about summary refs log tree commit diff
diff options
context:
space:
mode:
authorAzat Bahawi <azat@bahawi.net>2023-11-12 17:50:43 +0300
committerAzat Bahawi <azat@bahawi.net>2023-11-12 17:50:43 +0300
commit011c1632f3762e1bc1ecfdee9d9f3b3f44be74e5 (patch)
treee9d7d5955f25f82cdb671f1c44da663d2d839485
parent2023-11-09 (diff)
2023-11-12
Diffstat (limited to '')
-rw-r--r--flake.lock36
-rw-r--r--lib/default.nix34
-rw-r--r--modules/common/emacs/default.nix4
-rw-r--r--modules/common/emacs/doom/config.el42
-rw-r--r--modules/common/emacs/doom/init.el4
-rw-r--r--modules/common/git.nix2
-rw-r--r--modules/common/nmap.nix2
-rw-r--r--modules/nixos/alertmanager.nix5
-rw-r--r--modules/nixos/games/lutris.nix4
-rw-r--r--modules/nixos/git/default.nix6
-rw-r--r--modules/nixos/gotify.nix3
-rw-r--r--modules/nixos/grafana.nix3
-rw-r--r--modules/nixos/ipfs.nix5
-rw-r--r--modules/nixos/jackett.nix3
-rw-r--r--modules/nixos/lidarr.nix3
-rw-r--r--modules/nixos/loki.nix3
-rw-r--r--modules/nixos/nginx.nix17
-rw-r--r--modules/nixos/ntfy.nix3
-rw-r--r--modules/nixos/plausible.nix198
-rw-r--r--modules/nixos/prometheus.nix3
-rw-r--r--modules/nixos/radarr.nix3
-rw-r--r--modules/nixos/radicale.nix3
-rw-r--r--modules/nixos/rss-bridge.nix3
-rw-r--r--modules/nixos/rtorrent.nix8
-rw-r--r--modules/nixos/searx.nix3
-rw-r--r--modules/nixos/sonarr.nix3
-rw-r--r--modules/nixos/syncthing.nix3
-rw-r--r--modules/nixos/victoriametrics.nix3
-rw-r--r--nixosConfigurations/manwe/webserver.nix6
-rw-r--r--nixosConfigurations/yavanna/default.nix5
30 files changed, 230 insertions, 190 deletions
diff --git a/flake.lock b/flake.lock
index d157b10..ba36087 100644
--- a/flake.lock
+++ b/flake.lock
@@ -147,11 +147,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699437533,
-        "narHash": "sha256-lMoPz9c89CpPVuJ95OFFesM9JagCF0soGbQatj3ZhqM=",
+        "lastModified": 1699569089,
+        "narHash": "sha256-MdOnyXrmMdVU9o7GpcbWKgehoK9L76ihp8rTikPcC1k=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "eb2b9b64238349bd351561e32e260cac15db6f9a",
+        "rev": "c8f385766ba076a096caa794309c40f89894d88a",
         "type": "github"
       },
       "original": {
@@ -309,11 +309,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699233548,
-        "narHash": "sha256-oV0OdM6BOmPOM2CES3zZ24XFMkIrUKw4hjH50RxfWqw=",
+        "lastModified": 1699492773,
+        "narHash": "sha256-VsW4ZMGC/9LMs1iv3jVPjtbyKZ7sUejp6tpXILBXVWI=",
         "owner": "Infinidoge",
         "repo": "nix-minecraft",
-        "rev": "3888af3947c721fb51ee97f24fef891566b1552f",
+        "rev": "7be0b495e1413fdac957b1f223430190a4d27f81",
         "type": "github"
       },
       "original": {
@@ -336,11 +336,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1699406699,
-        "narHash": "sha256-Y/cuCmpmkAIhhKmoF97k4ZG4I2hRH6kcZe00BH3KN3U=",
+        "lastModified": 1699579295,
+        "narHash": "sha256-W1HsyOFLmyWw46e+cuAIazQTD6g6dgxLMIIuaBoJzF8=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "57af5d8164187dcb4015e9efc823f7bd33d9c6fc",
+        "rev": "5d33996d98e9ff45a73a6f9ed293d548f6c14a39",
         "type": "github"
       },
       "original": {
@@ -384,11 +384,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1699481204,
-        "narHash": "sha256-VthbrNgoxDUjVcMqX6IciqfrraiHIbPV1LHQvG0jnvc=",
+        "lastModified": 1699654502,
+        "narHash": "sha256-1IskzzUp5G7k76GjPJp4u46l4jLQaBQA0pY4wvwJw98=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "4e4bbb01ebfa4a1ce322f036007ec4d653071523",
+        "rev": "a27b0a663b7c4fcac7a6bbb92b6b7f21d85cd3c4",
         "type": "github"
       },
       "original": {
@@ -400,11 +400,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1699458350,
-        "narHash": "sha256-AHoi7cM4SzQTpu4ZMzt+KDoxxka/qjGPvR+0lvaLgf0=",
+        "lastModified": 1699646590,
+        "narHash": "sha256-f81xS0qN6H1ULTyArpZgdjsly4FY0BnvPXdmSb7hq+o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "da44563672fb0faca83dc56185472e56d1a21852",
+        "rev": "1d55765508b8316798429875712dc1ef5e62a2fa",
         "type": "github"
       },
       "original": {
@@ -478,11 +478,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1699481792,
-        "narHash": "sha256-7gt0Cci+AQoEWNVEMkmxALy/08hdup9/4KQ5zOYW3iE=",
+        "lastModified": 1699645538,
+        "narHash": "sha256-CKzsVfYM/9ccp0VDgzB91c33Ts8KSub7q5FWLNJouXk=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "a865eb8d6829bd7317360abcb53a94381a21eeb1",
+        "rev": "9ffcf2dd6ac13cd0469a0ac2664296f45d879ffb",
         "type": "github"
       },
       "original": {
diff --git a/lib/default.nix b/lib/default.nix
index be32e60..7fbaeec 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -14,7 +14,7 @@ lib: _: rec {
     assert exponent > 0;
       builtins.foldl' (x: _: x * base) 1 (builtins.genList (_: _) exponent);
 
