refactor: use options for config parts

This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name
2024-05-08 19:47:47 +02:00 · 2024-05-08 19:47:47 +02:00 · 68278ad983
parent aa7ab4bc6b
commit 68278ad983
29 changed files with 209 additions and 192 deletions
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -49,6 +49,7 @@
          self.nixosModules.overlays
          self.nixosModules.core

+          self.nixosModules.keycloak
          self.nixosModules.caddy
          self.nixosModules.drone
          self.nixosModules.forgejo-actions-runner
--- a/modules/caddy/default.nix
+++ b/modules/caddy/default.nix
@ -5,11 +5,7 @@
 , ...
 }:
 {
-  systemd.tmpfiles.rules = [
-    "d '/data/srv/www/os/download/' 0750 ${config.pub-solar-os.authentication.robot.username} ${config.pub-solar-os.authentication.robot.username} - -"
-  ];
-
-  services.caddy = {
+ services.caddy = {
    enable = lib.mkForce true;
    group = config.pub-solar-os.authentication.robot.username;
    email = config.pub-solar-os.adminEmail;
@ -17,27 +13,6 @@
    globalConfig = lib.mkForce ''
      grace_period 60s
    '';
-    virtualHosts = {
-      "flora-6.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-                    basicauth * {
-                ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
-                    }
-                    reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
-        '';
-      };
-      "obs-portal.pub.solar" = {
-        logFormat = lib.mkForce ''
-          output discard
-        '';
-        extraConfig = ''
-          reverse_proxy obs-portal.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.lev-1.int.greenbaum.zone:3000
-        '';
-      };
-    };
  };
  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }
--- a/modules/collabora/default.nix
+++ b/modules/collabora/default.nix
@ -4,7 +4,7 @@
 , self
 , ...
 }: {
-  services.nginx.virtualHosts."collabora.pub.solar" = {
+  services.nginx.virtualHosts."collabora.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;

@ -32,8 +32,8 @@
          "--pull=always"
        ];
        environment = {
-          server_name = "collabora.pub.solar";
-          aliasgroup1 = "https://cloud.pub.solar:443";
+          server_name = "collabora.${config.pub-solar-os.networking.domain}";
+          aliasgroup1 = "https://cloud.${config.pub-solar-os.networking.domain}:443";
          DONT_GEN_SSL_CERT = "1";
          extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
          SLEEPFORDEBUGGER = "0";
--- a/modules/core/default.nix
+++ b/modules/core/default.nix
@ -12,6 +12,18 @@
      type = types.str;
      default = "admins@pub.solar";
    };
+
+    privacyPolicyUrl = mkOption {
+      description = "URL of the privacy policy. Used to link there from applications";
+      type = types.str;
+      default = "https://pub.solar/privacy";
+    };
+
+    imprintUrl = mkOption {
+      description = "URL of the imprint. Used to link there from applications";
+      type = types.str;
+      default = "https://pub.solar/about";
+    };
  };

  config = {
--- a/modules/coturn/default.nix
+++ b/modules/coturn/default.nix
@ -14,7 +14,7 @@
    max-port = 50000;
    use-auth-secret = true;
    static-auth-secret-file = "/run/agenix/coturn-static-auth-secret";
-    realm = "turn.pub.solar";
+    realm = "turn.${config.pub-solar-os.networking.domain}";
    cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
    pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
    extraConfig =
@ -89,7 +89,7 @@
  services.nginx.virtualHosts.${config.services.coturn.realm} = {
    enableACME = true;
    addSSL = true;
-    globalRedirect = "pub.solar";
+    globalRedirect = "${config.pub-solar-os.networking.domain}";
  };

  users.users.nginx.extraGroups = [ "turnserver" ];
--- a/modules/drone/default.nix
+++ b/modules/drone/default.nix
@ -30,7 +30,7 @@
    "d '/var/lib/drone-db' 0750 drone drone - -"
  ];

