refactor

hosts/chidi/default.nix

@@ -6,6 +6,8 @@
 	...
 }: {
 	imports = [
+		./secrets.nix
+		./syncthing.nix
 		../../modules/syncthing.nix
 		../../profiles/core.nix
 		../../profiles/darwin.nix
@@ -19,30 +21,6 @@
 	networking.hostName = "chidi";
 	networking.computerName = "Chidi";
 
-	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
-
-	sops.secrets = {
-		chidi-syncthing-cert = {
-			sopsFile = ../../secrets/chidi-syncthing-cert;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/cert.pem";
-		};
-		chidi-syncthing-key = {
-			sopsFile = ../../secrets/chidi-syncthing-key;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/key.pem";
-		};
-	};
-
-	services.syncthing.settings.folders = {
-		"Projects/Work" = {
-			path = "/Users/${user}/Projects/Work";
-			devices = ["tahani" "chidi"];
-		};
-	};
-
 	home-manager.users.${user} = {
 		imports = [
 			inputs.nixvim.homeModules.nixvim

hosts/chidi/secrets.nix

@@ -0,0 +1,18 @@
+{user, ...}: {
+	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
+
+	sops.secrets = {
+		chidi-syncthing-cert = {
+			sopsFile = ../../secrets/chidi-syncthing-cert;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/cert.pem";
+		};
+		chidi-syncthing-key = {
+			sopsFile = ../../secrets/chidi-syncthing-key;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/key.pem";
+		};
+	};
+}

hosts/chidi/syncthing.nix

@@ -0,0 +1,8 @@
+{user, ...}: {
+	services.syncthing.settings.folders = {
+		"Projects/Work" = {
+			path = "/Users/${user}/Projects/Work";
+			devices = ["tahani" "chidi"];
+		};
+	};
+}

hosts/jason/default.nix

@@ -4,6 +4,8 @@
 	...
 }: {
 	imports = [
+		./secrets.nix
+		./syncthing.nix
 		../../modules/syncthing.nix
 		../../profiles/core.nix
 		../../profiles/darwin.nix
@@ -17,32 +19,6 @@
 	networking.hostName = "jason";
 	networking.computerName = "Jason";
 
-	services.syncthing.settings.folders = {
-		"Projects/Personal" = {
-			path = "/Users/${user}/Projects/Personal";
-			devices = ["tahani" "jason"];
-		};
-	};
-
-	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
-	sops.age.sshKeyPaths = [];
-	sops.gnupg.sshKeyPaths = [];
-
-	sops.secrets = {
-		jason-syncthing-cert = {
-			sopsFile = ../../secrets/jason-syncthing-cert;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/cert.pem";
-		};
-		jason-syncthing-key = {
-			sopsFile = ../../secrets/jason-syncthing-key;
-			format = "binary";
-			owner = user;
-			path = "/Users/${user}/.config/syncthing/key.pem";
-		};
-	};
-
 	home-manager.users.${user} = {
 		imports = [
 			inputs.nixvim.homeModules.nixvim

hosts/jason/secrets.nix

@@ -0,0 +1,20 @@
+{user, ...}: {
+	sops.age.keyFile = "/Users/${user}/.config/sops/age/keys.txt";
+	sops.age.sshKeyPaths = [];
+	sops.gnupg.sshKeyPaths = [];
+
+	sops.secrets = {
+		jason-syncthing-cert = {
+			sopsFile = ../../secrets/jason-syncthing-cert;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/cert.pem";
+		};
+		jason-syncthing-key = {
+			sopsFile = ../../secrets/jason-syncthing-key;
+			format = "binary";
+			owner = user;
+			path = "/Users/${user}/.config/syncthing/key.pem";
+		};
+	};
+}

hosts/jason/syncthing.nix

@@ -0,0 +1,8 @@
+{user, ...}: {
+	services.syncthing.settings.folders = {
+		"Projects/Personal" = {
+			path = "/Users/${user}/Projects/Personal";
+			devices = ["tahani" "jason"];
+		};
+	};
+}

hosts/michael/default.nix

@@ -11,6 +11,8 @@
 		(modulesPath + "/profiles/qemu-guest.nix")
 		./disk-config.nix
 		./hardware-configuration.nix
+		./openssh.nix
+		./secrets.nix
 		../../profiles/core.nix
 		../../profiles/fail2ban.nix
 		../../profiles/gitea.nix
@@ -20,11 +22,6 @@
 		inputs.sops-nix.nixosModules.sops
 	];
 
-	sops.secrets.litestream = {
-		sopsFile = ../../secrets/michael-litestream;
-		format = "binary";
-	};
-
 	home-manager.users.${user} = {
 		pkgs,
 		lib,
@@ -52,13 +49,5 @@
 		];
 	};
 
