Merge pull request 'option_refactor' (#4) from option_refactor into master

Reviewed-on: #4

flake.lock

@@ -28,11 +28,11 @@
         "fromYaml": "fromYaml"
       },
       "locked": {
-        "lastModified": 1746562888,
+        "lastModified": 1755819240,
-        "narHash": "sha256-YgNJQyB5dQiwavdDFBMNKk1wyS77AtdgDk/VtU6wEaI=",
+        "narHash": "sha256-qcMhnL7aGAuFuutH4rq9fvAhCpJWVHLcHVZLtPctPlo=",
         "owner": "SenchoPens",
         "repo": "base16.nix",
-        "rev": "806a1777a5db2a1ef9d5d6f493ef2381047f2b89",
+        "rev": "75ed5e5e3fce37df22e49125181fa37899c3ccd6",
         "type": "github"
       },
       "original": {
@@ -131,11 +131,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1748383148,
+        "lastModified": 1756083905,
-        "narHash": "sha256-pGvD/RGuuPf/4oogsfeRaeMm6ipUIznI2QSILKjKzeA=",
+        "narHash": "sha256-UqYGTBgI5ypGh0Kf6zZjom/vABg7HQocB4gmxzl12uo=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "4eb2714fbed2b80e234312611a947d6cb7d70caf",
+        "rev": "b655eaf16d4cbec9c3472f62eee285d4b419a808",
         "type": "github"
       },
       "original": {
@@ -195,11 +195,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1754487366,
+        "lastModified": 1756770412,
-        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
         "type": "github"
       },
       "original": {
@@ -234,11 +234,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753121425,
+        "lastModified": 1756770412,
-        "narHash": "sha256-TVcTNvOeWWk1DXljFxVRp+E0tzG1LhrVjOGGoMHuXio=",
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "644e0fc48951a860279da645ba77fe4a6e814c5e",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
         "type": "github"
       },
       "original": {
@@ -255,11 +255,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751413152,
+        "lastModified": 1756770412,
-        "narHash": "sha256-Tyw1RjYEsp5scoigs1384gIg6e0GoBVjms4aXFfRssQ=",
+        "narHash": "sha256-+uWLQZccFHwqpGqr2Yt5VsW/PbeJVTn9Dk6SHWhNRPw=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "77826244401ea9de6e3bac47c2db46005e1f30b5",
+        "rev": "4524271976b625a4a605beefd893f270620fd751",
         "type": "github"
       },
       "original": {
@@ -329,11 +329,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754416808,
+        "lastModified": 1757588530,
-        "narHash": "sha256-c6yg0EQ9xVESx6HGDOCMcyRSjaTpNJP10ef+6fRcofA=",
+        "narHash": "sha256-tJ7A8mID3ct69n9WCvZ3PzIIl3rXTdptn/lZmqSS95U=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "9c52372878df6911f9afc1e2a1391f55e4dfc864",
+        "rev": "b084b2c2b6bc23e83bbfe583b03664eb0b18c411",
         "type": "github"
       },
       "original": {
@@ -407,11 +407,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754593726,
+        "lastModified": 1757920978,
-        "narHash": "sha256-bo6aSfDS/GGfM/6LXCKLH/246fDSKjFnBsaRMNE+Wmc=",
+        "narHash": "sha256-Mv16aegXLulgyDunijP6SPFJNm8lSXb2w3Q0X+vZ9TY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5de16c704b0fc8f519b2c19ed3f683a9e68f3884",
+        "rev": "11cc5449c50e0e5b785be3dfcb88245232633eb8",
         "type": "github"
       },
       "original": {
@@ -444,11 +444,11 @@
     },
     "mnw": {
       "locked": {
-        "lastModified": 1748710831,
+        "lastModified": 1756659871,
-        "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+        "narHash": "sha256-v6Rh4aQ6RKjM2N02kK9Usn0Ix7+OY66vNpeklc1MnGE=",
         "owner": "Gerg-L",
         "repo": "mnw",
-        "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
+        "rev": "ed6cc3e48557ba18266e598a5ebb6602499ada16",
         "type": "github"
       },
       "original": {
@@ -500,11 +500,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754800038,
+        "lastModified": 1757822619,
-        "narHash": "sha256-UbLO8/0pVBXLJuyRizYOJigtzQAj8Z2bTnbKSec/wN0=",
+        "narHash": "sha256-3HIpe3P2h1AUPYcAH9cjuX0tZOqJpX01c0iDwoUYNZ8=",
         "owner": "nix-community",
         "repo": "nix-index-database",
-        "rev": "b65f8d80656f9fcbd1fecc4b7f0730f468333142",
+        "rev": "050a5feb5d1bb5b6e5fc04a7d3d816923a87c9ea",
         "type": "github"
       },
       "original": {
@@ -520,11 +520,11 @@
         "nixpkgs": "nixpkgs_3"
       },
       "locked": {
-        "lastModified": 1754583575,
+        "lastModified": 1757726013,
-        "narHash": "sha256-GLCNsMGuQQLq3B3+C+jEybyQCtV0xJytGjibNU3tg70=",
+        "narHash": "sha256-7RPKqqlc5xawEbASZh18b6HX9FogiVTPIw0KdMEjpn8=",
         "owner": "kaylorben",
         "repo": "nixcord",
-        "rev": "e049d77a74b3360791800a1d50cbe9518d96b764",
+        "rev": "2133f2ab5af34dab65f5aa17f1f343777bc71070",
         "type": "github"
       },
       "original": {
@@ -551,11 +551,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1753579242,
+        "lastModified": 1754788789,
-        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "narHash": "sha256-x2rJ+Ovzq0sCMpgfgGaaqgBSwY+LST+WbZ6TytnT9Rk=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "rev": "a73b9c743612e4244d865a2fdee11865283c04e6",
         "type": "github"
       },
       "original": {
@@ -629,11 +629,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1754498491,
+        "lastModified": 1757745802,
-        "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=",
+        "narHash": "sha256-hLEO2TPj55KcUFUU1vgtHE9UEIOjRcH/4QbmfHNF820=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134",
+        "rev": "c23193b943c6c689d70ee98ce3128239ed9e32d1",
         "type": "github"
       },
       "original": {
@@ -674,11 +674,11 @@
     },
     "nixpkgs_7": {
       "locked": {
-        "lastModified": 1751792365,
+        "lastModified": 1756819007,
-        "narHash": "sha256-J1kI6oAj25IG4EdVlg2hQz8NZTBNYvIS0l4wpr9KcUo=",
+        "narHash": "sha256-12V64nKG/O/guxSYnr5/nq1EfqwJCdD2+cIGmhz3nrE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "1fd8bada0b6117e6c7eb54aad5813023eed37ccb",
+        "rev": "aaff8c16d7fc04991cac6245bee1baa31f72b1e1",
         "type": "github"
       },
       "original": {
@@ -700,11 +700,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1751906969,
+        "lastModified": 1756961635,
-        "narHash": "sha256-BSQAOdPnzdpOuCdAGSJmefSDlqmStFNScEnrWzSqKPw=",
+        "narHash": "sha256-hETvQcILTg5kChjYNns1fD5ELdsYB/VVgVmBtqKQj9A=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "ddb679f4131e819efe3bbc6457ba19d7ad116f25",
+        "rev": "6ca27b2654ac55e3f6e0ca434c1b4589ae22b370",
         "type": "github"
       },
       "original": {
@@ -724,11 +724,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1754552918,
+        "lastModified": 1757773905,
-        "narHash": "sha256-vbT+nGdMLNAeYZ1S5WBBLJTVWosGne2VRt46rqPfB2A=",
+        "narHash": "sha256-lM1K3cJsPQyiSGI3rE/F7u02fA/JYBsinMN49IQCY1s=",
         "owner": "notashelf",
         "repo": "nvf",
-        "rev": "d61de135ce174f4e04b4e509de02e1afe040a834",
+        "rev": "7e74ee604a7c18dda21e6a809720ad37ab5bae43",
         "type": "github"
       },
       "original": {
@@ -793,11 +793,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1754597531,
+        "lastModified": 1757360005,
-        "narHash": "sha256-OpC9/PBIuL2WEJUkcuD/wVxI8r+3o6f5RylSIefjHo4=",
+        "narHash": "sha256-VwzdFEQCpYMU9mc7BSQGQe5wA1MuTYPJnRc9TQCTMcM=",
         "owner": "nix-community",
         "repo": "stylix",
-        "rev": "63bb34a66ad7d1af2e95ee20dd675896b2074c32",
+        "rev": "834a743c11d66ea18e8c54872fbcc72ce48bc57f",
         "type": "github"
       },
       "original": {
@@ -917,11 +917,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1750770351,
+        "lastModified": 1754779259,
-        "narHash": "sha256-LI+BnRoFNRa2ffbe3dcuIRYAUcGklBx0+EcFxlHj0SY=",
+        "narHash": "sha256-8KG2lXGaXLUE0F/JVwLQe7kOVm21IDfNEo0gfga5P4M=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "5a775c6ffd6e6125947b393872cde95867d85a2a",
+        "rev": "097d751b9e3c8b97ce158e7d141e5a292545b502",
         "type": "github"
       },
       "original": {
@@ -933,11 +933,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1751159871,
+        "lastModified": 1754788770,
-        "narHash": "sha256-UOHBN1fgHIEzvPmdNMHaDvdRMgLmEJh2hNmDrp3d3LE=",
+        "narHash": "sha256-LAu5nBr7pM/jD9jwFc6/kyFY4h7Us4bZz7dvVvehuwo=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "bded5e24407cec9d01bd47a317d15b9223a1546c",
+        "rev": "fb2175accef8935f6955503ec9dd3c973eec385c",
         "type": "github"
       },
       "original": {
@@ -949,11 +949,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1751158968,
+        "lastModified": 1755613540,
-        "narHash": "sha256-ksOyv7D3SRRtebpXxgpG4TK8gZSKFc4TIZpR+C98jX8=",
+        "narHash": "sha256-zBFrrTxHLDMDX/OYxkCwGGbAhPXLi8FrnLhYLsSOKeY=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "86a470d94204f7652b906ab0d378e4231a5b3384",
+        "rev": "937bada16cd3200bdbd3a2f5776fc3b686d5cba0",
         "type": "github"
       },
       "original": {

