about summary refs log tree commit diff
path: root/modules
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--modules/nixfiles/alertmanager.nix3
-rw-r--r--modules/nixfiles/chromium.nix1
-rw-r--r--modules/nixfiles/common/tmp.nix4
-rw-r--r--modules/nixfiles/emacs/doom/config.el4
-rw-r--r--modules/nixfiles/emacs/doom/init.el10
-rw-r--r--modules/nixfiles/firefox/default.nix3
-rw-r--r--modules/nixfiles/firefox/profile.nix19
-rw-r--r--modules/nixfiles/firefox/userContent.css19
-rw-r--r--modules/nixfiles/gotify.nix14
-rw-r--r--modules/nixfiles/grafana.nix8
-rw-r--r--modules/nixfiles/hydra.nix3
-rw-r--r--modules/nixfiles/ipfs.nix11
-rw-r--r--modules/nixfiles/lidarr.nix3
-rw-r--r--modules/nixfiles/loki.nix3
-rw-r--r--modules/nixfiles/matrix/dendrite.nix3
-rw-r--r--modules/nixfiles/matrix/synapse.nix3
-rw-r--r--modules/nixfiles/nginx.nix12
-rw-r--r--modules/nixfiles/nsd.nix2
-rw-r--r--modules/nixfiles/prometheus.nix3
-rw-r--r--modules/nixfiles/radarr.nix3
-rw-r--r--modules/nixfiles/radicale.nix3
-rw-r--r--modules/nixfiles/rss-bridge.nix9
-rw-r--r--modules/nixfiles/rtorrent.nix3
-rw-r--r--modules/nixfiles/searx.nix3
-rw-r--r--modules/nixfiles/sonarr.nix3
-rw-r--r--modules/nixfiles/syncthing.nix3
-rw-r--r--modules/nixfiles/vaultwarden.nix18
-rw-r--r--modules/nixfiles/wireguard.nix13
28 files changed, 120 insertions, 66 deletions
diff --git a/modules/nixfiles/alertmanager.nix b/modules/nixfiles/alertmanager.nix
index 5d9ca30..b7dd5a3 100644
--- a/modules/nixfiles/alertmanager.nix
+++ b/modules/nixfiles/alertmanager.nix
@@ -25,8 +25,9 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
+      upstreams.alertmanager.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${cfg.domain}.locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyPass = "http://alertmanager";
         extraConfig = ''
           if ($internal != 1) {
             return 403;
diff --git a/modules/nixfiles/chromium.nix b/modules/nixfiles/chromium.nix
index 32045c0..0f5a93e 100644
--- a/modules/nixfiles/chromium.nix
+++ b/modules/nixfiles/chromium.nix
@@ -25,6 +25,7 @@ in {
             {id = "cnojnbdhbhnkbcieeekonklommdnndci";} # Search By Image
             {id = "doojmbjmlfjjnbmnoijecmcbfeoakpjm";} # NoScript
             {id = "eimadpbcbfnmbkopoojfekhnkhdbieeh";} # Dark Reader
+            {id = "hlepfoohegkhhmjieoechaddaejaokhf";} # Refined GitHub
             {id = "jinjaccalgkegednnccohejagnlnfdag";} # Violentmonkey
             {id = "nibjojkomfdiaoajekhjakgkdhaomnch";} # IPFS Companion
             {id = "nngceckbapebfimnlniiiahkandclblb";} # Bitwarden
diff --git a/modules/nixfiles/common/tmp.nix b/modules/nixfiles/common/tmp.nix
index 3fbf253..9527f28 100644
--- a/modules/nixfiles/common/tmp.nix
+++ b/modules/nixfiles/common/tmp.nix
@@ -1,9 +1,9 @@
 _: {
   systemd.mounts = [
     {
+      type = "tmpfs";
       what = "tmpfs";
       where = "/tmp";
-      type = "tmpfs";
       mountConfig.Options = [
         "huge=within_size"
         "mode=1777"
@@ -11,7 +11,7 @@ _: {
         "nodev"
         "nosuid"
         "rw"
-        "size=25%"
+        "size=50%"
       ];
     }
   ];
diff --git a/modules/nixfiles/emacs/doom/config.el b/modules/nixfiles/emacs/doom/config.el
index d4fb577..29eabc9 100644
--- a/modules/nixfiles/emacs/doom/config.el
+++ b/modules/nixfiles/emacs/doom/config.el
@@ -92,11 +92,11 @@
   (lsp-register-client
    (make-lsp-client :new-connection (lsp-stdio-connection '("rnix-lsp"))
                     :major-modes '(nix-mode)
-                    :server-id 'nix))
-  (add-hook! 'nix-mode-hook #'lsp!))
+                    :server-id 'nix)))
 
