Require postgres version to be configured manually

defaults/meta/network-virtual.nix

@@ -15,7 +15,7 @@
           id = "100.64.0.0";
           prefixLength = 10;
         };
-        domain = "vpn.net.qo.is";
+        domain = "vpn.qo.is";
         hosts = { };
       };
 

defaults/nextcloud/default.nix

@@ -13,7 +13,7 @@
     owner = name;
   };
 
-  services.postgresql.enable = true;
+  qois.postgresql.enable = true;
   qois.backup-client.includePaths = [ config.services.nextcloud.home ];
 
   services.nextcloud = {
@@ -30,24 +30,6 @@
       dbtype = "pgsql";
     };
 
-    appstoreEnable = false;
-    extraApps = {
-      inherit (config.services.nextcloud.package.passthru.packages.apps)
-        calendar
-        contacts
-        deck
-        groupfolders
-        maps
-        memories
-        music
-        news
-        notes
-        notify_push
-        tasks
-        twofactor_webauthn
-        ;
-    };
-
     phpOptions = {
       "opcache.interned_strings_buffer" = "23";
     };

nixos-configurations/calanda/default.nix

@@ -17,5 +17,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "23.05"; # Did you read the comment?
 }

nixos-configurations/cyprianspitz/default.nix

@@ -24,5 +24,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "24.05"; # Did you read the comment?
 }

nixos-configurations/lindberg-build/applications/attic.nix

@@ -52,10 +52,11 @@ in
 
   imports = [ ../../../defaults/webserver ];
 
+  qois.postgresql.enable = true;
+
   # Note: Attic cache availability is "best effort", so no artifacts are backed up.
 
   services.postgresql = {
-    enable = true;
     ensureDatabases = [ "atticd" ];
     ensureUsers = [
       {

nixos-configurations/lindberg-build/applications/default.nix

@@ -7,5 +7,4 @@
   ];
 
   qois.git-ci-runner.enable = true;
-  qois.postgresql.package = pkgs.postgresql_15;
 }

nixos-configurations/lindberg-build/default.nix

@@ -22,5 +22,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

nixos-configurations/lindberg-nextcloud/applications/cloud.nix

@@ -6,7 +6,7 @@ in
 
   imports = [ ../../../defaults/nextcloud ];
 
-  services.postgresql.enable = true;
+  qois.postgresql.enable = true;
 
   services.nextcloud = {
     hostName = host;

nixos-configurations/lindberg-nextcloud/applications/default.nix

@@ -2,6 +2,4 @@
 {
 
   imports = [ ./cloud.nix ];
-
-  qois.postgresql.package = pkgs.postgresql_14;
 }

nixos-configurations/lindberg-nextcloud/default.nix

@@ -46,5 +46,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "22.05"; # Did you read the comment?
 }

nixos-configurations/lindberg-webapps/applications/default.nix

@@ -6,5 +6,4 @@
   qois.vault.enable = true;
   qois.git.enable = true;
   qois.static-page.enable = true;
-  qois.postgresql.package = pkgs.postgresql_15;
 }

nixos-configurations/lindberg-webapps/default.nix

@@ -21,5 +21,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "23.11"; # Did you read the comment?
 }

nixos-configurations/lindberg/default.nix

@@ -25,5 +25,5 @@
   # this value at the release version of the first install of this system.
   # Before changing this value read the documentation for this option
   # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "21.11"; # Did you read the comment?
 }

nixos-configurations/tierberg/default.nix

@@ -20,5 +20,5 @@
   # compatible, in order to avoid breaking some software such as database
   # servers. You should change this only after NixOS release notes say you
   # should.
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "23.05"; # Did you read the comment?
 }

nixos-modules/postgresql/default.nix

@@ -11,15 +11,15 @@ in
 with lib;
 {
   options.qois.postgresql = {
-    # Note: this module is auto-enabled if postgres is used.
+    enable = mkEnableOption ''Enable postgresql services with defaults'';
     package = mkPackageOption pkgs "postgresql" {
       example = "postgresql_15";
       default = null;
     };
   };
 
-  config = mkIf config.services.postgresql.enable {
+  config = mkIf cfg.enable {
-    services.postgresql.package = cfg.package;
+    services.postgresql.enable = true;
     services.postgresqlBackup.enable = true;
     qois.backup-client.includePaths = [ config.services.postgresqlBackup.location ];
   };

nixos-modules/qois/git/default.nix

@@ -21,7 +21,7 @@ with lib;
   };
 
   config = mkIf cfg.enable {
-    services.postgresql.enable = true;
+    qois.postgresql.enable = true;
 
     services.forgejo = {
       enable = true;