home/programs/neovim.nix

@@ -53,13 +53,17 @@
 
         ts = {
           enable = true;
-          lsp.server = "ts_ls";
+          lsp.server = "denols";
           extensions.ts-error-translator.enable = true;
         };
         clang = {
           enable = true;
           lsp.enable = true;
         };
+        typst = {
+          enable = true;
+          format.type = "typstyle";
+        };
 
         bash.enable = true;
         css.enable = true;
@@ -67,7 +71,6 @@
         markdown.enable = true;
         nix.enable = true;
         svelte.enable = true;
-        typst.enable = true;
         rust.enable = true;
         python.enable = true;
       };

home/programs/nixcord.nix

@@ -23,7 +23,7 @@
           "callTimer"
           "clearURLs"
           "copyFileContents"
-          "emoteCloner"
+          # "emoteCloner"
           "fakeNitro"
           "fixYoutubeEmbeds"
           "friendsSince"

home/programs/other.nix

@@ -13,7 +13,6 @@
       pkgs.gimp
       pkgs.inkscape
       pkgs.thunderbird
-      pkgs.stremio
     ]
     ++ lib.optional osConfig.niksos.hardware.portable.enable self.packages.${pkgs.system}.visicut;
 }

home/wayland/hyprland/binds.nix

@@ -64,6 +64,9 @@
       ]
     )
     10);
+
+  volumeUp = "${wpctl} set-volume -l '1.0' @DEFAULT_AUDIO_SINK@ 6%+";
+  volumeDown = "${wpctl} set-volume -l '1.0' @DEFAULT_AUDIO_SINK@ 6%-";
 in {
   wayland.windowManager.hyprland.settings = {
     "$m" = "ALT";
@@ -138,10 +141,20 @@ in {
 