-  mapListToAttrs = f: xs:
+  mapListToAttrs = f: attrs:
     builtins.listToAttrs (map (name: {
         name =
           if builtins.isList name
@@ -22,25 +22,25 @@ lib: _: rec {
           else name;
         value = f name;
       })
-      xs);
+      attrs);
 
   mkTcpMem = min: ini: max:
     assert min <= ini && ini <= max;
       lib.concatMapStrings (x: toString x + " ") (map (pow 2) [min ini max]);
 
-  # TODO Move these to the NGINX module.
-  nginxInternalOnly = ''
-    if ($internal != 1) {
-      return 403;
-    }
-    access_log off;
-  '';
-  nginxAppendHead = text: ''
-    sub_filter '</head>' '${lib.concatStrings text}</head>';
-    sub_filter_once on;
-  '';
-  htmlPlausibleScript = {
-    domain ? "$host",
-    src ? "https://plausible.shire.net/js/script.js",
-  }: ''<script defer data-domain="${domain}" src="${src}"></script>'';
+  moduleFromRef = module: ref: sha256: {
+    disabledModules = [module];
+    imports = [
+      (let
+        src = builtins.fetchTarball {
+          url = let
+            cons = lib.splitString ":" ref;
+            owner = lib.head cons;
+            branch = lib.last cons;
+          in "https://github.com/${owner}/nixpkgs/archive/refs/heads/${branch}.tar.gz";
+          inherit sha256;
+        };
+      in "${src}/nixos/modules/${module}")
+    ];
+  };
 }
diff --git a/modules/common/emacs/default.nix b/modules/common/emacs/default.nix
index e7597ad..c5cf7ed 100644
--- a/modules/common/emacs/default.nix
+++ b/modules/common/emacs/default.nix
@@ -195,6 +195,10 @@ in {
                   '')
                 muAccounts;
             in ''
+              ;; A stupid hack. This needs to be fixed upstream in either Doom
+              ;; or Nixpkgs.
+              (add-to-list 'load-path "${pkgs.mu.mu4e}/share/emacs/site-lisp/mu4e")
+
               (setq mu4e-root-maildir "${maildirBasePath}")
 
               ${mu4eAccounts}
diff --git a/modules/common/emacs/doom/config.el b/modules/common/emacs/doom/config.el
index df8b82e..7cecfba 100644
--- a/modules/common/emacs/doom/config.el
+++ b/modules/common/emacs/doom/config.el
@@ -2,32 +2,35 @@
 ;;; Misc
 ;;
 
