authorBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-12-20 13:58:21 +0100
committerBenedikt Peetz <benedikt.peetz@b-peetz.de>2024-12-20 13:58:21 +0100
commit33639143ea50404a04bc4c454435aff1bd79dd4b (patch)
treeede4b6832bb86ac30281fc22700ae1fe40658f37 /modules/nixos
parentfix(treewide): Update to nixos release 24.11 (diff)
refactor({modules,test}): Migrate to a `by-name` structure
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
deleted file mode 100644
index fa21596..0000000
--- a/modules/nixos/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{...}: {
-  imports = [
-    ./vhack
-  ];
diff --git a/modules/nixos/vhack/default.nix b/modules/nixos/vhack/default.nix
deleted file mode 100644
index bed22af..0000000
--- a/modules/nixos/vhack/default.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{...}: {
-  imports = [
-    ./etesync
-    ./git-server
-    ./nginx
-    ./nix-sync
-    ./openssh
-    ./peertube
-  ];
diff --git a/modules/nixos/vhack/etesync/default.nix b/modules/nixos/vhack/etesync/default.nix
deleted file mode 100644
index 0f6c565..0000000
--- a/modules/nixos/vhack/etesync/default.nix
+++ /dev/null
@@ -1,72 +0,0 @@
-  config,
-  lib,
-  ...
-}: let
-  cfg = config.vhack.etesync;
-in {
-  options.vhack.etesync = {
-    enable = lib.mkEnableOption ''
-      a secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
-    '';
-  };
-  config = lib.mkIf cfg.enable {
-    services.etebase-server = {
-      enable = true;
-      port = 8001;
-      settings = {
-        global.secret_file = "${config.age.secrets.etebase-server.path}";
-        allowed_hosts = {
-          allowed_host1 = "etebase.vhack.eu";
-          allowed_host2 = "dav.vhack.eu";
-        };
-      };
-    };
-    age.secrets.etebase-server = {
-      file = ./secret_file.age;
-      mode = "700";
-      owner = "etebase-server";
-      group = "etebase-server";
-    };
-    environment.persistence."/srv".directories = [
-      {
-        directory = "/var/lib/etebase-server";
-        user = "etebase-server";
-        group = "etebase-server";
-        mode = "0700";
-      }
-    ];
-    services.nginx = {
-      enable = true;
-      recommendedTlsSettings = true;
-      recommendedOptimisation = true;
-      recommendedGzipSettings = true;
-      recommendedProxySettings = true;
-      virtualHosts = {
-        "etebase.vhack.eu" = {
-          enableACME = true;
-          forceSSL = true;
-          locations = {
-            # TODO: Maybe fix permissions to use pregenerated static files which would
-            # improve performance.
-            #"/static" = {
-            #  root = config.services.etebase-server.settings.global.static_root;
-            #};
-            "/" = {
-              proxyPass = "${builtins.toString config.services.etebase-server.port}";
-            };
-          };
-          serverAliases = [
-            "dav.vhack.eu"
-          ];
-        };
-      };
-    };
-  };
diff --git a/modules/nixos/vhack/etesync/secret_file.age b/modules/nixos/vhack/etesync/secret_file.age
deleted file mode 100644
index 8d8e3c2..0000000
--- a/modules/nixos/vhack/etesync/secret_file.age
+++ /dev/null
@@ -1,17 +0,0 @@
diff --git a/modules/nixos/vhack/git-server/css.nix b/modules/nixos/vhack/git-server/css.nix
deleted file mode 100644
index 3d73ea0..0000000
--- a/modules/nixos/vhack/git-server/css.nix
+++ /dev/null
@@ -1,116 +0,0 @@
-{cgitPkg, pkgs}: let
-  /*
-  Adapted from `https://git.qyliss.net/nixlib/sys/atuin.nix`, originally distributed under
-  the MIT license.
-  */
-  cgitCss =
-    pkgs.runCommand "cgit-extra.css" {
-      licenseHeader = ''
-        /*
-         * This program is free software: you can redistribute it and/or modify
-         * it under the terms of the GNU General Public License v2 as published
-         * by the Free Software Foundation.