-  services.caddy.virtualHosts."ci.pub.solar" = {
+  services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
    logFormat = lib.mkForce ''
      output discard
    '';
@ -87,11 +87,11 @@
        extraOptions = [
          "--network=drone-net"
          "--pull=always"
-          "--add-host=nachtigall.pub.solar:10.7.6.1"
+          "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
        ];
        environment = {
-          DRONE_GITEA_SERVER = "https://git.pub.solar";
-          DRONE_SERVER_HOST = "ci.pub.solar";
+          DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}";
+          DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}";
          DRONE_SERVER_PROTO = "https";
          DRONE_DATABASE_DRIVER = "postgres";
        };
@ -111,10 +111,10 @@
        extraOptions = [
          "--network=drone-net"
          "--pull=always"
-          "--add-host=nachtigall.pub.solar:10.7.6.1"
+          "--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
        ];
        environment = {
-          DRONE_RPC_HOST = "ci.pub.solar";
+          DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}";
          DRONE_RPC_PROTO = "https";
          DRONE_RUNNER_CAPACITY = "2";
          DRONE_RUNNER_NAME = "flora-6-docker-runner";
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@ -29,7 +29,7 @@
    user = "gitea";
  };

-  services.nginx.virtualHosts."git.pub.solar" = {
+  services.nginx.virtualHosts."git.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;

@ -78,8 +78,8 @@
      DEFAULT.APP_NAME = "pub.solar git server";

      server = {
-        ROOT_URL = "https://git.pub.solar";
-        DOMAIN = "git.pub.solar";
+        ROOT_URL = "https://git.${config.pub-solar-os.networking.domain}";
+        DOMAIN = "git.${config.pub-solar-os.networking.domain}";
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3000;
        START_SSH_SERVER = true;
@ -123,7 +123,7 @@

      # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook
      webhook = {
-        ALLOWED_HOST_LIST = "loopback,external,*.pub.solar";
+        ALLOWED_HOST_LIST = "loopback,external,*.${config.pub-solar-os.networking.domain}";
      };

      # See https://forgejo.org/docs/latest/admin/actions/
--- a/modules/grafana/default.nix
+++ b/modules/grafana/default.nix
@ -33,7 +33,7 @@
    };
  };

-  services.caddy.virtualHosts."grafana.pub.solar" = {
+  services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = {
    logFormat = lib.mkForce ''
      output discard
    '';
@ -51,8 +51,8 @@
        # and Port
        http_port = 3000;
        # Grafana needs to know on which domain and URL it's running
-        domain = "grafana.pub.solar";
-        root_url = "https://grafana.pub.solar";
+        domain = "grafana.${config.pub-solar-os.networking.domain}";
+        root_url = "https://grafana.${config.pub-solar-os.networking.domain}";
        enable_gzip = true;
      };
      smtp = {
@ -78,9 +78,9 @@
        email_attribute_path = "email";
        login_attribute_path = "preferred_username";
        name_attribute_path = "full_name";
-        auth_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/auth";
-        token_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/token";
-        api_url = "https://auth.pub.solar/realms/pub.solar/protocol/openid-connect/userinfo";
+        auth_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/auth";
+        token_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/token";
+        api_url = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/protocol/openid-connect/userinfo";
        role_attribute_path = "contains(roles[*], 'admin') && 'GrafanaAdmin' || 'Viewer'";
        allow_assign_grafana_admin = true;
      };
--- a/modules/keycloak/default.nix
+++ b/modules/keycloak/default.nix
@ -4,93 +4,105 @@
 , pkgs
 , ...
 }: {
-  age.secrets.keycloak-database-password = {
-    file = "${flake.self}/secrets/keycloak-database-password.age";
-    mode = "600";
-    #owner = "keycloak";
+  options.pub-solar-os.auth = with lib; {
+     enable = mkEnableOption "Enable keycloak to run on the node";
+
+     realm = mkOption {
+      description = "Name of the realm";
+      type = types.str;
+      default = config.pub-solar-os.networking.domain;
+    };
  };

-  services.nginx.virtualHosts."auth.pub.solar" = {
-    enableACME = true;
-    forceSSL = true;
+  config = lib.mkIf config.pub-solar-os.auth.enable {
+    age.secrets.keycloak-database-password = {
+      file = "${flake.self}/secrets/keycloak-database-password.age";
+      mode = "600";
+      #owner = "keycloak";
+    };