     bindle = [
       # volume
-      ", XF86AudioRaiseVolume, exec, ${wpctl} set-volume -l '1.0' @DEFAULT_AUDIO_SINK@ 6%+"
+      ", XF86AudioRaiseVolume, exec, ${volumeUp}"
-      ", XF86AudioLowerVolume, exec, ${wpctl} set-volume -l '1.0' @DEFAULT_AUDIO_SINK@ 6%-"
+      ", XF86AudioLowerVolume, exec, ${volumeDown}"
       ",XF86MonBrightnessUp, exec, ${brightnessctl} s 10%+"
       ",XF86MonBrightnessDown, exec, ${brightnessctl} s 10%-"
     ];
+
+    gesture = [
+      "3, down, close"
+      "3, up, fullscreen"
+      "3, horizontal, workspace"
+      "4, left, dispatcher, exec, ${playerctl} previous"
+      "4, right, dispatcher, exec,  ${playerctl} next"
+      "4, up, dispatcher, exec, ${volumeUp}"
+      "4, down, dispatcher, exec, ${volumeDown}"
+    ];
   };
 }

home/wayland/hyprland/settings.nix

@@ -74,12 +74,6 @@
       };
     };
 
-    gestures = {
-      workspace_swipe = true;
-      workspace_swipe_forever = true;
-      workspace_swipe_direction_lock = false;
-    };
-
     dwindle = {
       pseudotile = true;
       preserve_split = true;
@@ -97,6 +91,7 @@
       "float, class:foot-somcli"
       "size >30% >30%, class:foot-somcli"
     ];
+
     #NOTE: Also check home/wayland/hyprland/binds + system/hardware/fingerprint
   };
 }

hosts/lapserv/default.nix

@@ -6,7 +6,39 @@
   networking.interfaces.enp2s0.wakeOnLan.enable = true;
 
   niksos = {
-    server = true;
+    # server = true;
+    server = {
+      baseDomain = "jsw.tf";
+      derek-bot.enable = true;
+      forgejo = {
+        enable = true;
+        subDomain = "git";
+      };
+      immich = {
+        enable = true;
+        subDomain = "photos";
+      };
+      jsw-bot = {
+        enable = true;
+        subDomain = "dc";
+      };
+      nextcloud = {
+        enable = true;
+        subDomain = "cloud";
+      };
+      stalwart = {
+        enable = true;
+        subDomain = "mail";
+      };
+      zitadel = {
+        enable = true;
+        subDomain = "z";
+      };
+      site = {
+        enable = true;
+        subDomain = "";
+      };
+    };
     hardware.graphics = {
       nvidia = false; #FIXME: Compile error
       intel = true;
@@ -27,5 +59,5 @@
     AllowHybridSleep=no
     AllowSuspendThenHibernate=no
   '';
-  services.logind.lidSwitchExternalPower = "ignore"; # INFO: Above apparantly wasn't enough. logind is flooding my logs.
+  services.logind.settings.Login.lidSwitchExternalPower = "ignore"; # INFO: Above apparantly wasn't enough. logind is flooding my logs.
 }

hosts/lapserv/hardware-configuration.nix

@@ -1,39 +1,44 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
 {
-  config,
+  imports =
-  lib,
+    [ (modulesPath + "/installer/scan/not-detected.nix")
-  pkgs,
+    ];
-  modulesPath,
-  ...
-}: {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
 
-  boot = {
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "sd_mod" ];
-    initrd.availableKernelModules = ["xhci_pci" "ahci" "sd_mod"];
+  boot.initrd.kernelModules = [ ];
-    initrd.kernelModules = [];
+  boot.kernelModules = [ "kvm-intel" ];
-    kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [ ];
-    extraModulePackages = [];
-  };
 
-  fileSystems = {
+  # fileSystems."/" =
-    "/" = {
+  #   { device = "/dev/disk/by-uuid/33b7e681-d92a-40db-a172-b797591a1e2e";
-      device = "/dev/disk/by-uuid/33b7e681-d92a-40db-a172-b797591a1e2e";
+  #     fsType = "ext4";
+  #   };
+  #
+  # fileSystems."/boot" =
+  #   { device = "/dev/disk/by-uuid/0BEA-7525";
+  #     fsType = "vfat";
+  #     options = [ "fmask=0022" "dmask=0022" ];
+  #   };
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/2ce4b2b1-0083-43b2-bd8d-0e8cd21b1ef6";
       fsType = "ext4";
     };
 
-    "/boot" = {
+  fileSystems."/boot" =
-      device = "/dev/disk/by-uuid/0BEA-7525";
+    { device = "/dev/disk/by-uuid/AE71-FD70";
       fsType = "vfat";
-      options = ["fmask=0022" "dmask=0022"];
+      options = [ "fmask=0022" "dmask=0022" ];
     };
-  };
-  swapDevices = [];
 
-  networking.useDHCP = lib.mkDefault true;
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f5af06e8-e285-4565-abc3-fdd0ddde4736"; }
+    ];
+
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }

hosts/laptop/default.nix

@@ -1,13 +1,16 @@
 {
+  pkgs,
+  lib,
+  ...
+}: {
   imports = [
     ./hardware-configuration.nix
-    # ./virt.nix
+    ./virt.nix
   ];
 
   # programs.appimage.enable = true;
   # programs.evolution.enable = true; # TODO: move to appropiate place.
 
-  # ! HII
   niksos = {
     hardware = {
       joycond = false; #NOTE: enable when game night lol
@@ -39,6 +42,26 @@
   };
   home-manager.users.jsw.wayland.windowManager.hyprland.settings.monitor = ["eDP-1,2880x1920@120,0x0,1.5,vrr,1"];
 
+  #FIXME: unity
+  nixpkgs.config.permittedInsecurePackages = ["libxml2-2.13.8"];
+  environment = {
+    etc.vscode.source = lib.getExe pkgs.vscodium;
+    systemPackages = let
+      unityhub = pkgs.unityhub.overrideAttrs (prevAttrs: {
+        nativeBuildInputs = (prevAttrs.nativeBuildInputs or []) ++ [pkgs.makeBinaryWrapper];
+
+        postInstall =
+          (prevAttrs.postInstall or "")
+          + ''
+            wrapProgram $out/bin/unityhub --set GDK_SCALE 2 --set GDK_DPI_SCALE 0.5
+          '';
+      });
+    in [
+      unityhub
+    ];
+  };
+  #ENDFIXME
+
   services.udev.extraRules = ''
     # Ethernet expansion card support
     ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="0bda", ATTR{idProduct}=="8156", ATTR{power/autosuspend}="20"

hosts/minimal/default.nix

@@ -34,7 +34,7 @@
       };
     };
     neovim = false;
-    server = false;
+    # server = false;
   };
 
