BIG changes. Make almost every server service modular, to distribute among multiple servers

hosts/envy/default.nix

@@ -5,6 +5,7 @@
     ./disko
     ./filesystems
     ./hardware
+    ./services
     ./users
     ../../modules/system
   ];
@@ -19,19 +20,6 @@
     lanzaboote.enable = true;
     fancyboot.enable = true;
     wireless.enable = true;
-    wireguard.client.enable = true;
-    libvirtd.enable = true;
     stateVersion = "24.11";
   };
-
-  # Services to make this work as a school laptop
-  services.globalprotect.enable = true;
-
-  virtualisation.vmware.host.enable = true;
-  nixpkgs.allowUnfreePackages = [ "vmware-workstation" ];
-
-  environment.persistence."/persist".directories = [
-    "/home/${config.sysusers.main}/vmware"
-    "/home/${config.sysusers.main}/.vmware"
-  ];
 }

hosts/envy/services/default.nix

@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+  services = {
+    globalprotect.enable = true;
+    wireguard.client.enable = true;
+  };
+
+  virtualisation = {
+    libvirtd.enable = true;
+    vmware.host.enable = true;
+  };
+
+  nixpkgs.allowUnfreePackages = [ "vmware-workstation" ];
+
+  environment.persistence."/persist".directories = [
+    "/home/${config.sysusers.main}/vmware"
+    "/home/${config.sysusers.main}/.vmware"
+  ];
+}

hosts/midas/default.nix

@@ -6,6 +6,7 @@
     ./filesystems
     ./firewall
     ./hardware
+    ./services
     ./users
     ../../modules/system
   ];
@@ -26,16 +27,6 @@
   system = {
     server.enable = true;
     lanzaboote.enable = true;
-    fileserver.enable = true;
-    socialserver.enable = true;
-    wireguard.server.enable = true;
     stateVersion = "24.11";
   };
-
-  services.minecraft-servers.servers = {
-    velocity.enable = true;
-    johnside.enable = true;
-    cornworld.enable = true;
-    skyblock.enable = true;
-  };
 }

hosts/midas/services/default.nix

@@ -0,0 +1,25 @@
+{ ... }:
+{
+  services = {
+    fileserver.enable = true;
+    socialserver.enable = true;
+    webserver.enable = true;
+
+    forgejo.enable = true;
+    icecast.enable = true;
+    owncast.enable = true;
+    transmission.enable = true;
+    vaultwarden.enable = true;
+    wireguard.server.enable = true;
+
+    minecraft-servers = {
+      enable = true;
+      servers = {
+        velocity.enable = true;
+        johnside.enable = true;
+        cornworld.enable = true;
+        skyblock.enable = true;
+      };
+    };
+  };
+}

hosts/pear/default.nix

@@ -5,6 +5,7 @@
     ./disko
     ./filesystems
     ./hardware
+    ./services
     ./users
     ../../modules/system
   ];
@@ -18,19 +19,6 @@
     desktop.enable = true;
     fancyboot.enable = true;
     wireless.enable = true;
-    wireguard.client.enable = true;
-    libvirtd.enable = true;
     stateVersion = "24.11";
   };
-
-  # Services to make this work as a school laptop
-  services.globalprotect.enable = true;
-
-  virtualisation.vmware.host.enable = true;
-  nixpkgs.allowUnfreePackages = [ "vmware-workstation" ];
-
-  environment.persistence."/persist".directories = [
-    "/home/${config.sysusers.main}/vmware"
-    "/home/${config.sysusers.main}/.vmware"
-  ];
 }

hosts/pear/services/default.nix

@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+  services = {
+    globalprotect.enable = true;
+    wireguard.client.enable = true;
+  };
+
+  virtualisation = {
+    libvirtd.enable = true;
+    vmware.host.enable = true;
+  };
+
+  nixpkgs.allowUnfreePackages = [ "vmware-workstation" ];
+
+  environment.persistence."/persist".directories = [
+    "/home/${config.sysusers.main}/vmware"
+    "/home/${config.sysusers.main}/.vmware"
+  ];
+}