-(setq display-line-numbers-type t)
+(setq frame-title-format '("GNU Emacs"))
 
-(setq scroll-margin 10
-      hscroll-margin 10)
+(setq-hook! 'prog-mode-hook
+  display-line-numbers-type 'relative
+  scroll-margin 10
+  hscroll-margin 10)
 
-(setq browse-url-generic-program (executable-find "firefox")
-      browse-url-browser-function 'browse-url-generic)
+(when IS-LINUX
+  (setq browse-url-generic-program (executable-find "firefox")
+        browse-url-browser-function 'browse-url-generic))
 
 ;;
 ;;; Doom-specific
 ;;
 
-;; Make it more default-ey.
-(setq frame-title-format '("Emacs")
-      icon-title-format frame-title-format)
-
-(setq doom-theme 'doom-tomorrow-night)
-
-(setq +format-on-save-enabled-modes '(not nix-mode json-mode yaml-mode))
+(setq doom-theme 'doom-tomorrow-night
+      doom-modeline-icon nil
+      doom-modeline-indent-info t
+      doom-modeline-total-line-number t
+      doom-modeline-height 30)
 
 ;;
 ;;; LSP
 ;;
 
 (setq lsp-enable-suggest-server-download nil
-      lsp-file-watch-threshold 512)
+      lsp-enable-file-watchers t
+      lsp-file-watch-threshold 2048
+      lsp-modeline-code-actions-enable nil)
 
 ;;
 ;;; Org
@@ -174,12 +177,13 @@
 
 (setq circe-network-options
       (mapcar (lambda (server)
-                `(,server :server-buffer-name ,server
-                          :host "shire.net"
-                          :port 6667
-                          :user ,(concat circe-default-user "/" server)
-                          :pass ,(lambda (&rest _)
-                                   (+pass-get-secret "server/soju.manwe.shire.net/azahi"))))
+                `(,server
+                  :server-buffer-name ,server
+                  :host "shire.net"
+                  :port 6667
+                  :user ,(concat circe-default-user "/" server)
+                  :pass ,(lambda (&rest _)
+                           (+pass-get-secret "server/soju.manwe.shire.net/azahi"))))
               '("libera" "oftc" "hackint" "rizon")))
 
 ;;
diff --git a/modules/common/emacs/doom/init.el b/modules/common/emacs/doom/init.el
index 3b26e0d..0acd008 100644
--- a/modules/common/emacs/doom/init.el
+++ b/modules/common/emacs/doom/init.el
@@ -14,8 +14,8 @@
        hl-todo
        hydra
        indent-guides
-       (ligatures +extra)
-       (modeline +light)
+       ligatures
+       modeline
        ;; nav-flash
        ophints
        (popup +defaults)
diff --git a/modules/common/git.nix b/modules/common/git.nix
index da33eb2..4ed7c03 100644
--- a/modules/common/git.nix
+++ b/modules/common/git.nix
@@ -116,7 +116,7 @@ in {
             fuck = "!${git} reset --hard && ${git} clean --force -dx";
             get = "pull --all --recurse-submodules --autostash";
             gud = ''commit -m "git gud"'';
-            refresh = "clean --force -X";
+            refresh = "clean --force -dx";
             tree = "log --graph --date=relative --pretty=tformat:'%Cred%h%Creset -%C(auto)%d%Creset %s %Cgreen(%an %ad)%Creset'";
             uncommit = "reset --soft HEAD~1";
             untrack = "rm --cache --";
diff --git a/modules/common/nmap.nix b/modules/common/nmap.nix
index 03586c0..c13a9bc 100644
--- a/modules/common/nmap.nix
+++ b/modules/common/nmap.nix
@@ -14,7 +14,7 @@ in {
     hm = {
       home = {
         file = {
-          ".nmap/scripts/vulners/vulners.nse".source = "${inputs.nmap-vulners}/vulners.nse";
+          ".nmap/scripts/vulners".source = inputs.nmap-vulners;
           ".nmap/scripts/vulscan/vulscan.nse".source = "${inputs.nmap-vulscan}/vulscan.nse";
         };
 