-	services.openssh = {
-		enable = true;
-		settings = {
-			PermitRootLogin = "yes";
-			PasswordAuthentication = false;
-		};
-	};
-
 	networking.hostName = hostname;
 }

hosts/michael/openssh.nix

@@ -0,0 +1,9 @@
+{...}: {
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "yes";
+			PasswordAuthentication = false;
+		};
+	};
+}

hosts/michael/secrets.nix

@@ -0,0 +1,6 @@
+{...}: {
+	sops.secrets.litestream = {
+		sopsFile = ../../secrets/michael-litestream;
+		format = "binary";
+	};
+}

hosts/mindy/default.nix

@@ -11,6 +11,9 @@
 		(modulesPath + "/profiles/qemu-guest.nix")
 		./disk-config.nix
 		./hardware-configuration.nix
+		./openssh.nix
+		./pgbackrest.nix
+		./secrets.nix
 		../../modules/pgbackrest.nix
 		../../profiles/core.nix
 		../../profiles/fail2ban.nix
@@ -21,19 +24,6 @@
 		inputs.sops-nix.nixosModules.sops
 	];
 
-	sops.secrets.mindy-pgbackrest = {
-		sopsFile = ../../secrets/mindy-pgbackrest;
-		format = "binary";
-		owner = "postgres";
-		group = "postgres";
-	};
-
-	my.pgbackrest = {
-		enable = true;
-		secretFile = "/run/secrets/mindy-pgbackrest";
-		s3.bucket = "mindy-pgbackrest";
-	};
-
 	home-manager.users.${user} = {
 		pkgs,
 		lib,
@@ -61,14 +51,6 @@
 		];
 	};
 
-	services.openssh = {
-		enable = true;
-		settings = {
-			PermitRootLogin = "yes";
-			PasswordAuthentication = false;
-		};
-	};
-
 	virtualisation.docker.enable = true;
 
 	networking.hostName = hostname;

hosts/mindy/openssh.nix

@@ -0,0 +1,9 @@
+{...}: {
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "yes";
+			PasswordAuthentication = false;
+		};
+	};
+}

hosts/mindy/pgbackrest.nix

@@ -0,0 +1,7 @@
+{...}: {
+	my.pgbackrest = {
+		enable = true;
+		secretFile = "/run/secrets/mindy-pgbackrest";
+		s3.bucket = "mindy-pgbackrest";
+	};
+}

hosts/mindy/secrets.nix

@@ -0,0 +1,8 @@
+{...}: {
+	sops.secrets.mindy-pgbackrest = {
+		sopsFile = ../../secrets/mindy-pgbackrest;
+		format = "binary";
+		owner = "postgres";
+		group = "postgres";
+	};
+}

hosts/tahani/adguardhome.nix

@@ -0,0 +1,21 @@
+{...}: {
+	services.adguardhome = {
+		enable = true;
+		port = 10000;
+		settings = {
+			dns = {
+				upstream_dns = [
+					"1.1.1.1"
+					"1.0.0.1"
+				];
+			};
+			filtering = {
+				protection_enabled = true;
+				filtering_enabled = true;
+				safe_search = {
+					enabled = false;
+				};
+			};
+		};
+	};
+}

hosts/tahani/default.nix

@@ -1,12 +1,17 @@
 {
-	config,
-	hostname,
-	user,
 	inputs,
+	pkgs,
+	user,
 	constants,
 	...
 }: {
 	imports = [
+		./adguardhome.nix
+		./networking.nix
+		./openssh.nix
+		./paperless.nix
+		./secrets.nix
+		./syncthing.nix
 		../../profiles/core.nix
 		../../profiles/nixos.nix
 		../../profiles/syncthing.nix
@@ -54,91 +59,5 @@
 		programs.git.settings.user.email = "christoph@schmatzler.com";
 	};
 
