refactor: get rid of providedDomains in favor of globals

2025-10-10 23:00:39 +02:00 · 2024-06-02 16:59:14 +02:00 · 2024-06-02 16:59:14 +02:00 · 68b12b865c
commit 68b12b865c
parent b6cd74c732
31 changed files with 103 additions and 107 deletions
--- a/config/default.nix
+++ b/config/default.nix
@ -35,14 +35,4 @@
    ./topology.nix
    ./users.nix
  ];
-
-  nixpkgs.config.allowUnfree = true;
-  nixpkgs.overlays =
-    import ../pkgs/default.nix
-    ++ [
-      inputs.nix-topology.overlays.default
-      inputs.nixos-extra-modules.overlays.default
-      inputs.nixvim.overlays.default
-      inputs.wired-notify.overlays.default
-    ];
 }
--- a/hosts/envoy/default.nix
+++ b/hosts/envoy/default.nix
@ -1,4 +1,8 @@
-{nodes, ...}: {
+{
+  globals,
+  nodes,
+  ...
+}: {
  imports = [
    ../../config
    ../../config/hardware/hetzner-cloud.nix
@ -25,12 +29,12 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
  meta.telegraf = {
    enable = true;
    scrapeSensors = false;
    influxdb2 = {
-      domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
--- a/hosts/kroma/default.nix
+++ b/hosts/kroma/default.nix
@ -1,8 +1,8 @@
 {
+  globals,
  inputs,
  lib,
  minimal,
-  nodes,
  ...
 }:
 {
@ -67,11 +67,11 @@
  #};

  ## Connect safely via wireguard to skip authentication
-  #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
  #meta.telegraf = {
  #  enable = true;
  #  influxdb2 = {
-  #    domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+  #    domain = globals.services.influxdb.domain;
  #    organization = "machines";
  #    bucket = "telegraf";
  #    node = "sire-influxdb";
@ -89,7 +89,7 @@
    openFirewall = true;
    config.ServerSSHAllowed = false;
    environment = rec {
-      NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}";
+      NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}";
      NB_ADMIN_URL = NB_MANAGEMENT_URL;
    };
  };
--- a/hosts/sentinel/coturn.nix
+++ b/hosts/sentinel/coturn.nix
@ -38,7 +38,7 @@ in {
      to = config.services.coturn.max-port;
    }
  ];
-  networking.providedDomains.coturn = coturnDomain;
+  globals.services.coturn.domain = coturnDomain;

  services.coturn = {
    enable = true;
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  pkgs,
  ...
 }: {
@ -44,12 +45,12 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
+  networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
  meta.telegraf = {
    enable = true;
    scrapeSensors = false;
    influxdb2 = {
-      domain = config.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  nodes,
  ...
 }: {
@ -40,14 +41,14 @@
  in {
    provider = "oidc";
    scope = "openid email";
-    loginURL = "https://${config.networking.providedDomains.kanidm}/ui/oauth2";
-    redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
-    validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
+    loginURL = "https://${globals.services.kanidm.domain}/ui/oauth2";
+    redeemURL = "https://${globals.services.kanidm.domain}/oauth2/token";
+    validateURL = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/userinfo";
    clientID = clientId;
    email.domains = ["*"];

    extraConfig = {
-      oidc-issuer-url = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
+      oidc-issuer-url = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
      provider-display-name = "Kanidm";
      #skip-provider-button = true;
    };
--- a/hosts/sire/default.nix
+++ b/hosts/sire/default.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  inputs,
  lib,
  nodes,
@ -32,11 +33,11 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
  meta.telegraf = {
    enable = true;
    influxdb2 = {
-      domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
@ -96,7 +97,7 @@
            baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
          };
          extraSpecialArgs = {
-            inherit (inputs.self) nodes;
+            inherit (inputs.self) nodes globals;
            inherit (inputs.self.pkgs.x86_64-linux) lib;
            inherit inputs minimal;
          };
--- a/hosts/sire/guests/common.nix
+++ b/hosts/sire/guests/common.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  ...
@ -17,13 +18,13 @@ in {
    if config.wireguard ? proxy-home
    then wardWebProxyCfg.wireguard.proxy-home.ipv4
    else sentinelCfg.wireguard.proxy-sentinel.ipv4
-  } = [sentinelCfg.networking.providedDomains.influxdb];
+  } = [globals.services.influxdb.domain];