 ;;
 ;;; YAML
+
 ;;
 
 (setq-hook! 'yaml-mode-hook +format-with-lsp nil)
diff --git a/modules/nixfiles/emacs/doom/init.el b/modules/nixfiles/emacs/doom/init.el
index 9ad69c6..b547cb9 100644
--- a/modules/nixfiles/emacs/doom/init.el
+++ b/modules/nixfiles/emacs/doom/init.el
@@ -86,14 +86,14 @@
        emacs-lisp
        (go +lsp +tree-sitter)
        ;; graphql
-       (haskell +lsp)
+       (haskell +lsp +tree-sitter)
        (java +lsp +tree-sitter)
        (javascript +lsp +tree-sitter)
-       (json +tree-sitter)
-       (latex +lsp +tree-sitter)
+       json
+       (latex +lsp)
        (lua +lsp +tree-sitter)
        markdown
-       (nix +lsp +tree-sitter)
+       (nix +lsp)
        (org +hugo
             +journal
             +noter
@@ -109,7 +109,7 @@
        ;; (scheme +racket)
        (sh +lsp +tree-sitter)
        (web +lsp +tree-sitter)
-       (yaml +tree-sitter)
+       yaml
        (zig +lsp +tree-sitter)
 
        :email
diff --git a/modules/nixfiles/firefox/default.nix b/modules/nixfiles/firefox/default.nix
index d7afdae..6e42d76 100644
--- a/modules/nixfiles/firefox/default.nix
+++ b/modules/nixfiles/firefox/default.nix
@@ -32,7 +32,7 @@ in {
           };
         };
 
-        profiles.default = (import ./profile.nix) config.nixfiles.modules lib;
+        profiles.default = (import ./profile.nix) config lib;
 
         extensions = with pkgs.nur.repos.rycee.firefox-addons;
           [
@@ -41,6 +41,7 @@ in {
             ipfs-companion
             noscript
             privacy-redirect
+            refined-github
             stylus
             ublock-origin
             violentmonkey
diff --git a/modules/nixfiles/firefox/profile.nix b/modules/nixfiles/firefox/profile.nix
index 3382b85..6735db3 100644
--- a/modules/nixfiles/firefox/profile.nix
+++ b/modules/nixfiles/firefox/profile.nix
@@ -1,8 +1,8 @@
-modules: lib:
+config: lib:
 with lib; let
   mkCssWithRoot = css:
     mkMerge [
-      (with modules.profiles.common.colourScheme; ''
+      (with config.colourScheme; ''
         :root {
             --black: ${black};
             --red: ${red};
@@ -23,7 +23,7 @@ with lib; let
             --background: ${background};
             --foreground: ${foreground};
       '')
-      (with modules.fonts.fontScheme; ''
+      (with config.fontScheme; ''
             --sans-serif-font-family: "${sansSerifFont.family}", "${sansSerifFontFallback.family}", sans-serif;
             --sans-serif-font-size: ${toString sansSerifFont.size};
             --serif-font-family: "${serifFont.family}", "${serifFontFallback.family}", serif;
@@ -39,10 +39,13 @@ in {
 
   isDefault = true;
 
+  # A way to change the look of the Firefox itself.
   userChrome = mkCssWithRoot ./userChrome.css;
 
+  # A way to remove annoyances and visual bloat of many webpages.
   userContent = mkCssWithRoot ./userContent.css;
 
