tighten service boundaries and clean up config structure

modules/_hosts/michael/backups.nix

@@ -0,0 +1,58 @@
+{
+	config,
+	lib,
+	pkgs,
+	...
+}: {
+	services.restic.backups.gitea = {
+		repository = "s3:s3.eu-central-003.backblazeb2.com/michael-gitea-repositories";
+		paths = ["/var/lib/gitea"];
+		exclude = [
+			"/var/lib/gitea/log"
+			"/var/lib/gitea/data/gitea.db"
+			"/var/lib/gitea/data/gitea.db-shm"
+			"/var/lib/gitea/data/gitea.db-wal"
+		];
+		passwordFile = config.sops.secrets.michael-gitea-restic-password.path;
+		environmentFile = config.sops.secrets.michael-gitea-restic-env.path;
+		pruneOpts = [
+			"--keep-daily 7"
+			"--keep-weekly 4"
+			"--keep-monthly 6"
+		];
+		timerConfig = {
+			OnCalendar = "daily";
+			Persistent = true;
+			RandomizedDelaySec = "1h";
+		};
+	};
+
+	systemd.services.restic-backups-gitea = {
+		wants = ["restic-init-gitea.service"];
+		after = ["restic-init-gitea.service"];
+		serviceConfig = {
+			User = lib.mkForce "gitea";
+			Group = lib.mkForce "gitea";
+		};
+	};
+
+	systemd.services.restic-init-gitea = {
+		description = "Initialize Restic repository for Gitea backups";
+		wantedBy = ["multi-user.target"];
+		after = ["network-online.target"];
+		wants = ["network-online.target"];
+		path = [pkgs.restic];
+		serviceConfig = {
+			Type = "oneshot";
+			User = "gitea";
+			Group = "gitea";
+			RemainAfterExit = true;
+			EnvironmentFile = config.sops.secrets.michael-gitea-restic-env.path;
+		};
+		script = ''
+			export RESTIC_PASSWORD=$(cat ${config.sops.secrets.michael-gitea-restic-password.path})
+			restic -r s3:s3.eu-central-003.backblazeb2.com/michael-gitea-repositories snapshots &>/dev/null || \
+				restic -r s3:s3.eu-central-003.backblazeb2.com/michael-gitea-repositories init
+		'';
+	};
+}