hosts/prophet/default.nix

@@ -16,8 +16,12 @@
   };
 
   system = {
-    mailserver.enable = true;
+    server.enable = true;
-    wireguard.client.enable = true;
     stateVersion = "24.05";
   };
+
+  services = {
+    mailserver.enable = true;
+    wireguard.client.enable = true;
+  };
 }

hosts/redmond/default.nix

@@ -19,9 +19,10 @@
     lanzaboote.enable = true;
     fancyboot.enable = true;
     wireless.enable = true;
-    wireguard.client.enable = true;
     stateVersion = "24.05";
   };
 
+  services.wireguard.client.enable = true;
+
   environment.sessionVariables.WLR_RENDERER = lib.mkForce "gles2";
 }

hosts/tower/default.nix

@@ -25,8 +25,9 @@
   system = {
     desktop.enable = true;
     lanzaboote.enable = true;
-    libvirtd.enable = true;
     video.nvidia.enable = true;
     stateVersion = "24.05";
   };
+
+  virtualisation.libvirtd.enable = true;
 }

modules/system/devices/networking/default.nix

@@ -3,7 +3,6 @@
   imports = [
     ./ips
     ./wireless
-    ./wireguard
   ];
 
   networking = {

modules/system/devices/networking/wireguard/default.nix

@@ -1,7 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./client
-    ./server
-  ];
-}

modules/system/services/general/libvirtd/default.nix

@@ -1,10 +1,7 @@
 { config, lib, pkgs, ... }:
 {
-  options.system.libvirtd.enable = lib.mkEnableOption "Enable libvirtd services";
+  config = lib.mkIf config.virtualisation.libvirtd.enable {
-
-  config = lib.mkIf config.system.libvirtd.enable {
     virtualisation.libvirtd = {
-      enable = true;
       onBoot = "ignore";
       onShutdown = "shutdown";
       qemu = {
@@ -19,6 +16,13 @@
 
     programs.virt-manager.enable = true;
 
+    networking.firewall.trustedInterfaces = [
+      "virbr0"
+      "virbr1"
+    ];
+
+    systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 - libvirtd -" ];
+
     environment.persistence."/persist".directories = [
       "/var/lib/libvirt/dnsmasq"
       "/var/lib/libvirt/nwfilter"
@@ -27,13 +31,5 @@
       "/var/lib/libvirt/storage"
       "/var/lib/libvirt/swtpm"
     ];
-
-    # Needed to make NAT work
-    networking.firewall.trustedInterfaces = [
-      "virbr0"
-      "virbr1"
-    ];
-
-    systemd.tmpfiles.rules = [ "f /dev/shm/looking-glass 0660 - libvirtd -" ];
   };
 }

modules/system/services/general/tlp/default.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
-  services.tlp.enable = true;
+  services.tlp.enable = config.system.desktop.enable;
 }

modules/system/services/server/default.nix

@@ -8,10 +8,11 @@
     ./mailserver
     ./minecraft
     ./mysql
+    ./nginx
     ./owncast
     ./socialserver
     ./transmission
     ./vaultwarden
-    ./webserver
+    ./wireguard
   ];
 }

modules/system/services/server/fileserver/default.nix

@@ -1,6 +1,6 @@
 { lib, ... }: 
 {
-  options.system.fileserver.enable = lib.mkEnableOption "Enable file serving services";
+  options.services.fileserver.enable = lib.mkEnableOption "Enable file serving services";
 
   imports = [
     ./jellyfin

modules/system/services/server/fileserver/jellyfin/default.nix

@@ -5,7 +5,7 @@
     ./user
   ];
 
-  config = lib.mkIf config.system.fileserver.enable {
+  config = lib.mkIf config.services.fileserver.enable {
     services.jellyfin.enable = true;
     environment.persistence."/persist".directories = [ "/var/lib/jellyfin" ];
   };

modules/system/services/server/fileserver/nextcloud/default.nix

@@ -5,7 +5,7 @@
     ./user
   ];
 
