${programDir}"
        fi
-        chmod -R 750 ${mainDir}* || echo
+        chmod -R 750 ${mainDir}/* || echo


        cd "${programDir}"
--- a/system/server/forgejo.nix
+++ b/system/server/forgejo.nix
@ -3,17 +3,24 @@
  lib,
  ...
 }: let
-  DOMAIN = "git.jsw.tf";
+  name = "forgejo";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
+  DOMAIN = cfg.domain;
 in {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
  config =
-    lib.mkIf config.niksos.server
+    lib.mkIf cfg.enable
    {
-      services.caddy.virtualHosts.${DOMAIN}.extraConfig = ''
+      services.caddy = {
+        enable = true;
+        virtualHosts.${DOMAIN}.extraConfig = ''
          request_body {
              max_size 512M
          }
          reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
        '';
+      };

      services.forgejo = {
        enable = true;
@ -52,12 +59,13 @@ in {
            DEFAULT_ACTIONS_URL = "github";
          };
          mailer = {
+            #FIXME: Only enable if stalwart is enabled by default.
            ENABLED = true;
            SUBJECT_PREFIX = "JSWGit";
            PROTOCOL = "smtps";
-            SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
+            SMTP_ADDR = "mail.${cfg.baseDomain}"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
            SMTP_PORT = 465;
-            FROM = "git@jsw.tf";
+            FROM = "git@${cfg.baseDomain}";
            USER = "git";
            PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}";
          };
--- a/system/server/immich.nix
+++ b/system/server/immich.nix
@ -4,23 +4,29 @@
  pkgs,
  ...
 }: let
+  name = "immich";
  inherit (lib) mkIf mkForce mkDefault;

-  cfg = config.niksos.server;
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
  oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
  config-dir = "/run/immich-conf";
-  url = "photos.jsw.tf";
-  httpsUrl = "https://" + url;
+  httpsUrl = "https://" + cfg.domain;
 in {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
  config =
-    mkIf cfg
+    mkIf cfg.enable
    {
-      users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
-      services.caddy.virtualHosts.${url}.extraConfig = ''
+      services.caddy = {
+        enable = true;
+        virtualHosts.${cfg.domain}.extraConfig = ''
          reverse_proxy localhost:9002
        '';
+      };

-      services.immich = mkIf cfg {
+      users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
+      services.immich = {
        enable = true;

        port = 9002;
--- a/system/server/index/default.nix
+++ b/system/server/index/default.nix
@ -2,8 +2,13 @@
  config,
  lib,
  ...
-}: {
-  services.caddy.virtualHosts."jsw.tf" = lib.mkIf config.niksos.server {
+}: let
+  name = "site";
+  cfg = import ../lib/extractWebOptions.nix {inherit config name;};
+in {
+  options = import ../lib/webOptions.nix {inherit config lib name;};
+  config = lib.mkIf cfg.enable {
+    services.caddy.virtualHosts.${cfg.domain} = {
      extraConfig = ''
        header Content-Type text/html
        respond <<HTML
@ -11,4 +16,5 @@
        HTML 200
      '';
    };
+  };
 }
--- a/system/server/jsw-bot.nix
+++ b/system/server/jsw-bot.nix
@ -5,8 +5,13 @@
  inputs,
  ...
 }: let
-  deno = lib.getExe pkgs.deno;
-  bash = lib.getExe pkgs.bash;
+  name = "jsw-bot";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
+  inherit (lib) getExe mkIf optional;
+  inherit (config.niksos.server) nextcloud;
+
+  bash = getExe pkgs.bash;

  mainDir = "/var/lib/dcbot/";
  programDir = mainDir + "program";
@ -15,10 +20,14 @@

  path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.typst pkgs.deno]);
 in {
-  config = lib.mkIf config.niksos.server {
-    systemd.services.dcbot = {
+  options = import ./lib/webOptions.nix {
+    inherit config lib name;
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.${name} = {
      enable = true;
-      after = ["network.target"];
+      after = ["network.target"]; #FIXME: doesn't start after network.
      wantedBy = ["default.target"];
      description = "Jsw's slaafje, discord bot.";

@ -33,35 +42,37 @@ in {
        cd "${mainDir}"
        mkdir -p "${programDir}" "${dataDir}" "${denoDir}"