-         *
-         * This program is distributed in the hope that it will be useful,
-         * but WITHOUT ANY WARRANTY; without even the implied warranty of
-         * GNU General Public License for more details.
-         *
-         * See <https://www.gnu.org/licenses/>.
-         */
-      '';
-      # Adapted from
-      # <https://git.causal.agency/src/plain/www/git.causal.agency/custom.css>,
-      # distributed as a Larger Work under a Secondary License,
-      # as permitted by the terms of the
-      # Mozilla Public License Version 2.0.
-      extraCss = ''
-        * { line-height: 1.25em; }
-        article {
-          font-family: sans-serif;
-          max-width: 70ch;
-          margin-left: auto;
-          margin-right: auto;
-        }
-        div#cgit {
-          margin: auto;
-          font-family: monospace;
-          -moz-tab-size: 4;
-          tab-size: 4;
-          display: table;
-        }
-        div#cgit table#header {
-          margin-left: auto;
-          margin-right: auto;
-        }
-        div#cgit table#header td.logo {
-          display: none;
-        }
-        div#cgit table#header td.main {
-          font-size: 1em;
-          font-weight: bold;
-        }
-        div#cgit table#header td.sub {
-          border-top: none;
-        }
-        div#cgit table.tabs {
-          margin-left: auto;
-          margin-right: auto;
-          border-bottom: none;
-        }
-        div#cgit div.content {
-          border-bottom: none;
-          min-width: 108ch;
-        }
-        div#cgit div.content div#summary {
-          display: table;
-          margin-left: auto;
-          margin-right: auto;
-        }
-        div#cgit div.notes {
-          border: none;
-          background: transparent;
-          padding: 0;
-        }
-        div#cgit table.list {
-          margin-left: auto;
-          margin-right: auto;
-        }
-        div#cgit table.list th a {
-          color: inherit;
-        }
-        div#cgit table.list tr:nth-child(even) {
-          background: inherit;
-        }
-        div#cgit table.list tr:hover {
-          background: inherit;
-        }
-        div#cgit table.list tr.nohover-highlight:hover:nth-child(even) {
-          background: inherit;
-        }
-        div#cgit div.footer {
-          font-size: 1em;
-          margin-top: 0;
-        }
-        div#cgit table.blob td.linenumbers:nth-last-child(3) {
-          display: none;
-        }
-        div#cgit table.blob td.linenumbers a:target {
-          color: goldenrod;
-          text-decoration: underline;
-          outline: none;
-        }
-      '';
-      passAsFile = ["licenseHeader" "extraCss"];
-    } ''
-      cat $licenseHeaderPath ${cgitPkg}/cgit/cgit.css $extraCssPath > $out
-    '';
-  cgitCss
diff --git a/modules/nixos/vhack/git-server/default.nix b/modules/nixos/vhack/git-server/default.nix
deleted file mode 100644
index a374f4c..0000000
--- a/modules/nixos/vhack/git-server/default.nix
+++ /dev/null
@@ -1,178 +0,0 @@
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  cfg = config.vhack.git-server;
-  cgitCss = import ./css.nix {
-    inherit pkgs;
-    cgitPkg =
-      config.services.cgit."${cfg.domain}".package;
-  };
-in {
-  options.vhack.git-server = {
-    enable = lib.mkEnableOption ''
-      a lightweight git-server, realised with cgit and gitolite.
-    '';
-    domain = lib.mkOption {
-      type = lib.types.str;
-      default = "git.vhack.eu";
-      description = ''
-        The domain this git instance will run under.
-      '';
-    };
-    gitolite = {
-      adminPubkey = lib.mkOption {
-        description = ''
-          The initial key to use for gitolite. This will only be used for the initial
-          clone of the `gitolite-admin` repository.