-	services.adguardhome = {
+	virtualisation.docker.enable = true;
-		enable = true;
-		port = 10000;
-		settings = {
-			dns = {
-				upstream_dns = [
-					"1.1.1.1"
-					"1.0.0.1"
-				];
-			};
-			filtering = {
-				protection_enabled = true;
-				filtering_enabled = true;
-				safe_search = {
-					enabled = false;
-				};
-			};
-		};
-	};
-
-	virtualisation.docker = {
-		enable = true;
-	};
-
-	services.openssh = {
-		enable = true;
-		settings = {
-			PermitRootLogin = "prohibit-password";
-			PasswordAuthentication = false;
-		};
-	};
-
-	fileSystems."/" = {
-		device = "/dev/disk/by-label/NIXROOT";
-		fsType = "ext4";
-	};
-
-	fileSystems."/boot" = {
-		device = "/dev/disk/by-label/NIXBOOT";
-		fsType = "vfat";
-	};
-
-	networking = {
-		hostName = hostname;
-		useDHCP = false;
-		interfaces.eno1.ipv4.addresses = [
-			{
-				address = "192.168.1.10";
-				prefixLength = 24;
-			}
-		];
-		defaultGateway = "192.168.1.1";
-		nameservers = ["1.1.1.1"];
-		firewall = {
-			enable = true;
-			trustedInterfaces = ["eno1" "tailscale0"];
-			allowedUDPPorts = [config.services.tailscale.port];
-			allowedTCPPorts = [22 5555];
-			checkReversePath = "loose";
-		};
-	};
-
-	sops.secrets = {
-		tahani-syncthing-cert = {
-			sopsFile = ../../secrets/tahani-syncthing-cert;
-			format = "binary";
-			owner = user;
-			path = "/home/${user}/.config/syncthing/cert.pem";
-		};
-		tahani-syncthing-key = {
-			sopsFile = ../../secrets/tahani-syncthing-key;
-			format = "binary";
-			owner = user;
-			path = "/home/${user}/.config/syncthing/key.pem";
-		};
-	};
-
-	services.syncthing.settings.folders = {
-		"Projects/Personal" = {
-			path = "/home/${user}/Projects/Personal";
-			devices = ["tahani" "jason"];
-		};
-		"Projects/Work" = {
-			path = "/home/${user}/Projects/Work";
-			devices = ["tahani" "chidi"];
-		};
-	};
 }

hosts/tahani/networking.nix

@@ -0,0 +1,31 @@
+{config, hostname, ...}: {
+	networking = {
+		hostName = hostname;
+		useDHCP = false;
+		interfaces.eno1.ipv4.addresses = [
+			{
+				address = "192.168.1.10";
+				prefixLength = 24;
+			}
+		];
+		defaultGateway = "192.168.1.1";
+		nameservers = ["1.1.1.1"];
+		firewall = {
+			enable = true;
+			trustedInterfaces = ["eno1" "tailscale0"];
+			allowedUDPPorts = [config.services.tailscale.port];
+			allowedTCPPorts = [22 5555];
+			checkReversePath = "loose";
+		};
+	};
+
+	fileSystems."/" = {
+		device = "/dev/disk/by-label/NIXROOT";
+		fsType = "ext4";
+	};
+
+	fileSystems."/boot" = {
+		device = "/dev/disk/by-label/NIXBOOT";
+		fsType = "vfat";
+	};
+}

hosts/tahani/openssh.nix

@@ -0,0 +1,9 @@
+{...}: {
+	services.openssh = {
+		enable = true;
+		settings = {
+			PermitRootLogin = "prohibit-password";
+			PasswordAuthentication = false;
+		};
+	};
+}

hosts/tahani/paperless.nix

@@ -0,0 +1,26 @@
+{config, ...}: {
+	services.redis.servers.paperless = {
+		enable = true;
+		port = 6379;
+		bind = "127.0.0.1";
+		settings = {
+			maxmemory = "256mb";
+			maxmemory-policy = "allkeys-lru";
+		};
+	};
+
+	services.paperless = {
+		enable = true;
+		address = "0.0.0.0";
+		passwordFile = config.sops.secrets.tahani-paperless-password.path;
+		settings = {
+			PAPERLESS_DBENGINE = "sqlite";
+			PAPERLESS_REDIS = "redis://127.0.0.1:6379";
+			PAPERLESS_CONSUMER_IGNORE_PATTERN = [
+				".DS_STORE/*"
+				"desktop.ini"
+			];
+			PAPERLESS_OCR_LANGUAGE = "deu+eng";
+		};
+	};
+}

hosts/tahani/secrets.nix

@@ -0,0 +1,20 @@
+{user, ...}: {
+	sops.secrets = {
+		tahani-syncthing-cert = {
+			sopsFile = ../../secrets/tahani-syncthing-cert;
+			format = "binary";
+			owner = user;
+			path = "/home/${user}/.config/syncthing/cert.pem";
+		};
+		tahani-syncthing-key = {
+			sopsFile = ../../secrets/tahani-syncthing-key;
+			format = "binary";
+			owner = user;
+			path = "/home/${user}/.config/syncthing/key.pem";
+		};
+		tahani-paperless-password = {
+			sopsFile = ../../secrets/tahani-paperless-password;
+			format = "binary";
+		};
+	};
+}

hosts/tahani/syncthing.nix

@@ -0,0 +1,12 @@
+{user, ...}: {
+	services.syncthing.settings.folders = {
+		"Projects/Personal" = {
+			path = "/home/${user}/Projects/Personal";
+			devices = ["tahani" "jason"];
+		};
+		"Projects/Work" = {
+			path = "/home/${user}/Projects/Work";
+			devices = ["tahani" "chidi"];
+		};
+	};
+}