  meta.telegraf = lib.mkIf (!config.boot.isContainer) {
    enable = true;
    scrapeSensors = false;
    influxdb2 = {
-      domain = sentinelCfg.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -1,9 +1,9 @@
 {
  config,
+  globals,
  nodes,
  ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
  wardWebProxyCfg = nodes.ward-web-proxy.config;
  grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
 in {
@ -83,8 +83,6 @@ in {
      config.age.secrets.grafana-loki-basic-auth-password
    ];

-    networking.providedDomains.grafana = grafanaDomain;
-
    services.nginx = {
      upstreams.grafana = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
@ -140,8 +138,8 @@ in {
  ];

  networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
-    sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)...
-    sentinelCfg.networking.providedDomains.loki
+    globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
+    globals.services.loki.domain
  ];

  services.grafana = {
@ -178,9 +176,9 @@ in {
        client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
        scopes = "openid email profile";
        login_attribute_path = "preferred_username";
-        auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
-        token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
-        api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
+        auth_url = "https://${globals.services.kanidm.domain}/ui/oauth2";
+        token_url = "https://${globals.services.kanidm.domain}/oauth2/token";
+        api_url = "https://${globals.services.kanidm.domain}/oauth2/openid/grafana/userinfo";
        use_pkce = true;
        # Allow mapping oauth2 roles to server admin
        allow_assign_grafana_admin = true;
@ -195,7 +193,7 @@ in {
          name = "InfluxDB (machines)";
          type = "influxdb";
          access = "proxy";
-          url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
+          url = "https://${globals.services.influxdb.domain}";
          orgId = 1;
          secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-machines.path}}";
          jsonData.version = "Flux";
@ -206,7 +204,7 @@ in {
          name = "InfluxDB (home_assistant)";
          type = "influxdb";
          access = "proxy";
-          url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
+          url = "https://${globals.services.influxdb.domain}";
          orgId = 1;
          secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-home.path}}";
          jsonData.version = "Flux";
@ -217,7 +215,7 @@ in {
          name = "Loki";
          type = "loki";
          access = "proxy";
-          url = "https://${sentinelCfg.networking.providedDomains.loki}";
+          url = "https://${globals.services.loki.domain}";
          orgId = 1;
          basicAuth = true;
          basicAuthUser = "${config.node.name}+grafana-loki-basic-auth-password";
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -1,7 +1,8 @@
 {
-  pkgs,
  config,
+  globals,
  nodes,
+  pkgs,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
@ -86,7 +87,7 @@

        clientId = "immich";
        # clientSecret will be dynamically added in activation script
-        issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
+        issuerUrl = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
        scope = "openid email profile";
        storageLabelClaim = "preferred_username";
      };
@ -183,9 +184,8 @@ in {
    ];
  };

+  globals.services.immich.domain = immichDomain;
  nodes.sentinel = {
-    networking.providedDomains.immich = immichDomain;
-
    services.nginx = {
      upstreams.immich = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = {};
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -89,8 +89,6 @@ in {

  globals.services.influxdb.domain = influxdbDomain;
  nodes.sentinel = {
-    networking.providedDomains.influxdb = influxdbDomain;
-
    services.nginx = {
      upstreams.influxdb = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@ -17,9 +17,8 @@ in {
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
  };

+  globals.services.loki.domain = lokiDomain;
  nodes.sentinel = {
-    networking.providedDomains.loki = lokiDomain;
-
    age.secrets.loki-basic-auth-hashes = {
      generator.script = "basic-auth";
      mode = "440";
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@ -359,6 +359,7 @@ in {
    }
  ];

+  globals.services.minecraft.domain = minecraftDomain;
  nodes.sentinel = {
    # Rewrite destination addr with dnat on incoming connections
    # and masquerade responses to make them look like they originate from this host.
@ -384,8 +385,6 @@ in {
      };
    };

-    networking.providedDomains.minecraft = minecraftDomain;
-
    services.nginx = {
      upstreams.minecraft = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  pkgs,
@ -23,9 +24,8 @@ in {
    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port];
  };