-        '';
-        type = lib.types.str;
-        default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAe4o1PM6VasT3KZNl5NYvgkkBrPOg36dqsywd10FztS openpgp:0x21D20D6A";
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    programs.git = {
-      enable = true;
-      config = {
-        init = {
-          defaultBranch = "main";
-        };
-      };
-    };
-    # Needed for the nginx proxy and the virtual host
-    vhack.nginx.enable = true;
-    services = {
-      gitolite = {
-        inherit (cfg.gitolite) adminPubkey;
-        enable = true;
-        dataDir = "/srv/gitolite";
-        user = "git";
-        group = "git";
-        extraGitoliteRc = ''
-          $RC{UMASK} = 0027; # Enable group access, important for cgit.
-          # Enable modifing git variables (for cgit.owner and such things)
-          # These must be enable in the gitolite-admin repo (option user-configs = ...)
-          push( @{$RC{ENABLE}}, 'config' );
-          push( @{$RC{ENABLE}}, 'git-config' );
-          push( @{$RC{ENABLE}}, 'expand-deny-messages' );
-          push( @{$RC{ENABLE}}, 'Motd' );
-          push( @{$RC{ENABLE}}, 'cgit' );
-        '';
-      };
-      cgit."${cfg.domain}" = {
-        enable = true;
-        package = pkgs.cgit-pink;
-        scanPath = "${config.services.gitolite.dataDir}/repositories";
-        user = "git";
-        group = "git";
-        settings = {
-          branch-sort = "age";
-          # Allow users to download a repo checkout with these compression formats
-          snapshots = ["tar.gz" "zip"];
-          # The template used to generate the clone url for https clone.
-          clone-url = [
-            "https://${cfg.domain}/$CGIT_REPO_URL"
-            "ssh://git@${cfg.domain}/$CGIT_REPO_URL"
-          ];
-          enable-http-clone = true;
-          # TODO: We might want to add an logo and readme here <2024-07-31>
-          # logo = "<url>";
-          # root-readme = "/some/readme/file"
-          root-desc = "The cgit instance of ${cfg.domain}!";
-          root-title = "${
-            lib.strings.toUpper (builtins.substring 0 1 cfg.domain) + builtins.substring 1 (builtins.stringLength cfg.domain) cfg.domain
-          } cgit instace";
-          # Set the default maximum statistics period. Valid values are "week",
-          # "month", "quarter" and "year".
-          max-stats = "week";
-          readme = [
-            ":README.md"
-            ":readme.md"
-            ":README.mkd"
-            ":readme.mkd"
-            ":README.rst"
-            ":readme.rst"
-            ":README.html"
-            ":readme.html"
-            ":README.htm"
-            ":readme.htm"
-            ":README.txt"
-            ":readme.txt"
-            ":README"
-            ":readme"
-            ":INSTALL.md"
-            ":install.md"
-            ":INSTALL.mkd"
-            ":install.mkd"
-            ":INSTALL.rst"
-            ":install.rst"
-            ":INSTALL.html"
-            ":install.html"
-            ":INSTALL.htm"
-            ":install.htm"
-            ":INSTALL.txt"
-            ":install.txt"
-            ":INSTALL"
-            ":install"
-          ];
-          enable-blame = true;
-          enable-commit-graph = true;
-          enable-subject-links = true;
-          enable-follow-links = true;
-          enable-index-links = true;
-          enable-index-owner = true;
-          # NOTE: This allows cgit to take configuration from the bare git repositories:
-          # All `repo.<key>` can be set by setting `cgit.<key>` in the git config. E.g.:
-          # setting the owner (i.e. `repo.owner`) would be done by setting the
-          # `cgit.owner` config. All repo options are outline in the cgitrc (5) man page.
-          enable-git-config = true;
-          # Remove the `.git` suffix from scanned repositories (this must be set _before_ `scan-path`)
-          remove-suffix = true;
-          css = "/custom_cgit.css";
-          # This is a number of path elements to treat as section.
