From 10843c1efc1547a4474a35a9f98dd86141b0e4a5 Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Sat, 20 Jan 2024 19:51:48 +0100
Subject: [PATCH 1/3] thrall: Extract haskell.nix config - iohk public key and cache

---
 hosts/thrall/default.nix | 7 +------
 modules/iohk.nix | 9 +++++++++
 2 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 modules/iohk.nix

diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index db917a5..1151964 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
@@ -11,14 +11,9 @@ in {
 ./hardware-configuration.nix
 ../../modules/upgrade-pg-cluster.nix
 ../../modules/nix-config.nix
+ ../../modules/iohk.nix
 ];
 
- # Binary Cache for Haskell.nix
- nix.settings.trusted-public-keys =
- [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
-
- #nix.binaryCaches = [ "https://hydra.iohk.io" ];
-
 # Use the GRUB 2 boot loader.
 boot.loader.grub.enable = true;
 # boot.loader.grub.efiSupport = true;
diff --git a/modules/iohk.nix b/modules/iohk.nix
new file mode 100644
index 0000000..b4215c9
--- /dev/null
+++ b/modules/iohk.nix
@@ -0,0 +1,9 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # Binary Cache for Haskell.nix
+ nix.settings.trusted-public-keys =
+ [ "hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=" ];
+
+ nix.settings.substituters = lib.mkAfter [ "https://hydra.iohk.io" ];
+}

From 5c1e8ea969e6a3becf64985e8b6db04d00a62987 Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Sun, 21 Jan 2024 10:52:56 +0100
Subject: [PATCH 2/3] thrall: Extract timezone configuration

---
 hosts/thrall/default.nix | 11 ++++-------
 modules/timezone.nix | 5 +++++
 2 files changed, 9 insertions(+), 7 deletions(-)
 create mode 100644 modules/timezone.nix

diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 1151964..2b1df41 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
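Review bot: The `nix.settings.substituters` line in modules/iohk.nix turns on a cache that existed in the host file only as the commented-out `#nix.binaryCaches`, so from this commit on every build on thrall will fetch from it and accept any store path signed by the hydra.iohk.io key; that trust decision deserves a comment beside the key rather than the generic "Binary Cache for Haskell.nix", e.g. `# Paths signed by this key are accepted as-is; keep the key and the substituter below in sync`. `lib.mkAfter` should keep the default cache ahead of it in lookup order, which is the right call. As far as I know the hydra.iohk.io endpoint has since been superseded by cache.iog.io under the same signing key, so it is worth confirming the URL still serves before other hosts import this module.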
@@ -3,15 +3,14 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-let
- extIface = "ens3";
- ledgerVHost = "ledger.failco.de";
+let ledgerVHost = "ledger.failco.de";
 in {
 imports = [
 ./hardware-configuration.nix
 ../../modules/upgrade-pg-cluster.nix
 ../../modules/nix-config.nix
 ../../modules/iohk.nix
+ ../../modules/timezone.nix
 ];
 
 # Use the GRUB 2 boot loader.
@@ -23,9 +22,6 @@ in {
 boot.loader.grub.device = "/dev/vda"; # or "nodev" for efi only
 # boot.loader.systemd-boot.enable = true;
 
- # Set your time zone.
- time.timeZone = "Europe/Berlin";
-
 age.secrets = {
 mailPass.file = ../../secrets/mailPass.age;
 paperless-mail.file = ../../secrets/paperless-mail.age;
@@ -41,7 +37,8 @@ in {
 # The global useDHCP flag is deprecated, therefore explicitly set to false here.
 # Per-interface useDHCP will be mandatory in the future, so this generated config
 # replicates the default behaviour.
- networking = {
+ networking = let extIface = "ens3";
+ in {
 hostName = "thrall";
 domain = "failco.de";
 wireless.enable = false;
diff --git a/modules/timezone.nix b/modules/timezone.nix
new file mode 100644
index 0000000..8323310
--- /dev/null
+++ b/modules/timezone.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ time.timeZone = lib.mkDefault "Europe/Berlin";
+}

From a951a1e3fbaebf7c2ea66b4ecbc6a47aab91c55c Mon Sep 17 00:00:00 2001
From: Alexander Kobjolke
Date: Mon, 22 Jan 2024 21:19:09 +0100
Subject: [PATCH 3/3] thrall: Extract modules

---
 hosts/thrall/default.nix | 39 ++++++++++++++++++++-------------------
 modules/keybase.nix | 5 +++++
 modules/ssh.nix | 5 +++++
 3 files changed, 30 insertions(+), 19 deletions(-)
 create mode 100644 modules/keybase.nix
 create mode 100644 modules/ssh.nix

diff --git a/hosts/thrall/default.nix b/hosts/thrall/default.nix
index 2b1df41..29f0322 100644
--- a/hosts/thrall/default.nix
+++ b/hosts/thrall/default.nix
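Review bot: The `networking = let extIface = "ens3"; in {` rewrite in the `@@ -41,7 +37,8 @@` hunk of hosts/thrall/default.nix has nothing to do with the timezone extraction the commit title describes; narrowing `extIface` to the attribute set that uses it is a fine change, but it should either be its own commit or be named in the message so the history stays searchable. The rest of this hunk's `networking` block lies outside the diff, so whether `extIface` is referenced anywhere else in the file cannot be confirmed from here.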
@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-let ledgerVHost = "ledger.failco.de";
+let
+ authorityFromUrl = url:
+ builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
 in {
 imports = [
 ./hardware-configuration.nix
@@ -11,6 +13,8 @@ in {
 ../../modules/nix-config.nix
 ../../modules/iohk.nix
 ../../modules/timezone.nix
+ ../../modules/keybase.nix
+ ../../modules/ssh.nix
 ];
 
 # Use the GRUB 2 boot loader.
@@ -137,14 +141,12 @@ in {
 htop
 tmux
 git
- #agenix.defaultPackage.x86_64-linux
 restic # fast and secure backup
 rclone
 ];
 
 # Some programs need SUID wrappers, can be configured further or are
 # started in user sessions.
- # programs.mtr.enable = true;
 programs.gnupg.agent = {
 enable = true;
 enableSSHSupport = true;
@@ -163,20 +165,15 @@ in {
 # List services that you want to enable:
 
- # depending on wireguard
 services.kresd = {
 enable = true;
 listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
 };
 
- # Enable the OpenSSH daemon.
- services.openssh.enable = true;
 
- services.lorri.enable = true;
 
 # configure backup via restic to gdrive
 services.restic.backups = { };
 
- services.keybase = { enable = true; };
 
 services.nginx = {
 enable = true;
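Review bot: `authorityFromUrl` returns everything after `://`, not the authority: `config.services.hledger-web.baseUrl` and `PAPERLESS_URL` happen to carry no path today, but a trailing slash or path in either would yield a virtualHost name such as `ledger.failco.de/`, which nginx would match nothing against and ACME would fail to issue for, and `builtins.head (pkgs.lib.drop 1 ...)` aborts with an opaque list error when the value lacks `://` at all. Cutting at the first `/` after the scheme makes the helper match its name and tolerates a bare host: `authorityFromUrl = url:` / `builtins.head (pkgs.lib.splitString "/" (pkgs.lib.last (pkgs.lib.splitString "://" url)));`. The same helper names the paperless and hledger vhosts in the `@@ -226,27 +223,31 @@` hunk of this file, so both depend on this fix.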
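Review bot: Unless a blank-line marker was lost when this hunk was collapsed, `services.lorri.enable = true;` is deleted in the `@@ -163,20 +165,15 @@` hunk without reappearing in either new module, while the sshd and keybase lines it sits between are moved to modules/ssh.nix and modules/keybase.nix; the commit message ("Extract modules") does not mention dropping lorri. If the removal is intended it should be stated in the message, otherwise lorri belongs in its own module next to the other two. The `# depending on wireguard` comment above `services.kresd` is also removed while kresd stays, so whatever ordering or interface dependency it recorded is now undocumented.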
@@ -226,27 +223,31 @@ in {
 };
 
 # gitea
- "git.failco.de" = {
+ "${config.services.gitea.settings.server.DOMAIN}" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
- proxyPass = "http://127.0.0.1:3001/";
+ proxyPass = "http://127.0.0.1:${
+ toString config.services.gitea.settings.server.HTTP_PORT
+ }/";
 proxyWebsockets = true;
 };
 };
 
 # paperless
- "docs.failco.de" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3002/";
- proxyWebsockets = true;
+ "${authorityFromUrl config.services.paperless.extraConfig.PAPERLESS_URL}" =
+ {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass =
+ "http://127.0.0.1:${toString config.services.paperless.port}/";
+ proxyWebsockets = true;
+ };
 };
- };
 
 # hledger
- "${ledgerVHost}" = {
+ "${authorityFromUrl config.services.hledger-web.baseUrl}" = {
 forceSSL = true;
 enableACME = true;
 basicAuthFile = config.age.secrets.hledger-web.path;
@@ -297,7 +298,7 @@ in {
 services.hledger-web = {
 enable = true;
- baseUrl = "https://${ledgerVHost}";
+ baseUrl = "https://ledger.failco.de";
 port = 3003;
 capabilities = {
 view = true;
diff --git a/modules/keybase.nix b/modules/keybase.nix
new file mode 100644
index 0000000..c652d72
--- /dev/null
+++ b/modules/keybase.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.keybase.enable = true;
+}
diff --git a/modules/ssh.nix b/modules/ssh.nix
new file mode 100644
index 0000000..3ae6158
--- /dev/null
+++ b/modules/ssh.nix
@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.openssh.enable = true;
+}
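Review bot: The gitea vhost name and upstream port now come from `config.services.gitea.settings.server.DOMAIN` and `HTTP_PORT`, which are set somewhere outside this hunk; the old literals were `git.failco.de` and `3001`, so if those settings are not defined elsewhere in the file the NixOS module defaults would apply and the vhost would silently change name and stop reaching gitea, and the same applies to `config.services.paperless.port` replacing `3002`. Worth a one-line comment at the gitea block, e.g. `# vhost name and port follow services.gitea.settings.server so the two cannot drift`, and a check that the gitea block defines both. The nginx `virtualHosts` attribute set this hunk sits in starts and ends outside the hunk.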
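Review bot: modules/ssh.nix enables sshd with the NixOS defaults, which leave password authentication on; the move itself is behavior-neutral, but now that this is the shared home for SSH policy it is the natural place for `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` with a comment stating that access is key-only, assuming that is how the hosts are reached. The `config` and `pkgs` arguments are unused here and in modules/keybase.nix; `{ ... }:` would make that explicit and match how small the modules are.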