Attempt to set up guacamole

docs/ports.md

@@ -1,26 +0,0 @@
-# Ports
-
-The idea is to always use consecutive ports, but never go back and try to recycle older no longer used ports (for the sake of keeping things clean).
-
-| Port | Description                                                                 |
-| ---- | --------------------------------------------------------------------------- |
-| 8401 | [whoogle](../hosts/nixos/lapetus/services/whoogle.nix)                      |
-| 8402 | [intray api](../hosts/nixos/lapetus/services/intray.nix)                    |
-| 8403 | [intray](../hosts/nixos/lapetus/services/intray.nix)                        |
-| 8404 | [smos](../hosts/nixos/lapetus/services/smos.nix)                            |
-| 8405 | [smos docs](../hosts/nixos/lapetus/services/smos.nix)                       |
-| 8406 | [smos api](../hosts/nixos/lapetus/services/smos.nix)                        |
-| 8407 | [whoogle](../hosts/nixos/lapetus/services/whoogle.nix)                      |
-| 8408 | [vaultwarden](../hosts/nixos/lapetus/services/vaultwarden.nix)              |
-| 8409 | [grafana](../hosts/nixos/lapetus/services/grafana.nix)                      |
-| 8410 | [prometheus](../hosts/nixos/lapetus/services/prometheus.nix)                |
-| 8411 | [prometheus node exporter](../hosts/nixos/lapetus/services/prometheus.nix)  |
-| 8412 | [prometheus nginx exporter](../hosts/nixos/lapetus/services/prometheus.nix) |
-| 8413 | [commafeed](../hosts/nixos/lapetus/services/commafeed.nix)                  |
-| 8414 | [invidious](../hosts/nixos/lapetus/services/invidious.nix)                  |
-| 8415 | [radicale](../hosts/nixos/lapetus/services/radicale.nix)                    |
-| 8416 | [redlib](../hosts/nixos/lapetus/services/redlib.nix)                        |
-| 8417 | [qbittorrent](../hosts/nixos/lapetus/services/qbittorrent.nix)              |
-| 8418 | [microbin](../hosts/nixos/lapetus/services/microbin.nix)                    |
-| 8419 | [forgejo](../hosts/nixos/lapetus/services/forgejo.nix)                      |
-| 8420 | [jupyterjub](../hosts/nixos/lapetus/services/jupyter.nix)                   |

hosts/nixos/common/global/default.nix

@@ -16,6 +16,7 @@ let
     ./nix.nix
     ./locale.nix
     ./persistence.nix
+    ./ports.nix
     ./wireless
 
     ../../../../common

hosts/nixos/common/global/ports.nix

@@ -0,0 +1,26 @@
+# The idea is to always use consecutive ports, but never go back and try to
+# recycle older no longer used ports (for the sake of keeping things clean).
+{
+  satellite.ports = {
+    whoogle = 8401;
+    intray-api = 8402;
+    intray-client = 8403;
+    smos-docs = 8404;
+    smos-api = 8405;
+    smos-client = 8406;
+    vaultwarden = 8407;
+    actual = 8408;
+    grafana = 8409;
+    prometheus = 8410;
+    prometheus-node-exporter = 8411;
+    prometheus-nginx-exporter = 8412;
+    commafeed = 8413;
+    invidious = 8414;
+    radicale = 8415;
+    redlib = 8416;
+    qbittorrent = 8417;
+    microbin = 8418;
+    forgejo = 8419;
+    jupyterhub = 8420;
+  };
+}

hosts/nixos/common/optional/services/nginx.nix

@@ -1,5 +1,6 @@
 {
   imports = [ ./acme.nix ];
+  satellite.nginx.domain = "moonythm.dev"; # Root domain used throughout my config
   services.nginx = {
     enable = true;
     recommendedGzipSettings = true;

hosts/nixos/lapetus/default.nix

@@ -2,31 +2,39 @@
   imports = [
     ../common/global
     ../common/users/pilot.nix
+    ../common/optional/oci.nix
+    ../common/optional/services/acme.nix
     ../common/optional/services/kanata.nix
+    ../common/optional/services/nginx.nix
+    ../common/optional/services/postgres.nix
     ../common/optional/services/restic
 