-    locations = {
-      "= /" = {
-        extraConfig = ''
-          return 302 /realms/pub.solar/account;
-        '';
-      };
+    services.nginx.virtualHosts."auth.${config.pub-solar-os.networking.domain}" = {
+      enableACME = true;
+      forceSSL = true;

-      "/" = {
-        extraConfig = ''
-          proxy_pass http://127.0.0.1:8080;
-          proxy_buffer_size 8k;
-        '';
+      locations = {
+        "= /" = {
+          extraConfig = ''
+            return 302 /realms/${config.pub-solar-os.auth.realm}/account;
+          '';
+        };
+
+        "/" = {
+          extraConfig = ''
+            proxy_pass http://127.0.0.1:8080;
+            proxy_buffer_size 8k;
+          '';
+        };
      };
    };
-  };

-  # keycloak
-  services.keycloak = {
-    enable = true;
-    database.passwordFile = config.age.secrets.keycloak-database-password.path;
-    settings = {
-      hostname = "auth.pub.solar";
-      http-host = "127.0.0.1";
-      http-port = 8080;
-      proxy = "edge";
-      features = "declarative-user-profile";
+    # keycloak
+    services.keycloak = {
+      enable = true;
+      database.passwordFile = config.age.secrets.keycloak-database-password.path;
+      settings = {
+        hostname = "auth.${config.pub-solar-os.networking.domain}";
+        http-host = "127.0.0.1";
+        http-port = 8080;
+        proxy = "edge";
+        features = "declarative-user-profile";
+      };
+      themes = {
+        "pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
+      };
    };
-    themes = {
-      "pub.solar" = flake.inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
-    };
-  };

-  services.restic.backups.keycloak-droppie = {
-    paths = [
-      "/tmp/keycloak-backup.sql"
-    ];
-    timerConfig = {
-      OnCalendar = "*-*-* 02:00:00 Etc/UTC";
-      # droppie will be offline if nachtigall misses the timer
-      Persistent = false;
+    services.restic.backups.keycloak-droppie = {
+      paths = [
+        "/tmp/keycloak-backup.sql"
+      ];
+      timerConfig = {
+        OnCalendar = "*-*-* 02:00:00 Etc/UTC";
+        # droppie will be offline if nachtigall misses the timer
+        Persistent = false;
+      };
+      initialize = true;
+      passwordFile = config.age.secrets."restic-repo-droppie".path;
+      repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
+      backupPrepareCommand = ''
+        ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
+      '';
+      backupCleanupCommand = ''
+        rm /tmp/keycloak-backup.sql
+      '';
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+      ];
    };
-    initialize = true;
-    passwordFile = config.age.secrets."restic-repo-droppie".path;
-    repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
-    backupPrepareCommand = ''
-      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
-    '';
-    backupCleanupCommand = ''
-      rm /tmp/keycloak-backup.sql
-    '';
-    pruneOpts = [
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-    ];
-  };

-  services.restic.backups.keycloak-storagebox = {
-    paths = [
-      "/tmp/keycloak-backup.sql"
-    ];
-    timerConfig = {
-      OnCalendar = "*-*-* 04:10:00 Etc/UTC";
+    services.restic.backups.keycloak-storagebox = {
+      paths = [
+        "/tmp/keycloak-backup.sql"
+      ];
+      timerConfig = {
+        OnCalendar = "*-*-* 04:10:00 Etc/UTC";
+      };
+      initialize = true;
+      passwordFile = config.age.secrets."restic-repo-storagebox".path;
+      repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+      backupPrepareCommand = ''
+        ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
+      '';
+      backupCleanupCommand = ''
+        rm /tmp/keycloak-backup.sql
+      '';
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+      ];
    };
-    initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
-    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
-    backupPrepareCommand = ''
-      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
-    '';
-    backupCleanupCommand = ''
-      rm /tmp/keycloak-backup.sql
-    '';
-    pruneOpts = [
-      "--keep-daily 7"
-      "--keep-weekly 4"
-      "--keep-monthly 3"
-    ];
  };
 }
--- a/modules/loki/default.nix
+++ b/modules/loki/default.nix
@ -4,6 +4,19 @@
 , flake
 , ...
 }: {
+  services.caddy.virtualHosts = {
+    "flora-6.${config.pub-solar-os.networking.domain}" = {
+      logFormat = lib.mkForce ''
+        output discard
+      '';
+      extraConfig = ''
+        basicauth * {
+          ${config.pub-solar-os.authentication.robot.username} $2a$14$mmIAy/Ezm6YGohUtXa2mWeW6Bcw1MQXPhrRbz14jAD2iUu3oob/t.
+        }
+        reverse_proxy :${toString config.services.loki.configuration.server.http_listen_port}
+      '';
+    };
+  };
  # source: https://gist.github.com/rickhull/895b0cb38fdd537c1078a858cf15d63e
  # https://grafana.com/docs/loki/latest/configure/examples/#1-local-configuration-exampleyaml
  services.loki = {
--- a/modules/mailman/default.nix
+++ b/modules/mailman/default.nix
@ -9,7 +9,7 @@

