hosts/thrall/default.nix

@@ -3,7 +3,9 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).
 
 { config, pkgs, ... }:
-let ledgerVHost = "ledger.failco.de";
+let
+  authorityFromUrl = url:
+    builtins.head (pkgs.lib.drop 1 (pkgs.lib.splitString "://" url));
 in {
   imports = [
     ./hardware-configuration.nix
@@ -11,6 +13,8 @@ in {
     ../../modules/nix-config.nix
     ../../modules/iohk.nix
     ../../modules/timezone.nix
+    ../../modules/keybase.nix
+    ../../modules/ssh.nix
   ];
 
   # Use the GRUB 2 boot loader.
@@ -137,14 +141,12 @@ in {
     htop
     tmux
     git
-    #agenix.defaultPackage.x86_64-linux
     restic # fast and secure backup
     rclone
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
   # started in user sessions.
-  # programs.mtr.enable = true;
   programs.gnupg.agent = {
     enable = true;
     enableSSHSupport = true;
@@ -163,20 +165,15 @@ in {
 
   # List services that you want to enable:
 
-  # depending on wireguard
   services.kresd = {
     enable = true;
     listenPlain = [ "[::1]:53" "127.0.0.1:53" "10.0.0.1:53" ];
   };
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
   services.lorri.enable = true;
 
   # configure backup via restic to gdrive
   services.restic.backups = { };
-  services.keybase = { enable = true; };
 
   services.nginx = {
     enable = true;
@@ -226,27 +223,31 @@ in {
     };
 
     # gitea
-    "git.failco.de" = {
+    "${config.services.gitea.settings.server.DOMAIN}" = {
       forceSSL = true;
       enableACME = true;
       locations."/" = {
-        proxyPass = "http://127.0.0.1:3001/";
+        proxyPass = "http://127.0.0.1:${
+            toString config.services.gitea.settings.server.HTTP_PORT
+          }/";
         proxyWebsockets = true;
       };
     };
 
     # paperless
-    "docs.failco.de" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:3002/";
-        proxyWebsockets = true;
+    "${authorityFromUrl config.services.paperless.extraConfig.PAPERLESS_URL}" =
+      {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass =
+            "http://127.0.0.1:${toString config.services.paperless.port}/";
+          proxyWebsockets = true;
+        };
       };
-    };
 
     # hledger
-    "${ledgerVHost}" = {
+    "${authorityFromUrl config.services.hledger-web.baseUrl}" = {
       forceSSL = true;
       enableACME = true;
       basicAuthFile = config.age.secrets.hledger-web.path;
@@ -297,7 +298,7 @@ in {
 
   services.hledger-web = {
     enable = true;
-    baseUrl = "https://${ledgerVHost}";
+    baseUrl = "https://ledger.failco.de";
     port = 3003;
     capabilities = {
       view = true;

modules/keybase.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.keybase.enable = true;
+}

modules/ssh.nix

@@ -0,0 +1,5 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.openssh.enable = true;
+}