-  config = lib.mkIf config.system.fileserver.enable {
+  config = lib.mkIf config.services.fileserver.enable {
     services.nextcloud = {
       enable = true;
       package = pkgs.nextcloud30;

modules/system/services/server/fileserver/nfs/default.nix

@@ -2,14 +2,13 @@
 {
   imports = [ ./user ];
 
-  config = lib.mkIf config.system.fileserver.enable {
+  config = lib.mkIf config.services.fileserver.enable {
     services.nfs.server = {
       enable = true;
       exports = ''
         /storage/Files *(rw,sync,no_subtree_check)
         /storage/Media *(rw,sync,no_subtree_check)
         /storage/Music *(rw,sync,no_subtree_check)
-        /srv/minecraft *(rw,sync,no_subtree_check)
       '';
     };
     networking.nftables.tables.nfs = {

modules/system/services/server/forgejo/default.nix

@@ -2,9 +2,8 @@
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
+  config = lib.mkIf config.services.forgejo.enable {
     services.forgejo = {
-      enable = true;
       package = pkgs.forgejo;
       settings = {
         server = {

modules/system/services/server/icecast/default.nix

@@ -6,7 +6,6 @@
   ];
 
   services.icecast = {
-    enable = config.system.server.enable;
     listen.port = 73;
     hostname = "radio.nixfox.ca";
     admin = {

modules/system/services/server/mailserver/default.nix

@@ -6,5 +6,5 @@
     ./simplenix
   ];
 
-  options.system.mailserver.enable = lib.mkEnableOption "Enable Simple NixOS Mailserver";
+  options.services.mailserver.enable = lib.mkEnableOption "Enable Simple NixOS Mailserver";
 }

modules/system/services/server/mailserver/go-autoconfig/default.nix

@@ -3,7 +3,7 @@
   imports = [ ./nginx ];
 
   services.go-autoconfig = {
-    enable = config.system.mailserver.enable;
+    enable = config.services.mailserver.enable;
     settings = {
       service_addr = ":1323";
       domain = "autoconfig.nixfox.ca";

modules/system/services/server/mailserver/go-autoconfig/nginx/default.nix

@@ -1,6 +1,6 @@
 { config, lib, ... }: 
 {
-  services.nginx.virtualHosts."autoconfig.nixfox.ca" = lib.mkIf config.mailserver.enable {
+  services.nginx.virtualHosts."autoconfig.nixfox.ca" = lib.mkIf config.services.go-autoconfig.enable {
     enableACME = true;
     forceSSL = true;
     locations."/" = {

modules/system/services/server/mailserver/roundcube/default.nix

@@ -1,6 +1,6 @@
 { config, lib, ... }: 
 {
-  config = lib.mkIf config.system.mailserver.enable {
+  config = lib.mkIf config.services.mailserver.enable {
     services.roundcube = {
       enable = true;
       hostName = "mail.nixfox.ca";

modules/system/services/server/mailserver/simplenix/default.nix

@@ -5,7 +5,7 @@
     mailserver.nixosModule
   ];
 
-  config = lib.mkIf config.system.mailserver.enable {
+  config = lib.mkIf config.services.mailserver.enable {
     mailserver = {
       enable = true;
       domains = [

modules/system/services/server/minecraft/default.nix

@@ -5,15 +5,21 @@
     minecraft.nixosModules.minecraft-servers
   ];
 
-  config = lib.mkIf config.system.server.enable {
+  config = lib.mkIf config.services.minecraft-servers.enable {
     nixpkgs = {
       overlays = [ minecraft.overlay ];
       allowUnfreePackages = [ "minecraft-server" ];
     };
 