nixos-modules/qois/vpn-server/default.nix

@@ -16,11 +16,6 @@ in
 
   options.qois.vpn-server = {
     enable = mkEnableOption "Enable vpn server services";
-    domain = mkOption {
-      description = "Domain for the VPN admin server";
-      type = types.str;
-      default = "vpn.qo.is";
-    };
     dnsRecords = mkOption {
       description = "DNS records to add to Hosts";
       type = with types; attrsOf str;
@@ -41,8 +36,8 @@ in
       with config.services.headscale.settings;
       (
         [
-          database.sqlite.path
+          db_path
-          derp.server.private_key_path
+          private_key_path
           noise.private_key_path
         ]
         ++ derp.paths
@@ -61,22 +56,22 @@ in
       in
       {
         enable = true;
-        address = vnet.backplane.hosts.cyprianspitz.v4.ip; # TODO: This entails that the backplane interface is up.
+        address = vnet.backplane.hosts.cyprianspitz.v4.ip;
         port = 46084;
         settings = {
-          server_url = "https://${cfg.domain}:443";
+          server_url = "https://${vpnNet.domain}:443";
 
           tls_letsencrypt_challenge_type = "TLS-ALPN-01";
           tls_letsencrypt_hostname = vpnNet.domain;
 
-          dns = {
+          dns_config = {
-            base_domain = vpnNet.domain;
+            nameservers = [ vnet.backplane.hosts.calanda.v4.ip ];
-            magic_dns = true;
+            domains = [
-            nameservers.global = [ vnet.backplane.hosts.calanda.v4.ip ];
+              vpnNet.domain
-            search_domains = [
-              # vpnNet.domain # First by default with magic_dns
               vnet.backplane.domain
             ];
+            magic_dns = true;
+            base_domain = vpnNet.domain;
             extra_records = pipe cfg.dnsRecords [
               attrsToList
               (map (val: val // { type = "A"; }))
@@ -85,10 +80,9 @@ in
 
           ip_prefixes = [ vpnNetPrefix ];
 
-          policy =
+          acl_policy_path = pkgs.writeTextFile {
-            let
+            name = "acls";
-              # Note: headscale has limited acl support currently. This might change in the future.
+            text = builtins.toJSON {
-              aclPolicy = {
               hosts = {
                 "clients" = vpnNetPrefix;
               };
@@ -135,13 +129,6 @@ in
                 }
               ];
             };
-            in
-            {
-              mode = "file";
-              path = pkgs.writeTextFile {
-                name = "acls";
-                text = builtins.toJSON aclPolicy;
-              };
           };
         };
       };

nixos-modules/router-dhcp/default.nix

@@ -43,13 +43,12 @@ in
   };
 
   config = mkIf cfg.enable {
-    services.dnsmasq = {
+    services.dnsmasq.enable = true;
-      enable = true;
+    services.dnsmasq.extraConfig = ''
-      settings = {
       # Listen on this specific port instead of the standard DNS port
       # (53). Setting this to zero completely disables DNS function,
       # leaving only DHCP and/or TFTP.
-        port = cfg.localDnsPort;
+      port=${toString cfg.localDnsPort}
 
       # The following two options make you a better netizen, since they
       # tell dnsmasq to filter out queries which the public DNS cannot
@@ -58,9 +57,10 @@ in
       # these requests from bringing up the link unnecessarily.
 
       # Never forward plain names (without a dot or domain part)
-        domain-needed = true;
+      domain-needed
       # Never forward addresses in the non-routed address spaces.
-        bogus-priv = true;
+      bogus-priv
+
 
       # Uncomment this to filter useless windows-originated DNS requests
       # which can trigger dial-on-demand links needlessly.
@@ -88,7 +88,7 @@ in
 
       # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
       # files for changes and re-read them then uncomment this.
-        no-poll = true;
+      no-poll
 
       # Add other name servers here, with domain specs if they are for
       # non-public domains.
@@ -100,13 +100,13 @@ in
 
       # Add local-only domains here, queries in these domains are answered
       # from /etc/hosts or DHCP only.
-        local = "/${config.networking.hostName}/";
+      local=/${config.networking.hostName}/
 
       # Add domains which you want to force to an IP address here.
       # The example below send any host in double-click.net to a local
       # web-server.
       #address=/double-click.net/127.0.0.1
-        address = "/${config.networking.hostName}.${cfg.localDomain}/${routerCfg.internalRouterIP}";
+      address=/${config.networking.hostName}.${cfg.localDomain}/${routerCfg.internalRouterIP}
 