modules/_hosts/michael/gitea.nix

@@ -0,0 +1,114 @@
+{
+	config,
+	lib,
+	...
+}: {
+	sops.secrets = {
+		michael-gitea-litestream = {
+			sopsFile = ../../../secrets/michael-gitea-litestream;
+			format = "binary";
+			owner = "gitea";
+			group = "gitea";
+			path = "/run/secrets/michael-gitea-litestream";
+		};
+		michael-gitea-restic-password = {
+			sopsFile = ../../../secrets/michael-gitea-restic-password;
+			format = "binary";
+			owner = "gitea";
+			group = "gitea";
+			path = "/run/secrets/michael-gitea-restic-password";
+		};
+		michael-gitea-restic-env = {
+			sopsFile = ../../../secrets/michael-gitea-restic-env;
+			format = "binary";
+			owner = "gitea";
+			group = "gitea";
+			path = "/run/secrets/michael-gitea-restic-env";
+		};
+	};
+
+	networking.firewall.allowedTCPPorts = [80 443];
+
+	services.redis.servers.gitea = {
+		enable = true;
+		port = 6380;
+		bind = "127.0.0.1";
+		settings = {
+			maxmemory = "64mb";
+			maxmemory-policy = "allkeys-lru";
+		};
+	};
+
+	services.gitea = {
+		enable = true;
+		database = {
+			type = "sqlite3";
+			path = "/var/lib/gitea/data/gitea.db";
+		};
+		settings = {
+			server = {
+				ROOT_URL = "https://git.schmatzler.com/";
+				DOMAIN = "git.schmatzler.com";
+				HTTP_ADDR = "127.0.0.1";
+				HTTP_PORT = 3000;
+				LANDING_PAGE = "explore";
+			};
+			service.DISABLE_REGISTRATION = true;
+			security.INSTALL_LOCK = true;
+			cache = {
+				ADAPTER = "redis";
+				HOST = "redis://127.0.0.1:6380/0?pool_size=100&idle_timeout=180s";
+				ITEM_TTL = "16h";
+			};
+			"cache.last_commit" = {
+				ITEM_TTL = "8760h";
+				COMMITS_COUNT = 100;
+			};
+			session = {
+				PROVIDER = "redis";
+				PROVIDER_CONFIG = "redis://127.0.0.1:6380/1?pool_size=100&idle_timeout=180s";
+				COOKIE_SECURE = true;
+				SAME_SITE = "strict";
+			};
+			api.ENABLE_SWAGGER = false;
+		};
+	};
+
+	services.litestream = {
+		enable = true;
+		environmentFile = config.sops.secrets.michael-gitea-litestream.path;
+		settings = {
+			dbs = [
+				{
+					path = "/var/lib/gitea/data/gitea.db";
+					replicas = [
+						{
+							type = "s3";
+							bucket = "michael-gitea-litestream";
+							path = "gitea";
+							endpoint = "s3.eu-central-003.backblazeb2.com";
+						}
+					];
+				}
+			];
+		};
+	};
+
+	systemd.services.litestream.serviceConfig = {
+		User = lib.mkForce "gitea";
+		Group = lib.mkForce "gitea";
+	};
+
+	services.caddy = {
+		enable = true;
+		virtualHosts."git.schmatzler.com".extraConfig = ''
+			header {
+				Strict-Transport-Security "max-age=31536000; includeSubDomains"
+				X-Content-Type-Options "nosniff"
+				X-Frame-Options "DENY"
+				Referrer-Policy "strict-origin-when-cross-origin"
+			}
+			reverse_proxy localhost:3000
+		'';
+	};
+}

modules/_hosts/tahani/adguardhome.nix

@@ -1,7 +1,7 @@
-{
+{config, ...}: {
 	services.adguardhome = {
 		enable = true;
-		host = "0.0.0.0";
+		host = "127.0.0.1";
 		port = 10000;
 		settings = {
 			dhcp = {
@@ -57,4 +57,13 @@
 			];
 		};
 	};
+
+	services.caddy.virtualHosts."adguard.manticore-hippocampus.ts.net" = {
+		extraConfig = ''
+			tls {
+				get_certificate tailscale
+			}
+			reverse_proxy localhost:${toString config.services.adguardhome.port}
+		'';
+	};
 }

modules/_hosts/tahani/paperless.nix

@@ -25,8 +25,11 @@
 	virtualisation.oci-containers = {
 		backend = "docker";
 		containers.paperless-ai = {
-			image = "clusterzx/paperless-ai:latest";
+			image = "clusterzx/paperless-ai:v3.0.9";
 			autoStart = true;
+			ports = [
+				"127.0.0.1:3000:3000"
+			];
 			volumes = [
 				"paperless-ai-data:/app/data"
 			];
@@ -36,11 +39,10 @@
 				PAPERLESS_AI_PORT = "3000";
 				# Initial setup wizard will configure the rest
 				PAPERLESS_AI_INITIAL_SETUP = "yes";
-				# Paperless-ngx API URL accessible from container (using host network)
-				PAPERLESS_API_URL = "http://127.0.0.1:${toString config.services.paperless.port}/api";
+				PAPERLESS_API_URL = "http://host.docker.internal:${toString config.services.paperless.port}/api";
 			};
 			extraOptions = [
-				"--network=host"
+				"--add-host=host.docker.internal:host-gateway"
 			];
 		};
 	};
@@ -57,7 +59,7 @@
 
 	services.paperless = {
 		enable = true;
-		address = "0.0.0.0";
+		address = "127.0.0.1";
 		passwordFile = config.sops.secrets.tahani-paperless-password.path;
 		settings = {
 			PAPERLESS_DBENGINE = "sqlite";