  users.users.nginx.extraGroups = [ "mailman" ];

-  services.nginx.virtualHosts."list.pub.solar" = {
+  services.nginx.virtualHosts."list.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
  };
@ -24,15 +24,15 @@
    enable = true;
    relayDomains = [ "hash:/var/lib/mailman/data/postfix_domains" ];
    # get TLS certs for list.pub.solar from acme
-    sslCert = "/var/lib/acme/list.pub.solar/fullchain.pem";
-    sslKey = "/var/lib/acme/list.pub.solar/key.pem";
+    sslCert = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
+    sslKey = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/key.pem";
    config = {
      transport_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
      local_recipient_maps = [ "hash:/var/lib/mailman/data/postfix_lmtp" ];
    };
    rootAlias = "admins@pub.solar";
    postmasterAlias = "admins@pub.solar";
-    hostname = "list.pub.solar";
+    hostname = "list.${config.pub-solar-os.networking.domain}";
  };

  systemd.paths.watcher-acme-ssl-file = {
@ -40,7 +40,7 @@
    documentation = [ "systemd.path(5)" ];
    partOf = [ "postfix-reload.service" ];
    pathConfig = {
-      PathChanged = "/var/lib/acme/list.pub.solar/fullchain.pem";
+      PathChanged = "/var/lib/acme/list.${config.pub-solar-os.networking.domain}/fullchain.pem";
      Unit = "postfix-reload.service";
    };
    wantedBy = [ "multi-user.target" ];
@ -64,7 +64,7 @@
    enable = true;
    serve.enable = true;
    hyperkitty.enable = true;
-    webHosts = [ "list.pub.solar" ];
+    webHosts = [ "list.${config.pub-solar-os.networking.domain}" ];
    siteOwner = "admins@pub.solar";
  };