-          # `-1` means that we treat the last element as name, all others as sections
-          section-from-path = -1;
-          project-list = "${config.services.gitolite.dataDir}/projects.list";
-          # TODO:  We might want to use the kernel.org `libravatar.lua` email-filter <2024-07-31>
-          source-filter = "${config.services.cgit."${cfg.domain}".package}/lib/cgit/filters/syntax-highlighting.py";
-          about-filter = "${config.services.cgit."${cfg.domain}".package}/lib/cgit/filters/about-formatting.sh";
-        };
-      };
-      nginx.virtualHosts."${cfg.domain}" = {
-        enableACME = true;
-        forceSSL = true;
-        locations = {
-          "= /custom_cgit.css" = {
-            alias = cgitCss.outPath;
-          };
-        };
-      };
-    };
-  };
diff --git a/modules/nixos/vhack/nginx/default.nix b/modules/nixos/vhack/nginx/default.nix
deleted file mode 100644
index 6a82147..0000000
--- a/modules/nixos/vhack/nginx/default.nix
+++ /dev/null
@@ -1,68 +0,0 @@
-  lib,
-  config,
-  ...
-}: let
-  importedRedirects = import ./redirects.nix {};
-  mkRedirect = {
-    key,
-    value,
-  }: {
-    name = key;
-    value = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/".return = "301 ${value}";
-    };
-  };
-  redirects = builtins.listToAttrs (builtins.map mkRedirect importedRedirects);
-  cfg = config.vhack.nginx;
-in {
-  options.vhack.nginx = {
-    enable = lib.mkEnableOption ''
-      a default nginx config.
-    '';
-    selfsign = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-      description = ''
-        Whether to selfsign the acme certificates. This should only
-        really be useful for tests.
-      '';
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    security.acme = {
-      acceptTerms = true;
-      defaults = {
-        email = "admin@vhack.eu";
-        webroot = "/var/lib/acme/acme-challenge";
-        # Avoid spamming the acme server, if we run in a test, and only really want self-signed
-        # certificates
-        server = lib.mkIf cfg.selfsign "";
-      };
-    };
-    networking.firewall = {
-      allowedTCPPorts = [80 443];
-    };
-    services.nginx = {
-      enable = true;
-      # The merge here is fine, as no domain should be specified twice
-      virtualHosts =
-        {
-          "gallery.s-schoeffel.de" = {
-            forceSSL = true;
-            enableACME = true;
-            root = "/srv/gallery.s-schoeffel.de";
-          };
-        }
-        // redirects;
-    };
-  };
diff --git a/modules/nixos/vhack/nginx/redirects.nix b/modules/nixos/vhack/nginx/redirects.nix
deleted file mode 100644
index a021e72..0000000
--- a/modules/nixos/vhack/nginx/redirects.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{...}: [
-  {
-    key = "source.vhack.eu";
-    value = "https://codeberg.org/vhack.eu/nixos-server";
-  }
diff --git a/modules/nixos/vhack/nix-sync/default.nix b/modules/nixos/vhack/nix-sync/default.nix
deleted file mode 100644
index a624e0e..0000000
--- a/modules/nixos/vhack/nix-sync/default.nix
+++ /dev/null
@@ -1,61 +0,0 @@
-  config,
-  lib,
-  ...
-}: let
-  cfg = config.vhack.nix-sync;
-  mkNixSyncRepository = {
-    domain,
-    root ? "",
-    url,
-    extraSettings ? {},
-  }: {
-    name = "${domain}";
-    value = {
-      path = "/etc/nginx/websites/${domain}/${root}";
-      uri = "${url}";
-      inherit extraSettings;
-    };
-  };
-  nixSyncRepositories = builtins.listToAttrs (builtins.map mkNixSyncRepository domains);
-  mkVirtHost = {
-    domain,
-    root ? "",
-    url,
-    extraSettings ? {},
-  }: {
-    name = "${domain}";
-    value =
-      lib.recursiveUpdate {
-        forceSSL = true;
-        enableACME = true;
-        root = "/etc/nginx/websites/${domain}/${root}";
-      }
-      extraSettings;
-  };
-  virtHosts = builtins.listToAttrs (builtins.map mkVirtHost domains);
-  domains = import ./hosts.nix {};
-in {
-  imports = [
-    ./module.nix
-  ];
-  options.vhack.nix-sync = {
-    enable = lib.mkEnableOption ''
-      a website git ops solution.