-    ./services/syncthing.nix
+    # ./services/commafeed.nix
-    ./services/whoogle.nix
+    # ./services/ddclient.nix
-    ./services/pounce.nix
-    ./services/intray.nix
-    ./services/smos.nix
-    ./services/vaultwarden.nix
     ./services/actual.nix
-    ./services/homer.nix
+    ./services/cloudflared.nix
-    ./services/zfs.nix
-    ./services/prometheus.nix
-    ./services/grafana.nix
-    ./services/commafeed.nix
-    ./services/invidious.nix
     ./services/diptime.nix
+    ./services/forgejo.nix
+    ./services/grafana.nix
+    ./services/guacamole
+    ./services/homer.nix
+    ./services/intray.nix
+    ./services/invidious.nix
+    ./services/jellyfin.nix
+    ./services/jupyter.nix
+    ./services/microbin.nix
+    ./services/pounce.nix
+    ./services/prometheus.nix
+    ./services/prometheus.nix
+    ./services/qbittorrent.nix # turned on/off depending on whether my vpn is paid for
     ./services/radicale.nix
     ./services/redlib.nix
-    ./services/jellyfin.nix
+    ./services/smos.nix
-    ./services/qbittorrent.nix # turned on/off depending on whether my vpn is paid for
+    ./services/syncthing.nix
-    ./services/microbin.nix
+    ./services/vaultwarden.nix
-    ./services/forgejo.nix
+    ./services/whoogle.nix
-    ./services/jupyter.nix
+    ./services/zfs.nix
-    # ./services/ddclient.nix
+
     ./filesystems
     ./hardware
   ];

hosts/nixos/lapetus/secrets.yaml

@@ -8,6 +8,7 @@ microbin_env: ENC[AES256_GCM,data:nxiE9GIvEb0xgqomDdMyy2UtG25pt7h+6JUZkAgIejZbJf
 forgejo_mail_password: ENC[AES256_GCM,data:linrpmA8b+8e1+tWNl0=,iv:Mk7suPq0Jt960Zl9s2jj3SSAKt4t8Lv4eKdIo0o8JbE=,tag:TZ0qGJIVSFSUt/0cqamvdw==,type:str]
 javi_password: ENC[AES256_GCM,data:5Ifh/DclUz0/AL69Th/GckolrjerLOnDW77SOf+/L3v39T+EOYgK2GDNKtWGGWYX5sdxZ9JwLS3ZVsIOnN4zjFhgV+GChJWkkzjdpJEtpHlmmBKlyS31Fw7SixVkL3y3VJhw72aVv3bMKQ==,iv:FzAmvIlrhna5InsQCRrWVdrKZGmHMb0njWdvgBurdYs=,tag:/Iguu2FbdV/4RSGTnFdyYA==,type:str]
 vpn_env: ENC[AES256_GCM,data:+61Ft1xj1WnaGH6SdUj3sQunDeTWTQ/G2GVQr1KxXVmLehAdO3W2qwqPRsq0qaad3E6eXd7kMU78w1/9fXM34mJXArmXNPW1X+0549+NX4t3QVP83cIRw6B5vwlWMIA8ixEk46a+t7/C6A10hqpyhqHmeyQEOwJvG+Pou61lBmhSkMQy5gjH4ZNsHHZV0/6ZxSk0yAPQq76cPz4dFvyDzdonLnb+2s1KhHC3D7P6SfuWnfJ1EglrDT8R+A==,iv:mw26zTyFnq9CjN06eRmBTWNjh6SRDY7WOCyhBCmyglg=,tag:cPJvzgtruQNLSg7B+br6xQ==,type:str]
+guacamole_users: ENC[AES256_GCM,data:owqflMMpGLUWPcab8JDlQ12zOuCrfkohxims8we9gKuFX28hrjN1wCmgFDGgX5VqWp07SOKdQVI05xMMO2e9pYgUpeKx5FIa/S/4Q/RNelwWPLmhxqGyEt59L5IBgTfgW5qQMvsl1Q7Xgf8X5bFFUSRmzAx0RFamMPqr71vwPphT7XNnPT8QWQo/2bEUqH0Tb5ITkb1FRSMQzIempuKe4K+awISIDAMwLf87esnoHx+dzQQQObSkKGNDpZ39+IUmeyvTIgN7uWQ349jIzkjNTVMzMUWdpDM6Mn9NwQA8m9BXns9vAe03Ama5cQ0ei64eZSb5uYki0BIV2pYccmIBn4Y/QgfMi5F/L9khr94iiVfH6EWtrDIpVwFt9TNZA/gHbOkQVPyHUMGOpCn2tK5ifFDK0URH5E7WM66BiL3yKd7B9SvQuEN8bnFn64QgiYxSp5NxxGx1ZLE7pzSCEtXkWkCYDHe0xDpOUd+zEfOIeQo7Cdn7y5QaXFyrcwryprYb5Hx/5TtTkCm/+r9nl7BbMKnPLblJvsA77/7pws8xcLgNSAR0ROWqB88vauI1uvwdWN5U5VxsEJmoNQXQKOLOtiQ2mFfIY3DYdHtw1L26ISIYOU6XR7jI/MwOBPO94izEW/j1SwGNgMN5Aydu0RRUhyK9RojjR5CEYjyuqclcD0asJ4faYQn8GvnXJPKF/+U7C6O1g6/ejl3fjwyWRb4kreIATdRfZH+m3nVHgSMvPNk8aPlIs51+SIYMtzf32lKp/AVn2hFKF5g+r2rhWH13Lt9poUg2l//l3jPDY1hpc6dm/5H9ZIGKIqcBlYxqnQngUu51lGO0r6z7u/EsIbInnd5TLK5JrTfnuLuwbyo1yetT2J0MNumy9FcrTsDK4+7DEdAJUxPBRrzllgi+hrnDlVLgLH+7y/gc8lB0cE53GBBXp1N7SfJ1,iv:RFuPux63nSefW3+F08jb94q/NwIKE9g/DGjN++oMdXc=,tag:tCCUIttbK5wfbNpjzY0Bgw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +33,8 @@ sops:
             RHZ6alYrUU5BZ2xlMkdGR1dWRG5aeGMKJdsdtVZ6Mk9Vo3a+tS+rzAgaF2wpH+8U
             lWhA+c0Kbe8EJT8hm7Vr8PqBmElz4V9AnXSCTp7D+Cu4pfWsHopLUQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-31T23:18:45Z"
+    lastmodified: "2024-06-13T13:36:09Z"
-    mac: ENC[AES256_GCM,data:IUiFsu7+ANxUSr5hR6L3lwK+hP2LpGQFPliGOC3XyhxjLsEkbdCi/CqkaJH7tWZTSUoxMPtdn8JC8mGsnW0puhB6YWA26dbXjlvKGWO+02wcMONy3+prW8v7KLXWe513wsLx1fHOjHMchZj/p8gagOGw19aoGdsTNXnQczwPumo=,iv:hH5R9KFTWvps0JC8iKOkDJMeOfdatFHkz6LedeyY9WE=,tag:2pLvEplrGHpBHbtVfFxCfQ==,type:str]
+    mac: ENC[AES256_GCM,data:3YUMJJaAeU6S7BwB5FzUuke3SKMZ0naRtRQoAnSRMMj39dQmg20rQy8F5cWsPvQAbDhOnY/1t3IxGbc8LGQkapcJJhbLiWuQmnPylZuMIgXhsnEzSyZ195FJcTGP5JTfmUb0GZ29MSBAlqRcZb0IDZjbOpVigp5BbD+s64HpdFE=,iv:p1pg4A1JEX3YlvoG6ncaavbJvURPlkAQM/jKbE+9sgE=,tag:WvULhegnyz/HXRfCEP6DiQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