   #NOTE: Old info

secrets/dcbot.age

@@ -1,16 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA a0CqbXhMIeFmKsMSnQzPWJcdi0hH8caayThGHtKNdjc
-ZfRN0ukqXH8L1E1pWBU+tw0LmPxsb6/4FoeERCKEYCk
--> ssh-ed25519 MfR7VA WO0CmKh4CQY1ZLtgDbGIhxfbC8C/C9Vw4p4UGkZTzSs
-0oQbzzz8A6WJRbFqEPR6WStMRRGtFy2eEXIJ1WCqvIg
--> ssh-ed25519 +cvRTg ZYBJwTDV8zwZIpqY7sZIszS3saww0OV4RwVREVNxWHg
-PW9gzG2odI4G2I5zz+Gr2vaouPB6796RWDJzYZNFREQ
--> ssh-ed25519 WCPLrA p8I1d6YXg5pN6Ljeq/wsY5jj4rPaSvD+/au+vEUsgh4
-U0aiqeildEqF8SNh0L4hGIq3rQxY4HcSnDvluwldDpQ
--> ssh-ed25519 7/ziYw 7DGE8Zr0qMGh3P5lUSRYT+AdgRges037cLjHbbPPnTc
-daC7dau5IHSZr/HmjszbWrQNsVJOQILqNS/Yn1YE/zM
--> ssh-ed25519 VQy60Q cAuS4VLmDC9iCZ+7e+/5WVIxrvBa7ZChCz2pPSSY/TY
-ut6SAJSZMm9/YElx7SShyMufrBYAlb/IyQp0g4ADMa4
---- DQrDZ/cXaadnKTDN8MrGuTokHttdMbOzs2IPYTIOPw4
-Ôú9èçEJG($Ç'_±z·3õ<33>§!;\Ûkç<6B><C3A7>IâEæ3„%”!zŒíÄþO£‚ôŠú«*’®ÂÂãÝ.,ó	à•…`û+',À*ÝÞÄÑml%g?â¥0°'ñ-<MíwYŒj]SR‡aÕ©V–£Í(çk
”—yü6Â@`j9jÈ~¨[úò_º½Dz±¨Ìd^¨"\Ú7ÍóéÔîlóÂþO#ǃÏcW=ô‚a~K],0![ßG¨~4ª™!XÅ›Ê|ÿó·(CÌ4)g^-¢5D”n¶lI·m 
C§,ê-9ƒš4¢åÓbI:–	1áõÝUx»ôe¡ôMÄêã’¡X(¯ÿʼ5²mí‚Œ[ÖBXHãâ f_ä‹J{Ôuóf<C3B3>OT”D^¸*Y3³-<2D>ƒ•³ƒŠ¹e-OB¤t
Á‘.Qaሲ{m¼ð$W7ÝL>r¿Â•'‰>€b6º¹D©;w*.uYž‡µ°÷ÃXß`A**Œ2¨$T<>ï
tÔŒM<C592>Â_1NÜÆ‹dã 
-<06>@cJsÎåtÄ,Ð…hÏïaº¯ÇJŠ<4A>pØå§j:æ¼sG@P/¼¾LœÜ4˜¥ö>XRÞ{f¶íJB>ƒ–Ãzï&÷ÖÀ;|’‚û«v‹œÎçΚJ<C5A1>ÙS•¥Úì±Î¶AÄ,7ÉE{ME
õwí<77>PªÉ:ÿG‰òcœŠYžR¯ç³³ z£@³Xô„æÕ<C3A6>*½j%­MM•ÄµšB¦´`HzŸéÝSëKUWy+xûGÇDåÈ“¯Ém÷ï~›¬Ö›êóÉû¹‰·>ó%Î]RƒŸ;9”–¶¿8åœV…¾ÉL›c (<28>RÌXäRùrŽl˜!eSAʧG3jhw¼œ•˜ƒ»£ª›Ò,ã2b1

secrets/default.nix

@@ -3,9 +3,9 @@
   lib,
   ...
 }: let
-  inherit (lib) mkIf;
   inherit (config.niksos) server;
 
+  isEnabled = x: lib.mkIf server.${x}.enable;
   serviceUser = x: config.systemd.services.${x}.serviceConfig.User;
   abstrServiceUser = x: config.services.${x}.user;
   abstrServiceGroup = x: config.services.${x}.group;
@@ -14,35 +14,35 @@ in {
     password.file = ./password.age;
 
     # NOTE: server things
-    dcbot = mkIf server {
+    jsw-bot = isEnabled "jsw-bot" {
-      file = ./dcbot.age;
+      file = ./jsw-bot.age;
-      owner = serviceUser "dcbot"; #
+      owner = serviceUser "jsw-bot"; #
     };
-    bread-dcbot = mkIf server {
+    derek-bot = isEnabled "derek-bot" {
-      file = ./bread-dcbot.age;
+      file = ./derek-bot.age;
-      owner = "bread-dcbot";
+      owner = "derek-bot";
     };
-    matrix-registration = mkIf server {
+    # matrix-registration = isEnabled "matrix" {
-      file = ./matrix-registration.age;
+    #   file = ./matrix-registration.age;
-      owner = abstrServiceUser "matrix-continuwuity";
+    #   owner = abstrServiceUser "matrix-continuwuity";
-    };
+    # };
-    mail-admin = mkIf server {
+    mail-admin = isEnabled "stalwart" {
       # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart.
       file = ./mail-admin.age;
     };
-    zitadel-key = mkIf server {
+    zitadel-key = isEnabled "zitadel" {
       file = ./zitadel-key.age;
       owner = abstrServiceUser "zitadel";
     };
-    forgejo-mailpass = mkIf server {
+    forgejo-mailpass = isEnabled "forgejo" {
       file = ./forgejo-mailpass.age;
       owner = abstrServiceUser "forgejo";
     };
-    immich-oidc = mkIf server {
+    immich-oidc = isEnabled "immich" {
       file = ./immich-oidc.age;
       owner = abstrServiceUser "immich";
     };
-    nextcloud-admin-pass = mkIf server {
+    nextcloud-admin-pass = isEnabled "nextcloud" {
       file = ./nextcloud-admin-pass.age;
       owner = "nextcloud"; #NOTE: not a clear 'nextcloud.service' or 'services.nextcloud.user'.
     };

