refactor

hosts/apu/configuration.nix

@@ -3,18 +3,6 @@
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
 
 { lib, pkgs, config, ... }:
-let
-  nginxVhost = options: {
-    http2 = true;
-    forceSSL = true;
-    enableACME = true;
-    acmeRoot = null;
-  } // options;
-
-  nginxProxy = options: {
-    proxyWebsockets = true;
-  } // options;
-in
 {
   boot.loader.grub.enable = true;
   boot.loader.grub.device = "/dev/sda";
@@ -72,12 +60,16 @@ in
     };
   };
 
-  modules.firewall.rules = {
-    koti = [ "dhcp" "dns" "ssh" ];
-    gast = [ "dhcp" "dns" ];
-    iot = [ "dhcp" "dns" ];
-    cfg = [ "dhcp" "dns" ];
-    "tailscale*" = [ "ssh" "web" ];
+  modules.firewall = {
+    enable = true;
+    interfaces = {
+      koti = [ "dhcp" "dns" "ssh" "web" ];
+      gast = [ "dhcp" "dns" ];
+      iot = [ "dhcp" "dns" ];
+      cfg = [ "dhcp" "dns" ];
+      "tailscale*" = [ "ssh" "web" ];
+    };
+    allInterfaces = [ ];
   };
 
   systemd.network = {
@@ -228,31 +220,12 @@ in
     };
   };
 
-  services.nginx.virtualHosts."koti.repomaa.com" = nginxVhost {
-    extraConfig = ''
-      proxy_buffering off;
-    '';
-    locations."/" = nginxProxy {
-      proxyPass = "http://127.0.0.1:8123";
-    };
-  };
-
-  services.nginx = {
+  modules.webserver = {
     enable = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-    recommendedBrotliSettings = true;
-    recommendedGzipSettings = true;
-    recommendedZstdSettings = true;
-    recommendedOptimisation = true;
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      dnsProvider = "hetzner";
-      environmentFile = "/var/secrets/lego";
-      email = "admin@j.repomaa.com";
+    acme.dnsChallenge = true;
+    vHosts."koti.repomaa.com" = {
+      proxyBuffering = false;
+      locations."/".proxy = "http://127.0.0.1:8123";
     };
   };