hosts/nixos/lapetus/services/actual.nix

@@ -1,23 +1,15 @@
 { config, ... }:
-let
+let dataDir = "/persist/state/var/lib/actual";
-  port = 8408;
-  host = "actual.moonythm.dev";
-  dataDir = "/persist/state/var/lib/actual";
 in
 {
-  imports = [
+  satellite.nginx.at.actual.port = config.satellite.ports.actual;
-    ../../common/optional/services/nginx.nix
-    ../../common/optional/oci.nix
-  ];
-
-  services.nginx.virtualHosts.${host} = config.satellite.proxy port { };
   systemd.tmpfiles.rules = [ "d ${dataDir}" ];
 
   virtualisation.oci-containers.containers.actual = {
     image = "actualbudget/actual-server:latest";
     autoStart = true;
 
-    ports = [ "${toString port}:5006" ]; # server:docker
+    ports = [ "${toString config.satellite.nginx.at.actual.port}:5006" ]; # server:docker
     volumes = [ "${dataDir}:/data" ]; # server:docker
   };
 }

hosts/nixos/lapetus/services/commafeed.nix

@@ -1,18 +1,11 @@
 { config, ... }:
 let
-  port = 8413;
+  port = config.satellite.ports.commafeed;
-  host = "rss.moonythm.dev";
   dataDir = "/persist/state/var/lib/commafeed";
 in
 {
-  imports = [
-    ../../common/optional/services/nginx.nix
-    ../../common/optional/oci.nix
-  ];
-
   systemd.tmpfiles.rules = [ "d ${dataDir}" ];
-  services.nginx.virtualHosts.${host} = config.satellite.proxy port
+  satellite.nginx.at.rss.port = port;
-    { proxyWebsockets = true; };
 
   virtualisation.oci-containers.containers.commafeed = {
     image = "athou/commafeed:latest";
@@ -27,7 +20,7 @@ in
 
     # https://github.com/Athou/commafeed/blob/master/commafeed-server/config.yml.example
     environment = {
-      CF_APP_PUBLICURL = "https://${host}";
+      CF_APP_PUBLICURL = "https://${config.satellite.nginx.at.rss.host}";
       CF_APP_ALLOWREGISTRATIONS = "false"; # I already made an account
       CF_APP_MAXENTRIESAGEDAYS = "0"; # Fetch old entries
 

hosts/nixos/lapetus/services/ddclient.nix

@@ -1,8 +1,6 @@
 # DDClient is a dynamic dns service
 { config, pkgs, ... }:
 {
-  imports = [ ../../common/optional/services/acme.nix ];
-
   services.ddclient = {
     enable = true;
     interval = "1m";