secrets/secrets.nix

@@ -14,8 +14,8 @@ let
   keys = users ++ devices;
 in {
   "password.age".publicKeys = keys;
-  "dcbot.age".publicKeys = keys;
+  "jsw-bot.age".publicKeys = keys;
-  "bread-dcbot.age".publicKeys = keys;
+  "derek-bot.age".publicKeys = keys;
   "matrix-registration.age".publicKeys = keys;
   "mail-admin.age".publicKeys = keys;
   "zitadel-key.age".publicKeys = keys;

switch.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 NH_FLAKE=$(mktemp -d)
-git clone . "$NH_FLAKE" #TODO: replace . with valid bash for script dir.
+cp -r . "$NH_FLAKE" #TODO: replace . with valid bash for script dir.
 
 cd "$NH_FLAKE" || exit
 git lfs install

system/hardware/fingerprint.nix

@@ -13,10 +13,10 @@ in {
   config = mkIf hardware.fingerprint {
     services = {
       fprintd.enable = true;
-      logind.extraConfig = mkIf hypr ''
+      logind.settings.Login = mkIf hypr {
         # don’t shutdown when power button is short-pressed
-        HandlePowerKey=ignore
+        HandlePowerKey = "ignore";
-      '';
+      };
     };
 
     home-manager.users.jsw.wayland.windowManager.hyprland.settings = mkIf hypr {

system/hardware/power.nix

@@ -9,7 +9,7 @@
 in {
   config = lib.mkIf cfg.enable {
     services = {
-      logind = {
+      logind.settings.Login = {
         powerKey = "suspend-then-hibernate";
         powerKeyLongPress = "poweroff";
       };

system/nix/default.nix

@@ -20,7 +20,7 @@
   nix = let
     flakeInputs = lib.filterAttrs (_: v: lib.isType "flake" v) inputs;
   in {
-    package = pkgs.lix;
+    # package = pkgs.lix;
 
     # pin the registry to avoid downloading and evaling a new nixpkgs version every time
     registry = lib.mapAttrs (_: v: {flake = v;}) flakeInputs;
@@ -31,7 +31,7 @@
     settings = {
       auto-optimise-store = true;
       builders-use-substitutes = true;
-      experimental-features = ["nix-command" "flakes" "repl-flake"];
+      experimental-features = ["nix-command" "flakes"];
       flake-registry = "/etc/nix/registry.json";
 
       # for direnv GC roots

system/server/caddy.nix

@@ -3,13 +3,15 @@
   lib,
   ...
 }: let
-  cfg = config.niksos.server;
+  inherit (config.services.caddy) enable;
+  inherit (lib) mkIf;
 in {
-  services.caddy = {
+  config = mkIf enable {
-    enable = cfg;
+    services.caddy = {
-    email = "jurnwubben@gmail.com";
+      email = "jurnwubben@gmail.com";
-    enableReload = false;
+      enableReload = false;
-  };
+    };
 
-  networking.firewall.allowedTCPPorts = lib.mkIf cfg [80 443];
+    networking.firewall.allowedTCPPorts = [80 443];
+  };
 }

system/server/default.nix

@@ -1,16 +1,24 @@
-{lib, ...}: {
+{lib, ...}: let
+  inherit (lib) mkOption types;
+in {
   imports = [
     # ./matrix.nix
-    ./bot.nix
+    # ./temp.nix
+    ./jsw-bot.nix
     ./caddy.nix
-    ./derekBot.nix
+    ./derek-bot.nix
     ./forgejo.nix
     ./immich.nix
     ./index
     ./mail.nix
     ./nextcloud.nix
-    ./temp.nix
     ./zitadel.nix
   ];
-  options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option.
+  options.niksos.server = {
+    baseDomain = mkOption {
+      type = types.lines;
+      description = "Set's the apex domain for the webservices. Do not include 'https' or a slash at the end. Just 'example.com'.";
+      example = "example.com";
+    };
+  };
 }

system/server/derek-bot.nix

@@ -4,26 +4,26 @@
   lib,
   ...
 }: let
-  cfg = config.niksos.server;
+  name = "derek-bot";
-  userGroup = "bread-dcbot";
+  cfg = config.niksos.server.${name}.enable;
+
+  userGroup = name;
   gitRepo = "https://github.com/The-Breadening/Breadener";
 
-  bash = lib.getExe pkgs.bash;
+  inherit (lib) getExe mkEnableOption mkIf;
+  bash = getExe pkgs.bash;
+
   varLib = "/var/lib/";
-  mainDir =
+  mainDir = "${varLib}${userGroup}";
-    varLib
+  programDir = "${mainDir}/program";
-    + (
+  denoDir = "${mainDir}/deno";
-      if !cfg
+  tokenDir = "${mainDir}/Breadener-token";
-      then ""
+
-      else userGroup
-    )
-    + "/";
-  programDir = mainDir + "program";
-  denoDir = mainDir + "deno";
-  tokenDir = mainDir + "Breadener-token";
   path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.deno pkgs.git]);
 in {
-  config = lib.mkIf config.niksos.server {
+  options.niksos.server.${name}.enable = mkEnableOption name;
+
+  config = mkIf cfg {
     systemd.services.${userGroup} = {
       enable = true;
       after = ["network.target"];
@@ -39,7 +39,7 @@ in {
         export PATH=${path}
 
         cd "${mainDir}"
-        chown -R ${userGroup}:${userGroup} ${mainDir}* || echo
+        chown -R ${userGroup}:${userGroup} ${mainDir}/* || echo
 
         rm -rf "${tokenDir}" || echo
         mkdir -p "${denoDir}" "${tokenDir}"
@@ -48,13 +48,18 @@ in {
         if [ ! -d "${programDir}" ]; then
           git clone "${gitRepo}" "${programDir}"
         fi
-        chmod -R 750 ${mainDir}* || echo
+        chmod -R 750 ${mainDir}/* || echo
 
 
         cd "${programDir}"
         git fetch
         git reset --hard origin/HEAD
 
+        cat > .env <<EOF
+        DATABASE_PATH='../daataabaasaa.db'
+        SECRETS_PATH='../Breadener-token/prodBot.json'
+        EOF
+
         DENO_DIR=${denoDir} deno i
       '';
 
