diff --git a/hosts/vps-monitor/default.nix b/hosts/vps-monitor/default.nix index 34083b6..20b3433 100644 --- a/hosts/vps-monitor/default.nix +++ b/hosts/vps-monitor/default.nix @@ -8,11 +8,6 @@ system.stateVersion = "25.11"; - meta = { - domains.validate = true; - ports.validate = true; - }; - custom = { persistence.enable = true; diff --git a/hosts/vps-private/default.nix b/hosts/vps-private/default.nix index 2489fb9..134b29e 100644 --- a/hosts/vps-private/default.nix +++ b/hosts/vps-private/default.nix @@ -8,11 +8,6 @@ system.stateVersion = "25.11"; - meta = { - domains.validate = true; - ports.validate = true; - }; - custom = let privateDomain = config.custom.networking.overlay.domain; diff --git a/hosts/vps-public/default.nix b/hosts/vps-public/default.nix index bbbfa13..f80104f 100644 --- a/hosts/vps-public/default.nix +++ b/hosts/vps-public/default.nix @@ -8,11 +8,6 @@ system.stateVersion = "25.11"; - meta = { - domains.validate = true; - ports.validate = true; - }; - custom = let sproutedDomain = "sprouted.cloud"; diff --git a/modules/system/meta/domains.nix b/modules/system/meta/domains.nix deleted file mode 100644 index a2001e3..0000000 --- a/modules/system/meta/domains.nix +++ /dev/null 
@@ -1,62 +0,0 @@ -{ - config, - self, - lib, - ... -}: -let - cfg = config.meta.domains; -in -{ - options.meta.domains = { - local = lib.mkOption { - type = lib.types.listOf lib.types.nonEmptyStr; - default = [ ]; - }; - global = lib.mkOption { - type = lib.types.listOf lib.types.nonEmptyStr; - default = - self.nixosConfigurations - |> lib.attrValues - |> lib.map (host: host.config.meta.domains.local) - |> lib.concatLists; - readOnly = true; - }; - validate = lib.mkEnableOption ""; - }; - - config = lib.mkIf cfg.validate { - assertions = - let - duplicateDomains = - self.nixosConfigurations - |> lib.attrValues - |> lib.map (host: host.options.meta.domains.local.definitionsWithLocations) - |> lib.concatLists - |> lib.concatMap ( - { file, value }: - value - |> lib.map (domain: { - file = self.lib.relativePath file; - inherit domain; - }) - ) - |> builtins.groupBy (entry: toString entry.domain) - |> lib.mapAttrs (_: values: values |> lib.map (value: value.file)) - |> lib.filterAttrs (_: files: lib.length files > 1); - - errorMessage = - duplicateDomains - |> lib.mapAttrsToList ( - domain: files: - "Duplicate domain `${domain}` found in:\n" - + (files |> lib.map (file: " - ${file}") |> lib.concatLines) - ) - |> lib.concatStrings; - in - lib.singleton { - assertion = duplicateDomains == { }; - message = errorMessage; - }; - }; -} diff --git a/modules/system/meta/ports.nix b/modules/system/meta/ports.nix deleted file mode 100644 index 77ff548..0000000 --- a/modules/system/meta/ports.nix +++ /dev/null 
@@ -1,65 +0,0 @@ -{ - config, - options, - self, - lib, - ... -}: -let - cfg = config.meta.ports; -in -{ - options.meta.ports = { - tcp = lib.mkOption { - type = lib.types.listOf lib.types.port; - default = [ ]; - }; - udp = lib.mkOption { - type = lib.types.listOf lib.types.port; - default = [ ]; - }; - validate = lib.mkEnableOption ""; - }; - - config = { - assertions = - let - findDuplicatePorts = - protocol: - options.meta.ports.${protocol}.definitionsWithLocations - |> lib.concatMap ( - { file, value }: - value - |> lib.map (port: { - file = self.lib.relativePath file; - inherit port; - }) - ) - |> builtins.groupBy (entry: toString entry.port) - |> lib.mapAttrs (_: values: values |> lib.map (value: value.file)) - |> lib.filterAttrs (_: files: lib.length files > 1); - - mkErrorMessage = - duplicatePorts: - duplicatePorts - |> lib.mapAttrsToList ( - port: files: - "Duplicate port `${port}` found in:\n" + (files |> lib.map (file: " - ${file}") |> lib.concatLines) - ) - |> lib.concatStrings; - - duplicateTcpPorts = findDuplicatePorts "tcp"; - duplicateUdpPorts = findDuplicatePorts "udp"; - in - lib.mkIf cfg.validate [ - { - assertion = duplicateTcpPorts == { }; - message = mkErrorMessage duplicateTcpPorts; - } - { - assertion = duplicateUdpPorts == { }; - message = mkErrorMessage duplicateUdpPorts; - } - ]; - }; -} diff --git a/modules/system/services/caddy.nix b/modules/system/services/caddy.nix index 2323d11..cd863fb 100644 --- a/modules/system/services/caddy.nix +++ b/modules/system/services/caddy.nix @@ -95,7 +95,7 @@ in message = "Each caddy virtual host must set exactly one of `port` or `files`"; }; - meta.ports.tcp = [ cfg.metricsPort ]; + networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts; services.caddy = { enable = true; 
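Review bot: Nothing now detects two modules on one host claiming the same TCP port at evaluation time: the replaced `meta.ports.tcp = [ cfg.metricsPort ];` line fed the duplicate-port assertion in `modules/system/meta/ports.nix`, which this commit deletes, and the same loss applies to every `meta.ports` removal that follows, most visibly `sshd.nix` (`22`) versus `forgejo/ssh.nix` (`cfg.port`), which the deleted assertion would have compared if both were enabled on one host. A collision now only surfaces at boot as a bind failure of whichever unit starts second, which is exactly the silent availability problem the old registry existed to catch. If the registry is intentionally gone, consider a local assertion next to the existing `port`/`files` one in this module, e.g. `{ assertion = !(lib.elem cfg.metricsPort webPorts); message = "caddy metricsPort collides with a virtual host port"; }`, and an equivalent `cfg.port != 22` check in `forgejo/ssh.nix`. The new `networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts;` is equivalent to the firewall line removed in the second hunk, so the exposed ports themselves do not change. The enclosing `config` attribute set starts and ends outside the hunk.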
@@ -111,11 +111,6 @@ in custom.persistence.directories = [ "/var/lib/caddy" ]; } - (lib.mkIf publicHostsExist { - meta.ports.tcp = webPorts; - networking.firewall.allowedTCPPorts = webPorts; - }) - (lib.mkIf privateHostsExist { sops.secrets = { "porkbun/api-key".owner = config.users.users.acme.name; diff --git a/modules/system/services/crowdsec/default.nix b/modules/system/services/crowdsec/default.nix index 7e00097..ffc45ed 100644 --- a/modules/system/services/crowdsec/default.nix +++ b/modules/system/services/crowdsec/default.nix @@ -38,11 +38,6 @@ in }; config = lib.mkIf cfg.enable { - meta.ports.tcp = [ - cfg.apiPort - cfg.prometheusPort - ]; - sops.secrets."crowdsec/enrollment-key" = { owner = user; restartUnits = [ "crowdsec.service" ]; diff --git a/modules/system/services/dns.nix b/modules/system/services/dns.nix index 754c84a..cb73b2e 100644 --- a/modules/system/services/dns.nix +++ b/modules/system/services/dns.nix @@ -12,11 +12,6 @@ in options.custom.services.dns.enable = lib.mkEnableOption ""; config = lib.mkIf cfg.enable { - # meta.ports = { - # tcp = [ 53 ]; - # udp = [ 53 ]; - # }; - services = { unbound = { enable = true; @@ -39,7 +34,9 @@ in |> lib.attrValues |> lib.concatMap ( host: - host.config.meta.domains.local + host.config.custom.services.caddy.virtualHosts + |> lib.attrValues + |> lib.map (vHost: vHost.domain) |> lib.filter (domain: self.lib.isPrivateDomain domain) |> lib.map (domain: "\"${domain}. A ${host.config.custom.networking.overlay.address}\"") ); diff --git a/modules/system/services/nebula/default.nix b/modules/system/services/nebula/default.nix index e362ab3..651bf9e 100644 --- a/modules/system/services/nebula/default.nix +++ b/modules/system/services/nebula/default.nix @@ -38,8 +38,6 @@ in systemdUnit = "nebula@mesh.service"; }; - meta.ports.udp = lib.optional netCfg.underlay.isPublic publicPort; - sops.secrets."nebula/host-key" = { owner = config.users.users.nebula-mesh.name; restartUnits = [ "nebula@mesh.service" ]; 
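Review bot: Any domain that was published only through the removed `meta.domains.local` and has no Caddy virtual host now silently drops out of the unbound local data, because the new side derives the `A` records solely from `host.config.custom.services.caddy.virtualHosts`; `syncthing.nix` (`domains.local = lib.mkIf (cfg.gui.domain != null) [ cfg.gui.domain ]`, removed later in this commit) looks like such a case unless it declares a virtual host elsewhere, which the diff does not show. With `modules/system/meta/domains.nix` also deleted, two hosts declaring the same private domain would no longer fail evaluation but would emit two `A` records for one name with different overlay addresses, making resolution ambiguous. A cheap replacement is an assertion over the collected domain names before they are mapped into record strings, e.g. `assertion = lib.unique domains == domains;` with a message naming the duplicates, and naming the `virtualHosts |> lib.attrValues |> lib.map (vHost: vHost.domain)` expression as a helper in `self.lib` would avoid repeating it in `gatus.nix`. The `vHost.domain` attribute is assumed to exist on the virtual host submodule; its definition is not in the diff. The enclosing `self.nixosConfigurations` pipeline starts and its option assignment ends outside the hunk.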
diff --git a/modules/system/services/resolved.nix b/modules/system/services/resolved.nix index 3002197..9782bde 100644 --- a/modules/system/services/resolved.nix +++ b/modules/system/services/resolved.nix @@ -1,22 +1,10 @@ { config, lib, ... }: -let - ports = [ - 53 - 5353 - 5355 - ]; -in { options.custom.services.resolved.enable = lib.mkEnableOption "" // { default = config.systemd.network.enable; }; config = lib.mkIf config.custom.services.resolved.enable { - meta.ports = { - tcp = ports; - udp = ports; - }; - services.resolved = { enable = true; dnssec = "allow-downgrade"; diff --git a/modules/system/services/sshd.nix b/modules/system/services/sshd.nix index 2aea658..a4621f4 100644 --- a/modules/system/services/sshd.nix +++ b/modules/system/services/sshd.nix @@ -12,8 +12,6 @@ in options.custom.services.sshd.enable = lib.mkEnableOption ""; config = lib.mkIf cfg.enable { - meta.ports.tcp = [ 22 ]; - services = { openssh = { enable = true; diff --git a/modules/system/services/syncthing.nix b/modules/system/services/syncthing.nix index 1cf3966..b2bf8bc 100644 --- a/modules/system/services/syncthing.nix +++ b/modules/system/services/syncthing.nix @@ -61,17 +61,6 @@ in } ]; - meta = { - domains.local = lib.mkIf (cfg.gui.domain != null) [ cfg.gui.domain ]; - ports = { - tcp = [ - cfg.syncPort - cfg.gui.port - ]; - udp = [ cfg.syncPort ]; - }; - }; - sops.secrets = lib.mkIf useSopsSecrets { "syncthing/cert" = { owner = config.services.syncthing.user; diff --git a/modules/system/web-services/actualbudget.nix b/modules/system/web-services/actualbudget.nix index 126726f..fc80e34 100644 --- a/modules/system/web-services/actualbudget.nix +++ b/modules/system/web-services/actualbudget.nix @@ -19,11 +19,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - users = { users.actual = { isSystemUser = true; 
diff --git a/modules/system/web-services/alloy.nix b/modules/system/web-services/alloy.nix index 3fea35b..9ab821c 100644 --- a/modules/system/web-services/alloy.nix +++ b/modules/system/web-services/alloy.nix @@ -63,11 +63,6 @@ in in metricsAssertions ++ logsAssertions; - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.alloy = { enable = true; extraFlags = [ diff --git a/modules/system/web-services/filebrowser.nix b/modules/system/web-services/filebrowser.nix index 7f239f8..c7d1821 100644 --- a/modules/system/web-services/filebrowser.nix +++ b/modules/system/web-services/filebrowser.nix @@ -29,11 +29,6 @@ in message = self.lib.mkUnprotectedMessage "Filebrowser"; }; - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.filebrowser = { enable = true; settings = { diff --git a/modules/system/web-services/forgejo/default.nix b/modules/system/web-services/forgejo/default.nix index 6888e07..f657248 100644 --- a/modules/system/web-services/forgejo/default.nix +++ b/modules/system/web-services/forgejo/default.nix @@ -17,11 +17,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - users = { users.git = { isSystemUser = true; diff --git a/modules/system/web-services/forgejo/ssh.nix b/modules/system/web-services/forgejo/ssh.nix index b54c908..885ab98 100644 --- a/modules/system/web-services/forgejo/ssh.nix +++ b/modules/system/web-services/forgejo/ssh.nix @@ -12,8 +12,6 @@ in }; config = lib.mkIf cfg.enable { - meta.ports.tcp = [ cfg.port ]; - services.forgejo.settings.server.SSH_PORT = cfg.port; services.openssh = { diff --git a/modules/system/web-services/freshrss.nix b/modules/system/web-services/freshrss.nix index fe3ea6b..acae4e2 100644 --- a/modules/system/web-services/freshrss.nix +++ b/modules/system/web-services/freshrss.nix 
@@ -29,11 +29,6 @@ in message = self.lib.mkUnprotectedMessage "FreshRSS"; }; - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.freshrss = { enable = true; baseUrl = "https://${cfg.domain}"; diff --git a/modules/system/web-services/gatus.nix b/modules/system/web-services/gatus.nix index bb6e87b..d2e44df 100644 --- a/modules/system/web-services/gatus.nix +++ b/modules/system/web-services/gatus.nix @@ -70,11 +70,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - sops = { secrets."healthchecks/ping-key" = { }; templates."gatus.env" = { @@ -176,7 +171,10 @@ in let defaultEndpoints = self.nixosConfigurations - |> lib.mapAttrs (_: host: host.config.meta.domains.local) + |> lib.mapAttrs ( + _: host: + host.config.custom.services.caddy.virtualHosts |> lib.attrValues |> lib.map (vHost: vHost.domain) + ) |> lib.concatMapAttrs ( hostName: domains: domains diff --git a/modules/system/web-services/grafana.nix b/modules/system/web-services/grafana.nix index c5ed60e..307833b 100644 --- a/modules/system/web-services/grafana.nix +++ b/modules/system/web-services/grafana.nix @@ -64,11 +64,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - sops.secrets."grafana/admin-password" = { owner = config.users.users.grafana.name; restartUnits = [ "grafana.service" ]; diff --git a/modules/system/web-services/it-tools.nix b/modules/system/web-services/it-tools.nix index 728bea7..00b2a02 100644 --- a/modules/system/web-services/it-tools.nix +++ b/modules/system/web-services/it-tools.nix @@ -17,8 +17,6 @@ in }; config = lib.mkIf cfg.enable { - meta.domains.local = [ cfg.domain ]; - custom.services.caddy.virtualHosts.${cfg.domain}.files = "${pkgs.it-tools}/lib"; }; } diff --git a/modules/system/web-services/memos.nix b/modules/system/web-services/memos.nix index 8704e67..9b5e407 100644 
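Review bot: The new `lib.mapAttrs` body repeats verbatim the `virtualHosts |> lib.attrValues |> lib.map (vHost: vHost.domain)` expression introduced in `dns.nix` in this same commit, so the DNS view and the monitoring view of "which domains does a host serve" can drift apart the next time one of them is edited; a single helper (e.g. a `hostDomains` function in `self.lib`) called from both places would keep them identical by construction. As in `dns.nix`, a domain that was only in `meta.domains.local` without a Caddy virtual host (possibly syncthing's GUI domain, removed on the syncthing hunk) no longer gets a default Gatus endpoint, so it silently stops being monitored rather than failing evaluation. A one-line comment above the expression, such as `# a host's monitored domains are exactly its Caddy virtual hosts`, would record that this narrowing is intended. The enclosing `defaultEndpoints` binding continues past the hunk.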
--- a/modules/system/web-services/memos.nix +++ b/modules/system/web-services/memos.nix @@ -24,11 +24,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.memos = { enable = true; settings = options.services.memos.settings.default // { diff --git a/modules/system/web-services/ntfy.nix b/modules/system/web-services/ntfy.nix index a8f6eec..9cc9dd1 100644 --- a/modules/system/web-services/ntfy.nix +++ b/modules/system/web-services/ntfy.nix @@ -16,11 +16,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.ntfy-sh = { enable = true; settings = lib.mkForce { diff --git a/modules/system/web-services/outline.nix b/modules/system/web-services/outline.nix index 3f7179a..fb662c6 100644 --- a/modules/system/web-services/outline.nix +++ b/modules/system/web-services/outline.nix @@ -22,11 +22,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - sops.secrets."outline/gitlab-auth-secret" = { owner = config.users.users.outline.name; restartUnits = [ "outline.service" ]; diff --git a/modules/system/web-services/personal-blog.nix b/modules/system/web-services/personal-blog.nix index a4ff641..1930a2d 100644 --- a/modules/system/web-services/personal-blog.nix +++ b/modules/system/web-services/personal-blog.nix @@ -19,8 +19,6 @@ in }; config = lib.mkIf cfg.enable { - meta.domains.local = [ cfg.domain ]; - systemd.services.generate-blog = { serviceConfig.Type = "oneshot"; wantedBy = [ "multi-user.target" ]; diff --git a/modules/system/web-services/privatebin.nix b/modules/system/web-services/privatebin.nix index 3751b52..7285fa9 100644 --- a/modules/system/web-services/privatebin.nix +++ b/modules/system/web-services/privatebin.nix 
@@ -20,11 +20,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services = { privatebin = { enable = true; diff --git a/modules/system/web-services/radicale.nix b/modules/system/web-services/radicale.nix index ce371b9..ee4163a 100644 --- a/modules/system/web-services/radicale.nix +++ b/modules/system/web-services/radicale.nix @@ -25,11 +25,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - sops.secrets."radicale/htpasswd" = { owner = config.users.users.radicale.name; restartUnits = [ "radicale.service" ]; diff --git a/modules/system/web-services/stirling-pdf.nix b/modules/system/web-services/stirling-pdf.nix index 4212ac6..a0efb72 100644 --- a/modules/system/web-services/stirling-pdf.nix +++ b/modules/system/web-services/stirling-pdf.nix @@ -26,11 +26,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.stirling-pdf = { enable = true; environment = { diff --git a/modules/system/web-services/uptime-kuma.nix b/modules/system/web-services/uptime-kuma.nix index 13f6763..bb1522e 100644 --- a/modules/system/web-services/uptime-kuma.nix +++ b/modules/system/web-services/uptime-kuma.nix @@ -16,11 +16,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - services.uptime-kuma = { enable = true; settings.PORT = toString cfg.port; diff --git a/modules/system/web-services/victorialogs.nix b/modules/system/web-services/victorialogs.nix index 23c92df..80c9dc9 100644 --- a/modules/system/web-services/victorialogs.nix +++ b/modules/system/web-services/victorialogs.nix @@ -16,11 +16,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - users = { users.victorialogs = { isSystemUser = true; 
diff --git a/modules/system/web-services/victoriametrics.nix b/modules/system/web-services/victoriametrics.nix index 42877a5..0aae07b 100644 --- a/modules/system/web-services/victoriametrics.nix +++ b/modules/system/web-services/victoriametrics.nix @@ -16,11 +16,6 @@ in }; config = lib.mkIf cfg.enable { - meta = { - domains.local = [ cfg.domain ]; - ports.tcp = [ cfg.port ]; - }; - users = { users.victoriametrics = { isSystemUser = true;