hosts/nixos/lapetus/services/diptime.nix

@@ -1,12 +1,9 @@
 # I couldn't find a hosted version of this
 { pkgs, config, ... }: {
-  imports = [ ../../common/optional/services/nginx.nix ];
+  satellite.nginx.at.diptime.files = pkgs.fetchFromGitHub {
-
-  services.nginx.virtualHosts."diptime.moonythm.dev" =
-    config.satellite.static (pkgs.fetchFromGitHub {
     owner = "bhickey";
     repo = "diplomatic-timekeeper";
     rev = "d6ea7b9d9e94ee6d2db8e4e7cff5f8f1c3f04464";
     sha256 = "09s6awz5m6hzpc6jp96c118i372430c7b41acm5m62bllcvrj9vk";
-    });
+  };
 }

hosts/nixos/lapetus/services/forgejo.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  port = 8419;
+  port = config.satellite.ports.forgejo;
   host = "git.moonythm.dev";
   cfg = config.services.forgejo;
 in

hosts/nixos/lapetus/services/grafana.nix

@@ -1,5 +1,6 @@
 { config, pkgs, ... }:
 let
+  port = config.satellite.ports.grafana;
   secret = name: "$__file{${config.sops.secrets.${name}.path}}";
   sopsSettings = {
     sopsFile = ../secrets.yaml;
@@ -7,11 +8,6 @@ let
   };
 in
 {
-  imports = [
-    ../../common/optional/services/nginx.nix
-    ./prometheus.nix
-  ];
-
   sops.secrets.grafana_smtp_pass = sopsSettings;
   sops.secrets.grafana_discord_webhook = sopsSettings;
 
@@ -21,9 +17,9 @@ in
 
     settings = {
       server = rec {
-        domain = "grafana.moonythm.dev";
+        domain = config.satellite.nginx.at.grafana.host;
         root_url = "https://${domain}";
-        http_port = 8409;
+        http_port = port;
       };
 
       # {{{ Smtp
@@ -90,8 +86,7 @@ in
   };
   # }}}
   # {{{ Networking & storage
-  services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} =
+  satellite.nginx.at.grafana.port = port;
-    config.satellite.proxy config.services.grafana.settings.server.http_port { };
 
   environment.persistence."/persist/state".directories = [{
     directory = config.services.grafana.dataDir;

hosts/nixos/lapetus/services/guacamole/default.nix

@@ -0,0 +1,14 @@
+{ config, ... }:
+{
+  sops.secrets.guacamoleUsers.sopsFile = ../../secrets.yaml;
+  satellite.nginx.at.guacamole.port = 8443; # default tomcat port
+
+  services.guacamole-server = {
+    enable = true;
+    services.guacamole-server.userMappingXml = config.sops.secrets.guacamoleUsers.path;
+  };
+
+  services.guacamole-client = {
+    enable = true;
+  };
+}

hosts/nixos/lapetus/services/guacamole/ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4xXKQ07lTMuCIg9Grejp2+o50Fo1ptxyK1oGnWt8jA adrielus@tethys

hosts/nixos/lapetus/services/homer.nix

@@ -20,10 +20,7 @@ let
   icon = file: "assets/${iconPath}/${file}";
 in
 {
-  imports = [ ../../common/optional/services/nginx.nix ];
+  satellite.nginx.at.lab.files = pkgs.homer.withAssets {
-
-  services.nginx.virtualHosts."lab.moonythm.dev" =
-    config.satellite.static (pkgs.homer.withAssets {
     extraAssets = [ iconPath ];
     config = {
       title = "✨ The celestial citadel ✨";
@@ -60,6 +57,12 @@ in
               logo = icon "syncthing.png";
               url = "https://lapetus.syncthing.moonythm.dev";
             }
+            {
+              name = "Guacamole";
+              subtitle = "Server remote access";
+              logo = icon "guacamole.png";
+              url = "https://guacamole.moonythm.dev";
+            }
           ];
         }
         # }}}
@@ -115,7 +118,7 @@ in
           ];
         }
         # }}}
-          # {{{ Pillars
+        # {{{ Tooling
         {
           name = "Tooling";
           icon = fa "toolbox";
@@ -142,7 +145,7 @@ in
               name = "Microbin";
               subtitle = "Code & file sharing";
               logo = icon "microbin.png";
-                url = "https://cal.moonythm.dev";
+              url = "https://bin.moonythm.dev";
             }
             {
               name = "Forgejo";
@@ -150,6 +153,12 @@ in
               logo = icon "forgejo.svg";
               url = "https://git.moonythm.dev";
             }
+            {
+              name = "Jupyterhub";
+              subtitle = "Notebook collaboration suite";
+              logo = icon "jupyter.png";
+              url = "https://jupyter.moonythm.dev";
+            }
           ];
         }
         # }}}
@@ -199,5 +208,5 @@ in
         # }}}
       ];
     };
-    });
+  };
 }

hosts/nixos/lapetus/services/intray.nix

@@ -1,15 +1,11 @@
 { inputs, config, ... }:
 let
   username = "prescientmoon";
-  apiHost = "api.intray.moonythm.dev";
+  apiPort = config.satellite.ports.intray-api;
-  apiPort = 8402;
+  webPort = config.satellite.ports.intray-client;
-  webPort = 8403;
 in
 {
-  imports = [
+  imports = [ inputs.intray.nixosModules.x86_64-linux.default ];
-    ../../common/optional/services/nginx.nix
-    inputs.intray.nixosModules.x86_64-linux.default
-  ];
 