+  globals.services.paperless.domain = paperlessDomain;
  nodes.sentinel = {
-    networking.providedDomains.paperless = paperlessDomain;
-
    services.nginx = {
      upstreams.paperless = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
@ -126,7 +126,7 @@ in {
              client_id = "paperless";
              # secret will be added dynamically
              #secret = "";
-              settings.server_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+              settings.server_url = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
            }
          ];
        };
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -1,9 +1,10 @@
 {
  config,
+  globals,
  inputs,
  lib,
-  nodes,
  minimal,
+  nodes,
  ...
 }: {
  imports = [
@ -34,11 +35,11 @@
  };

  # Connect safely via wireguard to skip authentication
-  networking.hosts.${config.wireguard.proxy-home.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
+  networking.hosts.${config.wireguard.proxy-home.ipv4} = [globals.services.influxdb.domain];
  meta.telegraf = {
    enable = true;
    influxdb2 = {
-      domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
@ -83,7 +84,7 @@
            baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
          };
          extraSpecialArgs = {
-            inherit (inputs.self) nodes;
+            inherit (inputs.self) nodes globals;
            inherit (inputs.self.pkgs.x86_64-linux) lib;
            inherit inputs minimal;
          };
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -1,7 +1,7 @@
 {
  config,
+  globals,
  lib,
-  nodes,
  pkgs,
  ...
 }: let
@ -12,9 +12,8 @@ in {
    firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port];
  };

+  globals.services.adguardhome.domain = adguardhomeDomain;
  nodes.sentinel = {
-    networking.providedDomains.adguard = adguardhomeDomain;
-
    services.nginx = {
      upstreams.adguardhome = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {};
@ -78,7 +77,7 @@ in {
          # Undo the /etc/hosts entry so we don't answer with the internal
          # wireguard address for influxdb
          {
-            domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+            inherit (globals.services.influxdb) domain;
            answer = config.repo.secrets.global.domains.me;
          }
        ]
@ -87,11 +86,12 @@ in {
          inherit domain;
          answer = "192.168.1.4";
        }) [
-          nodes.sentinel.config.networking.providedDomains.grafana
-          nodes.sentinel.config.networking.providedDomains.immich
-          nodes.sentinel.config.networking.providedDomains.influxdb
-          nodes.sentinel.config.networking.providedDomains.loki
-          nodes.sentinel.config.networking.providedDomains.paperless
+          # FIXME: dont hardcode, filter global service domains by internal state
+          globals.services.grafana.domain
+          globals.services.immich.domain
+          globals.services.influxdb.domain
+          globals.services.loki.domain
+          globals.services.paperless.domain
          "home.${config.repo.secrets.global.domains.me}"
          "fritzbox.${config.repo.secrets.global.domains.me}"
        ];
--- a/hosts/ward/guests/common.nix
+++ b/hosts/ward/guests/common.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  ...
@ -17,13 +18,13 @@ in {
    if config.wireguard ? proxy-home
    then wardWebProxyCfg.wireguard.proxy-home.ipv4
    else sentinelCfg.wireguard.proxy-sentinel.ipv4
-  } = [sentinelCfg.networking.providedDomains.influxdb];
+  } = [globals.services.influxdb.domain];

  meta.telegraf = lib.mkIf (!config.boot.isContainer) {
    enable = true;
    scrapeSensors = false;
    influxdb2 = {
-      domain = sentinelCfg.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -1,11 +1,11 @@
 {
  config,
+  globals,
  lib,
  nodes,
  pkgs,
  ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
  forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
 in {
  wireguard.proxy-sentinel = {
@ -26,9 +26,8 @@ in {
    inherit (config.services.forgejo) group;
  };

