Remove meta.ports and meta.domains modules

2026-01-22 12:34:24 +01:00 · 2026-01-21 23:25:16 +01:00 · 2026-01-21 23:25:16 +01:00 · b487ec8ae7
commit b487ec8ae7
parent d8abea9e18
31 changed files with 8 additions and 273 deletions
--- a/modules/system/meta/domains.nix
+++ b/modules/system/meta/domains.nix
@ -1,62 +0,0 @@
-{
-  config,
-  self,
-  lib,
-  ...
-}:
-let
-  cfg = config.meta.domains;
-in
-{
-  options.meta.domains = {
-    local = lib.mkOption {
-      type = lib.types.listOf lib.types.nonEmptyStr;
-      default = [ ];
-    };
-    global = lib.mkOption {
-      type = lib.types.listOf lib.types.nonEmptyStr;
-      default =
-        self.nixosConfigurations
-        |> lib.attrValues
-        |> lib.map (host: host.config.meta.domains.local)
-        |> lib.concatLists;
-      readOnly = true;
-    };
-    validate = lib.mkEnableOption "";
-  };
-
-  config = lib.mkIf cfg.validate {
-    assertions =
-      let
-        duplicateDomains =
-          self.nixosConfigurations
-          |> lib.attrValues
-          |> lib.map (host: host.options.meta.domains.local.definitionsWithLocations)
-          |> lib.concatLists
-          |> lib.concatMap (
-            { file, value }:
-            value
-            |> lib.map (domain: {
-              file = self.lib.relativePath file;
-              inherit domain;
-            })
-          )
-          |> builtins.groupBy (entry: toString entry.domain)
-          |> lib.mapAttrs (_: values: values |> lib.map (value: value.file))
-          |> lib.filterAttrs (_: files: lib.length files > 1);
-
-        errorMessage =
-          duplicateDomains
-          |> lib.mapAttrsToList (
-            domain: files:
-            "Duplicate domain `${domain}` found in:\n"
-            + (files |> lib.map (file: "  - ${file}") |> lib.concatLines)
-          )
-          |> lib.concatStrings;
-      in
-      lib.singleton {
-        assertion = duplicateDomains == { };
-        message = errorMessage;
-      };
-  };
-}
--- a/modules/system/meta/ports.nix
+++ b/modules/system/meta/ports.nix
@ -1,65 +0,0 @@
-{
-  config,
-  options,
-  self,
-  lib,
-  ...
-}:
-let
-  cfg = config.meta.ports;
-in
-{
-  options.meta.ports = {
-    tcp = lib.mkOption {
-      type = lib.types.listOf lib.types.port;
-      default = [ ];
-    };
-    udp = lib.mkOption {
-      type = lib.types.listOf lib.types.port;
-      default = [ ];
-    };
-    validate = lib.mkEnableOption "";
-  };
-
-  config = {
-    assertions =
-      let
-        findDuplicatePorts =
-          protocol:
-          options.meta.ports.${protocol}.definitionsWithLocations
-          |> lib.concatMap (
-            { file, value }:
-            value
-            |> lib.map (port: {
-              file = self.lib.relativePath file;
-              inherit port;
-            })
-          )
-          |> builtins.groupBy (entry: toString entry.port)
-          |> lib.mapAttrs (_: values: values |> lib.map (value: value.file))
-          |> lib.filterAttrs (_: files: lib.length files > 1);
-
-        mkErrorMessage =
-          duplicatePorts:
-          duplicatePorts
-          |> lib.mapAttrsToList (
-            port: files:
-            "Duplicate port `${port}` found in:\n" + (files |> lib.map (file: "  - ${file}") |> lib.concatLines)
-          )
-          |> lib.concatStrings;
-
-        duplicateTcpPorts = findDuplicatePorts "tcp";
-        duplicateUdpPorts = findDuplicatePorts "udp";
-      in
-      lib.mkIf cfg.validate [
-        {
-          assertion = duplicateTcpPorts == { };
-          message = mkErrorMessage duplicateTcpPorts;
-        }
-        {
-          assertion = duplicateUdpPorts == { };
-          message = mkErrorMessage duplicateUdpPorts;
-        }
-      ];
-  };
-}
--- a/modules/system/services/caddy.nix
+++ b/modules/system/services/caddy.nix
@ -95,7 +95,7 @@ in
          message = "Each caddy virtual host must set exactly one of `port` or `files`";
        };