   # {{{ Configure intray 
   services.intray.production = {
@@ -22,13 +18,13 @@ in
     web-server = {
       enable = true;
       port = webPort;
-      api-url = "https://${apiHost}";
+      api-url = config.satellite.nginx.at."api.intray".url;
     };
   };
   # }}}
   # {{{ Networking & storage
-  services.nginx.virtualHosts.${apiHost} = config.satellite.proxy apiPort { };
+  satellite.nginx.at."intray".port = webPort;
-  services.nginx.virtualHosts."intray.moonythm.dev" = config.satellite.proxy webPort { };
+  satellite.nginx.at."api.intray".port = apiPort;
 
   environment.persistence."/persist/state".directories = [
     "/www/intray/production/data"

hosts/nixos/lapetus/services/invidious.nix

@@ -1,22 +1,16 @@
 { config, pkgs, ... }: {
-  imports = [
-    ../../common/optional/services/nginx.nix
-    ../../common/optional/services/postgres.nix
-  ];
-
   sops.secrets.invidious_hmac_key.sopsFile = ../secrets.yaml;
   sops.templates."invidious_hmac_key.json" = {
     content = ''{ "hmac_key": "${config.sops.placeholder.invidious_hmac_key}" }'';
     mode = "0444"; # I don't care about this key that much, as I'm the only user of this instance
   };
 
-  services.nginx.virtualHosts.${config.services.invidious.domain} =
+  satellite.nginx.at.yt.port = config.satellite.ports.invidious;
-    config.satellite.proxy config.services.invidious.port { };
 
   services.invidious = {
     enable = true;
-    domain = "yt.moonythm.dev";
+    domain = config.satellite.nginx.at.yt.host;
-    port = 8414;
+    port = config.satellite.nginx.at.yt.port;
     hmacKeyFile = config.sops.templates."invidious_hmac_key.json".path;
 
     settings = {

hosts/nixos/lapetus/services/jellyfin.nix

@@ -1,9 +1,6 @@
 { config, pkgs, ... }: {
-  imports = [ ../../common/optional/services/nginx.nix ];
+  # This is the default port, and can only be changed via the GUI
-
+  satellite.nginx.at.media.port = 8096;
-  services.nginx.virtualHosts."media.moonythm.dev" =
-    config.satellite.proxy 8096 { }; # This is the default port, and can only be changed via the GUI
-
   services.jellyfin.enable = true;
 
   # {{{ Storage 

hosts/nixos/lapetus/services/jupyter.nix

@@ -18,7 +18,7 @@ in
 
   services.jupyterhub = {
     enable = true;
-    port = 8420;
+    port = config.satellite.ports.jupyterhub;
 
     jupyterhubEnv = appEnv;
     jupyterlabEnv = appEnv;

hosts/nixos/lapetus/services/microbin.nix

@@ -1,11 +1,9 @@
 { config, lib, ... }:
 let
-  port = 8418;
+  port = config.satellite.ports.microbin;
   host = "bin.moonythm.dev";
 in
 {
-  imports = [ ./cloudflared.nix ];
-
   sops.secrets.microbin_env.sopsFile = ../secrets.yaml;
   satellite.cloudflared.targets.${host}.port = port;
 

hosts/nixos/lapetus/services/prometheus.nix

@@ -1,14 +1,10 @@
 { config, pkgs, ... }:
-let host = "prometheus.moonythm.dev";
-in
 {
-  imports = [ ../../common/optional/services/nginx.nix ];
-
   # {{{ Main config
   services.prometheus = {
     enable = true;
-    port = 8410;
+    port = config.satellite.ports.prometheus;
-    webExternalUrl = "https://${host}";
+    webExternalUrl = config.satellite.nginx.at.prometheus.url;
 
     # {{{ Base exporters
     exporters = {
@@ -16,12 +12,12 @@ in
       node = {
         enable = true;
         enabledCollectors = [ "systemd" ];
-        port = 8411;
+        port = config.satellite.ports.prometheus-node-exporter;
       };
 
       nginx = {
         enable = true;
-        port = 8412;
+        port = config.satellite.ports.prometheus-nginx-exporter;
       };
     };
 
