feat: glance test

modules/config/devices/config/deimos.nix

@@ -14,6 +14,9 @@ in
   ip = {
     address0 = deimosIP;
   };
+  wireguard = {
+    ip0 = "10.100.0.3";
+  };
   boot = {
     options = ownerWriteOthersReadMask;
   };

modules/config/instances/config/podgrab.nix

@@ -1,35 +0,0 @@
-{ moduleFunctions }:
-let
-  inherit (moduleFunctions.instancesFunctions)
-    domain0
-    servicePath
-    sslPath
-    sopsPath
-    ;
-
-  label = "Podgrab";
-  name = "podgrab";
-  subdomain = "podcasts";
-  domain = "${subdomain}.${domain0}";
-in
-{
-  label = label;
-  name = name;
-  sops = {
-    path0 = "${sopsPath}/${name}";
-  };
-  domains = {
-    url0 = domain;
-  };
-  subdomain = name;
-  paths = {
-    path0 = "${servicePath}/${label}";
-  };
-  ports = {
-    port0 = 4242;
-  };
-  ssl = {
-    cert = "${sslPath}/${name}.${domain0}/fullchain.pem";
-    key = "${sslPath}/${name}.${domain0}/key.pem";
-  };
-}

modules/nixos/default.nix

@@ -10,7 +10,6 @@ in
           mullvad
           syncthing
           ollama
-          glance
           plasma
           sddm
           hypr
@@ -32,7 +31,6 @@ in
           sddm
           flatpak
           espanso
-          glance
           ;
       };
     };
@@ -52,17 +50,18 @@ in
           acme
           audiobookshelf
           caddy
+          forgejo
+          glance
           jellyfin
           logrotate
           mastodon
           minecraft
           ollama
-          website
           postgresql
           samba
           searx
           vaultwarden
-          forgejo
+          website
           ;
       };
     };

modules/nixos/services/acme/default.nix

@@ -32,15 +32,15 @@ in
           value = dnsConfig;
         })
         [
+          "audiobookshelf"
+          "glance"
           "jellyfin"
           "minecraft"
-          "ollama"
           "nextcloud"
-          "syncthing"
+          "ollama"
           "searx"
-          "podgrab"
+          "syncthing"
           "vaultwarden"
-          "audiobookshelf"
         ]
       )
       ++ (map
@@ -49,9 +49,9 @@ in
           value = dnsConfig;
         })
         [
-          "peertube"
           "forgejo"
           "mastodon"
+          "peertube"
         ]
       )
       ++ (map

modules/nixos/services/glance/config/server.nix

@@ -1,10 +1,14 @@
-{ flake, service, ... }:
+{ flake, configHelpers, ... }:
 let
   inherit (flake.config.people) user0;
+  inherit (flake.config.machines.devices) ceres;
 in
 {
   assets-path = "/home/${user0}/Files/Projects/dotfiles/modules/nixos/services/glance/assets";
-  port = service.ports.port0;
+  # host = configHelpers.host;
+  # host = configHelpers.localhost;
+  host = ceres.wireguard.ip0;
+  port = configHelpers.service.ports.port0;
   # auth = {
   #   secret-key = config.sops.secrets."${service.name}-key".path;
   #   users.${user0}.password = config.sops.secrets."${service.name}-${user0}-pass".path;