-    '';
-  };
-  config = lib.mkIf cfg.enable {
-    services.nix-sync = {
-      enable = true;
-      repositories = nixSyncRepositories;
-    };
-    vhack.nginx.enable = true;
-    services.nginx.virtualHosts = virtHosts;
-  };
diff --git a/modules/nixos/vhack/nix-sync/hosts.nix b/modules/nixos/vhack/nix-sync/hosts.nix
deleted file mode 100644
index 98dbbf1..0000000
--- a/modules/nixos/vhack/nix-sync/hosts.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{...}: let
-  extraWkdSettings = {
-    locations."/.well-known/openpgpkey/hu/".extraConfig = ''
-      default_type application/octet-stream;
-      # Came from: https://www.uriports.com/blog/setting-up-openpgp-web-key-directory/
-      # No idea if it is actually necessary
-      # add_header Access-Control-Allow-Origin * always;
-    '';
-  };
-in [
-  {
-    domain = "vhack.eu";
-    url = "https://codeberg.org/vhack.eu/website.git";
-  }
-  {
-    domain = "b-peetz.de";
-    url = "https://codeberg.org/bpeetz/b-peetz.de.git";
-  }
-  # Trinitrix
-  {
-    domain = "trinitrix.vhack.eu";
-    url = "https://codeberg.org/trinitrix/website.git";
-  }
-  # WKD
-  {
-    domain = "openpgpkey.b-peetz.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.s-schoeffel.de";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.sils.li";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
-  {
-    domain = "openpgpkey.vhack.eu";
-    url = "https://codeberg.org/vhack.eu/gpg_wkd.git";
-    extraSettings = extraWkdSettings;
-  }
diff --git a/modules/nixos/vhack/nix-sync/module.nix b/modules/nixos/vhack/nix-sync/module.nix
deleted file mode 100644
index a3ab0af..0000000
--- a/modules/nixos/vhack/nix-sync/module.nix
+++ /dev/null
@@ -1,299 +0,0 @@
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  cfg = config.services.nix-sync;
-  esa = lib.strings.escapeShellArg;
-  mkTimer = name: repo: {
-    description = "Nix sync ${name} timer";
-    wantedBy = ["timers.target"];
-    timerConfig = {
-      OnUnitActiveSec = repo.interval;
-    };
-    wants = ["network-online.target"];
-    after = ["network-online.target"];
-  };
-  parents = path: let
-    split_path = builtins.split "/" path;
-    filename = builtins.elemAt split_path (builtins.length split_path - 1);
-    path_build =
-      lib.strings.removeSuffix "/" (builtins.replaceStrings [filename] [""] path);
-    final_path =
-      if filename == ""
-      then parents path_build
-      else path_build;
-  in
-    final_path;
-  mkUnit = name: repo: let
-    optionalPathSeparator =
-      if lib.strings.hasPrefix "/" repo.path
-      then ""
-      else "/";
-    /*
-    * `ln` tries to create a symlink in the directory, if the target ends with a '/',
-    * thus remove it.