--- a/modules/mastodon/default.nix
+++ b/modules/mastodon/default.nix
@ -38,7 +38,7 @@
  services.mastodon = {
    enable = true;
    # Different from WEB_DOMAIN in our case
-    localDomain = "pub.solar";
+    localDomain = "${config.pub-solar-os.networking.domain}";
    enableUnixSocket = true;
    # Number of processes used by the mastodon-streaming service
    # Recommended is the amount of your CPU cores minus one
@ -68,7 +68,7 @@
      "/run/agenix/mastodon-extra-env-secrets"
    ];
    extraConfig = {
-      WEB_DOMAIN = "mastodon.pub.solar";
+      WEB_DOMAIN = "mastodon.${config.pub-solar-os.networking.domain}";
      # Defined in ./opensearch.nix
      ES_HOST = "127.0.0.1";
      # S3 File storage (optional)
@ -77,7 +77,7 @@
      S3_BUCKET = "pub-solar-mastodon";
      S3_REGION = "europe-west-1";
      S3_ENDPOINT = "https://gateway.tardigradeshare.io";
-      S3_ALIAS_HOST = "files.pub.solar";
+      S3_ALIAS_HOST = "files.${config.pub-solar-os.networking.domain}";
      # Translation (optional)
      # -----------------------
      DEEPL_PLAN = "free";
@ -85,11 +85,11 @@
      # --------------
      OIDC_ENABLED = "true";
      OIDC_DISPLAY_NAME = "pub.solar ID";
-      OIDC_ISSUER = "https://auth.pub.solar/realms/pub.solar";
+      OIDC_ISSUER = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}";
      OIDC_DISCOVERY = "true";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_UID_FIELD = "preferred_username";
-      OIDC_REDIRECT_URI = "https://mastodon.pub.solar/auth/auth/openid_connect/callback";
+      OIDC_REDIRECT_URI = "https://mastodon.${config.pub-solar-os.networking.domain}/auth/auth/openid_connect/callback";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      # only use OIDC for login / registration
      OMNIAUTH_ONLY = "true";
--- a/modules/matrix-irc/default.nix
+++ b/modules/matrix-irc/default.nix
@ -25,9 +25,9 @@ in
    registrationUrl = "http://localhost:8010";
    settings = {
      homeserver = {
-        domain = "pub.solar";
+        domain = "${config.pub-solar-os.networking.domain}";
        url = "http://127.0.0.1:${synapseClientPort}";
-        media_url = "https://matrix.pub.solar";
+        media_url = "https://matrix.${config.pub-solar-os.networking.domain}";
        enablePresence = false;
      };
      ircService = {
--- a/modules/matrix-telegram/default.nix
+++ b/modules/matrix-telegram/default.nix
@ -13,7 +13,7 @@
      homeserver = {
        # TODO: Use the port from synapse config
        address = "http://127.0.0.1:8008";
-        domain = "pub.solar";
+        domain = "${config.pub-solar-os.networking.domain}";
        verify_ssl = true;
      };
      appservice = {
@ -34,7 +34,7 @@
        };
        public = {
          enabled = true;
-          external = "https://matrix.pub.solar/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
+          external = "https://matrix.${config.pub-solar-os.networking.domain}/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
          prefix = "/c3c3f34b-29fb-5feb-86e5-98c75ec8214b";
        };
      };
@ -140,7 +140,7 @@
        username_template = "telegram_{userid}";

        permissions = {
-          "pub.solar" = "full";
+          "${config.pub-solar-os.networking.domain}" = "full";
        };
      };

--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@ -1,7 +1,7 @@
 { flake, config, pkgs, ... }:
 let
-  publicDomain = "matrix.pub.solar";
-  serverDomain = "pub.solar";
+  publicDomain = "matrix.${config.pub-solar-os.networking.domain}";
+  serverDomain = "${config.pub-solar-os.networking.domain}";
 in
 {
  age.secrets."matrix-synapse-signing-key" = {
--- a/modules/mediawiki/default.nix
+++ b/modules/mediawiki/default.nix
@ -26,14 +26,14 @@ let
      ## For more information on customizing the URLs
      ## (like /w/index.php/Page_title to /wiki/Page_title) please see:
      ## https://www.mediawiki.org/wiki/Manual:Short_URL
-      $wgScriptPath = "https://wiki.pub.solar";
+      $wgScriptPath = "https://wiki.${config.pub-solar-os.networking.domain}";

      ## https://www.mediawiki.org/wiki/Manual:Short_URL
      ## https://www.mediawiki.org/wiki/Extension:OpenID_Connect#Known_issues
      $wgArticlePath = "/index.php/$1";

      ## The protocol and server name to use in fully-qualified URLs
-      $wgServer = "https://wiki.pub.solar";
+      $wgServer = "https://wiki.${config.pub-solar-os.networking.domain}";

      ## The URL path to static resources (images, scripts, etc.)
      $wgResourceBasePath = $wgScriptPath;
@ -143,7 +143,7 @@ let
      $wgPluggableAuth_Config[] = [
          'plugin' => 'OpenIDConnect',
          'data' => [
-              'providerURL' => 'https://auth.pub.solar/realms/pub.solar',
+              'providerURL' => 'https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}',
              'clientID' => 'mediawiki',
              'clientsecret' => trim(file_get_contents('/run/mediawiki/oidc-client-secret'))
          ]
@ -189,7 +189,7 @@ in
    '';
  };

-  services.nginx.virtualHosts."wiki.pub.solar" = {
+  services.nginx.virtualHosts."wiki.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;

--- a/modules/nextcloud/default.nix
+++ b/modules/nextcloud/default.nix
@ -16,13 +16,13 @@
    owner = "nextcloud";
  };