-        chown -R dcbot:dcbot ${mainDir}* || echo
+        chown -R ${name}:${name} ${mainDir}* || echo
        chmod -R 750 ${mainDir}* || echo
        cp --no-preserve=mode,ownership -r ${inputs.dcbot}/* "${programDir}/"

        rm "${dataDir}/.env" || echo
-        ln -s "${config.age.secrets.dcbot.path}" "${dataDir}/.env"
+        ln -s "${config.age.secrets.jsw-bot.path}" "${dataDir}/.env"

        cd "${programDir}"
        DENO_DIR=${denoDir} deno i
      '';

      serviceConfig = {
-        StateDirectory = "dcbot";
+        StateDirectory = name;
        ExecStart = "${bash} -c 'cd ${dataDir} && deno run -A ${programDir}/src/main.ts'";
-        User = "dcbot";
-        Group = "dcbot";
+        User = name;
+        Group = name;
        Restart = "always";
      };
    };

-    services.caddy.virtualHosts."dc.jsw.tf" = {
-      serverAliases = ["www.dc.jsw.tf"];
+    services.caddy = {
+      enable = true;
+      virtualHosts.${cfg.domain} = {
        extraConfig = ''
          reverse_proxy :9001
        '';
      };
+    };

    users.groups."dcbot" = {
-      members = ["nextcloud"]; #TODO: if config.niksos.server.nextcloud
+      members = optional nextcloud.enable "nextcloud"; #TODO: if config.niksos.server.nextcloud
      #NOTE: for nextcloud mounted folder
    };
    users.users."dcbot" = {
--- a/system/server/lib/extractWebOptions.nix
+++ b/system/server/lib/extractWebOptions.nix
@ -0,0 +1,18 @@
+{
+  config,
+  name,
+}: let
+  inherit (config.niksos) server;
+  inherit (server) baseDomain;
+  cfg = server.${name};
+
+  subDomain =
+    if cfg.subDomain == ""
+    then ""
+    else "${cfg.subDomain}.";
+in
+  {
+    domain = "${subDomain}.${baseDomain}";
+    inherit baseDomain;
+  }
+  // cfg
--- a/system/server/lib/webOptions.nix
+++ b/system/server/lib/webOptions.nix
@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  name,
+}: let
+  inherit (lib) mkEnableOption mkOption types;
+in {
+  niksos.server.${name} = {
+    enable = mkEnableOption name;
+    subDomain = mkOption {
+      type = types.lines;
+      description = "What subdomain to use for ${name}";
+      example = name;
+    };
+  };
+}
--- a/system/server/mail.nix
+++ b/system/server/mail.nix
@ -2,10 +2,15 @@
  config,
  lib,
  ...
-}: {
+}: let
+  name = "stalwart";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+in {
  #FIXME: revert when stopped using docker for stalwart. https://github.com/NixOS/nixpkgs/issues/416091 (look at older commits for previous code.)

-  config = lib.mkIf config.niksos.server {
+  options = import ./lib/webOptions.nix {inherit lib config name;};
+
+  config = lib.mkIf cfg.enable {
    virtualisation.oci-containers.containers.stalwart = {
      image = "docker.io/stalwartlabs/stalwart:latest";
      labels = {
@ -22,8 +27,11 @@
      465
    ];

-    services.caddy.virtualHosts."mail.jsw.tf".extraConfig = ''
+    services.caddy = {
+      enable = true;
+      virtualHosts.${cfg.domain}.extraConfig = ''
        reverse_proxy http://127.0.0.1:9003
      '';
    };
+  };
 }
--- a/system/server/matrix.nix
+++ b/system/server/matrix.nix
@ -3,37 +3,38 @@
  lib,
  ...
 }: let
-  database = {
-    connection_string = "postgres:///dendrite?host=/run/postgresql";
-    max_open_conns = 97;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
-  host = "matrix.jsw.tf";
+  name = "matrix";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
 in {
-  config = lib.mkIf config.niksos.server {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
+  config = lib.mkIf cfg.enable {
    services = {
      matrix-continuwuity = {
        enable = true;
        group = "caddy"; # Permissions for socket
+        #FIXME: caddy should be part of matrix group, not other way around
        settings.global = {
          unix_socket_path = "/run/continuwuity/continuwuity.sock";
-          server_name = host;
+          server_name = cfg.domain;
          allow_registration = true;
          registration_token_file = config.age.secrets.matrix-registration.path;
          new_user_displayname_suffix = "";
        };
      };