-        meta.ports.tcp = [ cfg.metricsPort ];
+        networking.firewall.allowedTCPPorts = lib.mkIf publicHostsExist webPorts;

        services.caddy = {
          enable = true;
@ -111,11 +111,6 @@ in
        custom.persistence.directories = [ "/var/lib/caddy" ];
      }

-      (lib.mkIf publicHostsExist {
-        meta.ports.tcp = webPorts;
-        networking.firewall.allowedTCPPorts = webPorts;
-      })
-
      (lib.mkIf privateHostsExist {
        sops.secrets = {
          "porkbun/api-key".owner = config.users.users.acme.name;
--- a/modules/system/services/crowdsec/default.nix
+++ b/modules/system/services/crowdsec/default.nix
@ -38,11 +38,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta.ports.tcp = [
-      cfg.apiPort
-      cfg.prometheusPort
-    ];
-
    sops.secrets."crowdsec/enrollment-key" = {
      owner = user;
      restartUnits = [ "crowdsec.service" ];
--- a/modules/system/services/dns.nix
+++ b/modules/system/services/dns.nix
@ -12,11 +12,6 @@ in
  options.custom.services.dns.enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
-    # meta.ports = {
-    #   tcp = [ 53 ];
-    #   udp = [ 53 ];
-    # };
-
    services = {
      unbound = {
        enable = true;
@ -39,7 +34,9 @@ in
                  |> lib.attrValues
                  |> lib.concatMap (
                    host:
-                    host.config.meta.domains.local
+                    host.config.custom.services.caddy.virtualHosts
+                    |> lib.attrValues
+                    |> lib.map (vHost: vHost.domain)
                    |> lib.filter (domain: self.lib.isPrivateDomain domain)
                    |> lib.map (domain: "\"${domain}. A ${host.config.custom.networking.overlay.address}\"")
                  );
--- a/modules/system/services/nebula/default.nix
+++ b/modules/system/services/nebula/default.nix
@ -38,8 +38,6 @@ in
      systemdUnit = "nebula@mesh.service";
    };

-    meta.ports.udp = lib.optional netCfg.underlay.isPublic publicPort;
-
    sops.secrets."nebula/host-key" = {
      owner = config.users.users.nebula-mesh.name;
      restartUnits = [ "nebula@mesh.service" ];
--- a/modules/system/services/resolved.nix
+++ b/modules/system/services/resolved.nix
@ -1,22 +1,10 @@
 { config, lib, ... }:
-let
-  ports = [
-    53
-    5353
-    5355
-  ];
-in
 {
  options.custom.services.resolved.enable = lib.mkEnableOption "" // {
    default = config.systemd.network.enable;
  };

  config = lib.mkIf config.custom.services.resolved.enable {
-    meta.ports = {
-      tcp = ports;
-      udp = ports;
-    };
-
    services.resolved = {
      enable = true;
      dnssec = "allow-downgrade";
--- a/modules/system/services/sshd.nix
+++ b/modules/system/services/sshd.nix
@ -12,8 +12,6 @@ in
  options.custom.services.sshd.enable = lib.mkEnableOption "";

  config = lib.mkIf cfg.enable {
-    meta.ports.tcp = [ 22 ];
-
    services = {
      openssh = {
        enable = true;
--- a/modules/system/services/syncthing.nix
+++ b/modules/system/services/syncthing.nix
@ -61,17 +61,6 @@ in
      }
    ];

-    meta = {
-      domains.local = lib.mkIf (cfg.gui.domain != null) [ cfg.gui.domain ];
-      ports = {
-        tcp = [
-          cfg.syncPort
-          cfg.gui.port
-        ];
-        udp = [ cfg.syncPort ];
-      };
-    };
-
    sops.secrets = lib.mkIf useSopsSecrets {
      "syncthing/cert" = {
        owner = config.services.syncthing.user;
--- a/modules/system/web-services/actualbudget.nix
+++ b/modules/system/web-services/actualbudget.nix
@ -19,11 +19,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    users = {
      users.actual = {
        isSystemUser = true;
--- a/modules/system/web-services/alloy.nix
+++ b/modules/system/web-services/alloy.nix
@ -63,11 +63,6 @@ in
      in
      metricsAssertions ++ logsAssertions;

-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.alloy = {
      enable = true;
      extraFlags = [
--- a/modules/system/web-services/filebrowser.nix
+++ b/modules/system/web-services/filebrowser.nix
@ -29,11 +29,6 @@ in
      message = self.lib.mkUnprotectedMessage "Filebrowser";
    };

