site-config: dedupe cross-host values, fix stale dark-reader urls, drop desktop 1g hugepages

new site-config.nix holds values previously duplicated across hosts:
  domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
  dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
  ssh_keys.{laptop,desktop,ci_deploy}.

threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.

breakage fixes rolled in:
 - home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
   disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
   these never fired and the new sigkill urls were getting dark-reader applied)
 - modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
   kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
   its own via services/monero/xmrig.nix)

verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.

services/bitwarden.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   service_configs,
   ...
 }:
@@ -25,7 +26,7 @@
     configurePostgres = true;
     config = {
       # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
-      DOMAIN = "https://bitwarden.${service_configs.https.domain}";
+      DOMAIN = "https://bitwarden.${site_config.domain}";
       SIGNUPS_ALLOWED = false;
 
       ROCKET_ADDRESS = "127.0.0.1";
@@ -34,7 +35,7 @@
     };
   };
 
-  services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."bitwarden.${site_config.domain}".extraConfig = ''
     encode zstd gzip
 
     reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {

services/caddy/caddy.nix

@@ -1,5 +1,6 @@
 {
   config,
+  site_config,
   service_configs,
   pkgs,
   lib,
@@ -42,8 +43,8 @@ let
     '';
   };
 
-  newDomain = service_configs.https.domain;
-  oldDomain = service_configs.https.old_domain;
+  newDomain = site_config.domain;
+  oldDomain = site_config.old_domain;
 in
 {
   imports = [
@@ -54,7 +55,7 @@ in
 
   services.caddy = {
     enable = true;
-    email = "titaniumtown@proton.me";
+    email = site_config.contact_email;
 
     # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
     package = pkgs.caddy.withPlugins {
@@ -146,8 +147,9 @@ in
       # defaults: maxretry=5, findtime=10m, bantime=10m
 
       # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
-      # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
-      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
+      # appear from the router IP (site_config.lan.gateway). Banning it
+      # blocks all internal access.
+      ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
     };
     filter.Definition = {
       # Only match 401s where an Authorization header was actually sent.

services/caddy/caddy_senior_project.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   service_configs,
   inputs,
   ...
@@ -32,7 +33,7 @@ let
   };
 in
 {
-  services.caddy.virtualHosts."senior-project.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."senior-project.${site_config.domain}".extraConfig = ''
     root * ${hugoWebsite}
     file_server browse
   '';

services/graphing-calculator.nix

@@ -1,4 +1,5 @@
 {
+  site_config,
   service_configs,
   inputs,
   pkgs,
@@ -9,7 +10,7 @@ let
     inputs.ytbn-graphing-software.packages.${pkgs.stdenv.targetPlatform.system}.web;
 in
 {
-  services.caddy.virtualHosts."graphing.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."graphing.${site_config.domain}".extraConfig = ''
     root * ${graphing-calculator}
     file_server browse
   '';

services/harmonia.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  site_config,
   service_configs,
   ...
 }:
@@ -19,7 +20,7 @@
 
   # serve latest deploy store paths (unauthenticated — just a path string)
   # CI writes to /var/lib/nix-deploy/<hostname> after building
-  services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."nix-cache.${site_config.domain}".extraConfig = ''
     handle_path /deploy/* {
         root * /var/lib/nix-deploy
         file_server

services/jellyfin/jellyfin.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  site_config,
   service_configs,
   lib,
   ...
@@ -24,7 +25,7 @@
     inherit (service_configs.jellyfin) dataDir cacheDir;
   };
 
-  services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."jellyfin.${site_config.domain}".extraConfig = ''
     reverse_proxy :${builtins.toString service_configs.ports.private.jellyfin.port} {
       # Disable response buffering for streaming. Caddy's default partial
       # buffering delays fMP4-HLS segments and direct-play responses where

services/llama-cpp.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  site_config,
   service_configs,
   config,
   inputs,
@@ -24,7 +25,7 @@ in
   # "Invalid API Key" warning has no client IP, and behind Caddy the
   # llama-server access log only sees 127.0.0.1. Caddy's JSON log has
   # the real client IP via request.remote_ip.
-  services.caddy.virtualHosts."llm.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."llm.${site_config.domain}".extraConfig = ''
     log {
       output file /var/log/caddy/access-llama-cpp.log
       format json
@@ -52,8 +53,8 @@ in
       # defaults: maxretry=5, findtime=10m, bantime=10m
 
       # NAT hairpinning sends LAN traffic via the router IP. Don't ban
-      # 192.168.1.0/24 or we lock ourselves out.
-      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
+      # our LAN or we lock ourselves out.
+      ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
     };
     filter.Definition = {
       failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';

services/matrix/coturn.nix

@@ -1,13 +1,14 @@
 {
   config,
   lib,
+  site_config,
   service_configs,
   ...
 }:
 {
   services.coturn = {
     enable = true;
-    realm = service_configs.https.domain;
+    realm = site_config.domain;
     use-auth-secret = true;
     static-auth-secret-file = config.age.secrets.coturn-auth-secret.path;
     listening-port = service_configs.ports.public.coturn.port;

services/matrix/matrix.nix

@@ -1,5 +1,6 @@
 {
   config,
+  site_config,
   service_configs,
   lib,
   ...
@@ -23,7 +24,7 @@
 
     settings.global = {
       port = [ service_configs.ports.private.matrix.port ];
-      server_name = service_configs.https.domain;
+      server_name = site_config.domain;
       allow_registration = true;
       registration_token_file = config.age.secrets.matrix-reg-token.path;
 
@@ -43,14 +44,14 @@
       # TURN server config (coturn)
       turn_secret_file = config.age.secrets.matrix-turn-secret.path;
       turn_uris = [
-        "turn:${service_configs.https.domain}?transport=udp"
-        "turn:${service_configs.https.domain}?transport=tcp"
+        "turn:${site_config.domain}?transport=udp"
+        "turn:${site_config.domain}?transport=tcp"
       ];
       turn_ttl = 86400;
     };
   };
 
-  services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
+  services.caddy.virtualHosts.${site_config.domain}.extraConfig = lib.mkBefore ''
     header /.well-known/matrix/* Content-Type application/json
     header /.well-known/matrix/* Access-Control-Allow-Origin *
     respond /.well-known/matrix/server `{"m.server": "${service_configs.matrix.domain}:${builtins.toString service_configs.ports.public.https.port}"}`

services/minecraft.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  site_config,
   service_configs,
   lib,
   config,
@@ -177,7 +178,7 @@
   };
 
   services.caddy.virtualHosts = lib.mkIf (config.services.caddy.enable) {
-    "map.${service_configs.https.domain}".extraConfig = ''
+    "map.${site_config.domain}".extraConfig = ''
       root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
       file_server browse
     '';

services/ssh.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   username,
   ...
 }:
@@ -25,14 +26,14 @@
   ];
 
   users.users.${username}.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
+    site_config.ssh_keys.laptop
+    site_config.ssh_keys.desktop
   ];
 
   # used for deploying configs to server
   users.users.root.openssh.authorizedKeys.keys =
     config.users.users.${username}.openssh.authorizedKeys.keys
     ++ [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
+      site_config.ssh_keys.ci_deploy
     ];
 }