-    */
-    repoPath = lib.strings.removeSuffix "/" repo.path;
-    repoCachePath = cfg.cachePath + optionalPathSeparator + repo.path;
-    execStartScript = pkgs.writeScript "nix-sync-exec" ''
-      #! /usr/bin/env dash
-      cd ${esa repoCachePath};
-      git fetch
-      origin="$(git rev-parse @{u})";
-      branch="$(git rev-parse @)";
-      if ! [ "$origin" = "$branch" ]; then
-        git pull --rebase;
-        out_paths=$(mktemp);
-        nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
-        [ "$(wc -l < "$out_paths")" -gt 1 ] && (echo "To many out-paths"; exit 1)
-        out_path="$(cat "$out_paths")";
-        rm ${esa repoPath};
-        ln -s "$out_path" ${esa repoPath};
-        rm "$out_paths";
-      fi
-    '';
-    execStartPreScript = ''
-      if ! [ -d ${esa repoCachePath}/.git ]; then
-          mkdir --parents ${esa repoCachePath};
-          git clone ${esa repo.uri} ${esa repoCachePath};
-          out_paths=$(mktemp);
-          nix build ${esa repoCachePath} --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
-          [ "$(wc -l < "$out_paths")" -gt 1 ] && (echo "To many out-paths"; exit 1)
-          out_path="$(cat "$out_paths")";
-          ln -s "$out_path" ${esa repoPath};
-          rm "$out_paths";
-      fi
-      if ! [ -L ${esa repoPath} ]; then
-        cd ${esa repoCachePath};
-        git pull --rebase;
-        out_paths=$(mktemp);
-        nix build . --print-out-paths --experimental-features 'nix-command flakes' > "$out_paths";
-        [ "$(wc -l < "$out_paths")" -gt 1 ] && { echo "To many out-paths"; exit 1; }
-        out_path="$(cat "$out_paths")";
-        if [ -d ${esa repoPath} ]; then
-          rm -d ${esa repoPath};
-        else
-          mkdir --parents "$(dirname ${esa repoPath})";
-        fi
-        [ -e ${esa repoPath} ] && rm ${esa repoPath};
-        ln -s "$out_path" ${esa repoPath};
-        rm "$out_paths";
-      fi
-    '';
-  in {
-    description = "Nix Sync ${name}";
-    wantedBy = ["default.target"];
-    after = ["network.target"];
-    path = with pkgs; [openssh git nix mktemp coreutils dash];
-    preStart = execStartPreScript;
-    serviceConfig = {
-      TimeoutSec = 0;
-      ExecStart = execStartScript;
-      Restart = "on-abort";
-      # User and group
-      User = cfg.user;
-      Group = cfg.group;
-      # Runtime directory and mode
-      RuntimeDirectory = "nix-sync";
-      RuntimeDirectoryMode = "0750";
-      # Cache directory and mode
-      CacheDirectory = "nix-sync";
-      CacheDirectoryMode = "0750";
-      # Logs directory and mode
-      LogsDirectory = "nix-sync";
-      LogsDirectoryMode = "0750";
-      # Proc filesystem
-      ProcSubset = "all";
-      ProtectProc = "invisible";
-      # New file permissions
-      UMask = "0027"; # 0640 / 0750
-      # Capabilities
-      AmbientCapabilities = ["CAP_CHOWN"];
-      CapabilityBoundingSet = ["CAP_CHOWN"];
-      # Security
-      NoNewPrivileges = true;
-      # Sandboxing (sorted by occurrence in https://www.freedesktop.org/software/systemd/man/systemd.exec.html)
-      ReadWritePaths = ["${esa (parents repo.path)}" "-${esa (parents repoCachePath)}" "-${esa cfg.cachePath}"];
-      ReadOnlyPaths = ["/nix"]; # TODO: Should be irrelevant, as we have ProtectSystem=Strict <2024-06-01>
-      ProtectSystem = "strict";
-      ProtectHome = true;
-      PrivateTmp = true;
-      PrivateDevices = true;
-      ProtectHostname = true;
-      ProtectClock = true;
-      ProtectKernelTunables = true;
-      ProtectKernelModules = true;
-      ProtectKernelLogs = true;
-      ProtectControlGroups = true;
-      RestrictAddressFamilies = ["AF_UNIX" "AF_INET" "AF_INET6"];
-      RestrictNamespaces = true;
-      LockPersonality = true;
-      MemoryDenyWriteExecute = true;
-      RestrictRealtime = true;
-      RestrictSUIDSGID = true;
-      RemoveIPC = true;
-      PrivateMounts = true;
-      # System Call Filtering
-      SystemCallArchitectures = "native";
-      SystemCallFilter = ["~@cpu-emulation @debug @keyring @mount @obsolete @privileged @setuid"];
-    };
-  };
-  services =
-    lib.mapAttrs' (name: repo: {
-      name = "nix-sync-${name}";
-      value = mkUnit name repo;
-    })
-    cfg.repositories;
-  timers =
-    lib.mapAttrs' (name: repo: {
-      name = "nix-sync-${name}";
-      value = mkTimer name repo;
-    })
-    cfg.repositories;
-  # generate the websites directory, so systemd can mount it read write
-  generatedDirectories =
-    lib.mapAttrsToList (
-      _: repo: "d ${esa (parents repo.path)} 0755 ${cfg.user} ${cfg.group}"
-    )
-    cfg.repositories;
-  repositoryType = lib.types.submodule ({name, ...}: {
-    options = {
-      name = lib.mkOption {
-        internal = true;
-        default = name;
-        type = lib.types.str;
-        description = "The name that should be given to this unit.";
-      };
-      path = lib.mkOption {
-        type = lib.types.str;
-        description = "The path at which to sync the repository";
-      };
-      uri = lib.mkOption {
-        type = lib.types.str;
-        example = "ssh://user@example.com:/~[user]/path/to/repo.git";
-        description = ''
-          The URI of the remote to be synchronized. This is only used in the
-          event that the directory does not already exist. See
-          <link xlink:href="https://git-scm.com/docs/git-clone#_git_urls"/>
-          for the supported URIs.