@@ -38,9 +34,7 @@ in
   };
   # }}}
   # {{{ Networking & storage
-  services.nginx.virtualHosts.${host} =
+  satellite.nginx.at.prometheus.port = config.services.prometheus.port;
-    config.satellite.proxy config.services.prometheus.port
-      { proxyWebsockets = true; };
 
   environment.persistence."/persist/state".directories = [{
     directory = "/var/lib/prometheus2";

hosts/nixos/lapetus/services/qbittorrent.nix

@@ -3,27 +3,20 @@
 # https://www.reddit.com/r/HomeServer/comments/xapl93/a_minimal_configuration_stepbystep_guide_to_media/
 { config, pkgs, ... }:
 let
-  port = 8417;
+  port = config.satellite.ports.qbittorrent;
   dataDir = "/persist/data/media";
   configDir = "/persist/state/var/lib/qbittorrent";
 in
 {
-  imports = [
+  # {{{ Networking & storage
-    ../../common/optional/services/nginx.nix
+  satellite.nginx.at.qbit.port = port;
-    ../../common/optional/oci.nix
-  ];
-
   sops.secrets.vpn_env.sopsFile = ../secrets.yaml;
-
-  services.nginx.virtualHosts."qbit.moonythm.dev" =
-    config.satellite.proxy port { proxyWebsockets = true; };
-
   systemd.tmpfiles.rules = [
     "d ${dataDir} 777 ${config.users.users.pilot.name} users"
     "d ${configDir}"
   ];
-
+  # }}}
-  # {{{ qbit
+  # {{{ Qbit
   virtualisation.oci-containers.containers.qbittorrent = {
     image = "linuxserver/qbittorrent:latest";
     extraOptions = [ "--network=container:gluetun" ];
@@ -37,7 +30,7 @@ in
     };
   };
   # }}}
-  # {{{ vpn
+  # {{{ Vpn
   virtualisation.oci-containers.containers.gluetun = {
     image = "qmcgaw/gluetun";
     extraOptions = [

hosts/nixos/lapetus/services/radicale.nix

@@ -1,6 +1,6 @@
 { config, ... }:
 let
-  port = 8415;
+  port = config.satellite.ports.radicale;
   dataDir = "/persist/data/radicale";
 in
 {
@@ -14,7 +14,5 @@ in
   };
 
   systemd.tmpfiles.rules = [ "d ${dataDir} 0700 radicale radicale" ];
-
+  satellite.nginx.at.cal.port = port;
-  services.nginx.virtualHosts."cal.moonythm.dev" =
-    config.satellite.proxy port { };
 }

hosts/nixos/lapetus/services/redlib.nix

@@ -1,13 +1,9 @@
 { config, lib, upkgs, ... }:
-let port = 8416;
+let port = config.satellite.ports.redlib;
 in
 {
-  imports = [ ../../common/optional/services/nginx.nix ];
-
-  services.nginx.virtualHosts."redlib.moonythm.dev" =
-    config.satellite.proxy port { };
-
   services.libreddit.enable = true;
+  satellite.nginx.at.redlib.port = port;
   systemd.services.libreddit.serviceConfig.ExecStart =
     lib.mkForce "${upkgs.redlib}/bin/redlib --port ${toString port}";
 }

hosts/nixos/lapetus/services/smos.nix

@@ -1,20 +1,8 @@
 { inputs, config, ... }:
-let
+let username = "prescientmoon";
-  username = "prescientmoon";
-  docsHost = "docs.smos.moonythm.dev";
-  apiHost = "api.smos.moonythm.dev";
-  webHost = "smos.moonythm.dev";
-  docsPort = 8404;
-  apiPort = 8405;
-  webPort = 8406;
-
-  https = host: "https://${host}";
 in
 {
-  imports = [
+  imports = [ inputs.smos.nixosModules.x86_64-linux.default ];
-    ../../common/optional/services/nginx.nix
-    inputs.smos.nixosModules.x86_64-linux.default
-  ];
 
   # {{{ Configure smos 
   services.smos.production = {
@@ -24,16 +12,16 @@ in
     docs-site = {
       enable = true;
       openFirewall = false;
-      port = docsPort;
+      port = config.satellite.nginx.at."docs.smos".port;
-      api-url = https apiHost;
+      api-url = config.satellite.nginx.at."api.smos".url;
-      web-url = https webHost;
+      web-url = config.satellite.nginx.at."smos".url;
     };
     # }}}
     # {{{ Api server
     api-server = {
       enable = true;
       openFirewall = false;
-      port = apiPort;
+      port = config.satellite.nginx.at."api.smos".port;
       admin = username;
 
       max-backups-per-user = 5;
@@ -45,25 +33,18 @@ in
     web-server = {
       enable = true;
       openFirewall = false;
-      port = webPort;
+      port = config.satellite.nginx.at."smos".port;
-      docs-url = https docsHost;
+      docs-url = config.satellite.nginx.at."docs.smos".url;
-      api-url = https apiHost;
+      api-url = config.satellite.nginx.at."api.smos".url;
-      web-url = https webHost;
+      web-url = config.satellite.nginx.at."smos".url;
     };
     # }}}
   };
   # }}}
   # {{{ Networking & storage
-  services.nginx.virtualHosts.${docsHost} = config.satellite.proxy docsPort { };
+  satellite.nginx.at."docs.smos".port = config.satellite.ports.smos-docs;
-  services.nginx.virtualHosts.${apiHost} = config.satellite.proxy apiPort { };
+  satellite.nginx.at."api.smos".port = config.satellite.ports.smos-api;
-  services.nginx.virtualHosts.${webHost} = config.satellite.proxy webPort {
+  satellite.nginx.at."smos".port = config.satellite.ports.smos-client;
-    proxyWebsockets = true;
-
-    # Just to make sure we don't run into 413 errors on big syncs
-    extraConfig = ''
-      client_max_body_size 0;
-    '';
-  };
 