diff --git a/modules/nixos/alertmanager.nix b/modules/nixos/alertmanager.nix
index c8f0bf2..acbf7df 100644
--- a/modules/nixos/alertmanager.nix
+++ b/modules/nixos/alertmanager.nix
@@ -2,6 +2,7 @@
   config,
   inputs,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -28,12 +29,12 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules = {
       ntfy.enable = true;
-      nginx = with cfg; {
+      nginx = {
         enable = true;
         upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = {};
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://alertmanager";
-          extraConfig = nginxInternalOnly;
+          extraConfig = libNginx.config.internalOnly;
         };
       };
     };
diff --git a/modules/nixos/games/lutris.nix b/modules/nixos/games/lutris.nix
index ad1e43e..feaeefa 100644
--- a/modules/nixos/games/lutris.nix
+++ b/modules/nixos/games/lutris.nix
@@ -17,7 +17,9 @@ in {
     };
 
     hm.home.packages = with pkgs; [
-      lutris
+      (lutris.override {
+        extraPkgs = _: [wine];
+      })
       vkBasalt
       winetricks
     ];
diff --git a/modules/nixos/git/default.nix b/modules/nixos/git/default.nix
index 4268f82..67cc07b 100644
--- a/modules/nixos/git/default.nix
+++ b/modules/nixos/git/default.nix
@@ -1,5 +1,7 @@
 {
   config,
+  libNginx,
+  libPlausible,
   lib,
   pkgs,
   ...
@@ -73,9 +75,9 @@ in {
             fastcgi_param QUERY_STRING $args;
             fastcgi_param HTTP_HOST $server_name;
 
-            ${nginxAppendHead [
+            ${libNginx.config.appendHead [
               ''<meta name="go-import" content="$host$uri git https://$host$uri">''
-              (htmlPlausibleScript {inherit (cfg.server) domain;})
+              (libPlausible.htmlPlausibleScript {inherit (cfg.server) domain;})
             ]}
           '';
           "~* ^.+(cgit.css|robots.txt)$".extraConfig = ''
diff --git a/modules/nixos/gotify.nix b/modules/nixos/gotify.nix
index db47bb4..41e1956 100644
--- a/modules/nixos/gotify.nix
+++ b/modules/nixos/gotify.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -29,7 +30,7 @@ in {
               proxyPass = "http://gotify";
               proxyWebsockets = true;
             };
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
         };
         postgresql = {
diff --git a/modules/nixos/grafana.nix b/modules/nixos/grafana.nix
index c191e38..ae79d17 100644
--- a/modules/nixos/grafana.nix
+++ b/modules/nixos/grafana.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   inputs,
   lib,
   ...
@@ -56,7 +57,7 @@ in {
               proxyPass = "http://grafana";
               proxyWebsockets = true;
             };
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
         };
         postgresql = {
diff --git a/modules/nixos/ipfs.nix b/modules/nixos/ipfs.nix
index 43ddb70..bf93a3c 100644
--- a/modules/nixos/ipfs.nix
+++ b/modules/nixos/ipfs.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   this,
   ...
@@ -129,7 +130,7 @@ in {
         virtualHosts = {
           ${cfg.domain} = {
             locations."/".proxyPass = "http://kubo_gateway";
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
           "api.${cfg.domain}" = {
             locations = {
@@ -138,7 +139,7 @@ in {
                 optionalString config.nixfiles.modules.acme.enable "s"
               }://api.${cfg.domain}/webui";
             };
-            extraConfig = nginxInternalOnly;
+            extraConfig = libNginx.config.internalOnly;
           };
         };
       };
diff --git a/modules/nixos/jackett.nix b/modules/nixos/jackett.nix
index f8e45ba..772e0e9 100644
--- a/modules/nixos/jackett.nix
+++ b/modules/nixos/jackett.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.jackett.servers."127.0.0.1:9117" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://jackett";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/lidarr.nix b/modules/nixos/lidarr.nix
index ffa0735..b0c833c 100644
--- a/modules/nixos/lidarr.nix
+++ b/modules/nixos/lidarr.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.lidarr.servers."127.0.0.1:8686" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://lidarr";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/loki.nix b/modules/nixos/loki.nix
index 90a051c..c5194e1 100644
--- a/modules/nixos/loki.nix
+++ b/modules/nixos/loki.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   pkgs,
   ...
@@ -31,7 +32,7 @@ in {
       upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://loki";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/nginx.nix b/modules/nixos/nginx.nix
index 9ca6936..05c6a06 100644
--- a/modules/nixos/nginx.nix
+++ b/modules/nixos/nginx.nix
@@ -25,6 +25,23 @@ in {
   };
 
