site-config: dedupe cross-host values, fix stale dark-reader urls, drop desktop 1g hugepages

new site-config.nix holds values previously duplicated across hosts: domain, old_domain, contact_email, timezone, binary_cache (url + pubkey), dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key), ssh_keys.{laptop,desktop,ci_deploy}. threaded through specialArgs on all three hosts + home-manager extraSpecialArgs + homeConfigurations.primary + serverLib. service-configs.nix now takes { site_config } as a function arg and drops its https namespace; per-service domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are derived from site_config.domain. ~15 service files and 6 vm tests migrated. breakage fixes rolled in: - home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so these never fired and the new sigkill urls were getting dark-reader applied) - modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3 kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves its own via services/monero/xmrig.nix) verification: muffin toplevel is bit-identical to pre-refactor baseline. mreow/yarn toplevels differ only in boot.json kernelParams + darkreader storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest (latter exercises site_config.domain via bitwarden.nix) pass.
2026-04-22 20:48:29 -04:00
parent 8cdb9c4381
commit d00ff42e8e
28 changed files with 190 additions and 100 deletions
--- a/services/llama-cpp.nix
+++ b/services/llama-cpp.nix
@@ -1,5 +1,6 @@
 {
  pkgs,
+  site_config,
  service_configs,
  config,
  inputs,
@@ -24,7 +25,7 @@ in
  # "Invalid API Key" warning has no client IP, and behind Caddy the
  # llama-server access log only sees 127.0.0.1. Caddy's JSON log has
  # the real client IP via request.remote_ip.
-  services.caddy.virtualHosts."llm.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."llm.${site_config.domain}".extraConfig = ''
    log {
      output file /var/log/caddy/access-llama-cpp.log
      format json
@@ -52,8 +53,8 @@ in
      # defaults: maxretry=5, findtime=10m, bantime=10m

      # NAT hairpinning sends LAN traffic via the router IP. Don't ban
-      # 192.168.1.0/24 or we lock ourselves out.
-      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
+      # our LAN or we lock ourselves out.
+      ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
    };
    filter.Definition = {
      failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';