refactor: major refactor into proper reusable modules. No logical changes.

hosts/sentinel/acme.nix

@@ -17,5 +17,5 @@ in {
       reloadServices = ["nginx"];
     };
   };
-  extra.acme.wildcardDomains = acme.domains;
+  security.acme.wildcardDomains = acme.domains;
 }

hosts/sentinel/default.nix

@@ -4,32 +4,32 @@
   ...
 }: {
   imports = [
-    ../common/core
-    ../common/hardware/hetzner-cloud.nix
-    ../common/bios-boot.nix
-    ../common/initrd-ssh.nix
-    ../common/zfs.nix
+    ../../modules/optional/hardware/hetzner-cloud.nix
 
-    ./fs.nix
-    ./net.nix
+    ../../modules
+    ../../modules/optional/boot-bios.nix
+    ../../modules/optional/initrd-ssh.nix
+    ../../modules/optional/zfs.nix
 
     ./acme.nix
+    ./fs.nix
+    ./net.nix
     ./oauth2.nix
   ];
 
   users.groups.acme.members = ["nginx"];
   services.nginx.enable = true;
 
-  extra.promtail = {
+  meta.promtail = {
     enable = true;
     proxy = "sentinel";
   };
 
   # Connect safely via wireguard to skip authentication
-  networking.hosts.${config.extra.wireguard.proxy-sentinel.ipv4} = [config.providedDomains.influxdb];
-  extra.telegraf = {
+  networking.hosts.${config.meta.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
+  meta.telegraf = {
     enable = true;
-    influxdb2.domain = config.providedDomains.influxdb;
+    influxdb2.domain = config.networking.providedDomains.influxdb;
     influxdb2.organization = "servers";
     influxdb2.bucket = "telegraf";
   };

hosts/sentinel/net.nix

@@ -52,7 +52,7 @@
     };
   };
 
-  extra.wireguard.proxy-sentinel.server = {
+  meta.wireguard.proxy-sentinel.server = {
     host = config.networking.fqdn;
     port = 51443;
     reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];

hosts/sentinel/oauth2.nix

@@ -4,7 +4,7 @@
   pkgs,
   ...
 }: {
-  extra.oauth2_proxy = {
+  meta.oauth2_proxy = {
     enable = true;
     cookieDomain = config.repo.secrets.local.personalDomain;
     portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}";
@@ -22,15 +22,15 @@
   in {
     provider = "oidc";
     scope = "openid email";
-    loginURL = "https://${config.providedDomains.kanidm}/ui/oauth2";
-    redeemURL = "https://${config.providedDomains.kanidm}/oauth2/token";
-    validateURL = "https://${config.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
+    loginURL = "https://${config.networking.providedDomains.kanidm}/ui/oauth2";
+    redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
+    validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
     clientID = clientId;
     keyFile = config.age.secrets.oauth2-proxy-secret.path;
     email.domains = ["*"];
 
     extraConfig = {
-      oidc-issuer-url = "https://${config.providedDomains.kanidm}/oauth2/openid/${clientId}";
+      oidc-issuer-url = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
       provider-display-name = "Kanidm";
       #skip-provider-button = true;
     };