   config = mkIf cfg.enable {
+    _module.args.libNginx.config = {
+      internalOnly = ''
+        if ($internal != 1) {
+          return 403;
+        }
+        access_log off;
+      '';
+      appendHead = text: ''
+        sub_filter '</head>' '${lib.concatStrings text}</head>';
+        sub_filter_once on;
+      '';
+      noProxyBuffering = ''
+        proxy_buffering off;
+        proxy_cache off;
+      '';
+    };
+
     services = {
       nginx = {
         enable = true;
diff --git a/modules/nixos/ntfy.nix b/modules/nixos/ntfy.nix
index 1682b7e..037f84a 100644
--- a/modules/nixos/ntfy.nix
+++ b/modules/nixos/ntfy.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   this,
   ...
 }:
@@ -55,7 +56,7 @@ in {
             deny all;
           '';
         };
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix
index 6553462..91bdff9 100644
--- a/modules/nixos/plausible.nix
+++ b/modules/nixos/plausible.nix
@@ -6,126 +6,124 @@
 }:
 with lib; let
   cfg = config.nixfiles.modules.plausible;
-in {
-  options.nixfiles.modules.plausible = {
-    enable = mkEnableOption "Plausible Analytics";
+in
+  {
+    options.nixfiles.modules.plausible = {
+      enable = mkEnableOption "Plausible Analytics";
 
-    port = mkOption {
-      description = "Port.";
-      type = with types; port;
-      default = 8000;
-    };
+      port = mkOption {
+        description = "Port.";
+        type = with types; port;
+        default = 8000;
+      };
 
-    domain = mkOption {
-      description = "Domain name sans protocol scheme.";
-      type = with types; nullOr str;
-      default = "plausible.${config.networking.domain}";
+      domain = mkOption {
+        description = "Domain name sans protocol scheme.";
+        type = with types; nullOr str;
+        default = "plausible.${config.networking.domain}";
+      };
     };
-  };
 
-  config = let
-    db = "plausible";
-  in
-    mkIf cfg.enable {
-      secrets = {
-        plausible-key = {
-          file = "${inputs.self}/secrets/plausible-key";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
+    config = let
+      db = "plausible";
+    in
+      mkIf cfg.enable {
+        _module.args.libPlausible = {
+          htmlPlausibleScript = {
+            domain ? "$host",
+            src ? "https://${cfg.domain}/js/script.js",
+          }: ''<script defer data-domain="${domain}" src="${src}"></script>'';
         };
-        plausible-admin-password = {
-          file = "${inputs.self}/secrets/plausible-admin-password";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
-        };
-        plausible-smtp-password = {
-          file = "${inputs.self}/secrets/smtp-password";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
-        };
-        plausible-release-cookie = {
-          file = "${inputs.self}/secrets/plausible-release-cookie";
-          mode = "0444"; # The user is dynamic so the file must be world-readable.
+
+        secrets = {
+          plausible-key.file = "${inputs.self}/secrets/plausible-key";
+          plausible-admin-password.file = "${inputs.self}/secrets/plausible-admin-password";
+          plausible-smtp-password.file = "${inputs.self}/secrets/smtp-password";
         };
-      };
 
-      nixfiles.modules = {
-        nginx = {
-          enable = true;
-          upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
-          virtualHosts.${cfg.domain}.locations."/" = {
-            proxyPass = "http://plausible";
-            proxyWebsockets = true;
+        nixfiles.modules = {
+          nginx = {
+            enable = true;
+            upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
+            virtualHosts.${cfg.domain}.locations."/" = {
+              proxyPass = "http://plausible";
+              proxyWebsockets = true;
+            };
+          };
+          postgresql = {
+            enable = true;
+            extraPostStart = [
+              ''
+                $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+                $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext'
+              ''
+            ];
           };
+          clickhouse.enable = true;
         };
-        postgresql = {
-          enable = true;
-          extraPostStart = [
-            ''
-              $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
-              $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext'
-            ''
+
+        services.postgresql = {
+          ensureDatabases = [db];
+          ensureUsers = [
+            {
+              name = db;
+              ensurePermissions."DATABASE \"${db}\"" = "ALL";
+            }
           ];
         };
-        clickhouse.enable = true;
-      };
 