@@ -64,7 +69,7 @@ in {
         User = userGroup;
         Group = userGroup;
         Restart = "always";
-        RuntimeMaxSec = 6 * 60 * 60; # 6h * 60min * 60s
+        RuntimeMaxSec = 1 * 60 * 60; # 1h * 60min * 60s
       };
     };
 

system/server/forgejo.nix

@@ -3,17 +3,24 @@
   lib,
   ...
 }: let
-  DOMAIN = "git.jsw.tf";
+  name = "forgejo";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
+  DOMAIN = cfg.domain;
 in {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
   config =
-    lib.mkIf config.niksos.server
+    lib.mkIf cfg.enable
     {
-      services.caddy.virtualHosts.${DOMAIN}.extraConfig = ''
+      services.caddy = {
-        request_body {
+        enable = true;
-            max_size 512M
+        virtualHosts.${DOMAIN}.extraConfig = ''
-        }
+          request_body {
-        reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
+              max_size 512M
-      '';
+          }
+          reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
+        '';
+      };
 
       services.forgejo = {
         enable = true;
@@ -52,12 +59,13 @@ in {
             DEFAULT_ACTIONS_URL = "github";
           };
           mailer = {
+            #FIXME: Only enable if stalwart is enabled by default.
             ENABLED = true;
             SUBJECT_PREFIX = "JSWGit";
             PROTOCOL = "smtps";
-            SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
+            SMTP_ADDR = "mail.${cfg.baseDomain}"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module.
             SMTP_PORT = 465;
-            FROM = "git@jsw.tf";
+            FROM = "git@${cfg.baseDomain}";
             USER = "git";
             PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}";
           };

system/server/immich.nix

@@ -4,23 +4,29 @@
   pkgs,
   ...
 }: let
+  name = "immich";
   inherit (lib) mkIf mkForce mkDefault;
 
-  cfg = config.niksos.server;
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
   oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*";
   config-dir = "/run/immich-conf";
-  url = "photos.jsw.tf";
+  httpsUrl = "https://" + cfg.domain;
-  httpsUrl = "https://" + url;
 in {
-  config =
+  options = import ./lib/webOptions.nix {inherit config lib name;};
-    mkIf cfg
-    {
-      users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
-      services.caddy.virtualHosts.${url}.extraConfig = ''
-        reverse_proxy localhost:9002
-      '';
 
-      services.immich = mkIf cfg {
+  config =
+    mkIf cfg.enable
+    {
+      services.caddy = {
+        enable = true;
+        virtualHosts.${cfg.domain}.extraConfig = ''
+          reverse_proxy localhost:9002
+        '';
+      };
+
+      users.users.${config.services.immich.user}.extraGroups = ["video" "render"];
+      services.immich = {
         enable = true;
 
         port = 9002;

system/server/index/default.nix

@@ -2,13 +2,19 @@
   config,
   lib,
   ...
-}: {
+}: let
-  services.caddy.virtualHosts."jsw.tf" = lib.mkIf config.niksos.server {
+  name = "site";
-    extraConfig = ''
+  cfg = import ../lib/extractWebOptions.nix {inherit config name;};
-      header Content-Type text/html
+in {
-      respond <<HTML
+  options = import ../lib/webOptions.nix {inherit config lib name;};
-        ${builtins.readFile ./index.html}
+  config = lib.mkIf cfg.enable {
-      HTML 200
+    services.caddy.virtualHosts.${cfg.domain} = {
-    '';
+      extraConfig = ''
+        header Content-Type text/html
+        respond <<HTML
+          ${builtins.readFile ./index.html}
+        HTML 200
+      '';
+    };
   };
 }

system/server/jsw-bot.nix

@@ -5,20 +5,29 @@
   inputs,
   ...
 }: let
-  deno = lib.getExe pkgs.deno;
+  name = "jsw-bot";
-  bash = lib.getExe pkgs.bash;
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
 
-  mainDir = "/var/lib/dcbot/";
+  inherit (lib) getExe mkIf optional;
+  inherit (config.niksos.server) nextcloud;
+
+  bash = getExe pkgs.bash;
+
+  mainDir = "/var/lib/${name}/";
   programDir = mainDir + "program";
   dataDir = mainDir + "data";
   denoDir = mainDir + "deno";
 
   path = builtins.concatStringsSep ":" (map (x: "${x}/bin/") [pkgs.coreutils pkgs.typst pkgs.deno]);
 in {
-  config = lib.mkIf config.niksos.server {
+  options = import ./lib/webOptions.nix {
-    systemd.services.dcbot = {
+    inherit config lib name;
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.${name} = {
       enable = true;
-      after = ["network.target"];
+      after = ["network.target"]; #FIXME: doesn't start after network.
       wantedBy = ["default.target"];
       description = "Jsw's slaafje, discord bot.";
 
@@ -33,39 +42,41 @@ in {
         cd "${mainDir}"
         mkdir -p "${programDir}" "${dataDir}" "${denoDir}"
 
-        chown -R dcbot:dcbot ${mainDir}* || echo
+        chown -R ${name}:${name} ${mainDir}* || echo
         chmod -R 750 ${mainDir}* || echo
         cp --no-preserve=mode,ownership -r ${inputs.dcbot}/* "${programDir}/"
 
         rm "${dataDir}/.env" || echo
-        ln -s "${config.age.secrets.dcbot.path}" "${dataDir}/.env"
+        ln -s "${config.age.secrets.jsw-bot.path}" "${dataDir}/.env"
 
         cd "${programDir}"
         DENO_DIR=${denoDir} deno i
       '';
 
       serviceConfig = {
-        StateDirectory = "dcbot";
+        StateDirectory = name;
         ExecStart = "${bash} -c 'cd ${dataDir} && deno run -A ${programDir}/src/main.ts'";
-        User = "dcbot";
+        User = name;
-        Group = "dcbot";
+        Group = name;
         Restart = "always";
       };
     };
 
