port magic

nixosConfigurations/gerg-desktop/services/forgejo.nix

@@ -1,5 +1,9 @@
 { config }:
+let
+  link = config.local.links.forgejo;
+in
 {
+  local.links.forgejo = { };
   users = {
     groups.${config.services.forgejo.group} = { };
     users = {
@@ -10,7 +14,6 @@
         openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
       };
 
-      ${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ];
     };
   };
   services.forgejo = {
@@ -22,9 +25,8 @@
         DOMAIN = "git.gerg-l.com";
         ROOT_URL = "https://git.gerg-l.com/";
         LANDING_PAGE = "/explore/repos";
-        HTTP_ADDR = "/run/forgejo/forgejo.sock";
-        PROTOCOL = "http+unix";
-        UNIX_SOCKET_PERMISSION = "660";
+        HTTP_ADDR = link.ipv4;
+        HTTP_PORT = link.port;
       };
       ui.DEFAULT_THEME = "forgejo-dark";
       service.DISABLE_REGISTRATION = true;
@@ -35,6 +37,5 @@
     };
   };
 
-  local.nginx.proxyVhosts."git.gerg-l.com" =
-    "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+  local.nginx.proxyVhosts."git.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/immich.nix

@@ -1,11 +1,11 @@
 { config, ... }:
 let
   cfg = config.services.immich;
+  link = config.local.links.immich;
 in
 {
-  systemd.tmpfiles.rules =
-
-    [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
+  local.links.immich = { };
+  systemd.tmpfiles.rules = [ "d ${cfg.mediaLocation} - ${cfg.user} ${cfg.group} - -" ];
 
   users.users.${cfg.user}.extraGroups = [ "postgres" ];
   services.immich = {
@@ -18,9 +18,9 @@ in
     mediaLocation = "/persist/services/immich";
     machine-learning.enable = true;
     settings = null;
-    port = 2283;
-    host = "0.0.0.0";
+    inherit (link) port;
+    host = link.ipv4;
   };
 
-  local.nginx.proxyVhosts."photos.gerg-l.com" = "http://localhost:${toString cfg.port}";
+  local.nginx.proxyVhosts."photos.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/miniflux.nix

@@ -1,15 +1,19 @@
 {
   config,
-  lib,
 }:
+let
+  link = config.local.links.miniflux;
+in
 {
+  local.links.miniflux = { };
+
   sops.secrets.minifluxenv = { };
 
   services.miniflux = {
     enable = true;
     config = {
       BASE_URL = "https://flux.gerg-l.com";
-      LISTEN_ADDR = "/run/miniflux/miniflux.sock";
+      LISTEN_ADDR = link.tuple;
     };
     adminCredentialsFile = config.sops.secrets.minifluxenv.path;
     createDatabaseLocally = true;
@@ -28,11 +32,5 @@
     };
   };
 
-  systemd.services.miniflux.serviceConfig = {
-    RuntimeDirectoryMode = lib.mkForce "0770";
-    DynamicUser = lib.mkForce false;
-  };
-
-  local.nginx.proxyVhosts."flux.gerg-l.com" =
-    "http://unix:${config.services.miniflux.config.LISTEN_ADDR}";
+  local.nginx.proxyVhosts."flux.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/nix-serve.nix

@@ -1,28 +1,22 @@
 {
   config,
   pkgs,
-  lib,
 }:
+let
+  link = config.local.links.nix-serve;
+in
 {
-  sops.secrets.store_key.owner = "nix-serve";
+  local.links.nix-serve = { };
+
+  sops.secrets.store_key = { };
 
   users = {
-    groups = {
-      builder = { };
-      nix-serve = { };
-    };
-    users = {
-      ${config.services.nginx.user}.extraGroups = [ "nix-serve" ];
-      builder = {
-        isSystemUser = true;
-        openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
-        group = "builder";
-        shell = pkgs.bashInteractive;
-      };
-      nix-serve = {
-        isSystemUser = true;
-        group = "nix-serve";
-      };
+    groups.builder = { };
+    users.builder = {
+      isSystemUser = true;
+      openssh.authorizedKeys.keys = [ config.local.keys.root_media-laptop ];
+      group = "builder";
+      shell = pkgs.bashInteractive;
     };
   };
 
@@ -38,37 +32,18 @@
 
   nix.settings = {
     trusted-users = [ "builder" ];
-    allowed-users = [ "nix-serve" ];
     keep-outputs = true;
     keep-derivations = true;
     secret-key-files = config.sops.secrets.store_key.path;
   };
 
-  systemd.services.nix-serve = {
-    description = "nix-serve binary cache server";
-    after = [ "network.target" ];
-    wantedBy = [ "multi-user.target" ];
-
-    path = [
-      config.nix.package
-      pkgs.bzip2
-    ];
-
-    serviceConfig = {
-      ExecStart = "${lib.getExe pkgs.nix-serve-ng} --socket /run/nix-serve/nix-serve.sock";
-      Restart = "always";
-      RestartSec = "5s";
-      User = "nix-serve";
-      Group = "nix-serve";
-      RuntimeDirectory = "nix-serve";
-      UMask = "0117";
-    };
-
-    environment = {
-      NIX_REMOTE = "daemon";
-      NIX_SECRET_KEY_FILE = config.sops.secrets.store_key.path;
-    };
-
+  services.nix-serve = {
+    enable = true;
+    inherit (link) port;
+    package = pkgs.nix-serve-ng;
+    bindAddress = link.ipv4;
+    secretKeyFile = config.sops.secrets.store_key.path;
   };
-  local.nginx.proxyVhosts."cache.gerg-l.com" = "http://unix:/run/nix-serve/nix-serve.sock";
+
+  local.nginx.proxyVhosts."cache.gerg-l.com" = link.url;
 }

nixosConfigurations/gerg-desktop/services/searxng.nix

@@ -1,5 +1,10 @@
 { config, pkgs }:
+let
+  link = config.local.links.searx;
+in
 {
+  local.links.searx = { };
+
   sops.secrets.searxngenv = { };
   users.users.${config.services.nginx.user}.extraGroups = [ "searx" ];
   services.searx = {
@@ -7,8 +12,7 @@
     package = pkgs.searxng;
     runInUwsgi = true;
     uwsgiConfig = {
-      socket = "/run/searx/searx.sock";
-      chmod-socket = "660";
+      http = link.tuple;
       disable-logging = true;
     };
     environmentFile = config.sops.secrets.searxngenv.path;
@@ -37,7 +41,7 @@
   };
 
   local.nginx.defaultVhosts."search.gerg-l.com" = {
-    locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
+    locations."/".proxyPass = link.url;
     extraConfig = "access_log off;";
   };
 }