-      services.postgresql = {
-        ensureDatabases = [db];
-        ensureUsers = [
-          {
-            name = db;
-            ensurePermissions."DATABASE \"${db}\"" = "ALL";
-          }
-        ];
-      };
-
-      services.plausible = {
-        enable = true;
+        services.plausible = {
+          enable = true;
 
-        adminUser = {
-          name = "admin";
-          email = "admin@${my.domain.shire}";
-          passwordFile = config.secrets.plausible-admin-password.path;
-          activate = false;
-        };
+          adminUser = {
+            name = "admin";
+            email = "admin@${my.domain.shire}";
+            passwordFile = config.secrets.plausible-admin-password.path;
+            activate = false;
+          };
 
-        mail = {
-          email = "admin+plausible@${my.domain.shire}";
-          smtp = {
-            hostAddr = my.domain.shire;
-            hostPort = 465;
-            enableSSL = true;
-            user = "azahi@${my.domain.shire}";
-            passwordFile = config.secrets.plausible-smtp-password.path;
+          mail = {
+            email = "admin+plausible@${my.domain.shire}";
+            smtp = {
+              hostAddr = my.domain.shire;
+              hostPort = 465;
+              enableSSL = true;
+              user = "azahi@${my.domain.shire}";
+              passwordFile = config.secrets.plausible-smtp-password.path;
+            };
           };
-        };
 
-        database = {
-          clickhouse = {
-            setup = false;
-            url = "http://127.0.0.1:8123/default";
+          database = {
+            clickhouse = {
+              setup = false;
+              url = "http://127.0.0.1:8123/default";
+            };
+
+            postgres = {
+              setup = true;
+              dbname = db;
+            };
           };
 
-          postgres = {
-            setup = true;
-            dbname = db;
+          server = {
+            baseUrl = "https://${cfg.domain}";
+            disableRegistration = true;
+            listenAddress = "127.0.0.1";
+            inherit (cfg) port;
+            secretKeybaseFile = config.secrets.plausible-key.path;
           };
         };
 
-        server = {
-          baseUrl = "https://${cfg.domain}";
-          disableRegistration = true;
-          inherit (cfg) port;
-          secretKeybaseFile = config.secrets.plausible-key.path;
+        systemd.services.plausible = rec {
+          after = [
+            "postgresql.service"
+            "clickhouse.service"
+          ];
+          requires = after;
         };
-
-        releaseCookiePath = config.secrets.plausible-release-cookie.path;
       };
-
-      systemd.services.plausible = rec {
-        after = [
-          "postgresql.service"
-          "clickhouse.service"
-        ];
-        requires = after;
-      };
-    };
-}
+  }
+  // lib.moduleFromRef
+  "services/web-apps/plausible.nix"
+  "nh2:plausible-listen-address-no-distributed-erlang"
+  "080c1rdz99xj8y876cw1p3zxmmaqq75jhrpf9f5z1da8v7yvs078"
diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix
index 6de294f..5e61e73 100644
--- a/modules/nixos/prometheus.nix
+++ b/modules/nixos/prometheus.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   ...
 }:
@@ -28,7 +29,7 @@ in {
       upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://prometheus";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/radarr.nix b/modules/nixos/radarr.nix
index 1551934..72abfac 100644
--- a/modules/nixos/radarr.nix
+++ b/modules/nixos/radarr.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.radarr.servers."127.0.0.1:7878" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://radarr";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/radicale.nix b/modules/nixos/radicale.nix
index d072899..3c6a230 100644
--- a/modules/nixos/radicale.nix
+++ b/modules/nixos/radicale.nix
@@ -1,4 +1,5 @@
 {
+  libNginx,
   config,
   inputs,
   lib,
@@ -34,7 +35,7 @@ in {
         upstreams.radicale.servers."127.0.0.1:${toString port}" = {};
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://radicale";
-          extraConfig = nginxInternalOnly;
+          extraConfig = libNginx.config.internalOnly;
         };
       };
 
diff --git a/modules/nixos/rss-bridge.nix b/modules/nixos/rss-bridge.nix
index 1fcaac8..486f2bf 100644
--- a/modules/nixos/rss-bridge.nix
+++ b/modules/nixos/rss-bridge.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -21,7 +22,7 @@ in {
 
     nixfiles.modules.nginx = {
       enable = true;
-      virtualHosts.${cfg.domain}.extraConfig = nginxInternalOnly;
+      virtualHosts.${cfg.domain}.extraConfig = libNginx.config.internalOnly;
     };
 