modules/nixos/services/glance/default.nix

@@ -1,10 +1,20 @@
 { config, flake, ... }:
 let
-  inherit (flake.config.services.instances) glance jellyfin;
+  inherit (flake.config.services.instances)
+    glance
+    jellyfin
+    web
+    ;
+  inherit (flake.config.machines.devices) ceres mars deimos;
+  configHelpers = {
     service = glance;
+    hostname = config.networking.hostName;
+    localhost = web.localhost.address1;
+    host = configHelpers.service.domains.url0;
+  };
   configPath = ./config;
   configImports = {
-    server = import (configPath + /server.nix) { inherit flake service; };
+    server = import (configPath + /server.nix) { inherit flake configHelpers; };
     branding = import (configPath + /branding.nix);
     theme = import (configPath + /theme.nix);
     pages = import (configPath + /pages.nix) { inherit config flake; };
@@ -16,11 +26,32 @@ in
       enable = true;
       settings = configImports;
     };
+    caddy = {
+      virtualHosts = {
+        "${configHelpers.host}" = {
+          extraConfig = ''
+            @allowed_ips {
+              remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
+            }
+
+            handle @allowed_ips {
+              redir /.well-known/carddav /remote.php/dav/ 301
+              redir /.well-known/caldav /remote.php/dav/ 301
+              reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
+            }
+            handle {
+              respond "Access Denied" 403
+            }
+            tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
+          '';
+        };
+      };
+    };
   };
   sops =
     let
       sopsPath = secret: {
-        path = "/run/secrets/${service.name}-${secret}";
+        path = "/run/secrets/${configHelpers.service.name}-${secret}";
         owner = "root";
         group = "root";
         mode = "644";
@@ -30,7 +61,7 @@ in
       secrets = builtins.listToAttrs (
         map
           (secret: {
-            name = "${service.name}-${secret}";
+            name = "${configHelpers.service.name}-${secret}";
             value = sopsPath secret;
           })
           [
@@ -41,15 +72,10 @@ in
       );
     };
 
-  systemd.tmpfiles.rules = [
-    # "Z ${service.paths.path0} 755 ${service.name} ${service.name} -"
-    # "Z ${service.sops.path0} 755 root root -"
-  ];
-
   networking = {
     firewall = {
-      allowedTCPPorts = [
-        service.ports.port0
+      interfaces.wg0.allowedTCPPorts = [
+        configHelpers.service.ports.port0
       ];
     };
   };

modules/nixos/services/podgrab/default.nix

@@ -1,77 +0,0 @@
-{ config, flake, ... }:
-let
-  inherit (flake.config.services.instances) podgrab web;
-  inherit (flake.config.machines.devices) ceres;
-  service = podgrab;
-  localhost = web.localhost.address0;
-  host = service.domains.url0;
-in
-{
-  services = {
-    podgrab = {
-      enable = true;
-      port = service.ports.port0;
-      passwordFile = config.sops.secrets."${service.name}-pass".path;
-      dataDirectory = service.paths.path0;
-    };
-    caddy = {
-      virtualHosts = {
-        "${host}" = {
-          extraConfig = ''
-            redir /.well-known/carddav /remote.php/dav/ 301
-            redir /.well-known/caldav /remote.php/dav/ 301
-
-            reverse_proxy ${localhost}:${toString service.ports.port0}
-
-            tls ${service.ssl.cert} ${service.ssl.key}
-          '';
-        };
-      };
-    };
-  };
-
-  sops =
-    let
-      sopsPath = secret: {
-        path = "${service.sops.path0}/password.env";
-        owner = service.name;
-        mode = "600";
-      };
-    in
-    {
-      secrets = builtins.listToAttrs (
-        map
-          (secret: {
-            name = "${service.name}-${secret}";
-            value = sopsPath secret;
-          })
-          [
-            "pass"
-          ]
-      );
-    };
-
-  fileSystems."/var/lib/${service.name}" = {
-    device = service.paths.path0;
-    fsType = "none";
-    options = [
-      "bind"
-    ];
-    depends = [
-      ceres.storage0.mount
-    ];
-  };
-
-  systemd.tmpfiles.rules = [
-    "Z ${service.paths.path0} 0755 ${service.name} ${service.name} -"
-    "Z ${service.sops.path0} 0755 ${service.name} ${service.name} -"
-  ];
-
-  networking = {
-    firewall = {
-      allowedTCPPorts = [
-        service.ports.port0
-      ];
-    };
-  };
-}

modules/nixos/services/searx/default.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (flake.config.machines.devices) ceres mars;
+  inherit (flake.config.machines.devices) ceres mars deimos;
   inherit (flake.config.services.instances) searx web;
   configHelpers = {
     service = searx;
@@ -47,7 +47,7 @@ in
               "${configHelpers.host}" = {
                 extraConfig = ''
                   @allowed_ips {
-                    remote_ip ${mars.wireguard.ip0}
+                    remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
                   }
 