secrets/tahani-paperless-password

@@ -0,0 +1,30 @@
+{
+	"data": "ENC[AES256_GCM,data:w1+tiWkOFY8BYUcu5UjS4YmQbkxZC2LA2uBP,iv:kX8gWrABHeYKHkkqihidB/dx42TPGB+vxB+6N8Vse/c=,tag:z5vxVu0PuYfDUwTX4mwvEg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbWZmSjFCRWFaWVVVeGx6\nMlhuT2hZOUdFN0E3MDBSUVNlUVFVRWNmNDJBCkVFSGlHdnVPVUY0VEdrLzZYbDBW\na3ZuQlJiOSs2N1RpRTMwR3ZuaG1aRjQKLS0tIGo2RmxFd0JleEZ3NjhWaTJES1hP\nZEtGUk1KUEhnWW44ajA2eW4wUlUzWUkKTJemTSLHVRi54LQetmzvAGm4V02laedc\n8WnphqOGIkIDIt/pwI7kUsbA/4fW8J0DxWi7OMDHIEx8Mxyt6Uzr+A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsTy9zUEY4Y1dlcFowZDNS\nVlprUXNQS3RwWmRvRGFScjlCK1FYSVM1VUJJCnlWZzRMZUV1RnJJQk9CNmNUbURh\nODdkUjZUanJJcU1OMDIyaEUycXdZR2cKLS0tIEh0ZzUxRmJMejFLWkdab0NKQlNz\nbC9OMmIvZEtNcG1ZRFJHa1V5a0x4SHcKgNv/ANu7HCgMBECFpGxRRPB3F+BPVo7p\n6Nb6wGxXHKIuxBU/3N4FXFYBvuI8rdfyOY9IThk031CDJ+BNnnaRxw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1dqt3znmzcgghsjjzzax0pf0eyu95h0p7kaf5v988ysjv7fl7lumsatl048",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VjdHSDBPWlNpUklEUEFq\nMUo5Qk5YaHFJNDNUeUUzQjhkMGwwc2ZNZW5FClFHUG5MLzYrTlVZdzE3VlNRaWhv\nMmIwSmxFZzJEUkVNck9UUStrVkE1UHcKLS0tIDF3RkVPOXlTZkRDQXFKZmQyQnl3\nQkdIbm5meW82VTNSZmdIWEFDTUF3SnMKfG7t8fdn5+LqojTAs8LAS1e4exQXKxwf\nbobGHEwgUZOwCE16yNNDZNysFsejZuZBpnCYekozq6HnaiM6K17Fqw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT0lQQ29KeDVub2tCVXZ0\nK0sxWU1QcDY3SEtBWkU3aExETFJ5cjA2a0Z3CnVnUEg2YkdQa1VSV0ZscmxOaDFP\nYTNjQmtlcExhL2VZR21Sb3FNbU05TEUKLS0tIFp3N3lsZitZMkduMFlISllwWnpC\naVFBNmhpVVhyL1RpYmxCK0tWVlF5Q0kKWKOJ1w98Gy54slamOg7DpuItgNLj2cxW\nX8QUb51DhFwDl5tSOp7QqaggcXgdyhytwWdd6lHYhp0LKyhELbJnnw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tlymdmaukhwupzrhszspp26lgd8s64rw4vu9lwc7gsgrjm78095s9fe9l3",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXL1VLZ1ZXRGM3amo3UFNt\nd3IxR1FXWDgzRWFBUlNYR242NVBBTzgzWUI0CjNzMjJDNk1CaEE2dmdMVzNvNVVK\nTzJsc25DNXh1NnlGRUtKVzdNVEhqemcKLS0tIG5GTE5rZnV1ZWFXZElIVzBLb1RB\nejVPZmRnR1ZHRDFaL2tpZzE1SzRQSmMKiqIZ9ZNqDt+Gn/oEm/qY+lE5Ej/S52SE\ntZ+ew0obHabv4pmtjkJmVvlGYKzmMpZlI9T+rCsKViXSvUP4E0IUWg==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-12-20T21:46:17Z",
+		"mac": "ENC[AES256_GCM,data:j7G9ZsXE3Wrqhq4jIBKa6M+uO+OuKssdMzaQNCIKbhn5sE56Cwg2E396FFx+rrZD5ahYKxATr/pXcgH1DlsMGWKtMK+zPQRGrahknSIDbYD/BWBoeGFfaTddW2OohxWoRjl96ODZ29xd72nQewxMhIjG8S848C5fxjeaqraPxiM=,iv:evDbKdSIMdwbZp2Ld8wfVtAedw3y3Leru4CxDC57NhI=,tag:DRsRWYbcehJjpAWJVrAy0A==,type:str]",
+		"version": "3.11.0"
+	}
+}