+  # Mostly appropriated from https://github.com/arkenfox/user.js
   settings = {
     # Updates
     #
@@ -395,6 +398,7 @@ in {
     #
     "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
     #
+    "browser.startup.page" = 1;
     "browser.startup.homepage" = "about:blank"; # TODO Custom?
     "browser.startup.homepage_welcome_url" = "";
     "browser.startup.homepage_welcome_url.additional" = "";
@@ -406,11 +410,6 @@ in {
     "browser.newtabpage.enabled" = false;
     "browser.newtabpage.enhanced" = false;
     "browser.newtabpage.activity-stream.default.sites" = "";
-    "browser.newtabpage.activity-stream.asrouter.disable-captive-portal-vpn-promo" =
-      true;
-    "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = false;
-    "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" =
-      false;
     "browser.newtabpage.activity-stream.discoverystream.enabled" = false;
     "browser.newtabpage.activity-stream.feeds.discoverystreamfeed" = false;
     "browser.newtabpage.activity-stream.feeds.places" = false;
@@ -422,6 +421,8 @@ in {
     "browser.newtabpage.activity-stream.showSponsored" = false;
     "browser.newtabpage.activity-stream.showSponsoredTopSites" = false;
     "browser.newtabpage.activity-stream.telemetry" = false;
+    "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons" = false;
+    "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features" = false;
     #
     "layout.css.color-mix.enabled" = true;
     #
@@ -473,7 +474,7 @@ in {
     # Toolbar
     #
     "browser.uiCustomization.state" = ''
-      {"placements":{"widget-overflow-fixed-list":["ublock0_raymondhill_net-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_b7f9d2cd-d772-4302-8c3f-eb941af36f76_-browser-action","ipfs-firefox-addon_lidel_org-browser-action","addon_darkreader_org-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action"],"nav-bar":["back-button","forward-button","urlbar-container","save-to-pocket-button"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["personal-bookmarks"]},"seen":["addon_darkreader_org-browser-action","ipfs-firefox-addon_lidel_org-browser-action","plasma-browser-integration_kde_org-browser-action","ublock0_raymondhill_net-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action","_b7f9d2cd-d772-4302-8c3f-eb941af36f76_-browser-action","developer-button"],"dirtyAreaCache":["nav-bar","widget-overflow-fixed-list","toolbar-menubar","TabsToolbar","PersonalToolbar"],"currentVersion":17,"newElementCount":6}
+      {"placements":{"widget-overflow-fixed-list":["ublock0_raymondhill_net-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","ipfs-firefox-addon_lidel_org-browser-action","addon_darkreader_org-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action"],"nav-bar":["back-button","forward-button","urlbar-container","save-to-pocket-button"],"toolbar-menubar":["menubar-items"],"TabsToolbar":["tabbrowser-tabs","new-tab-button","alltabs-button"],"PersonalToolbar":["personal-bookmarks"]},"seen":["addon_darkreader_org-browser-action","ipfs-firefox-addon_lidel_org-browser-action","plasma-browser-integration_kde_org-browser-action","ublock0_raymondhill_net-browser-action","_2e5ff8c8-32fe-46d0-9fc8-6b8986621f3c_-browser-action","_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action","_73a6fe31-595d-460b-a920-fcc0f8843232_-browser-action","_7a7a4a92-a2a0-41d1-9fd7-1e92480d612d_-browser-action","_aecec67f-0d10-4fa7-b7c7-609a2db280cf_-browser-action","_b7f9d2cd-d772-4302-8c3f-eb941af36f76_-browser-action","developer-button","_a4c4eda4-fb84-4a84-b4a1-f7c1cbf2a1ad_-browser-action"],"dirtyAreaCache":["nav-bar","widget-overflow-fixed-list","toolbar-menubar","TabsToolbar","PersonalToolbar"],"currentVersion":17,"newElementCount":7}
     '';
   };
 }
diff --git a/modules/nixfiles/firefox/userContent.css b/modules/nixfiles/firefox/userContent.css
index b93d5dd..97365f9 100644
--- a/modules/nixfiles/firefox/userContent.css
+++ b/modules/nixfiles/firefox/userContent.css
@@ -26,6 +26,14 @@
 