-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.filebrowser = {
      enable = true;
      settings = {
--- a/modules/system/web-services/forgejo/default.nix
+++ b/modules/system/web-services/forgejo/default.nix
@ -17,11 +17,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    users = {
      users.git = {
        isSystemUser = true;
--- a/modules/system/web-services/forgejo/ssh.nix
+++ b/modules/system/web-services/forgejo/ssh.nix
@ -12,8 +12,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta.ports.tcp = [ cfg.port ];
-
    services.forgejo.settings.server.SSH_PORT = cfg.port;

    services.openssh = {
--- a/modules/system/web-services/freshrss.nix
+++ b/modules/system/web-services/freshrss.nix
@ -29,11 +29,6 @@ in
      message = self.lib.mkUnprotectedMessage "FreshRSS";
    };

-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.freshrss = {
      enable = true;
      baseUrl = "https://${cfg.domain}";
--- a/modules/system/web-services/gatus.nix
+++ b/modules/system/web-services/gatus.nix
@ -70,11 +70,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    sops = {
      secrets."healthchecks/ping-key" = { };
      templates."gatus.env" = {
@ -176,7 +171,10 @@ in
        let
          defaultEndpoints =
            self.nixosConfigurations
-            |> lib.mapAttrs (_: host: host.config.meta.domains.local)
+            |> lib.mapAttrs (
+              _: host:
+              host.config.custom.services.caddy.virtualHosts |> lib.attrValues |> lib.map (vHost: vHost.domain)
+            )
            |> lib.concatMapAttrs (
              hostName: domains:
              domains
--- a/modules/system/web-services/grafana.nix
+++ b/modules/system/web-services/grafana.nix
@ -64,11 +64,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    sops.secrets."grafana/admin-password" = {
      owner = config.users.users.grafana.name;
      restartUnits = [ "grafana.service" ];
--- a/modules/system/web-services/it-tools.nix
+++ b/modules/system/web-services/it-tools.nix
@ -17,8 +17,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta.domains.local = [ cfg.domain ];
-
    custom.services.caddy.virtualHosts.${cfg.domain}.files = "${pkgs.it-tools}/lib";
  };
 }
--- a/modules/system/web-services/memos.nix
+++ b/modules/system/web-services/memos.nix
@ -24,11 +24,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.memos = {
      enable = true;
      settings = options.services.memos.settings.default // {
--- a/modules/system/web-services/ntfy.nix
+++ b/modules/system/web-services/ntfy.nix
@ -16,11 +16,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.ntfy-sh = {
      enable = true;
      settings = lib.mkForce {
--- a/modules/system/web-services/outline.nix
+++ b/modules/system/web-services/outline.nix
@ -22,11 +22,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    sops.secrets."outline/gitlab-auth-secret" = {
      owner = config.users.users.outline.name;
      restartUnits = [ "outline.service" ];
--- a/modules/system/web-services/personal-blog.nix
+++ b/modules/system/web-services/personal-blog.nix
@ -19,8 +19,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta.domains.local = [ cfg.domain ];
-
    systemd.services.generate-blog = {
      serviceConfig.Type = "oneshot";
      wantedBy = [ "multi-user.target" ];
--- a/modules/system/web-services/privatebin.nix
+++ b/modules/system/web-services/privatebin.nix
@ -20,11 +20,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services = {
      privatebin = {
        enable = true;
--- a/modules/system/web-services/radicale.nix
+++ b/modules/system/web-services/radicale.nix
@ -25,11 +25,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    sops.secrets."radicale/htpasswd" = {
      owner = config.users.users.radicale.name;
      restartUnits = [ "radicale.service" ];
--- a/modules/system/web-services/stirling-pdf.nix
+++ b/modules/system/web-services/stirling-pdf.nix
@ -26,11 +26,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.stirling-pdf = {
      enable = true;
      environment = {
--- a/modules/system/web-services/uptime-kuma.nix
+++ b/modules/system/web-services/uptime-kuma.nix
@ -16,11 +16,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    services.uptime-kuma = {
      enable = true;
      settings.PORT = toString cfg.port;
--- a/modules/system/web-services/victorialogs.nix
+++ b/modules/system/web-services/victorialogs.nix
@ -16,11 +16,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    users = {
      users.victorialogs = {
        isSystemUser = true;
--- a/modules/system/web-services/victoriametrics.nix
+++ b/modules/system/web-services/victoriametrics.nix
@ -16,11 +16,6 @@ in
  };

  config = lib.mkIf cfg.enable {
-    meta = {
-      domains.local = [ cfg.domain ];
-      ports.tcp = [ cfg.port ];
-    };
-
    users = {
      users.victoriametrics = {
        isSystemUser = true;