                   handle @allowed_ips {

secrets/secrets.yaml

@@ -40,6 +40,8 @@ wireguard-phone-private: ENC[AES256_GCM,data:hm6KoNseaalt+/SYCkCW0w4sRzzpNNMjhda
 wireguard-phone-public: ENC[AES256_GCM,data:gGMAIg3T6dOmo1z2c6oZ8Sgnylp0wjpADRWRyBCAEhmlJp1PVj+d478TO08=,iv:A4DV7zPKXwVF2nyFySyrmfdExoo3LrbiYt6PYa4/WcQ=,tag:wY4fYv1wXE0tYonrLoHpGQ==,type:str]
 wireguard-mars-private: ENC[AES256_GCM,data:pUkR29PgGhHeR3d6fFJDs0bwASaC/RqUTsJe+vYs+P2skIGivkRzhi3LRBE=,iv:JK7O28r73V3NiVGikMIZunJtrdtp4jOGPi2quLYSkWY=,tag:nSHqfnZhiLrm7JuZuJtc7Q==,type:str]
 wireguard-mars-public: ENC[AES256_GCM,data:fA37Ev7WL2vsgG/PE4YMFHclbhjHqCgNCOiF5J9L5UD8YuGCHUbpTV7A+w4=,iv:K9W/IZatUL+HZ5k9FGjmA4+He4xTO3IAswqpbelfhPw=,tag:FC5kiMD/pdtNjQxklDvfrA==,type:str]
+wireguard-deimos-private: ENC[AES256_GCM,data:A/LbG/kTjT0xa93Y31RXfM6D9ibHHjuaZ0TIFr8/zn2l7AD7NfmpgZXuPII=,iv:tK9Iyll/GXPXNsMXJKpNKSxMqeHLqSgCfQTSM8+NOVU=,tag:yfJP9hjR/6DXgKtFKqR5Zw==,type:str]
+wireguard-deimos-public: ENC[AES256_GCM,data:ZhcnUafVzrPtEP19TgnsEl6Edwjxbkeb2N+Rg7V1O7zArhcc+Owk/l6iHU4=,iv:UcKBnz/4sGyLM/lQJo7e3G0qWAWlTtRNl5K1e3oT1sw=,tag:BbjZcjl98X9aoCTD+hfhgg==,type:str]
 glance-jellyfin: ENC[AES256_GCM,data:ozdDKgAWkA88J2j8RtiOP/aQPAt/neUOSlAZF20g510=,iv:x+VhYlnA9F/VPrzVcma4/oPelCc8kjWoTZvOs4L9Uqo=,tag:crdSDjr8Y5GH/JAF6t8Yeg==,type:str]
 kanboard-smtp: ENC[AES256_GCM,data:eOIEGwJZlvbJaTfDRU3IFQ==,iv:Jex01WlHG3uxqUnTSF+v1BgnNcIu4cS9OwHBCFl1m28=,tag:3Eld1FkI6AftlCyC3419BA==,type:str]
 podgrab-pass: ENC[AES256_GCM,data:DVmJDb4VqcZDKNcedSaRA5dqKOzx1tSzDiK3i23+a6v3nK+4Kh7n8EA=,iv:SiiUjJLHkCOO1VKCmubftKx06laFqNv79tIPnkVYrJU=,tag:kdkT+03DemlNAsuzps8fnw==,type:str]
@@ -56,7 +58,7 @@ sops:
             bXBOa1VSakoyaWxpODJEOU11QUZCaUEK8Ch9Ten3DdrPHF1DTH2qei85AlHUOaLD
             aNfzakake7ej+MxJYdKEU0bcWofNMKzIlZa2uM10KZSENDP8d8qlig==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-01T08:55:49Z"
-    mac: ENC[AES256_GCM,data:2m5iKDV7yIkYIL2bq9+7sFD2Nf8K1Z7mB6EKE3U+nFurOTxgUE0W10kV3BJoPoD78t5xjdbbmIt+NpmH9D41oE4lSPlOdTZujEpT0EcuNBVwz4MDBR/N7GRk74Etq1kJQ2f/NInhh8eH4xZDCQHR8BKxSX1RCd/0yWqrEbpfWrk=,iv:7gI48Urn0xFJwx3l3IzBT7KLTf4FlIf5p5Y/6Pms3ZA=,tag:QdA9cuKvFbXfT7kMbth5hQ==,type:str]
+    lastmodified: "2025-07-04T00:40:18Z"
+    mac: ENC[AES256_GCM,data:N2BwAzga2/Ig96p49rqNhhZ2udYWt7mQ9JD8DFXuxa3HOh3gtx7FWeWpGjvLnLWCgGcT4R61RKmgZQZRADNxYPE3vtdpPOFz0XvgcYSDlwslzBdSsVc08sh77P0LDgZsCzE1MxYynQ6nzFcc6gW5sorInLarsHoCCBC+Z5YpOVg=,iv:H6d3VrERM02/1zI5boFemEpMYD3greYZRqlSpBqROzM=,tag:TEakUvOlKoZYo/XPS6HVnA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2