   environment.persistence."/persist/state".directories = [
     "/www/smos/production"

hosts/nixos/lapetus/services/syncthing.nix

@@ -2,16 +2,11 @@
 let port = 8384;
 in
 {
-  imports = [
-    ../../common/optional/services/syncthing.nix
-    ../../common/optional/services/nginx.nix
-  ];
-
   services.syncthing = {
     settings.folders = { };
     guiAddress = "127.0.0.1:${toString port}";
     settings.gui.insecureSkipHostcheck = true;
   };
 
-  services.nginx.virtualHosts."lapetus.syncthing.moonythm.dev" = config.satellite.proxy port { };
+  satellite.nginx.at."lapetus.syncthing".port = port;
 }

hosts/nixos/lapetus/services/vaultwarden.nix

@@ -1,13 +1,6 @@
 { config, ... }:
-let
-  port = 8407;
-  host = "warden.moonythm.dev";
-in
 {
-  imports = [ ../../common/optional/services/nginx.nix ];
+  satellite.nginx.at.warden.port = config.satellite.ports.vaultwarden;
-
-  services.nginx.virtualHosts.${host} =
-    config.satellite.proxy port { proxyWebsockets = true; };
 
   # {{{ Secrets 
   sops.secrets.vaultwarden_env = {
@@ -21,11 +14,11 @@ in
     enable = true;
     environmentFile = config.sops.secrets.vaultwarden_env.path;
     config = {
-      DOMAIN = "https://${host}";
+      DOMAIN = "https://${config.satellite.nginx.at.warden.host}";
+      ROCKET_PORT = config.satellite.nginx.at.warden.port;
       ROCKET_ADDRESS = "127.0.0.1";
-      ROCKET_PORT = port;
 
-      SIGNUPS_ALLOWED = true;
+      SIGNUPS_ALLOWED = false;
       SHOW_PASSWORD_HINT = false;
 
       SMTP_SECURITY = "force_tls";

hosts/nixos/lapetus/services/whoogle.nix

@@ -1,7 +1,5 @@
 { lib, config, ... }:
-let
+let websiteBlocklist = [
-  port = 8401;
-  websiteBlocklist = [
   "www.saashub.com"
   "slant.co"
   "nix-united.com"
@@ -12,28 +10,23 @@ let
   "linuxiac.com"
   "www.linuxlinks.com"
   "sourceforge.net"
-  ];
+];
 in
 {
-  imports = [
-    ../../common/optional/services/nginx.nix
-    ../../common/optional/oci.nix
-  ];
-
   virtualisation.oci-containers.containers.whoogle-search = {
     image = "benbusby/whoogle-search";
     autoStart = true;
-    ports = [ "${toString port}:5000" ]; # server:docker
+    ports = [ "${toString config.satellite.nginx.at.search.port}:5000" ]; # server:docker
     environment = {
       WHOOGLE_UPDATE_CHECK = "0";
       WHOOGLE_CONFIG_DISABLE = "0";
       WHOOGLE_CONFIG_BLOCK = lib.concatStringsSep "," websiteBlocklist;
       WHOOGLE_CONFIG_THEME = "system";
       WHOOGLE_ALT_WIKI = ""; # disable redirecting wikipedia links
-      WHOOGLE_ALT_RD = "redlib.moonythm.dev";
+      WHOOGLE_ALT_RD = config.satellite.nginx.at.redlib.host;
-      WHOOGLE_ALT_YT = "yt.moonythm.dev";
+      WHOOGLE_ALT_YT = config.satellite.nginx.at.yt.host;
     };
   };
 
-  services.nginx.virtualHosts."search.moonythm.dev" = config.satellite.proxy port { };
+  satellite.nginx.at.search.port = config.satellite.ports.whoogle;
 }

modules/README.md

@@ -26,7 +26,8 @@ This directory contains custom module definitions used throughout my config.
 | Name                                   | Attribute               | Description                                 |
 | -------------------------------------- | ----------------------- | ------------------------------------------- |
 | [pounce](./nixos/pounce.nix)           | `services.pounce`       | Module for pounce & calico configuration    |
-| [nginx](./nixos/nginx.nix)             | `satellite.proxy`       | Helpers for nginx configuration             |
+| [nginx](./nixos/nginx.nix)             | `satellite.nginx`       | Helpers for nginx configuration             |
+| [ports](./nixos/ports.nix)             | `satellite.ports`       | Global port specification                   |
 | [cloudflared](./nixos/cloudflared.nix) | `satellite.cloudflared` | Helpers for cloudflare tunnel configuration |
 | [pilot](./nixos/pilot.nix)             | `satellite.pilot`       | Defined the concept of a "main user"        |
 