-        '';
-      };
-      extraSettings = lib.mkOption {
-        type = lib.types.attrsOf lib.types.anything;
-        example = lib.literalExpression ''
-          {
-            locations."/.well-known/openpgpkey/hu/" = {
-              extraConfig = \'\'
-                  default_type application/octet-stream;
-                  add_header Access-Control-Allow-Origin * always;
-                \'\';
-            };
-          }
-        '';
-        description = ''
-          Extra config to add the the nginx virtual host.
-        '';
-      };
-      interval = lib.mkOption {
-        type = lib.types.int;
-        default = 500;
-        description = ''
-          The interval, specified in seconds, at which the synchronization will
-          be triggered.
-        '';
-      };
-    };
-  });
-in {
-  options = {
-    services.nix-sync = {
-      enable = lib.mkEnableOption "nix-sync services";
-      user = lib.mkOption {
-        type = lib.types.str;
-        default = "nix-sync";
-        description = lib.mdDoc "User account under which nix-sync units runs.";
-      };
-      group = lib.mkOption {
-        type = lib.types.str;
-        default = "nix-sync";
-        description = lib.mdDoc "Group account under which nix-sync units runs.";
-      };
-      cachePath = lib.mkOption {
-        type = lib.types.str;
-        default = "/var/lib/nix-sync";
-        description = lib.mdDoc ''
-          Where to cache git directories. Should not end with a slash ("/")
-        '';
-      };
-      repositories = lib.mkOption {
-        type = with lib.types; attrsOf repositoryType;
-        description = ''
-          The repositories that should be synchronized.
-        '';
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    assertions = [
-      {
-        assertion = !lib.strings.hasSuffix "/" cfg.cachePath;
-        message = "Your cachePath ('${cfg.cachePath}') ends with a slash ('/'), please use: '${lib.strings.removeSuffix "/" cfg.cachePath}'.";
-      }
-    ];
-    systemd = {
-      tmpfiles.rules =
-        generatedDirectories;
-      inherit services timers;
-    };
-    users.users =
-      if cfg.user == "nix-sync"
-      then {
-        nix-sync = {
-          group = "${cfg.group}";
-          isSystemUser = true;
-        };
-      }
-      else lib.warnIf (cfg.user != "nix-sync") "The user (${cfg.user}) is not \"nix-sync\", thus you are responible for generating it.";
-    users.groups =
-      if cfg.group == "nix-sync"
-      then {
-        nix-sync = {
-          members = ["${cfg.user}"];
-        };
-      }
-      else lib.warnIf (cfg.group != "nix-sync") "The group (${cfg.group}) is not \"nix-sync\", thus you are responible for generating it.";
-  };
diff --git a/modules/nixos/vhack/openssh/default.nix b/modules/nixos/vhack/openssh/default.nix
deleted file mode 100644
index 30d16a6..0000000
--- a/modules/nixos/vhack/openssh/default.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-  config,
-  lib,
-  ...
-}: let
-  cfg = config.vhack.openssh;
-in {
-  options.vhack.openssh = {
-    enable = lib.mkEnableOption ''
-      a sane openssh implementation.