-    services.caddy.virtualHosts."dc.jsw.tf" = {
+    services.caddy = {
-      serverAliases = ["www.dc.jsw.tf"];
+      enable = true;
-      extraConfig = ''
+      virtualHosts.${cfg.domain} = {
-        reverse_proxy :9001
+        extraConfig = ''
-      '';
+          reverse_proxy :9001
+        '';
+      };
     };
 
-    users.groups."dcbot" = {
+    users.groups.${name} = {
-      members = ["nextcloud"]; #TODO: if config.niksos.server.nextcloud
+      members = optional nextcloud.enable "nextcloud"; #TODO: if config.niksos.server.nextcloud
       #NOTE: for nextcloud mounted folder
     };
-    users.users."dcbot" = {
+    users.users.${name} = {
-      group = "dcbot";
+      group = name;
       isSystemUser = true;
     };
   };

system/server/lib/extractWebOptions.nix

@@ -0,0 +1,18 @@
+{
+  config,
+  name,
+}: let
+  inherit (config.niksos) server;
+  inherit (server) baseDomain;
+  cfg = server.${name};
+
+  subDomain =
+    if cfg.subDomain == ""
+    then ""
+    else "${cfg.subDomain}.";
+in
+  cfg // 
+  {
+    domain = "${subDomain}${baseDomain}";
+    inherit baseDomain subDomain;
+  }

system/server/lib/webOptions.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  name,
+}: let
+  inherit (lib) mkEnableOption mkOption types;
+in {
+  niksos.server.${name} = {
+    enable = mkEnableOption name;
+    subDomain = mkOption {
+      type = types.lines;
+      description = "What subdomain to use for ${name}";
+      example = name;
+    };
+  };
+}

system/server/mail.nix

@@ -2,10 +2,15 @@
   config,
   lib,
   ...
-}: {
+}: let
+  name = "stalwart";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+in {
   #FIXME: revert when stopped using docker for stalwart. https://github.com/NixOS/nixpkgs/issues/416091 (look at older commits for previous code.)
 
-  config = lib.mkIf config.niksos.server {
+  options = import ./lib/webOptions.nix {inherit lib config name;};
+
+  config = lib.mkIf cfg.enable {
     virtualisation.oci-containers.containers.stalwart = {
       image = "docker.io/stalwartlabs/stalwart:latest";
       labels = {
@@ -22,8 +27,11 @@
       465
     ];
 
-    services.caddy.virtualHosts."mail.jsw.tf".extraConfig = ''
+    services.caddy = {
-      reverse_proxy http://127.0.0.1:9003
+      enable = true;
-    '';
+      virtualHosts.${cfg.domain}.extraConfig = ''
+        reverse_proxy http://127.0.0.1:9003
+      '';
+    };
   };
 }

system/server/matrix.nix

@@ -3,36 +3,37 @@
   lib,
   ...
 }: let
-  database = {
+  name = "matrix";
-    connection_string = "postgres:///dendrite?host=/run/postgresql";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
-    max_open_conns = 97;
-    max_idle_conns = 5;
-    conn_max_lifetime = -1;
-  };
-  host = "matrix.jsw.tf";
 in {
-  config = lib.mkIf config.niksos.server {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
+  config = lib.mkIf cfg.enable {
     services = {
       matrix-continuwuity = {
         enable = true;
         group = "caddy"; # Permissions for socket
+        #FIXME: caddy should be part of matrix group, not other way around
         settings.global = {
           unix_socket_path = "/run/continuwuity/continuwuity.sock";
-          server_name = host;
+          server_name = cfg.domain;
           allow_registration = true;
           registration_token_file = config.age.secrets.matrix-registration.path;
           new_user_displayname_suffix = "";
         };
       };
 
-      caddy.virtualHosts = {
+      caddy = {
-        ${host}.extraConfig = ''
+        enable = true;
-          header /.well-known/matrix/* Content-Type application/json
+        virtualHosts = {
-          header /.well-known/matrix/* Access-Control-Allow-Origin *
+          ${cfg.domain}.extraConfig = ''
-          respond /.well-known/matrix/server `{"m.server": "${host}:443"}`
+            header /.well-known/matrix/* Content-Type application/json
-          respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://${host}"}}`
+            header /.well-known/matrix/* Access-Control-Allow-Origin *
-          reverse_proxy /_matrix/* unix//run/continuwuity/continuwuity.sock
+            respond /.well-known/matrix/server `{"m.server": "${cfg.domain}:443"}`
-        '';
+            respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://${cfg.domain}"}}`
+            reverse_proxy /_matrix/* unix//run/continuwuity/continuwuity.sock
+          '';
+        };
       };
     };
   };

system/server/nextcloud.nix

@@ -4,18 +4,24 @@
   lib,
   ...
 }: let
-  inherit (config.niksos) server;
+  name = "nextcloud";
-  host = "cloud.jsw.tf";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
-  nginxRoot = config.services.nginx.virtualHosts.${host}.root;
+
+  inherit (cfg) enable domain;
+
+  nginxRoot = config.services.nginx.virtualHosts.${domain}.root;
   fpmSocket = config.services.phpfpm.pools.nextcloud.socket;
   imaginaryPort = 9004;
 in {
-  config = lib.mkIf server {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
+  config = lib.mkIf enable {
     users.groups.nextcloud.members = ["nextcloud" "caddy"];
+
     services = {
       nextcloud = {
         enable = true;
-        hostName = host;
+        hostName = domain;
 