-      caddy.virtualHosts = {
-        ${host}.extraConfig = ''
+      caddy = {
+        enable = true;
+        virtualHosts = {
+          ${cfg.domain}.extraConfig = ''
            header /.well-known/matrix/* Content-Type application/json
            header /.well-known/matrix/* Access-Control-Allow-Origin *
-          respond /.well-known/matrix/server `{"m.server": "${host}:443"}`
-          respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://${host}"}}`
+            respond /.well-known/matrix/server `{"m.server": "${cfg.domain}:443"}`
+            respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://${cfg.domain}"}}`
            reverse_proxy /_matrix/* unix//run/continuwuity/continuwuity.sock
          '';
        };
      };
    };
+  };
 }
--- a/system/server/nextcloud.nix
+++ b/system/server/nextcloud.nix
@ -4,18 +4,24 @@
  lib,
  ...
 }: let
-  inherit (config.niksos) server;
-  host = "cloud.jsw.tf";
-  nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+  name = "nextcloud";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
+  inherit (cfg) enable domain;
+
+  nginxRoot = config.services.nginx.virtualHosts.${domain}.root;
  fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
  imaginaryPort = 9004;
 in {
-  config = lib.mkIf server {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
+  config = lib.mkIf enable {
    users.groups.nextcloud.members = ["nextcloud" "caddy"];
+
    services = {
      nextcloud = {
        enable = true;
-        hostName = host;
+        hostName = domain;

        # Need to manually increment with every major upgrade.
        package = pkgs.nextcloud31;
@ -77,12 +83,12 @@ in {
          dbtype = "pgsql";
        };
      };
-      imaginary = {
-        enable = true;
-        port = imaginaryPort;
-        address = "localhost";
-        settings.returnSize = true;
-      };
+      # imaginary = { #FIXME: doesn't start.
+      #   enable = true;
+      #   port = imaginaryPort;
+      #   address = "localhost";
+      #   settings.returnSize = true;
+      # };

      nginx.enable = lib.mkForce false;
      phpfpm.pools.nextcloud.settings = let
@ -91,7 +97,10 @@ in {
        "listen.owner" = user;
        "listen.group" = group;
      };
-      caddy.virtualHosts."${host}".extraConfig = ''
+
+      caddy = {
+        enable = true;
+        virtualHosts.${domain}.extraConfig = ''
          encode zstd gzip

          root * ${nginxRoot}
@ -145,4 +154,5 @@ in {
        '';
      };
    };
+  };
 }
--- a/system/server/temp.nix
+++ b/system/server/temp.nix
@ -1,14 +1,15 @@
+#WARNING: deprecated
 {
-  config,
-  pkgs,
-  lib,
-  inputs,
-  ...
-}: {
-  config = lib.mkIf config.niksos.server {
-    # NOTE: allows me to spin up temporarily services.
-    services.caddy.virtualHosts."temp.jsw.tf".extraConfig = ''
-      reverse_proxy :8000
-    '';
-  };
+  #   config,
+  #   pkgs,
+  #   lib,
+  #   inputs,
+  #   ...
+  # }: {
+  #   config = lib.mkIf config.niksos.server {
+  #     # NOTE: allows me to spin up temporarily services.
+  #     services.caddy.virtualHosts."temp.jsw.tf".extraConfig = ''
+  #       reverse_proxy :8000
+  #     '';
+  #   };
 }
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@ -3,15 +3,22 @@
  lib,
  ...
 }: let
-  ExternalDomain = "z.jsw.tf";
+  name = "zitadel";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
  Port = 9000;
 in {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
  config =
-    lib.mkIf config.niksos.server
+    lib.mkIf cfg.enable
    {
-      services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
+      services.caddy = {
+        enable = true;
+        virtualHosts.${cfg.domain}.extraConfig = ''
          reverse_proxy localhost:${builtins.toString Port}
        '';
+      };

      # services.zitadel = {
      #   enable = true;
@ -32,8 +39,10 @@ in {
          enable = true;
          masterKeyFile = config.age.secrets.zitadel-key.path;
          settings = {
-            inherit Port ExternalDomain;
+            inherit Port;
+            ExternalDomain = cfg.domain;
            ExternalPort = 443;
+
            Database.postgres = {
              Host = "/var/run/postgresql/";
              Port = 5432;
@ -53,9 +62,9 @@ in {
          steps.FirstInstance = {
            InstanceName = "jsw";
            Org = {
-              Name = "jsw";
+              Name = "jsw-admin";
              Human = {
-                UserName = "jsw@jsw.tf";
+                UserName = "jsw-admin@jsw.tf";
                FirstName = "Jurn";
                LastName = "Wubben";
                Email.Verified = true;