-  services.nginx.virtualHosts."cloud.pub.solar" = {
+  services.nginx.virtualHosts."cloud.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
  };

  services.nextcloud = {
-    hostName = "cloud.pub.solar";
+    hostName = "cloud.${config.pub-solar-os.networking.domain}";
    home = "/var/lib/nextcloud";

    enable = true;
@ -50,7 +50,7 @@
    };

    extraOptions = {
-      overwrite.cli.url = "http://cloud.pub.solar";
+      overwrite.cli.url = "http://cloud.${config.pub-solar-os.networking.domain}";

      installed = true;
      default_phone_region = "+49";
--- a/modules/nginx-mastodon-files/default.nix
+++ b/modules/nginx-mastodon-files/default.nix
@ -1,4 +1,7 @@
-{ ... }:
+{
+  config,
+  ...
+}:

 let
  objStorHost = "link.tardigradeshare.io";
@ -6,7 +9,7 @@ let
 in
 {
  services.nginx.virtualHosts = {
-    "files.pub.solar" = {
+    "files.${config.pub-solar-os.networking.domain}" = {
      enableACME = true;
      forceSSL = true;

--- a/modules/nginx-mastodon/default.nix
+++ b/modules/nginx-mastodon/default.nix
@ -5,7 +5,7 @@ in
 {
  services.nginx = {
    virtualHosts = {
-      "mastodon.pub.solar" = {
+      "mastodon.${config.pub-solar-os.networking.domain}" = {
        root = "${cfg.package}/public/";
        # mastodon only supports https, but you can override this if you offload tls elsewhere.
        forceSSL = lib.mkDefault true;
@ -16,11 +16,11 @@ in
        '';

        locations."/auth/confirmation/new".extraConfig = ''
-          return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+          return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
        '';

        locations."/auth/password/new".extraConfig = ''
-          return 302 https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon;
+          return 302 https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/login-actions/reset-credentials?client_id=mastodon;
        '';

        locations."/system/".alias = "/var/lib/mastodon/public-system/";
--- a/modules/nginx-matrix/default.nix
+++ b/modules/nginx-matrix/default.nix
@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, pkgs, config, ... }:
 let
  commonHeaders = ''
    add_header Permissions-Policy interest-cohort=() always;
@ -44,7 +44,7 @@ let
        role = "m.role.admin";
      }
    ];
-    support_page = "https://pub.solar/about";
+    support_page = "https://${config.pub-solar-os.networking.domain}/about";
  };
  mkWellKnown = data: ''
    add_header Content-Type application/json;
@ -64,11 +64,11 @@ in
    # This is already in production use #
    #####################################

-    "pub.solar" = {
-      locations = wellKnownLocations "pub.solar";
+    "${config.pub-solar-os.networking.domain}" = {
+      locations = wellKnownLocations "${config.pub-solar-os.networking.domain}";
    };

-    "chat.pub.solar" = {
+    "chat.${config.pub-solar-os.networking.domain}" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.element-web.override {
@ -76,13 +76,13 @@ in
      };
    };

-    "stickers.chat.pub.solar" = {
+    "stickers.chat.${config.pub-solar-os.networking.domain}" = {
      forceSSL = true;
      enableACME = true;
      root = pkgs.element-stickerpicker;
    };

-    "matrix.pub.solar" = {
+    "matrix.${config.pub-solar-os.networking.domain}" = {
      root = "/dev/null";

      forceSSL = lib.mkDefault true;
@ -122,8 +122,8 @@ in
        };
      };
    };
-    "matrix.pub.solar-federation" = {
-      serverName = "matrix.pub.solar";
+    "matrix.${config.pub-solar-os.networking.domain}-federation" = {
+      serverName = "matrix.${config.pub-solar-os.networking.domain}";
      forceSSL = lib.mkDefault true;
      enableACME = lib.mkDefault true;
      listen = [{
--- a/modules/nginx-prometheus-exporters/default.nix
+++ b/modules/nginx-prometheus-exporters/default.nix
@ -17,7 +17,7 @@ in
    owner = "nginx";
  };
  services.nginx.virtualHosts = {
-    "nachtigall.pub.solar" = {
+    "nachtigall.${config.pub-solar-os.networking.domain}" = {
      enableACME = true;
      addSSL = true;
      basicAuthFile = "${config.age.secrets.nachtigall-metrics-nginx-basic-auth.path}";
--- a/modules/nginx-website/default.nix
+++ b/modules/nginx-website/default.nix
@ -1,10 +1,11 @@
-{ lib, ... }: {
+{
+  lib, config, ... }: {
  systemd.tmpfiles.rules = [
-    "d '/srv/www/pub.solar' 0750 hakkonaut hakkonaut - -"
+    "d '/srv/www/${config.pub-solar-os.networking.domain}' 0750 hakkonaut hakkonaut - -"
  ];