       # --address (and --server) work with IPv6 addresses too.
       #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
@@ -129,10 +129,8 @@ in
       # specified interfaces (and the loopback) give the name of the
       # interface (eg eth0) here.
       # Repeat the line for more than one interface.
-        interface = [
+      interface=${routerCfg.internalBridgeInterfaceName}
-          routerCfg.internalBridgeInterfaceName
+      interface=lo
-          "lo"
-        ];
       # Or you can specify which interface _not_ to listen on
       #except-interface=
       # Or which to listen on by address (remember to include 127.0.0.1 if
@@ -141,7 +139,7 @@ in
       # If you want dnsmasq to provide only DNS service on an interface,
       # configure it as shown above, and then use the following line to
       # disable DHCP and TFTP on it.
-        no-dhcp-interface = "lo";
+      no-dhcp-interface=lo
 
       # On systems which support it, dnsmasq binds the wildcard address,
       # even when it is listening on only some interfaces. It then discards
@@ -150,18 +148,18 @@ in
       # want dnsmasq to really bind only the interfaces it is listening on,
       # uncomment this option. About the only time you may need this is when
       # running another nameserver on the same machine.
-        bind-interfaces = true;
+      bind-interfaces
 
       # If you don't want dnsmasq to read /etc/hosts, uncomment the
       # following line.
-        no-hosts = true;
+      no-hosts
       # or if you want it to read another file, as well as /etc/hosts, use
       # this.
       #addn-hosts=/etc/banner_add_hosts
 
       # Set this (and domain: see below) if you want to have a domain
       # automatically added to simple names in a hosts-file.
-        expand-hosts = true;
+      expand-hosts
 
       # Set the domain for dnsmasq. this is optional, but if it is set, it
       # does the following things.
@@ -170,7 +168,7 @@ in
       # 2) Sets the "domain" DHCP option thereby potentially setting the
       #    domain of all systems configured by DHCP
       # 3) Provides the domain part for "expand-hosts"
-        domain = cfg.localDomain;
+      domain=${cfg.localDomain}
 
       # Set a different domain for a particular subnet
       #domain=wireless.thekelleys.org.uk,192.168.2.0/24
@@ -183,7 +181,7 @@ in
       # a lease time. If you have more than one network, you will need to
       # repeat this for each network on which you want to supply DHCP
       # service.
-        dhcp-range = "${cfg.dhcpRange},48h";
+      dhcp-range=${cfg.dhcpRange},48h
 
       # This is an example of a DHCP range where the netmask is given. This
       # is needed for networks we reach the dnsmasq DHCP server via a relay
@@ -348,17 +346,10 @@ in
       # are some options which are recommended, they are detailed at the
       # end of this section.
 
-        dhcp-option = [
       # Override the default route supplied by dnsmasq, which assumes the
       # router is the same machine as the one running dnsmasq.
       #dhcp-option=3,1.2.3.4
-          "6,${routerCfg.internalRouterIP}"
+      dhcp-option=6,${routerCfg.internalRouterIP}
-
-          # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
-          # probably doesn't support this......
-          "option:domain-search,${cfg.localDomain}"
-
-        ];
 
       # Do the same thing, but using the option name
       #dhcp-option=option:router,1.2.3.4
@@ -416,6 +407,10 @@ in
       # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
       #dhcp-option=252,"\n"
 
+      # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
+      # probably doesn't support this......
+      dhcp-option=option:domain-search,${cfg.localDomain}
+
       # Send RFC-3442 classless static routes (note the netmask encoding)
       #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
 
@@ -509,6 +504,7 @@ in
       # to 5. See page 19 of
       # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
 
+
       # Enable dnsmasq's built-in TFTP server
       #enable-tftp
 
@@ -556,7 +552,7 @@ in
       # server for your campus/company accidentally. The ISC server uses
       # the same option, and this URL provides more information:
       # http://www.isc.org/files/auth.html
-        dhcp-authoritative = true;
+      dhcp-authoritative
 
       # Run an executable when a DHCP lease is created or destroyed.
       # The arguments sent to the script are "add" or "del",
@@ -665,8 +661,7 @@ in
 
       # Log lots of extra information about DHCP transactions.
       #log-dhcp
-      };
+    '';
-    };
 
     systemd.services.dnsmasq = {
       bindsTo = [ "network-addresses-${routerCfg.internalBridgeInterfaceName}.service" ];

nixos-modules/router-wireless-ap/default.nix

@@ -63,7 +63,6 @@ in
         enable = wle24GhzEnabled;
 
         radios.${cfg.wleInterface24Ghz} = {
-          channel = 6;
           wifi4.enable = true;
           wifi4.capabilities = [
             "HT40-"

nixos-modules/vault/default.nix

@@ -48,6 +48,8 @@ with lib;
       };
     };
 
+    qois.postgresql.enable = true;
+
     qois.backup-client.includePaths = [ config.services.vaultwarden.config.DATA_FOLDER ];
 
     services.postgresql =
@@ -55,7 +57,6 @@ with lib;
         name = config.users.users.vaultwarden.name;
       in
       {
-        enable = true;
         ensureUsers = [
           {
             inherit name;