 @-moz-document url-prefix(https://github.com/), url-prefix(https://gist.github.com/)
 {
+    .footer {
+        display: none !important;
+    }
+
+    .application-main {
+        padding-bottom: 20px !important;
+    }
+
     .blob-num,
     .blob-code-inner {
         font-family: var(--monospace-font-family) !important;
@@ -250,3 +258,14 @@
         --offset: default !important;
     }
 }
+
+@-moz-document regexp("https:\/\/\.*\.wikipedia\.org/.*") {
+    #footer,
+    #mp-topbanner,
+    #mw-head,
+    #mw-page-base,
+    #siteNotice,
+    .wbc-editpage {
+        display: none !important;
+    }
+}
diff --git a/modules/nixfiles/gotify.nix b/modules/nixfiles/gotify.nix
index 440aff8..1cfd9a7 100644
--- a/modules/nixfiles/gotify.nix
+++ b/modules/nixfiles/gotify.nix
@@ -23,11 +23,15 @@ in {
       nixfiles.modules = {
         nginx = {
           enable = true;
-          virtualHosts.${cfg.domain} = {
-            locations."/" = {
-              proxyPass = "http://127.0.0.1:${toString config.services.gotify.port}";
-              proxyWebsockets = true;
-            };
+          upstreams.gotify.servers."127.0.0.1:${toString config.services.gotify.port}" = {};
+          virtualHosts.${cfg.domain}.locations."/" = {
+            proxyPass = "http://gotify";
+            proxyWebsockets = true;
+            extraConfig = ''
+              if ($internal != 1) {
+                return 403;
+              }
+            '';
           };
         };
         postgresql.enable = true;
diff --git a/modules/nixfiles/grafana.nix b/modules/nixfiles/grafana.nix
index 66cde70..fcc85f8 100644
--- a/modules/nixfiles/grafana.nix
+++ b/modules/nixfiles/grafana.nix
@@ -40,9 +40,15 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
+        upstreams.grafana.servers."127.0.0.1:${toString cfg.port}" = {};
         virtualHosts.${cfg.domain}.locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString cfg.port}";
+          proxyPass = "http://grafana";
           proxyWebsockets = true;
+          extraConfig = ''
+            if ($internal != 1) {
+              return 403;
+            }
+          '';
         };
       };
       postgresql.enable = true;
diff --git a/modules/nixfiles/hydra.nix b/modules/nixfiles/hydra.nix
index 0814b3a..2168ed5 100644
--- a/modules/nixfiles/hydra.nix
+++ b/modules/nixfiles/hydra.nix
@@ -26,7 +26,8 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
-        virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString cfg.port}";
+        upstreams.hydra.servers."127.0.0.1:${toString cfg.port}" = {};
+        virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://hydra";
       };
       postgresql.enable = true;
     };
diff --git a/modules/nixfiles/ipfs.nix b/modules/nixfiles/ipfs.nix
index 455f8e8..8bdbc12 100644
--- a/modules/nixfiles/ipfs.nix
+++ b/modules/nixfiles/ipfs.nix
@@ -134,8 +134,13 @@ in {
     (mkIf this.isHeadless {
       nixfiles.modules.nginx = {
         enable = true;
+        upstreams = {
+          ipfs_gateway.servers."127.0.0.1:${toString cfg.gatewayPort}" = {};
+          ipfs_swarm.servers."127.0.0.1:${toString cfg.swarmPort}" = {};
+          ipfs_api.servers."127.0.0.1:${toString cfg.apiPort}" = {};
+        };
         virtualHosts = {
-          ${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:${toString cfg.gatewayPort}";
+          ${cfg.domain}.locations."/".proxyPass = "http://ipfs_gateway";
           "swarm.${cfg.domain}" = {
             serverName = cfg.domain;
             listen = [
@@ -148,12 +153,12 @@ in {
                 port = swarmDefaultPort;
               }
             ];
-            locations."/".proxyPass = "http://127.0.0.1:${toString cfg.swarmPort}";
+            locations."/".proxyPass = "http://ipfs_swarm";
           };
           "api.${cfg.domain}" = {
             # TODO Redirect "/" to "/webui" but keep other endpoints.
             locations."/" = {
-              proxyPass = "http://127.0.0.1:${toString cfg.apiPort}";
+              proxyPass = "http://ipfs_api";
               extraConfig = ''
                 if ($internal != 1) {
                   return 403;
diff --git a/modules/nixfiles/lidarr.nix b/modules/nixfiles/lidarr.nix
index 15e91ae..f73f917 100644
--- a/modules/nixfiles/lidarr.nix
+++ b/modules/nixfiles/lidarr.nix
@@ -19,7 +19,8 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = {
       enable = true;
-      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:8686";
+      upstreams.lidarr.servers."127.0.0.1:8686" = {};
+      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://lidarr";
     };
 