         # Need to manually increment with every major upgrade.
         package = pkgs.nextcloud31;
@@ -77,12 +83,12 @@ in {
           dbtype = "pgsql";
         };
       };
-      imaginary = {
+      # imaginary = { #FIXME: doesn't start.
-        enable = true;
+      #   enable = true;
-        port = imaginaryPort;
+      #   port = imaginaryPort;
-        address = "localhost";
+      #   address = "localhost";
-        settings.returnSize = true;
+      #   settings.returnSize = true;
-      };
+      # };
 
       nginx.enable = lib.mkForce false;
       phpfpm.pools.nextcloud.settings = let
@@ -91,58 +97,62 @@ in {
         "listen.owner" = user;
         "listen.group" = group;
       };
-      caddy.virtualHosts."${host}".extraConfig = ''
-        encode zstd gzip
 
-        root * ${nginxRoot}
+      caddy = {
+        enable = true;
+        virtualHosts.${domain}.extraConfig = ''
+          encode zstd gzip
 
-        redir /.well-known/carddav /remote.php/dav 301
+          root * ${nginxRoot}
-        redir /.well-known/caldav /remote.php/dav 301
-        redir /.well-known/* /index.php{uri} 301
-        redir /remote/* /remote.php{uri} 301
 
-        header {
+          redir /.well-known/carddav /remote.php/dav 301
-          Strict-Transport-Security max-age=31536000
+          redir /.well-known/caldav /remote.php/dav 301
-          Permissions-Policy interest-cohort=()
+          redir /.well-known/* /index.php{uri} 301
-          X-Content-Type-Options nosniff
+          redir /remote/* /remote.php{uri} 301
-          X-Frame-Options SAMEORIGIN
-          Referrer-Policy no-referrer
-          X-XSS-Protection "1; mode=block"
-          X-Permitted-Cross-Domain-Policies none
-          X-Robots-Tag "noindex, nofollow"
-          -X-Powered-By
-        }
 
-        php_fastcgi unix/${fpmSocket} {
+          header {
-          root ${nginxRoot}
+            Strict-Transport-Security max-age=31536000
-          env front_controller_active true
+            Permissions-Policy interest-cohort=()
-          env modHeadersAvailable true
+            X-Content-Type-Options nosniff
-        }
+            X-Frame-Options SAMEORIGIN
+            Referrer-Policy no-referrer
+            X-XSS-Protection "1; mode=block"
+            X-Permitted-Cross-Domain-Policies none
+            X-Robots-Tag "noindex, nofollow"
+            -X-Powered-By
+          }
 
-        @forbidden {
+          php_fastcgi unix/${fpmSocket} {
-          path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
+            root ${nginxRoot}
-          path /.* /autotest* /occ* /issue* /indie* /db_* /console*
+            env front_controller_active true
-          not path /.well-known/*
+            env modHeadersAvailable true
-        }
+          }
-        error @forbidden 404
 
-        @immutable {
+          @forbidden {
-          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+            path /build/* /tests/* /config/* /lib/* /3rdparty/* /templates/* /data/*
-          query v=*
+            path /.* /autotest* /occ* /issue* /indie* /db_* /console*
-        }
+            not path /.well-known/*
-        header @immutable Cache-Control "max-age=15778463, immutable"
+          }
+          error @forbidden 404
 
-        @static {
+          @immutable {
-          path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+            path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
-          not query v=*
+            query v=*
-        }
+          }
-        header @static Cache-Control "max-age=15778463"
+          header @immutable Cache-Control "max-age=15778463, immutable"
 
-        @woff2 path *.woff2
+          @static {
-        header @woff2 Cache-Control "max-age=604800"
+            path *.css *.js *.mjs *.svg *.gif *.png *.jpg *.ico *.wasm *.tflite
+            not query v=*
+          }
+          header @static Cache-Control "max-age=15778463"
 
-        file_server
+          @woff2 path *.woff2
-      '';
+          header @woff2 Cache-Control "max-age=604800"
+
+          file_server
+        '';
+      };
     };
   };
 }

system/server/temp.nix

@@ -1,14 +1,15 @@
+#WARNING: deprecated
 {
-  config,
+  #   config,
-  pkgs,
+  #   pkgs,
-  lib,
+  #   lib,
-  inputs,
+  #   inputs,
-  ...
+  #   ...
-}: {
+  # }: {
-  config = lib.mkIf config.niksos.server {
+  #   config = lib.mkIf config.niksos.server {
-    # NOTE: allows me to spin up temporarily services.
+  #     # NOTE: allows me to spin up temporarily services.
-    services.caddy.virtualHosts."temp.jsw.tf".extraConfig = ''
+  #     services.caddy.virtualHosts."temp.jsw.tf".extraConfig = ''
-      reverse_proxy :8000
+  #       reverse_proxy :8000
-    '';
+  #     '';
-  };
+  #   };
 }

system/server/zitadel.nix

@@ -3,15 +3,22 @@
   lib,
   ...
 }: let
-  ExternalDomain = "z.jsw.tf";
+  name = "zitadel";
+  cfg = import ./lib/extractWebOptions.nix {inherit config name;};
+
   Port = 9000;
 in {
+  options = import ./lib/webOptions.nix {inherit config lib name;};
+
   config =
-    lib.mkIf config.niksos.server
+    lib.mkIf cfg.enable
     {
-      services.caddy.virtualHosts.${ExternalDomain}.extraConfig = ''
+      services.caddy = {
-        reverse_proxy localhost:${builtins.toString Port}
+        enable = true;
-      '';
+        virtualHosts.${cfg.domain}.extraConfig = ''
+          reverse_proxy localhost:${builtins.toString Port}
+        '';
+      };
 
       # services.zitadel = {
       #   enable = true;
@@ -32,8 +39,10 @@ in {
           enable = true;
           masterKeyFile = config.age.secrets.zitadel-key.path;
           settings = {
-            inherit Port ExternalDomain;
+            inherit Port;
+            ExternalDomain = cfg.domain;
             ExternalPort = 443;
+
             Database.postgres = {
               Host = "/var/run/postgresql/";
               Port = 5432;
@@ -53,9 +62,9 @@ in {
           steps.FirstInstance = {
             InstanceName = "jsw";
             Org = {
-              Name = "jsw";
+              Name = "jsw-admin";
               Human = {
-                UserName = "jsw@jsw.tf";
+                UserName = "jsw-admin@jsw.tf";
                 FirstName = "Jurn";
                 LastName = "Wubben";
                 Email.Verified = true;