split up tewi/nixos.nix

nixos/systems/tewi/cloudflared.nix

@@ -1,18 +1,25 @@
-{ config, lib, ... }: with lib; {
-  sops.secrets.cloudflared-tunnel-apartment.owner = config.services.cloudflared.user;
+{ config, lib, ... }: let
+  inherit (lib) mapAttrs' nameValuePair splitString last;
+  inherit (config) services;
+  inherit (services.kanidm.serverSettings) domain;
+in {
+  sops.secrets.cloudflared-tunnel-apartment.owner = services.cloudflared.user;
   services.cloudflared = {
     enable = true;
     tunnels = {
       "a3ae32ce-fe82-4f2c-ad54-3adf4a45fcbc" = {
         credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
         default = "http_status:404";
-        ingress = {
-          "gensokyo.zone" = "http://localhost:80";
-          "home.gensokyo.zone" = "http://localhost:8123";
-          "z2m.gensokyo.zone" = "http://localhost:80";
-          "login.gensokyo.zone" = "http://localhost:${toString config.services.vouch-proxy.settings.vouch.port}";
-          "id.gensokyo.zone" = {
-            service = "https://127.0.0.1:8081";
+        ingress = mapAttrs' (prefix: nameValuePair "${prefix}${domain}") {
+          "" = "http://localhost:80";
+          "home." = "http://localhost:${toString services.home-assistant.config.http.server_port}";
+          "z2m." = "http://localhost:80";
+          "login." = "http://localhost:${toString services.vouch-proxy.settings.vouch.port}";
+          "id." = let
+            inherit (services.kanidm.serverSettings) bindaddress;
+            port = last (splitString ":" bindaddress);
+          in {
+            service = "https://127.0.0.1:${port}";
             originRequest.noTLSVerify = true;
           };
         };

nixos/systems/tewi/mediatomb.nix

@@ -0,0 +1,33 @@
+{ config, lib, ... }: let
+  cfg = config.services.mediatomb;
+  shadowDir = "/mnt/shadow";
+in {
+  services.mediatomb = {
+    enable = true;
+    openFirewall = true;
+    serverName = config.networking.hostName;
+    uuid = "082fd344-bf69-5b72-a68f-a5a4d88e76b2";
+    mediaDirectories = lib.singleton {
+      path = "${shadowDir}/media";
+      recursive = true;
+      hidden-files = false;
+    };
+  };
+  systemd.services.mediatomb = rec {
+    confinement.enable = true;
+    unitConfig = {
+      RequiresMountsFor = [
+        shadowDir
+      ];
+    };
+    serviceConfig = {
+      StateDirectory = cfg.package.pname;
+      BindReadOnlyPaths = map (path: "${shadowDir}/media/${path}") [
+        "anime" "movies" "tv" "unsorted"
+        "music" "music-to-import" "music-raw"
+      ] ++ [
+        "${shadowDir}/deluge/complete"
+      ];
+    };
+  };
+}

nixos/systems/tewi/nixos.nix

@@ -36,6 +36,7 @@ in {
     ./mosquitto.nix
     ./postgres.nix
     ./nginx.nix
+    ./mediatomb.nix
     ./deluge.nix
     ./cloudflared.nix
     ../../gui/nfs.nix
@@ -83,18 +84,6 @@ in {
     kernelModules = [ "kvm-intel" ];
   };
 
-  services.mediatomb = {
-    enable = true;
-    openFirewall = true;
-    serverName = config.networking.hostName;
-    uuid = "082fd344-bf69-5b72-a68f-a5a4d88e76b2";
-    mediaDirectories = lib.singleton {
-      path = "/mnt/shadow/media";
-      recursive = true;
-      hidden-files = false;
-    };
-  };
-
   services.openiscsi = {
     enable = true;
     name = "";
@@ -163,21 +152,6 @@ in {
         wantedBy = cryptServices;
         before = wantedBy;
       };
-      mediatomb = rec {
-        confinement.enable = true;
-        unitConfig = {
-          RequiresMountsFor = [
-            "/mnt/shadow"
-          ];
-        };
-        serviceConfig = {
-          StateDirectory = config.services.mediatomb.package.pname;
-          BindReadOnlyPaths = map (path: "/mnt/shadow/media/${path}") [
-            "anime" "movies" "tv" "unsorted"
-            "music" "music-to-import" "music-raw"
-          ];
-        };
-      };
     };
   };