     services.lidarr.enable = true;
diff --git a/modules/nixfiles/loki.nix b/modules/nixfiles/loki.nix
index 7f85852..77b6ca0 100644
--- a/modules/nixfiles/loki.nix
+++ b/modules/nixfiles/loki.nix
@@ -26,8 +26,9 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
+      upstreams.loki.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain}.locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyPass = "http://loki";
         extraConfig = ''
           if ($internal != 1) {
             return 403;
diff --git a/modules/nixfiles/matrix/dendrite.nix b/modules/nixfiles/matrix/dendrite.nix
index eb3c437..4792f0e 100644
--- a/modules/nixfiles/matrix/dendrite.nix
+++ b/modules/nixfiles/matrix/dendrite.nix
@@ -27,8 +27,9 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
+        upstreams.dendrite.servers."127.0.0.1:${toString config.services.dendrite.httpPort}" = {};
         virtualHosts.${cfg.domain}.locations = {
-          "/_matrix".proxyPass = "http://127.0.0.1:${toString config.services.dendrite.httpPort}";
+          "/_matrix".proxyPass = "http://dendrite";
           "= /.well-known/matrix/server" = {
             extraConfig = ''
               add_header Content-Type application/json;
diff --git a/modules/nixfiles/matrix/synapse.nix b/modules/nixfiles/matrix/synapse.nix
index 877d7e9..5f16b7d 100644
--- a/modules/nixfiles/matrix/synapse.nix
+++ b/modules/nixfiles/matrix/synapse.nix
@@ -25,8 +25,9 @@ in {
       nixfiles.modules = {
         nginx = {
           enable = true;
+          upstreams.synapse.servers."${bind_address}:${toString port}" = {};
           virtualHosts.${cfg.domain}.locations = {
-            "~ ^(/_matrix|/_synapse/client)".proxyPass = "http://${bind_address}:${toString port}";
+            "~ ^(/_matrix|/_synapse/client)".proxyPass = "http://synapse";
             "= /.well-known/matrix/server" = {
               extraConfig = ''
                 add_header Content-Type application/json;
diff --git a/modules/nixfiles/nginx.nix b/modules/nixfiles/nginx.nix
index d08fdab..38fc613 100644
--- a/modules/nixfiles/nginx.nix
+++ b/modules/nixfiles/nginx.nix
@@ -11,10 +11,14 @@ in {
   options.nixfiles.modules.nginx = {
     enable = mkEnableOption "Nginx";
 
+    upstreams = mkOption {
+      description = "Defines a group of servers to use as proxy target.";
+      type = with types; anything;
+      default = null;
+    };
+
     virtualHosts = mkOption {
       description = "Attrset of virtual hosts.";
-      # Not sure how to "inherit" the type from the original Nixpkgs option.
-      # Just make sure it's compatible with service.nginx.virtualHosts, ok?
       type = with types; anything;
       default = null;
     };
@@ -30,6 +34,8 @@ in {
 
         statusPage = true;
 
+        serverTokens = false;
+
         recommendedGzipSettings = true;
         recommendedOptimisation = true;
         recommendedProxySettings = true;
@@ -50,6 +56,8 @@ in {
             ''))
         ];
 
+        inherit (cfg) upstreams;
+
         virtualHosts =
           {
             default = {
diff --git a/modules/nixfiles/nsd.nix b/modules/nixfiles/nsd.nix
index 35fd668..5426414 100644
--- a/modules/nixfiles/nsd.nix
+++ b/modules/nixfiles/nsd.nix
@@ -100,7 +100,6 @@ in {
                       # ns2 = varda;
 