+  globals.services.forgejo.domain = forgejoDomain;
  nodes.sentinel = {
-    networking.providedDomains.forgejo = forgejoDomain;
-
    # Rewrite destination addr with dnat on incoming connections
    # and masquerade responses to make them look like they originate from this host.
    # - 9922 (wan) -> 22 (proxy-sentinel)
@ -190,7 +189,7 @@ in {
        ["--name" providerName]
        ["--provider" "openidConnect"]
        ["--key" clientId]
-        ["--auto-discover-url" "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"]
+        ["--auto-discover-url" "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/.well-known/openid-configuration"]
        ["--scopes" "email"]
        ["--scopes" "profile"]
        ["--group-claim-name" "groups"]
--- a/hosts/ward/guests/home-gateway.nix
+++ b/hosts/ward/guests/home-gateway.nix
@ -1,4 +1,4 @@
-{nodes, ...}: {
+{globals, ...}: {
  # Forwarding required to masquerade netbird network
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

@ -25,7 +25,7 @@
    openFirewall = true;
    config.ServerSSHAllowed = false;
    environment = rec {
-      NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}";
+      NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}";
      NB_ADMIN_URL = NB_MANAGEMENT_URL;
      NB_HOSTNAME = "home-gateway";
    };
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -1,10 +1,9 @@
 {
  config,
-  nodes,
+  globals,
  ...
 }: let
  inherit (config.repo.secrets.global) domains;
-  sentinelCfg = nodes.sentinel.config;
  kanidmDomain = "auth.${domains.me}";
  kanidmPort = 8300;

@ -40,9 +39,8 @@ in {
  age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
  age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;

+  globals.services.kanidm.domain = kanidmDomain;
  nodes.sentinel = {
-    networking.providedDomains.kanidm = kanidmDomain;
-
    services.nginx = {
      upstreams.kanidm = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
@ -102,7 +100,7 @@ in {
      groups."immich.access" = {};
      systems.oauth2.immich = {
        displayName = "Immich";
-        originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
+        originUrl = "https://${globals.services.immich.domain}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
        preferShortUsername = true;
        # XXX: PKCE is currently not supported by immich
@ -117,7 +115,7 @@ in {
      systems.oauth2.netbird = {
        public = true;
        displayName = "Netbird";
-        originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/";
+        originUrl = "https://${globals.services.netbird.domain}/";
        preferShortUsername = true;
        enableLocalhostRedirects = true;
        enableLegacyCrypto = true;
@ -128,7 +126,7 @@ in {
      groups."paperless.access" = {};
      systems.oauth2.paperless = {
        displayName = "Paperless";
-        originUrl = "https://${sentinelCfg.networking.providedDomains.paperless}/";
+        originUrl = "https://${globals.services.paperless.domain}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-paperless.path;
        preferShortUsername = true;
        scopeMaps."paperless.access" = ["openid" "email" "profile"];
@ -141,7 +139,7 @@ in {
      groups."grafana.server-admins" = {};
      systems.oauth2.grafana = {
        displayName = "Grafana";
-        originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
+        originUrl = "https://${globals.services.grafana.domain}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
        preferShortUsername = true;
        scopeMaps."grafana.access" = ["openid" "email" "profile"];
@ -160,7 +158,7 @@ in {
      groups."forgejo.admins" = {};
      systems.oauth2.forgejo = {
        displayName = "Forgejo";
-        originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
+        originUrl = "https://${globals.services.forgejo.domain}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
        scopeMaps."forgejo.access" = ["openid" "email" "profile"];
        # XXX: PKCE is currently not supported by gitea/forgejo,
--- a/hosts/ward/guests/netbird.nix
+++ b/hosts/ward/guests/netbird.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  ...
@ -44,14 +45,14 @@ in {
      enable = true;
      domain = netbirdDomain;

-      dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
+      dashboard.settings.AUTH_AUTHORITY = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird";

      management = {
        singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}";
        dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
        disableAnonymousMetrics = true;
-        oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
-        turnDomain = sentinelCfg.networking.providedDomains.coturn;
+        oidcConfigEndpoint = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird/.well-known/openid-configuration";
+        turnDomain = globals.services.coturn.domain;
        turnPort = sentinelCfg.services.coturn.tls-listening-port;
        settings = {
          HttpConfig = {
@ -76,9 +77,8 @@ in {
    };
  };

+  globals.services.netbird.domain = netbirdDomain;
  nodes.sentinel = {
-    networking.providedDomains.netbird = netbirdDomain;
-
    services.nginx = {
      upstreams.netbird-mgmt = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.management.port}" = {};
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -6,9 +6,8 @@ in {
    firewallRuleForNode.sentinel.allowedTCPPorts = [8000];
  };

