-rw-r--r--.projectile1
-rw-r--r--configurations/manwe/default.nix5
-rw-r--r--configurations/melian/default.nix4
-rw-r--r--flake.lock90
-rw-r--r--flake.nix18
-rw-r--r--lib/my.nix12
-rw-r--r--modules/nixfiles/alertmanager.nix19
-rw-r--r--modules/nixfiles/common/users.nix4
-rw-r--r--modules/nixfiles/grafana.nix9
-rw-r--r--modules/nixfiles/loki.nix12
-rw-r--r--modules/nixfiles/monitoring.nix47
-rw-r--r--modules/nixfiles/nsd.nix5
-rw-r--r--modules/nixfiles/profiles/dev/containers/default.nix1
-rw-r--r--modules/nixfiles/prometheus.nix14
-rw-r--r--modules/nixfiles/promtail.nix2
-rw-r--r--modules/nixfiles/radicale.nix9
-rw-r--r--modules/nixfiles/syncthing.nix25
-rw-r--r--modules/nixfiles/wireguard.nix2
18 files changed, 117 insertions, 162 deletions
diff --git a/.projectile b/.projectile
new file mode 100644
index 0000000..f8da25c
--- /dev/null
+++ b/.projectile
@@ -0,0 +1 @@
+-/secrets
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
index 50acacd..1adc93d 100644
--- a/configurations/manwe/default.nix
+++ b/configurations/manwe/default.nix
@@ -84,10 +84,7 @@ with lib; {
         job_name = "postgres";
         static_configs = [
           {
-            targets = with postgres; [
-              "${manwe.hostname}:${toString port}"
-              "${varda.hostname}:${toString port}"
-            ];
+            targets = with postgres; ["${manwe.hostname}:${toString port}"];
           }
         ];
       }
diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix
index 2f3da98..cde109d 100644
--- a/configurations/melian/default.nix
+++ b/configurations/melian/default.nix
@@ -43,7 +43,6 @@ with lib; {
       key = syncthing-key-melian.path;
       cert = syncthing-cert-melian.path;
     };
-    # ipfs.enable = true; # High CPU usage is really anoying.
 
     beets.enable = true;
     bluetooth.enable = true;
@@ -55,6 +54,8 @@ with lib; {
     throttled.enable = true;
   };
 
+  # TODO Move to a separate module so that it could be reused on other desktops
+  # in the future.
   hm = {
     home.packages = with pkgs; [
       (aspellWithDicts (p: with p; [en ru]))
@@ -68,7 +69,6 @@ with lib; {
     accounts.email = {
       maildirBasePath = "${config.my.home}/mail";
 
-      # TODO Move to my.nix.
       accounts = let
         base = {
           mbsync = {
diff --git a/flake.lock b/flake.lock
index f7141a2..635a820 100644
--- a/flake.lock
+++ b/flake.lock
@@ -21,29 +21,6 @@
         "type": "github"
       }
     },
-    "alertmanager-gotify": {
-      "inputs": {
-        "flake-utils": [
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1638488371,
-        "narHash": "sha256-WTzMc8W0+U7ifcaiwejFjnDNoBoK+CcaV6VIBLK3BrI=",
-        "ref": "refs/heads/master",
-        "rev": "b752ae3ca5974ab5a2d19a59c2e2960faeff699c",
-        "revCount": 35,
-        "type": "git",
-        "url": "https://git.mbosch.me/ma27/alertmanager-gotify"
-      },
-      "original": {
-        "type": "git",
-        "url": "https://git.mbosch.me/ma27/alertmanager-gotify"
-      }
-    },
     "azahi-cc": {
       "flake": false,
       "locked": {
@@ -111,11 +88,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1659379767,
-        "narHash": "sha256-cfcutZL9YBqx2uTRfeLpic6baU/nwLlsp/hMnL/boDA=",
+        "lastModified": 1660360969,
+        "narHash": "sha256-Ta1Bi+QQjVpWn3fLK6ivXxPOOQ/r26N94AZ8GrvVQR8=",
         "owner": "nix-community",
         "repo": "emacs-overlay",
-        "rev": "e911c43b99c7b9c94ee408c38b0c6e2c6a01132e",
+        "rev": "e8ea1c440e46dcf900428543438c5fc5c0ea56e0",
         "type": "github"
       },
       "original": {
@@ -128,11 +105,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1641205782,
-        "narHash": "sha256-4jY7RCWUoZ9cKD8co0/4tFARpWB+57+r1bLLvXNJliY=",
+        "lastModified": 1627913399,
+        "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "b7547d3eed6f32d06102ead8991ec52ab0a4f1a7",
+        "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
         "type": "github"
       },
       "original": {
@@ -161,11 +138,11 @@
     },
     "flake-utils": {
       "locked": {
-        "lastModified": 1656928814,
-        "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=",
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
         "type": "github"
       },
       "original": {
@@ -185,11 +162,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1659398318,
-        "narHash": "sha256-5wovS14I/DNXwfiMP402Ut2kxI58CO1wD943fboWMDw=",
+        "lastModified": 1660330190,
+        "narHash": "sha256-RgQUtZGmdb9fRkdBcI8x1KYuykbQCBaeY6ejFls7hFM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "77648a07e459adff69b2c4033a77b2cababb5843",
+        "rev": "8675cfa549e1240c9d2abb1c878bc427eefcf926",
         "type": "github"
       },
       "original": {
@@ -201,11 +178,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1659356074,
-        "narHash": "sha256-UwV6hZZEtchvtiTCCD/ODEv1226eam8kEgEyQb7xB0E=",
+        "lastModified": 1660291411,
+        "narHash": "sha256-9UfJMJeCl+T/DrOJMd1vLCoV8U3V7f9Qrv/QyH0Nn28=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "ea3efc80f8ab83cb73aec39f4e76fe87afb15a08",
+        "rev": "78f56d8ec2c67a1f80f2de649ca9aadc284f65b6",
         "type": "github"
       },
       "original": {
@@ -217,11 +194,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1659254610,
-        "narHash": "sha256-ee5W5MLWZ3kdx5hwOUs6trOJit+GeTDfG+Lg3rANKoc=",
+        "lastModified": 1660346639,
+        "narHash": "sha256-yh3woFPLemwCaF6HGQz/KkdtPRnf9LBwvbZgr0HbVe0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "67f49b2a3854e8b5e3f9df4422225daa0985f451",
+        "rev": "b4110fd26e92b7ee8cf689aaea53c822fe63e206",
         "type": "github"
       },
       "original": {
@@ -233,11 +210,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1659395920,
-        "narHash": "sha256-Am1N2FK8KJWpEg5Opt7xefw5YDRYmalWF8keybhx3pc=",
+        "lastModified": 1660378486,
+        "narHash": "sha256-z8ZklIj1ZHHULAUrQiTEzlJe8gy9y36QWzl7qS/UQDw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "ec9cb32147fbd46a4082cb119d274a0990caa390",
+        "rev": "c0b0e767f42387b7776642e4c6f8dc545865cd30",
         "type": "github"
       },
       "original": {
@@ -249,11 +226,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1659392573,
-        "narHash": "sha256-YHeOH+cypoB3ZCz7Dnh8/Nolrl2ZMSLsth2U3h+WqJ4=",
+        "lastModified": 1660370028,
+        "narHash": "sha256-UeN6M0/109T/3DrFIWbGWJkcB8Gqm8l5L1EekgbUMy0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "760d3360f77eca32cc0cdfea403e89285d82a048",
+        "rev": "15e66dc65d28652bb9f0ef361506548578713cfd",
         "type": "github"
       },
       "original": {
@@ -299,11 +276,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1659378417,
-        "narHash": "sha256-76cfWXqX2Yh8+BZYIM7ZyI7o/SfNTdz49bgT4UjGnhI=",
+        "lastModified": 1660370241,
+        "narHash": "sha256-PibpRNYYp6euRs47eVeBNzwfjNEWu6eYyG6KdEbWXco=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "b7b48e67de148d87c3a0b798977a45eacbaac3d0",
+        "rev": "62ddc6406ffcc7a9755f4bc0b1476fd3c6fe671c",
         "type": "github"
       },
       "original": {
@@ -323,11 +300,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1658611562,
-        "narHash": "sha256-jktQ3mRrFAiFzzmVxQXh+8IxZOEE4hfr7St3ncXeVy4=",
+        "lastModified": 1659629599,
+        "narHash": "sha256-c9rvaqaH3HZo/C70E7rB18YSywa4ryTtN7CZ3cuCmoA=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "f436e6dbc10bb3500775785072a40eefe057b18e",
+        "rev": "6a9402e8f233de16536349d1dd3f4595c23386a4",
         "type": "github"
       },
       "original": {
@@ -340,7 +317,6 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
-        "alertmanager-gotify": "alertmanager-gotify",
         "azahi-cc": "azahi-cc",
         "dns-nix": "dns-nix",
         "emacs-overlay": "emacs-overlay",
@@ -373,11 +349,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1655930346,
-        "narHash": "sha256-ht56HHOzEhjeIgAv5ZNFjSVX/in1YlUs0HG9c1EUXTM=",
+        "lastModified": 1658267644,
+        "narHash": "sha256-NJRe1rnlF112eZwxNASlRL8/ghwD8g+lpHIYRkWQxC8=",
         "owner": "simple-nixos-mailserver",
         "repo": "nixos-mailserver",
-        "rev": "f535d8123c4761b2ed8138f3d202ea710a334a1d",
+        "rev": "004c229ca44c069d93c92abf67ff1619fb508c6a",
         "type": "gitlab"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 5f1ad07..e107c93 100644
--- a/flake.nix
+++ b/flake.nix
@@ -86,14 +86,15 @@
       };
     };
 
-    alertmanager-gotify = {
-      type = "git";
-      url = "https://git.mbosch.me/ma27/alertmanager-gotify";
-      inputs = {
-        flake-utils.follows = "flake-utils";
-        nixpkgs.follows = "nixpkgs";
-      };
-    };
+    # TODO Integrate into Altertmanager.
+    # alertmanager-gotify = {
+    #   type = "git";
+    #   url = "https://git.mbosch.me/ma27/alertmanager-gotify";
+    #   inputs = {
+    #     flake-utils.follows = "flake-utils";
+    #     nixpkgs.follows = "nixpkgs";
+    #   };
+    # };
 
     flake-utils = {
       type = "github";
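Review bot: The `alertmanager-gotify` input is kept as eight commented-out lines rather than deleted, and the new TODO misspells the service name (`Altertmanager`). Git history already preserves the old definition, so a single line such as `# TODO Re-add the alertmanager-gotify input and integrate it into Alertmanager.` would say the same thing without leaving dead configuration in the inputs block. Deleting it also makes it obvious that this third-party source is no longer part of the flake's inputs.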
@@ -180,6 +181,7 @@
           overlays = [self.overlays.default];
         };
       in {
+        # TODO Add the rest of `self.overlay`.
         packages.default = pkgs.nixfiles.override {
           nixfilesSrc = ".";
         };
diff --git a/lib/my.nix b/lib/my.nix
index f7c4141..165074b 100644
--- a/lib/my.nix
+++ b/lib/my.nix
@@ -70,6 +70,13 @@ with lib;
                   };
                 };
 
+                # TODO Automate filling of this from the NSD service module.
+                # Right now I need to copy domain defenitions from there to here
+                # manually.
+                #
+                # Something like taking `config.services.nsd.zones[$domain]` and
+                # filtering for actual subdomains. We can remove this option
+                # altogether then.
                 domains = mkOption {
                   description = "External domains that resovle to this address.";
                   type = listOf str;
@@ -128,10 +135,13 @@ with lib;
                 publicKey = "[REDACTED]";
               };
               domains = with my.domain; [
+                "alertmanager.${shire}"
                 "frodo.${rohan}"
                 "frodo.${gondor}"
                 "gotify.${shire}"
-                "monitoring.${shire}"
+                "grafana.${shire}"
+                "loki.${shire}"
+                "prometheus.${shire}"
                 azahi
                 rohan
                 gondor
diff --git a/modules/nixfiles/alertmanager.nix b/modules/nixfiles/alertmanager.nix
index e067cd1..d903ee3 100644
--- a/modules/nixfiles/alertmanager.nix
+++ b/modules/nixfiles/alertmanager.nix
@@ -18,21 +18,15 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; nullOr str;
-      default = config.nixfiles.modules.monitoring.domain;
-    };
-
-    path = mkOption {
-      description = "Path.";
-      type = with types; str;
-      default = "/alertmanager";
+      default = "alertmanager.${config.networking.domain}";
     };
   };
 
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      virtualHosts.${cfg.domain}.locations.${path} = {
-        proxyPass = "http://127.0.0.1:${toString port}${path}";
+      virtualHosts.${cfg.domain}.locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
         extraConfig = ''
           if ($internal != 1) {
             return 403;
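Review bot: The `domain` option keeps `type = with types; nullOr str;` while the new code uses `cfg.domain` as the `virtualHosts` attribute name here and inside the `--web.external-url` string in the next hunk, so `null` is no longer a usable value. The Loki and Prometheus modules in this same commit declare the option as plain `str`; `type = with types; str;` here would match them and reject a null at option-check time instead of failing later. The `config` block continues outside this hunk.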
@@ -50,13 +44,8 @@ in {
         listenAddress = "127.0.0.1";
         inherit (cfg) port;
 
-        extraFlags = [
-          "--web.external-url=http${
-            optionalString acme "s"
-          }://${cfg.domain}${cfg.path}"
-        ];
+        extraFlags = ["--web.external-url=https://${cfg.domain}"];
 
-        # TODO Make an option.
         configuration = {
           global = {
             smtp_from = "alertmanager@${my.domain.shire}";
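Review bot: The external URL scheme is now hard-coded to `https` in `extraFlags`, but nothing visible in the module enforces that TLS is actually configured for this virtual host once the old `optionalString acme "s"` conditional is gone. The same assumption is made in `modules/nixfiles/prometheus.nix` (`--web.external-url=https://${domain}`) and in the `https://` URLs in `modules/nixfiles/monitoring.nix`. An assertion on the ACME module's enable option, or at least a comment such as `# HTTPS only: requires the acme module to be enabled for this vhost.`, would turn a silent misconfiguration into an evaluation-time error. The `services` block continues outside this hunk.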
diff --git a/modules/nixfiles/common/users.nix b/modules/nixfiles/common/users.nix
index 0878db6..c761f55 100644
--- a/modules/nixfiles/common/users.nix
+++ b/modules/nixfiles/common/users.nix
@@ -6,12 +6,16 @@ with lib; {
     mutableUsers = false;
 
     users = {
+      # This will unset the root password so that it would be impossible to
+      # login as it directory. The root user will still be accessable via
+      # `sudo`.
       root.hashedPassword = "[REDACTED]";
 
       ${my.username} = {
         isNormalUser = true;
         uid = 1000;
         description = my.fullname;
+        # TODO Consider switching to passwordFile
         inherit (my) hashedPassword;
         openssh.authorizedKeys.keys = [my.ssh.key];
         extraGroups = ["wheel"];
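Review bot: The new comment above `root.hashedPassword` says the password is "unset", which is ambiguous in NixOS: an empty hash permits password-less console login, whereas `"!"` or `"*"` locks the account. The value is redacted on this page, so the comment should state which one is meant, for example `# Lock the root password so that direct root login is impossible; root stays reachable via sudo.` (this also fixes "directory" and "accessable"). Separately, `inherit (my) hashedPassword;` puts the user's hash in the repository and in the world-readable Nix store, so the TODO about `passwordFile` deserves a sentence on why, e.g. `# TODO Switch to passwordFile so the hash is not stored in the Nix store.` The `users` block continues outside this hunk.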
diff --git a/modules/nixfiles/grafana.nix b/modules/nixfiles/grafana.nix
index 4340f04..c2954bd 100644
--- a/modules/nixfiles/grafana.nix
+++ b/modules/nixfiles/grafana.nix
@@ -19,7 +19,7 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; nullOr str;
-      default = null;
+      default = "grafana.${config.networking.domain}";
     };
   };
 
@@ -40,7 +40,10 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
-        virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+        virtualHosts.${cfg.domain}.locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString cfg.port}";
+          proxyWebsockets = true;
+        };
       };
       postgresql.enable = true;
     };
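Review bot: The Grafana location is the only proxied monitoring endpoint in this commit without the `if ($internal != 1) { return 403; }` guard, and it now also forwards WebSocket upgrades. Alertmanager, Loki, Prometheus and Radicale all carry that guard. If Grafana is meant to be reachable from outside because it enforces its own login, a comment such as `# Intentionally public: Grafana handles authentication itself.` would make that explicit; otherwise the same `extraConfig` guard belongs here. The surrounding `config` block starts and ends outside this hunk.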
@@ -68,6 +71,8 @@ in {
           secretKeyFile = grafana-key.path;
           adminPasswordFile = grafana-admin-password.path;
         };
+
+        extraOptions.LOG_LEVEL = "warn";
       };
 
       postgresql = {
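Review bot: `extraOptions.LOG_LEVEL = "warn";` is added with no comment, and it silences everything Grafana logs at info level. As far as I recall that includes successful-login and some user-management records, which are the entries one wants when reviewing access to a dashboard that is exposed through nginx; confirm against the deployed version. If the reduction is only about log volume in Loki, say so next to the option, e.g. `# Reduce log noise; info-level auth events are not retained.`, so the trade-off is a documented decision.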
diff --git a/modules/nixfiles/loki.nix b/modules/nixfiles/loki.nix
index 27217bd..c1dc136 100644
--- a/modules/nixfiles/loki.nix
+++ b/modules/nixfiles/loki.nix
@@ -8,7 +8,6 @@ with lib; let
   cfg = config.nixfiles.modules.loki;
 in {
   options.nixfiles.modules.loki = {
-    # TODO Figure out why this shit refuses to work with my configuraiton.
     enable = mkEnableOption "Whether to enable Loki.";
 
     port = mkOption {
@@ -20,20 +19,14 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = config.nixfiles.modules.monitoring.domain;
-    };
-
-    path = mkOption {
-      description = "Path.";
-      type = with types; str;
-      default = "/loki";
+      default = "loki.${config.networking.domain}";
     };
   };
 
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      virtualHosts.${domain}.locations.${path} = {
+      virtualHosts.${domain}.locations."/" = {
         proxyPass = "http://127.0.0.1:${toString port}";
         extraConfig = ''
           if ($internal != 1) {
@@ -52,7 +45,6 @@ in {
         server = rec {
           http_listen_address = "127.0.0.1";
           http_listen_port = cfg.port;
-          http_path_prefix = cfg.path;
 
           grpc_listen_address = "127.0.0.1";
           grpc_listen_port = http_listen_port + 1;
diff --git a/modules/nixfiles/monitoring.nix b/modules/nixfiles/monitoring.nix
index 6db74d4..ceb40d0 100644
--- a/modules/nixfiles/monitoring.nix
+++ b/modules/nixfiles/monitoring.nix
@@ -7,39 +7,19 @@
 with lib; let
   cfg = config.nixfiles.modules.monitoring;
 in {
-  options.nixfiles.modules.monitoring = {
-    enable = mkEnableOption ''
-      Whether to enable custom monitoring stack.
+  options.nixfiles.modules.monitoring.enable = mkEnableOption ''
+    Whether to enable custom monitoring stack.
 
-      Currently this configures and enables Grafana, Loki, Prometheus and
-      Alertmanager.
-    '';
-
-    domain = mkOption {
-      description = "Domain name sans protocol scheme.";
-      type = with types; nullOr str;
-      default = "monitoring.${config.networking.domain}";
-    };
-  };
+    Currently this configures and enables Grafana, Loki, Prometheus and
+    Alertmanager.
+  '';
 
   config = mkIf cfg.enable {
     nixfiles.modules = {
-      grafana = {
-        enable = true;
-        inherit (cfg) domain;
-      };
-      loki = {
-        enable = true;
-        inherit (cfg) domain;
-      };
-      prometheus = {
-        enable = true;
-        inherit (cfg) domain;
-      };
-      alertmanager = {
-        enable = true;
-        inherit (cfg) domain;
-      };
+      grafana.enable = true;
+      loki.enable = true;
+      prometheus.enable = true;
+      alertmanager.enable = true;
     };
 
     services = {
@@ -50,14 +30,14 @@ in {
             name = "Prometheus";
             type = "prometheus";
             access = "proxy";
-            url = with prometheus; "https://${domain}${path}";
+            url = "https://${prometheus.domain}";
             isDefault = true;
           }
           {
             name = "Loki";
             type = "loki";
             access = "proxy";
-            url = with loki; "https://${domain}${path}";
+            url = "https://${loki.domain}";
           }
         ];
         # TODO Move dashboards to this repository.
@@ -100,13 +80,12 @@ in {
         ];
       };
 
-      loki.configuration.ruler.alertmanager_url = with config.nixfiles.modules.alertmanager; "https://${domain}${path}";
+      loki.configuration.ruler.alertmanager_url = "https://${config.nixfiles.modules.alertmanager.domain}";
 
       prometheus.alertmanagers = [
         {
           scheme = "https";
-          path_prefix = config.nixfiles.modules.alertmanager.path;
-          static_configs = [{targets = [cfg.domain];}];
+          static_configs = [{targets = [config.nixfiles.modules.alertmanager.domain];}];
         }
       ];
     };
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index f328b5c..c8ed44b 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -99,9 +99,12 @@ in {
                       ns1 = manwe;
                       # ns2 = varda;
 
+                      alertmanager = manwe;
                       flood = yavanna;
                       gotify = manwe;
-                      monitoring = manwe;
+                      grafana = manwe;
+                      loki = manwe;
+                      prometheus = manwe;
                       radicale = varda;
                       rss-bridge = varda;
                       vaultwarden = varda;
diff --git a/modules/nixfiles/profiles/dev/containers/default.nix b/modules/nixfiles/profiles/dev/containers/default.nix
index d0e7ed7..3196654 100644
--- a/modules/nixfiles/profiles/dev/containers/default.nix
+++ b/modules/nixfiles/profiles/dev/containers/default.nix
@@ -26,6 +26,7 @@ in {
           WERF_LOG_PRETTY = "false";
           WERF_LOG_VERBOSE = "true";
           WERF_SYNCHRONIZATION = ":local";
+          WERF_TELEMETRY = 0;
         };
 
         file.".minikube/config/config.json".text = generators.toJSON {} {
diff --git a/modules/nixfiles/prometheus.nix b/modules/nixfiles/prometheus.nix
index b67dd2e..96e74f7 100644
--- a/modules/nixfiles/prometheus.nix
+++ b/modules/nixfiles/prometheus.nix
@@ -18,20 +18,14 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = config.nixfiles.modules.monitoring.domain;
-    };
-
-    path = mkOption {
-      description = "Path.";
-      type = with types; str;
-      default = "/prometheus";
+      default = "prometheus.${config.networking.domain}";
     };
   };
 
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
-      virtualHosts.${domain}.locations.${path} = {
+      virtualHosts.${domain}.locations."/" = {
         proxyPass = with cfg; "http://127.0.0.1:${toString port}";
         extraConfig = ''
           if ($internal != 1) {
@@ -48,9 +42,7 @@ in {
       inherit port;
 
       extraFlags = [
-        "--web.external-url=http${
-          optionalString config.nixfiles.modules.acme.enable "s"
-        }://${domain}${path}"
+        "--web.external-url=https://${domain}"
         "--storage.tsdb.retention.size=50GB"
         "--storage.tsdb.retention.time=1y"
         "--storage.tsdb.wal-compression"
diff --git a/modules/nixfiles/promtail.nix b/modules/nixfiles/promtail.nix
index ba4e635..e3d7428 100644
--- a/modules/nixfiles/promtail.nix
+++ b/modules/nixfiles/promtail.nix
@@ -14,7 +14,7 @@ in {
       url = mkOption {
         description = "Address of a listening Loki service.";
         type = with types; str;
-        default = with config.nixfiles.modules.loki; "https://${domain}${path}";
+        default = "https://${config.nixfiles.modules.loki.domain}";
       };
     };
   };
diff --git a/modules/nixfiles/radicale.nix b/modules/nixfiles/radicale.nix
index 8286be1..ed1fc4f 100644
--- a/modules/nixfiles/radicale.nix
+++ b/modules/nixfiles/radicale.nix
@@ -29,7 +29,14 @@ in {
 
       nixfiles.modules.nginx = {
         enable = true;
-        virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString port}";
+        virtualHosts.${cfg.domain}.locations."/" = {
+          proxyPass = "http://127.0.0.1:${toString port}";
+          extraConfig = ''
+            if ($internal != 1) {
+              return 403;
+            }
+          '';
+        };
       };
 
       services.radicale = {
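Review bot: The added `extraConfig` guard depends on an nginx variable `$internal` that is defined outside this hunk, and the same four-line snippet now appears verbatim in the Alertmanager, Loki, Prometheus and Radicale modules. Access control that is copy-pasted per vhost is easy to forget on the next service (the Grafana vhost in this commit has none), so I would expose the snippet once from the nginx module, for example as a shared `internalOnly` string or a per-location boolean option, and reference it here. A short comment such as `# Only clients matched by the nginx module's $internal map may reach this vhost.` would also tell readers where the policy lives. Note that CalDAV/CardDAV clients outside the internal range will start getting 403 after this change.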
diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix
index 5a973cc..44465d9 100644
--- a/modules/nixfiles/syncthing.nix
+++ b/modules/nixfiles/syncthing.nix
@@ -17,14 +17,14 @@ in {
       default = "syncthing.${config.networking.fqdn}";
     };
 
-    # TODO Make this simpler.
+    # TODO Set this automatically shire on the hostname.
     cert = mkOption {
       description = "Path to the cert file.";
       type = with types; nullOr string;
       default = null;
     };
 
-    # TODO Make this simpler.
+    # TODO Set this automatically shire on the hostname.
     key = mkOption {
       description = "Path to the key file.";
       type = with types; nullOr string;
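Review bot: The replacement TODO `# TODO Set this automatically shire on the hostname.` does not parse as English; it reads like "based" was swapped for "shire" by a search-and-replace. It appears twice in this hunk (above `cert` and `key`) and again above `privateKeyFile` in `modules/nixfiles/wireguard.nix`. Since these options point at key material, a precise comment helps: `# TODO Derive this path automatically from the hostname.`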
@@ -84,21 +84,14 @@ in {
           };
           trashcan = {
             type = "trashcan";
-            params.cleanoutDays = "30";
-          };
-          void = {
-            type = "external";
-            params.versionPath = with pkgs;
-              writeShellScriptBin "backup" ''
-                ${coreutils-full}/bin/rm -rf $1/$2
-              '';
+            params.cleanoutDays = "7";
           };
         in
           with config.hm.xdg.userDirs; {
             share = {
               path = publicShare;
               devices = notHeadless;
-              versioning = void;
+              versioning = trashcan;
             };
             pass = {
               path =
@@ -124,7 +117,7 @@ in {
             vidya = {
               path = "${documents}/vidya";
               devices = notOther;
-              versioning = void;
+              versioning = trashcan;
             };
           };
 
@@ -134,9 +127,13 @@ in {
             insecureSkipHostcheck = this.isHeadless;
           };
           options = {
-            # Only local discovery is used over VPN.
-            globalAnnounceEnabled = false;
+            autoUpgradeIntervalH = 0;
+            crashReportingEnabled = false;
+            globalAnnounceEnabled = false; # We don't need that with Wireguard.
             relaysEnabled = false;
+            setLowPriority = this.isHeadless;
+            stunKeepaliveMinS = 0;
+            stunKeepaliveStartS = 0;
             urAccepted = -1;
           };
         };
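Review bot: The new `options` entries are hardening choices but only `globalAnnounceEnabled` explains itself; `stunKeepaliveStartS = 0;` and `stunKeepaliveMinS = 0;` disable contacting STUN servers and `autoUpgradeIntervalH = 0;` turns off self-upgrade, none of which is obvious from the values. One comment above the attribute set would cover it, e.g. `# No external discovery, relays, STUN, telemetry or self-upgrade: peers are reached over WireGuard only.` If that is the goal, `natEnabled` is left at its default here, so UPnP/NAT-PMP port mapping would still be attempted; consider `natEnabled = false;` as well.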
diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix
index 1da3e74..e35d0ee 100644
--- a/modules/nixfiles/wireguard.nix
+++ b/modules/nixfiles/wireguard.nix
@@ -9,7 +9,7 @@ with lib; let
   cfg = config.nixfiles.modules.wireguard;
 in {
   options.nixfiles.modules.wireguard = {
-    # TODO Make this simpler.
+    # TODO Set this automatically shire on the hostname.
     privateKeyFile = mkOption {
       description = "Path to the private key file.";
       type = with types; nullOr string;