  services.nginx.virtualHosts = {
-    "www.pub.solar" = {
+    "www.${config.pub-solar-os.networking.domain}" = {
      enableACME = true;
      addSSL = true;

@ -15,12 +16,12 @@

      locations."/" = {
        extraConfig = ''
-          return 301 https://pub.solar$request_uri;
+          return 301 https://${config.pub-solar-os.networking.domain}$request_uri;
        '';
      };
    };

-    "pub.solar" = {
+    "${config.pub-solar-os.networking.domain}" = {
      default = true;
      enableACME = true;
      forceSSL = true;
@ -35,7 +36,7 @@
        # https://masto.host/mastodon-usernames-different-from-the-domain-used-for-installation/
        "/.well-known/host-meta" = {
          extraConfig = ''
-            return 301 https://mastodon.pub.solar$request_uri;
+            return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri;
          '';
        };

@ -44,11 +45,11 @@
          # Redirect requests that match /.well-known/webfinger?resource=* to Mastodon
          extraConfig = ''
            if ($arg_resource) {
-              return 301 https://mastodon.pub.solar$request_uri;
+              return 301 https://mastodon.${config.pub-solar-os.networking.domain}$request_uri;
            }

            add_header Content-Type text/plain;
-            return 200 '{\n  "subject": "acct:admins@pub.solar",\n  "links": [\n    {\n    "rel": "http://openid.net/specs/connect/1.0/issuer",\n    "href": "https://auth.pub.solar/realms/pub.solar"\n    }\n  ]\n}';
+            return 200 '{\n  "subject": "acct:admins@pub.solar",\n  "links": [\n    {\n    "rel": "http://openid.net/specs/connect/1.0/issuer",\n    "href": "https://auth.${config.pub-solar-os.networking.domain}/realms/pub.solar"\n    }\n  ]\n}';
          '';
        };

@ -59,7 +60,7 @@
              "Expires: 2025-01-04T23:00:00.000Z"
              "Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/8A8987ADE3736C8CA2EB315A9B809EBBDD62BAE3"
              "Preferred-Languages: en,de"
-              "Canonical: https://pub.solar/.well-known/security.txt"
+              "Canonical: https://${config.pub-solar-os.networking.domain}/.well-known/security.txt"
            ];
        in {
          extraConfig = ''
@ -70,12 +71,12 @@

        "/satzung" = {
          extraConfig = ''
-            return 302 https://cloud.pub.solar/s/iaKqiW25QJpHPYs;
+            return 302 https://cloud.${config.pub-solar-os.networking.domain}/s/iaKqiW25QJpHPYs;
          '';
        };

        "/" = {
-          root = "/srv/www/pub.solar";
+          root = "/srv/www/${config.pub-solar-os.networking.domain}";
          index = "index.html";
          tryFiles = "$uri $uri/ =404";
        };
--- a/modules/nginx/default.nix
+++ b/modules/nginx/default.nix
@ -5,7 +5,7 @@
 , ...
 }:
 let
-  acmeEmailAddress = "admins@pub.solar";
+  acmeEmailAddress = config.pub-solar-os.adminEmail;
  webserverGroup = "hakkonaut";
 in
 {
--- a/modules/obs-portal/default.nix
+++ b/modules/obs-portal/default.nix
@ -14,8 +14,8 @@ FRONTEND_URL = None
 FRONTEND_HTTPS = True
 FRONTEND_DIR = "../frontend/build/"
 FRONTEND_CONFIG = {
-    "imprintUrl": "https://pub.solar/about",
-    "privacyPolicyUrl": "https://pub.solar/privacy",
+    "imprintUrl": "${config.pub-solar-os.imprintUrl}",
+    "privacyPolicyUrl": "${config.pub-solar-os.privacyPolicyUrl}",
    "mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
    "banner": {
        "text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
@ -27,15 +27,15 @@ ADDITIONAL_CORS_ORIGINS = None
  '';