     services.rss-bridge = {
diff --git a/modules/nixos/rtorrent.nix b/modules/nixos/rtorrent.nix
index a4cade7..5d2dba5 100644
--- a/modules/nixos/rtorrent.nix
+++ b/modules/nixos/rtorrent.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   pkgs,
   ...
 }:
@@ -225,13 +226,10 @@ in {
                 "/".tryFiles = "$uri /index.html";
                 "/api" = {
                   proxyPass = "http://flood";
-                  extraConfig = ''
-                    proxy_buffering off;
-                    proxy_cache off;
-                  '';
+                  extraConfig = libNginx.config.noProxyBuffering;
                 };
               };
-              extraConfig = nginxInternalOnly;
+              extraConfig = libNginx.config.internalOnly;
             };
           };
 
diff --git a/modules/nixos/searx.nix b/modules/nixos/searx.nix
index 9462d5d..5c37f58 100644
--- a/modules/nixos/searx.nix
+++ b/modules/nixos/searx.nix
@@ -2,6 +2,7 @@
   config,
   inputs,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -35,7 +36,7 @@ in {
       upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://searx";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/sonarr.nix b/modules/nixos/sonarr.nix
index 2d2feb9..5cd8931 100644
--- a/modules/nixos/sonarr.nix
+++ b/modules/nixos/sonarr.nix
@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  libNginx,
   ...
 }:
 with lib; let
@@ -24,7 +25,7 @@ in {
       upstreams.sonarr.servers."127.0.0.1:8989" = {};
       virtualHosts.${cfg.domain} = {
         locations."/".proxyPass = "http://sonarr";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/modules/nixos/syncthing.nix b/modules/nixos/syncthing.nix
index 8815f98..755e2db 100644
--- a/modules/nixos/syncthing.nix
+++ b/modules/nixos/syncthing.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   inputs,
   lib,
   this,
@@ -137,7 +138,7 @@ in {
         upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = {};
         virtualHosts.${cfg.domain} = {
           locations."/".proxyPass = "http://syncthing";
-          extraConfig = nginxInternalOnly;
+          extraConfig = libNginx.config.internalOnly;
         };
       };
     })
diff --git a/modules/nixos/victoriametrics.nix b/modules/nixos/victoriametrics.nix
index 509ee17..89d3ddb 100644
--- a/modules/nixos/victoriametrics.nix
+++ b/modules/nixos/victoriametrics.nix
@@ -1,5 +1,6 @@
 {
   config,
+  libNginx,
   lib,
   ...
 }:
@@ -28,7 +29,7 @@ in {
       upstreams.victoriametrics.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain} = {
         locations."/".proxyPass = "http://victoriametrics";
-        extraConfig = nginxInternalOnly;
+        extraConfig = libNginx.config.internalOnly;
       };
     };
 
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
index 5ea2418..324036a 100644
--- a/nixosConfigurations/manwe/webserver.nix
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -1,4 +1,6 @@
 {
+  libNginx,
+  libPlausible,
   inputs,
   lib,
   ...
@@ -79,7 +81,9 @@ with lib; {
           serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
           locations."/" = {
             root = inputs.azahi-cc;
-            extraConfig = nginxAppendHead [(htmlPlausibleScript {domain = azahi;})];
+            extraConfig = libNginx.config.appendHead [
+              (libPlausible.htmlPlausibleScript {domain = azahi;})
+            ];
           };
         };
       }
diff --git a/nixosConfigurations/yavanna/default.nix b/nixosConfigurations/yavanna/default.nix
index 4aacb9d..6f0d848 100644
--- a/nixosConfigurations/yavanna/default.nix
+++ b/nixosConfigurations/yavanna/default.nix
@@ -31,11 +31,6 @@ with lib; {
     listenAddress = this.wireguard.ipv4.address;
     environment.CONFIG = "/var/lib/lidarr/.config/Lidarr/config.xml";
   };
-  systemd.services.prometheus-exportarr-lidarr-exporter.serviceConfig = {
-    ProcSubset = "pid";
-    ProtectProc = "invisible";
-    SystemCallFilter = ["@system-service" "~@privileged"];
-  };
 
   boot.loader.grub = {
     enable = true;

Consider giving Nix/NixOS a try! <3