modules/nixos/default.nix

@@ -3,6 +3,7 @@
 {
   # example = import ./example.nix;
   cloudflared = import ./cloudflared.nix;
+  ports = import ./ports.nix;
   nginx = import ./nginx.nix;
   pilot = import ./pilot.nix;
   pounce = import ./pounce.nix;

modules/nixos/nginx.nix

@@ -1,25 +1,85 @@
-{ lib, ... }: {
+{ config, lib, ... }:
-  options.satellite.proxy = lib.mkOption {
+let cfg = config.satellite.nginx;
-    type = lib.types.functionTo (lib.types.functionTo lib.types.anything);
+in
-    description = "Helper function for generating a quick proxy config";
+{
+  options.satellite.nginx = {
+    domain = lib.mkOption {
+      description = "Root domain to use as a default for configurations.";
+      type = lib.types.str;
     };
 
-  options.satellite.static = lib.mkOption {
+    at = lib.mkOption {
-    type = lib.types.functionTo lib.types.anything;
+      description = "Per-subdomain nginx configuration";
-    description = "Helper function for generating a quick file serving config";
+      type = lib.types.attrsOf (lib.types.submodule ({ name, config, ... }: {
+        options.name = lib.mkOption {
+          description = "Attribute name leading to this submodule";
+          type = lib.types.str;
         };
 
-  config.satellite.proxy = port: extra: {
+        config.name = name;
+
+        options.host = lib.mkOption {
+          description = "Host to route requests from";
+          type = lib.types.str;
+          default = "${name}.${cfg.domain}";
+        };
+
+        options.url = lib.mkOption {
+          description = "External https url used to access this host";
+          type = lib.types.str;
+        };
+
+        config.url = "https://${config.host}";
+
+        options.port = lib.mkOption {
+          description = "Port to proxy requests to";
+          type = lib.types.nullOr lib.types.port;
+          default = null;
+        };
+
+        options.files = lib.mkOption {
+          description = "Path to serve files from";
+          type = lib.types.nullOr lib.types.path;
+          default = null;
+        };
+      }));
+      default = { };
+    };
+  };
+
+  config = {
+    assertions =
+      let assertSingleTarget = config:
+        {
+          assertion = (config.port == null) == (config.files != null);
+          message = ''
+            Precisely one of the options 'satellite.nginx.at.${config.name}.port'
+            and 'satellite.nginx.at.${config.name}.files' must be specified.
+          '';
+        };
+      in lib.mapAttrsToList (_: assertSingleTarget) cfg.at;
+
+    services.nginx.virtualHosts =
+      let mkNginxConfig = { host, port, files }: {
+        name = host;
+        value =
+          let extra =
+            if port != null then {
+              locations."/" = {
+                proxyPass = "http://localhost:${toString port}";
+                proxyWebsockets = true;
+              };
+            }
+            else {
+              root = files;
+            };
+          in
+          {
             enableACME = true;
             acmeRoot = null;
             forceSSL = true;
-    locations."/" = { proxyPass = "http://localhost:${toString port}"; } // extra;
+          } // extra;
       };
-
+      in lib.attrsets.mapAttrs' (_: mkNginxConfig) cfg.at;
-  config.satellite.static = root: {
-    inherit root;
-    enableACME = true;
-    acmeRoot = null;
-    forceSSL = true;
   };
 }

modules/nixos/ports.nix

@@ -0,0 +1,9 @@
+# Generic interface for working specifying a single-source of truth for ports!
+{ lib, ... }:
+{
+  options.satellite.ports = lib.mkOption {
+    description = "Record of custom app-port mappings to use throughput the config";
+    type = lib.types.lazyAttrsOf lib.types.port;
+    default = { };
+  };
+}

scripts/dns/dns.txt

@@ -16,6 +16,7 @@ cal                IN CNAME  lapetus
 diptime            IN CNAME  lapetus
 docs.smos          IN CNAME  lapetus
 grafana            IN CNAME  lapetus
+guacamole          IN CNAME  lapetus
 intray             IN CNAME  lapetus
 irc                IN CNAME  lapetus
 jupyter            IN CNAME  lapetus
@@ -37,8 +38,8 @@ tunnel.lapetus     IN CNAME  347d9ead-a523-4f8b-bca7-3066e31e2952.cfargotunnel.c
 
 ; lapetus services using cloudflare tunnels
 bin                IN CNAME  tunnel.lapetus
-jupyter            IN CNAME  tunnel.lapetus
 git                IN CNAME  tunnel.lapetus
+jupyter            IN CNAME  tunnel.lapetus
 
 ; github pages
 doffycup           IN CNAME  prescientmoon.github.io.

scripts/rebuild.sh

@@ -1,2 +1,2 @@
 #!/usr/bin/env bash
-sudo nixos-rebuild switch --flake .#$hostname --show-trace --fast
+sudo nixos-rebuild switch --flake .#$HOSTNAME --show-trace --fast

scripts/repl.sh

@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+nix repl ".#nixosConfigurations.$1.config"