  env = {
-    OBS_KEYCLOAK_URI = "auth.pub.solar";
-    OBS_PORTAL_URI = "obs-portal.pub.solar";
+    OBS_KEYCLOAK_URI = "auth.${config.pub-solar-os.networking.domain}";
+    OBS_PORTAL_URI = "obs-portal.${config.pub-solar-os.networking.domain}";

    OBS_POSTGRES_MAX_OVERFLOW = "20";
    OBS_POSTGRES_POOL_SIZE = "40";

    OBS_HOST = "0.0.0.0";
    OBS_PORT = "3000";
-    OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/";
+    OBS_KEYCLOAK_URL = "https://auth.${config.pub-solar-os.networking.domain}/realms/${config.pub-solar-os.auth.realm}/";
    OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
    OBS_DEDICATED_WORKER = "True";
    OBS_DATA_DIR = "/data";
@ -66,7 +66,7 @@ in {
      '';
    };

-  services.nginx.virtualHosts."obs-portal.pub.solar" = {
+  services.nginx.virtualHosts."obs-portal.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;

--- a/modules/owncast/default.nix
+++ b/modules/owncast/default.nix
@ -4,7 +4,7 @@
 , pkgs
 , ...
 }: {
-  services.nginx.virtualHosts."stream.pub.solar" = {
+  services.nginx.virtualHosts."stream.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;
    locations."/" = {
--- a/modules/prometheus/default.nix
+++ b/modules/prometheus/default.nix
@ -43,7 +43,7 @@
          password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
        };
        static_configs = [{
-          targets = [ "nachtigall.pub.solar" ];
+          targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
          labels = {
            instance = "nachtigall";
          };
@ -58,7 +58,7 @@
          password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
        };
        static_configs = [{
-          targets = [ "nachtigall.pub.solar" ];
+          targets = [ "nachtigall.${config.pub-solar-os.networking.domain}" ];
          labels = {
            instance = "nachtigall";
          };
--- a/modules/promtail/default.nix
+++ b/modules/promtail/default.nix
@ -21,7 +21,7 @@
        filename = "/tmp/positions.yaml";
      };
      clients = [{
-        url = "https://flora-6.pub.solar/loki/api/v1/push";
+        url = "https://flora-6.${config.pub-solar-os.networking.domain}/loki/api/v1/push";
        basic_auth = {
          username = "hakkonaut";
          password_file = "${config.age.secrets.nachtigall-metrics-prometheus-basic-auth-password.path}";
--- a/modules/searx/default.nix
+++ b/modules/searx/default.nix
@ -10,7 +10,7 @@
    mode = "600";
  };

-  services.nginx.virtualHosts."search.pub.solar" = {
+  services.nginx.virtualHosts."search.${config.pub-solar-os.networking.domain}" = {
    enableACME = true;
    forceSSL = true;

@ -38,14 +38,14 @@
      use_default_settings = true;

      server = {
-        base_url = "https://search.pub.solar";
+        base_url = "https://search.${config.pub-solar-os.networking.domain}";
        secret_key = "@SEARX_SECRET_KEY@";
      };

      general = {
        debug = false;
-        instance_name = "search.pub.solar";
-        privacypolicy_url = "https://pub.solar/privacy";
+        instance_name = "search.${config.pub-solar-os.networking.domain}";
+        privacypolicy_url = config.pub-solar-os.privacyPolicyUrl;
        # use true to use your own donation page written in searx/info/en/donate.md
        # use false to disable the donation link
        donation_url = false;
--- a/modules/tmate/default.nix
+++ b/modules/tmate/default.nix
@ -1,9 +1,9 @@
-{ ... }:
+{ config,... }:
 {
  services.tmate-ssh-server = {
    enable = true;
    port = 2222;
    openFirewall = true;
-    host = "tmate.pub.solar";
+    host = "tmate.${config.pub-solar-os.networking.domain}";
  };
 }