                       alertmanager = manwe;
-                      bitwarden = manwe;
                       flood = yavanna;
                       gotify = manwe;
                       grafana = manwe;
@@ -108,6 +107,7 @@ in {
                       prometheus = manwe;
                       radicale = manwe;
                       rss-bridge = manwe;
+                      vaultwarden = manwe;
                     };
                   };
               })
diff --git a/modules/nixfiles/prometheus.nix b/modules/nixfiles/prometheus.nix
index 696cfe4..e816b74 100644
--- a/modules/nixfiles/prometheus.nix
+++ b/modules/nixfiles/prometheus.nix
@@ -25,8 +25,9 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = with cfg; {
       enable = true;
+      upstreams.prometheus.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${domain}.locations."/" = {
-        proxyPass = with cfg; "http://127.0.0.1:${toString port}";
+        proxyPass = "http://prometheus";
         extraConfig = ''
           if ($internal != 1) {
             return 403;
diff --git a/modules/nixfiles/radarr.nix b/modules/nixfiles/radarr.nix
index 1ed0747..0abfdf2 100644
--- a/modules/nixfiles/radarr.nix
+++ b/modules/nixfiles/radarr.nix
@@ -19,7 +19,8 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = {
       enable = true;
-      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:7878";
+      upstreams.radarr.servers."127.0.0.1:7878" = {};
+      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://radarr";
     };
 
     services.radarr.enable = true;
diff --git a/modules/nixfiles/radicale.nix b/modules/nixfiles/radicale.nix
index 45702b6..679a8be 100644
--- a/modules/nixfiles/radicale.nix
+++ b/modules/nixfiles/radicale.nix
@@ -29,8 +29,9 @@ in {
 
       nixfiles.modules.nginx = {
         enable = true;
+        upstreams.radicale.servers."127.0.0.1:${toString port}" = {};
         virtualHosts.${cfg.domain}.locations."/" = {
-          proxyPass = "http://127.0.0.1:${toString port}";
+          proxyPass = "http://radicale";
           extraConfig = ''
             if ($internal != 1) {
               return 403;
diff --git a/modules/nixfiles/rss-bridge.nix b/modules/nixfiles/rss-bridge.nix
index c35b749..42bb7d0 100644
--- a/modules/nixfiles/rss-bridge.nix
+++ b/modules/nixfiles/rss-bridge.nix
@@ -17,14 +17,7 @@ in {
   };
 
   config = mkIf cfg.enable {
-    nixfiles.modules.nginx = {
-      enable = true;
-      virtualHosts.${cfg.domain}.extraConfig = ''
-        if ($internal != 1) {
-          return 403;
-        }
-      '';
-    };
+    nixfiles.modules.nginx.enable = true;
 
     services = {
       rss-bridge = {
diff --git a/modules/nixfiles/rtorrent.nix b/modules/nixfiles/rtorrent.nix
index 3560be2..320da03 100644
--- a/modules/nixfiles/rtorrent.nix
+++ b/modules/nixfiles/rtorrent.nix
@@ -190,6 +190,7 @@ in {
         mkIf cfg.flood.enable {
           nixfiles.modules.nginx = {
             enable = true;
+            upstreams.flood.servers."127.0.0.1:${toString cfg.port}" = {};
             virtualHosts.${cfg.flood.domain} = {
               root = "${pkg}/lib/node_modules/flood/dist/assets";
               locations = {
@@ -202,7 +203,7 @@ in {
                   '';
                 };
                 "/api" = {
-                  proxyPass = "http://127.0.0.1:${toString port}";
+                  proxyPass = "http://flood";
                   extraConfig = ''
                     proxy_buffering off;
                     proxy_cache off;
diff --git a/modules/nixfiles/searx.nix b/modules/nixfiles/searx.nix
index c01c517..fd11904 100644
--- a/modules/nixfiles/searx.nix
+++ b/modules/nixfiles/searx.nix
@@ -32,8 +32,9 @@ in {
 
     nixfiles.modules.nginx = {
       enable = true;
+      upstreams.searx.servers."127.0.0.1:${toString cfg.port}" = {};
       virtualHosts.${cfg.domain}.locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
+        proxyPass = "http://searx";
         extraConfig = ''
           if ($internal != 1) {
             return 403;
diff --git a/modules/nixfiles/sonarr.nix b/modules/nixfiles/sonarr.nix
index 1b22d63..8c79175 100644
--- a/modules/nixfiles/sonarr.nix
+++ b/modules/nixfiles/sonarr.nix
@@ -19,7 +19,8 @@ in {
   config = mkIf cfg.enable {
     nixfiles.modules.nginx = {
       enable = true;
-      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://127.0.0.1:8989";
+      upstreams.sonarr.servers."127.0.0.1:8989" = {};
+      virtualHosts.${cfg.domain}.locations."/".proxyPass = "http://sonarr";
     };
 