systems/ceres/config/wireguard.nix

@@ -1,8 +1,8 @@
 { config, flake, ... }:
 let
-  inherit (flake.config.services.instances) wireGuard searx;
-  inherit (flake.config.machines.devices) mars ceres;
-  service = wireGuard;
+  inherit (flake.config.services) instances;
+  inherit (flake.config.machines.devices) mars deimos ceres;
+  service = instances.wireGuard;
 in
 {
   networking = {
@@ -14,9 +14,6 @@ in
         service.ports.port0
         service.ports.port1
       ];
-      interfaces.wg0.allowedTCPPorts = [
-        searx.ports.port0
-      ];
     };
 
     nat = {
@@ -32,10 +29,17 @@ in
         listenPort = service.ports.port1;
         privateKeyFile = config.sops.secrets."${service.name}-private".path;
         peers = [
+          # if you need to create a new key pair
+          # wg genkey | save --raw --force privatekey
+          # open privatekey | wg pubkey | save --raw --force publickey
           {
             publicKey = "9zfRPxkxTLHM9tABC8lIaDMrzdjcF2l1mtG82uqGKUQ=";
             allowedIPs = [ "${mars.wireguard.ip0}/32" ];
           }
+          {
+            publicKey = "hKbvOlvKdWAlq45rfV3ggwOI8xqiqVWweXV+2GQx/0I=";
+            allowedIPs = [ "${deimos.wireguard.ip0}/32" ];
+          }
         ];
       };
     };

systems/deimos/config/wireguard.nix

@@ -0,0 +1,56 @@
+{ config, flake, ... }:
+let
+  inherit (flake.config.services.instances) wireGuard web;
+  inherit (flake.config.services) instances;
+  inherit (flake.config.machines.devices) ceres deimos;
+  service = wireGuard;
+in
+{
+  networking = {
+    hosts = {
+      ${ceres.wireguard.ip0} = [
+        instances.searx.domains.url0
+        instances.glance.domains.url0
+      ];
+    };
+    wireguard.interfaces = {
+      wg0 = {
+        ips = [ "${deimos.wireguard.ip0}/32" ];
+        privateKeyFile = config.sops.secrets."${service.name}-deimos-private".path;
+        peers = [
+          {
+            publicKey = "fs58+Kz+eG9qAXvvMB2NkW+wa88yP61uam4HHWaBJVw=";
+            allowedIPs = [
+              "${ceres.wireguard.ip0}/32"
+              "${web.localhost.address4}/24"
+            ];
+            endpoint = "${web.remotehost.address0}:${builtins.toString service.ports.port1}";
+            persistentKeepalive = 25;
+          }
+        ];
+      };
+    };
+  };
+
+  sops =
+    let
+      sopsPath = secret: {
+        path = "${service.sops.path0}/${service.name}-${secret}-pass";
+        owner = "root";
+        mode = "600";
+      };
+    in
+    {
+      secrets = builtins.listToAttrs (
+        map
+          (secret: {
+            name = "${service.name}-${secret}";
+            value = sopsPath secret;
+          })
+          [
+            "deimos-private"
+            "deimos-public"
+          ]
+      );
+    };
+}

systems/mars/config/wireguard.nix

@@ -8,7 +8,10 @@ in
 {
   networking = {
     hosts = {
-      ${ceres.wireguard.ip0} = [ instances.searx.domains.url0 ];
+      ${ceres.wireguard.ip0} = [
+        instances.searx.domains.url0
+        instances.glance.domains.url0
+      ];
     };
     wireguard.interfaces = {
       wg0 = {