+  globals.services.radicale.domain = radicaleDomain;
  nodes.sentinel = {
-    networking.providedDomains.radicale = radicaleDomain;
-
    services.nginx = {
      upstreams.radicale = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = {};
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -25,9 +25,8 @@ in {
    }
  ];

+  globals.services.vaultwarden.domain = vaultwardenDomain;
  nodes.sentinel = {
-    networking.providedDomains.vaultwarden = vaultwardenDomain;
-
    services.nginx = {
      upstreams.vaultwarden = {
        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};
--- a/hosts/zackbiene/default.nix
+++ b/hosts/zackbiene/default.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  ...
@ -41,12 +42,12 @@ in {
    if config.wireguard ? proxy-home
    then wardWebProxyCfg.wireguard.proxy-home.ipv4
    else sentinelCfg.wireguard.proxy-sentinel.ipv4
-  } = [sentinelCfg.networking.providedDomains.influxdb];
+  } = [globals.services.influxdb.domain];

  meta.telegraf = {
    enable = true;
    influxdb2 = {
-      domain = sentinelCfg.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
      organization = "machines";
      bucket = "telegraf";
      node = "sire-influxdb";
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  pkgs,
@ -88,7 +89,7 @@ in {

      influxdb = {
        api_version = 2;
-        host = nodes.sentinel.config.networking.providedDomains.influxdb;
+        host = globals.services.influxdb.domain;
        port = "443";
        max_retries = 10;
        ssl = true;
--- a/modules/default.nix
+++ b/modules/default.nix
@ -15,7 +15,6 @@
    ./netbird-client.nix
    ./oauth2-proxy.nix
    ./promtail.nix
-    ./provided-domains.nix
    ./secrets.nix
    ./telegraf.nix
  ];
--- a/modules/distributed-config.nix
+++ b/modules/distributed-config.nix
@ -40,7 +40,6 @@

  forwardedOptions = [
    ["age" "secrets"]
-    ["networking" "providedDomains"]
    ["networking" "nftables" "chains"]
    ["services" "nginx" "upstreams"]
    ["services" "nginx" "virtualHosts"]
--- a/modules/promtail.nix
+++ b/modules/promtail.nix
@ -3,6 +3,7 @@
  lib,
  minimal,
  nodes,
+  globals,
  ...
 }: let
  inherit
@ -48,7 +49,7 @@ in {
          {
            basic_auth.username = "${config.node.name}+promtail-loki-basic-auth-password";
            basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path;
-            url = "https://${nodes.${cfg.proxy}.config.networking.providedDomains.loki}/loki/api/v1/push";
+            url = "https://${globals.services.loki.domain}/loki/api/v1/push";
          }
        ];

--- a/modules/provided-domains.nix
+++ b/modules/provided-domains.nix
@ -1,7 +0,0 @@
-{lib, ...}: {
-  options.networking.providedDomains = lib.mkOption {
-    type = lib.types.attrsOf lib.types.str;
-    default = {};
-    description = "Registry of domains that this host 'provides' (that refer to this host with some functionality). For easy cross-node referencing.";
-  };
-}
--- a/nix/globals.nix
+++ b/nix/globals.nix
@ -20,7 +20,10 @@
          })
        ];
      };
-    in
-      globalsSystem.config.globals;
+    in {
+      # Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion,
+      # therefore we inherit relevant attributes from the config.
+      inherit (globalsSystem.config.globals) services;
+    };
  };
 }
--- a/nix/hosts.nix
+++ b/nix/hosts.nix
@ -28,6 +28,16 @@
        };
        modules = [
          {
+            nixpkgs.config.allowUnfree = true;
+            nixpkgs.overlays =
+              import ../pkgs/default.nix
+              ++ [
+                inputs.nix-topology.overlays.default
+                inputs.nixos-extra-modules.overlays.default
+                inputs.nixvim.overlays.default
+                inputs.wired-notify.overlays.default
+              ];
+
            node.name = name;
            node.secretsDir = ../hosts/${name}/secrets;
          }