     services.sonarr.enable = true;
diff --git a/modules/nixfiles/syncthing.nix b/modules/nixfiles/syncthing.nix
index 8f68675..6e6e629 100644
--- a/modules/nixfiles/syncthing.nix
+++ b/modules/nixfiles/syncthing.nix
@@ -144,8 +144,9 @@ in {
     (mkIf this.isHeadless {
       nixfiles.modules.nginx = {
         enable = true;
+        upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = {};
         virtualHosts.${cfg.domain}.locations."/" = {
-          proxyPass = "http://${config.services.syncthing.guiAddress}";
+          proxyPass = "http://syncthing";
           extraConfig = ''
             if ($internal != 1) {
               return 403;
diff --git a/modules/nixfiles/vaultwarden.nix b/modules/nixfiles/vaultwarden.nix
index f40e4f5..dc8bb84 100644
--- a/modules/nixfiles/vaultwarden.nix
+++ b/modules/nixfiles/vaultwarden.nix
@@ -13,7 +13,7 @@ in {
     domain = mkOption {
       description = "Domain name sans protocol scheme.";
       type = with types; str;
-      default = "bitwarden.${config.networking.domain}";
+      default = "vaultwarden.${config.networking.domain}";
     };
   };
 
@@ -27,17 +27,21 @@ in {
     nixfiles.modules = {
       nginx = {
         enable = true;
-        virtualHosts.${cfg.domain} = with config.services.vaultwarden.config; {
+        upstreams = with config.services.vaultwarden.config; {
+          vaultwarden_rocket.servers."${ROCKET_ADDRESS}:${toString ROCKET_PORT}" = {};
+          vaultwarden_websocket.servers."${WEBSOCKET_ADDRESS}:${toString WEBSOCKET_PORT}" = {};
+        };
+        virtualHosts.${cfg.domain} = {
           locations."/" = {
-            proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
+            proxyPass = "http://vaultwarden_rocket";
             proxyWebsockets = true;
           };
           locations."/notifications/hub" = {
-            proxyPass = "http://[${WEBSOCKET_ADDRESS}]:${toString WEBSOCKET_PORT}";
+            proxyPass = "http://vaultwarden_websocket";
             proxyWebsockets = true;
           };
           locations."/notifications/hub/negotiate" = {
-            proxyPass = "http://[${ROCKET_ADDRESS}]:${toString ROCKET_PORT}";
+            proxyPass = "http://vaultwarden_rocket";
             proxyWebsockets = true;
           };
         };
@@ -60,11 +64,11 @@ in {
           SIGNUPS_ALLOWED = false;
           INVITATIONS_ALLOWED = true;
 
-          ROCKET_ADDRESS = "::1";
+          ROCKET_ADDRESS = "127.0.0.1";
           ROCKET_PORT = 8812;
 
           WEBSOCKET_ENABLED = true;
-          WEBSOCKET_ADDRESS = "::1";
+          WEBSOCKET_ADDRESS = "127.0.0.1";
           WEBSOCKET_PORT = 8813;
 
           LOG_LEVEL = "error";
diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix
index fa7ad34..c4fca1e 100644
--- a/modules/nixfiles/wireguard.nix
+++ b/modules/nixfiles/wireguard.nix
@@ -193,13 +193,12 @@ in {
           firewall.allowedUDPPorts = [cfg.server.port];
         };
 
-        # # TODO Dashboard for this.
-        # services.prometheus.exporters.wireguard = {
-        #   enable = true;
-        #   listenAddress = mkDefault this.wireguard.ipv4.address;
-        #   withRemoteIp = true;
-        #   port = 9586;
-        # };
+        services.prometheus.exporters.wireguard = {
+          enable = true;
+          listenAddress = mkDefault this.wireguard.ipv4.address;
+          withRemoteIp = true;
+          port = 9586;
+        };
       })
     ];
 }

Consider giving Nix/NixOS a try! <3