-    '';
-  };
-  config = lib.mkIf cfg.enable {
-    services.openssh = {
-      enable = true;
-      settings.PasswordAuthentication = false;
-      hostKeys = [
-        {
-          # See the explanation for this in /system/impermanence/mods/openssh.nix
-          # path = "/var/lib/sshd/ssh_host_ed25519_key";
-          # FIXME: Remove this workaround
-          path = "/srv/var/lib/sshd/ssh_host_ed25519_key";
-          rounds = 1000;
-          type = "ed25519";
-        }
-      ];
-    };
-  };
diff --git a/modules/nixos/vhack/peertube/default.nix b/modules/nixos/vhack/peertube/default.nix
deleted file mode 100644
index 29d1d07..0000000
--- a/modules/nixos/vhack/peertube/default.nix
+++ /dev/null
@@ -1,113 +0,0 @@
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  cfg = config.vhack.peertube;
-in {
-  options.vhack.peertube = {
-    enable = lib.mkEnableOption ''
-      the peertube video platform.
-    '';
-  };
-  config = lib.mkIf cfg.enable {
-    services.peertube = {
-      enable = true;
-      configureNginx = true;
-      localDomain = "peertube.vhack.eu";
-      enableWebHttps = true;
-      listenWeb = 443;
-      smtp = {
-        createLocally = true;
-        passwordFile = "${config.age.secrets.peertubeSmtp.path}";
-      };
-      database = {
-        createLocally = true;
-      };
-      redis = {
-        enableUnixSocket = true;
-        createLocally = true;
-      };
-      secrets.secretsFile = "${config.age.secrets.peertubeGeneral.path}";
-      settings = {
-        signup = {
-          enabled = true;
-          limit = 10; # When the limit is reached, registrations are disabled. -1 == unlimited
-          minimum_age = 18; # Used to configure the signup form
-          # Users fill a form to register so moderators can accept/reject the registration
-          requires_approval = true;
-          requires_email_verification = true;
-        };
-        user = {
-          video_quota = "10GB";
-          video_quota_daily = "2GB";
-        };
-        auto_blacklist = {
-          videos = {
-            of_users = {
-              enabled = true;
-            };
-          };
-        };
-        listen.hostname = "";
-        instance.name = "PeerTube at Vhack.eu";
-        admin.email = "admin@vhack.eu";
-        smtp = let
-          emailAddress = "peertube@vhack.eu";
-        in {
-          sendmail = "${pkgs.postfix}/bin/sendmail";
-          transport = "sendmail";
-          hostname = "server1.vhack.eu";
-          port = 587;
-          username = emailAddress;
-          tls = true;
-          disable_starttls = true;
-          from_address = emailAddress;
-        };
-      };
-    };
-    # The `configureNginx` option does not do this for some reason
-    # TODO(@bpeetz): Find out why <2024-06-27>
-    services.nginx.virtualHosts."${config.services.peertube.localDomain}" = {
-      enableACME = true;
-      forceSSL = true;
-    };
-    age.secrets = {
-      peertubeGeneral = {
-        file = ./secrets/general.age;
-        mode = "700";
-        owner = "peertube";
-        group = "peertube";
-      };
-      peertubeSmtp = {
-        file = ./secrets/smtp.age;
-        mode = "700";
-        owner = "peertube";
-        group = "peertube";
-      };
-    };
-    environment.persistence."/srv".directories = [
-      {
-        directory = "/var/lib/peertube";
-        user = "peertube";
-        group = "peertube";
-        mode = "0700";
-      }
-    ];
-  };
diff --git a/modules/nixos/vhack/peertube/secrets/general.age b/modules/nixos/vhack/peertube/secrets/general.age
deleted file mode 100644
index 854ab1a..0000000
--- a/modules/nixos/vhack/peertube/secrets/general.age
+++ /dev/null
@@ -1,15 +0,0 @@
diff --git a/modules/nixos/vhack/peertube/secrets/smtp.age b/modules/nixos/vhack/peertube/secrets/smtp.age
deleted file mode 100644
index 1979ea7..0000000
--- a/modules/nixos/vhack/peertube/secrets/smtp.age
+++ /dev/null
@@ -1,16 +0,0 @@