-    services.minecraft-servers = {
+    services = {
-      enable = true;
+      minecraft-servers.eula = true;
-      eula = true;
+      mysql = {
+        ensureDatabases = [ "minecraft" ];
+        ensureUsers = [{
+          name = "minecraft";
+          ensurePermissions."minecraft.*" = "ALL PRIVILEGES";
+        }];
+      };
     };
 
     environment.persistence."/persist".directories = [ "/srv/minecraft" ];

modules/system/services/server/mysql/default.nix

@@ -4,17 +4,6 @@
     services.mysql = {
       enable = true;
       package = pkgs.mariadb;
-      ensureDatabases = [
-        "minecraft"
-      ];
-      ensureUsers = [
-        {
-          name = "minecraft";
-          ensurePermissions = {
-            "minecraft.*" = "ALL PRIVILEGES";
-          };
-        }
-      ];
     };
     environment.persistence."/persist".directories = [
       "/var/lib/mysql"

modules/system/services/server/nginx/default.nix

@@ -1,12 +1,15 @@
 { config, lib, ... }:
 {
   imports = [
+    ./acme
     ./rtmp
     ./user
     ./virtualhosts
   ];
 
-  config = lib.mkIf (config.system.server.enable || config.system.mailserver.enable) {
+  options.services.webserver.enable = lib.mkEnableOption "Enable nginx related services";
+
+  config = lib.mkIf config.system.server.enable {
     services.nginx = {
       enable = true;
       recommendedTlsSettings = true;
@@ -15,11 +18,11 @@
       recommendedProxySettings = true;
     };
 
-    environment.persistence."/persist".directories = [ "/var/www" ];
-
     networking.firewall.allowedTCPPorts = [
       80
       443
     ];
+
+    environment.persistence."/persist".directories = [ "/var/www" ];
   };
 }

modules/system/services/server/nginx/rtmp/default.nix

@@ -1,8 +1,6 @@
 { config, lib, pkgs, ... }:
 {
-  options.system.rtmp.enable = lib.mkEnableOption "Enable an RTMP server using Nginx";
+  config = lib.mkIf config.services.webserver.enable {
-
-  config = lib.mkIf config.system.rtmp.enable {
     services.nginx = {
       package = (pkgs.nginx.override {
         modules = with pkgs.nginxModules; [ rtmp ];

modules/system/services/server/nginx/virtualhosts/files/default.nix

@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts."jimbosfiles.com" = lib.mkIf config.system.server.enable {
+  services.nginx.virtualHosts."jimbosfiles.com" = lib.mkIf config.services.webserver.enable {
     enableACME = true;
     addSSL = true;
     globalRedirect = "www.nixfox.ca";

modules/system/services/server/nginx/virtualhosts/nixfox/default.nix

@@ -1,6 +1,6 @@
 { config, lib, ... }:
 {
-  services.nginx.virtualHosts = lib.mkIf config.system.server.enable {
+  services.nginx.virtualHosts = lib.mkIf config.services.webserver.enable {
     "www.nixfox.ca" = {
       enableACME = true;
       addSSL = true;

modules/system/services/server/owncast/default.nix

@@ -2,9 +2,8 @@
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.socialserver.enable {
+  config = lib.mkIf config.services.owncast.enable {
     services.owncast = {
-      enable = true;
       port = 8060;
       rtmp-port = 1945;
     };

modules/system/services/server/socialserver/default.nix

@@ -5,5 +5,5 @@
     ./matrix
   ];
 
-  options.system.socialserver.enable = lib.mkEnableOption "Enable social media like services";
+  options.services.socialserver.enable = lib.mkEnableOption "Enable social media like services";
 }

modules/system/services/server/socialserver/mastodon/default.nix

@@ -1,6 +1,6 @@
 { config, lib, pkgs, ... }:
 {
-  config = lib.mkIf config.system.socialserver.enable {
+  config = lib.mkIf config.services.socialserver.enable {
     services.mastodon = {
       enable = true;
       localDomain = "social.nixfox.ca";

modules/system/services/server/socialserver/matrix/synapse/default.nix

@@ -2,7 +2,7 @@
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.socialserver.enable {
+  config = lib.mkIf config.services.socialserver.enable {
     services.matrix-synapse = {
       enable = true;
       settings = {

modules/system/services/server/transmission/default.nix

@@ -2,15 +2,12 @@
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
+  config = lib.mkIf config.services.transmission.enable {
     services.transmission = {
-      enable = true;
       credentialsFile = pkgs.writeText "credentials" config.secrets.transmissionCredFile;
       openPeerPorts = true;
       settings.rpc-authentication-required = true;
     };
-    environment.persistence."/persist".directories = [
+    environment.persistence."/persist".directories = [ "/var/lib/transmission" ];
-      "/var/lib/transmission"
-    ];
   };
 }

modules/system/services/server/vaultwarden/default.nix

@@ -2,25 +2,22 @@
 {
   imports = [ ./nginx ];
 
-  config = lib.mkIf config.system.server.enable {
+  config = lib.mkIf config.services.vaultwarden.enable {
-    services.vaultwarden = {
+    services.vaultwarden.config = {
-      enable = true;
+      domain = "https://pass.nixfox.ca";
-      config = {
+      signupsAllowed = false;
-        domain = "https://pass.nixfox.ca";
+      rocketAddress = "127.0.0.1";
-        signupsAllowed = false;
+      rocketPort = 8222;
-        rocketAddress = "127.0.0.1";
-        rocketPort = 8222;
 
-        # Smtp email
+      # Smtp email
-        smtpHost = "mx.nixfox.ca";
+      smtpHost = "mx.nixfox.ca";
-        smtpFrom = "noreply@nixfox.ca";
+      smtpFrom = "noreply@nixfox.ca";
-        smtpFromName = "Vaultwarden";
+      smtpFromName = "Vaultwarden";
-        smtpUsername = "noreply@nixfox.ca";
+      smtpUsername = "noreply@nixfox.ca";
-        smtpPassword = config.secrets.mailPass.nixfoxNoReply;
+      smtpPassword = config.secrets.mailPass.nixfoxNoReply;
-        smtpSecurity = "starttls";
+      smtpSecurity = "starttls";
-        smtpPort = 587;
+      smtpPort = 587;
-        smtpTimeout = 15;
+      smtpTimeout = 15;
-      };
     };
 
     environment.persistence."/persist".directories = [ "/var/lib/vaultwarden" ];

modules/system/services/server/webserver/default.nix

@@ -1,9 +0,0 @@
-{ lib, ... }: 
-{
-  imports = [
-    ./acme
-    ./nginx
-  ];
-
-  options.system.webserver.enable = lib.mkEnableOption "Enable nginx related services";
-}

modules/system/services/server/wireguard/client/default.nix

@@ -1,8 +1,6 @@
 { config, lib, ... }:
 {
-  options.system.wireguard.client.enable = lib.mkEnableOption "Enable the Wireguard client";
+  config = lib.mkIf config.services.wireguard.client.enable {
-
-  config = lib.mkIf config.system.wireguard.client.enable {
     networking = {
       firewall.trustedInterfaces = [ "wgc" ];
       wg-quick.interfaces.wgc = {

modules/system/services/server/wireguard/default.nix

@@ -0,0 +1,12 @@
+{ lib, ... }:
+{
+  imports = [
+    ./client
+    ./server
+  ];
+
+  options.services.wireguard = with lib; {
+    client.enable = mkEnableOption "Enable Wireguard client";
+    server.enable = mkEnableOption "Enable Wireguard server";
+  };
+}

modules/system/services/server/wireguard/server/default.nix

@@ -1,13 +1,11 @@
 { config, lib, ... }:
 {
-  options.system.wireguard.server.enable = lib.mkEnableOption "Enable the Wireguard server";
+  config = lib.mkIf config.services.wireguard.server.enable {
-
-  config = lib.mkIf config.system.wireguard.server.enable {
     networking = {
       firewall.allowedUDPPorts = [ 51820 ];
 
       nat = {
-        enable = config.system.wireguard.server.enable;
+        enable = true;
         internalInterfaces = [ "wgs" ];
       };