Remove obtrusive Caddy footer from browse template

When `ip=dhcp` is passed as a kernel param (which I assume, but don't
know for sure, just gets passed to systemd and probably then to
systemd-networkd or NetworkManager or whatever does the networking in
the initrd?), IPv6 doesn't come up. With the param, bad IPv6:

```text
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 3c:52:82:00:46:d6 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.1.20/24 brd 192.168.1.255 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 2601:441:8301:8af7:94e1:4d4c:73c2:ac31/64 scope global temporary dynamic
       valid_lft 322763sec preferred_lft 86330sec
    inet6 fd0a:8f9f:6f83:0:3e52:82ff:fe00:46d6/64 scope global dynamic mngtmpaddr proto kernel_ra
       valid_lft forever preferred_lft forever
    inet6 2601:441:8301:8af7:3e52:82ff:fe00:46d6/64 scope global dynamic mngtmpaddr proto kernel_ra
       valid_lft 322763sec preferred_lft 322763sec
    inet6 fe80::3e52:82ff:fe00:46d6/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
```

whereas without the param I get good (whatever that means) addresses:

```text
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 3c:52:82:00:46:d6 brd ff:ff:ff:ff:ff:ff
    altname enp0s31f6
    inet 192.168.1.20/24 brd 192.168.1.255 scope global dynamic noprefixroute eno1
       valid_lft 43188sec preferred_lft 43188sec
    inet6 fd0a:8f9f:6f83::33b/128 scope global dynamic noprefixroute
       valid_lft 43190sec preferred_lft 43190sec
    inet6 2601:441:8301:8af7::33b/128 scope global dynamic noprefixroute
       valid_lft 43190sec preferred_lft 43190sec
    inet6 2601:441:8301:8af7:b572:fc6c:ba27:dcdb/64 scope global temporary dynamic
       valid_lft 322965sec preferred_lft 86235sec
    inet6 2601:441:8301:8af7:f3f0:df23:a6bb:7d25/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 322965sec preferred_lft 322965sec
    inet6 fd0a:8f9f:6f83:0:485e:f55d:fa1d:cef4/64 scope global temporary dynamic
       valid_lft 604790sec preferred_lft 86235sec
    inet6 fd0a:8f9f:6f83:0:7851:1417:807:f017/64 scope global mngtmpaddr noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::eb0c:1983:24a5:3e42/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

I'm honestly not entirely sure what this _should_ look like, but what I
_do_ know is that in the "bad" configuration, SSH takes an extra ~10s to
connect as it has to wait for two ~5s `No route to host` timeouts:

```console
[chandler@oscar:~]$ ssh -v root@bert
OpenSSH_9.8p1, OpenSSL 3.0.14 4 Jun 2024
debug1: Reading configuration data /home/chandler/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 5: Applying options for *
debug1: Connecting to bert [fd0a:8f9f:6f83::33b] port 22.
debug1: connect to address fd0a:8f9f:6f83::33b port 22: No route to host
debug1: Connecting to bert [2601:441:8301:8af7::33b] port 22.
debug1: connect to address 2601:441:8301:8af7::33b port 22: No route to host
debug1: Connecting to bert [192.168.1.20] port 22.
debug1: Connection established.
```

Future work: What _should_ my IPv6 config look like? Is there any way I
can keep network config stable between the initrd and the booted system?
Why is this recommended against?

> The default is false when systemd is enabled in initrd, because the
> systemd-networkd documentation suggests it.

.envrc

@@ -0,0 +1 @@
+use nix;

.gitignore

@@ -1 +1,2 @@
 keys.toml
+.direnv

animal/Makefile

@@ -1,3 +0,0 @@
-.PHONY: deploy
-deploy:
-	nixos-rebuild switch --fast -I nixos-config=./configuration.nix --build-host root@animal.chandlerswift.com --target-host root@animal.chandlerswift.com

animal/configuration.nix

@@ -1,75 +0,0 @@
-{ config, lib, pkgs, ... }: {
-
-#   config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
-#       "minecraft-server"
-#     ];
-
-  imports = [
-    ./hardware-configuration.nix
-    ./web.nix
-    ./monitoring.nix
-    ./kathe.nix
-    ./eric.nix
-  ];
-
-  networking.hostName = "animal";
-  time.timeZone = "America/Chicago";
-  i18n.defaultLocale = "en_US.UTF-8";
-
-  fileSystems."/mnt/nas" = {
-    device = "//home.chandlerswift.com/chandlerpublic";
-    fsType = "cifs";
-    options = [ "guest" "port=55445" ];
-  };
-
-#   services.minecraft-server = {
-#     enable = true;
-#     declarative = true;
-#     eula = true;
-#     dataDir = "/srv/minecraft";
-#     openFirewall = true;
-#     whitelist = {
-#       chandlerswift = "04095aeb-edec-3c3f-b0d5-d703fab53c9c";
-#       villlater = "90b7fcd6-9f43-38c5-8ea2-163f13b092f0";
-#       LarryHorton = "de963636-138f-3ef4-8c52-a2dcf9a328f4";
-#       IsaacSwift = "88e17365-4b63-3385-a4b6-b2c4864b0b98";
-#       Mayornnaise = "be25bf89-ef07-3fa3-926b-20b939df62f1";
-#       Ripptide66 = "a94051cb-5769-3726-86b5-bc9fe4cbe5f5";
-#     };
-#   };
-
-  services.murmur = {
-    # TODO https://nixos.org/manual/nixos/stable/options#opt-services.murmur.enable
-    # TODO https://github.com/azlux/botamusique
-    #enable = true;
-  };
-
-  environment.systemPackages = with pkgs; [ rsync ];
-
-  services.openssh.enable = true;
-  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com'' ];
-
-#   services.jitsi-meet = {
-#     enable = true;
-#     hostName = "meet.animal.chandlerswift.com";
-#     nginx.enable = false;
-#     caddy.enable = true;
-#   };
-#   services.jitsi-videobridge.openFirewall = true;
-
-
-  networking.firewall.allowedTCPPorts = [
-    80 # Caddy
-    443 # Caddy
-  ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  system.stateVersion = "24.05";
-
-}
-

animal/eric.nix

@@ -1,17 +0,0 @@
-{
-
-#   users.users.eric = {
-#     isNormalUser = true;
-#     description = "Eric Villnow";
-#     openssh.authorizedKeys.keys = [
-#       # TODO
-#     ];
-#   };
-
-  services.caddy.virtualHosts."nas.ericvillnow.com" = {
-    serverAliases = ["nas.vill.how"];
-    extraConfig = ''
-      reverse_proxy http://192.168.10.11:80
-    '';
-  };
-}

animal/hardware-configuration.nix

@@ -1,19 +0,0 @@
-{ modulesPath, ... }:
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.loader.grub = {
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-    device = "nodev";
-  };
-  fileSystems."/boot" = { device = "/dev/disk/by-uuid/FDD2-F69B"; fsType = "vfat"; };
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; };
-  swapDevices = [{
-    device = "/swapfile";
-    size = 4 * 1024; # 4GB
-  }];
-  boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = true;
-}

animal/kathe.nix

@@ -1,26 +0,0 @@
-{
-
-  users.users.kathe = {
-    isNormalUser = true;
-    description = "Käthe Swift";
-    openssh.authorizedKeys.keys = [
-      # TODO: ed25519
-      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTORULg2qqAJs5i9V7YpavlDaQBdPsEtj7s23B50qRz+VjP9rNQC8F2bVgI1BbI7CqQho2IFCG2nAiBqciLAMxTqaihI6OlNyhVJvkVSXxy2ru8NEKTPA2UnciepxeyQGfgstv8d+8mLiDbcytWDbtNoTymhy5DjCwki8gnQQTO1XVcJr5N12OsvoaCcikYQwTcxgXG0rVxlg/DUQJeaV1hZdHwpgr1cbdX2JxMONo8wcW5Ox5ZJs/+Zz72iOfoa9DXJChfdOQ5dMC+WVGwd3JbHQLWQmnCepYBKiUv8JMN7ZkDBcyIFJ+dc7F/CwBrPAF9g93GEauEilWulKV4AmbqdxY+lK/hp0fSr69H4bkqLmeAeXTHIlTge1FuQKNSKHeBhQ4y7OxDc0IEzDCE7OXT04fn6etsZcFb2JIYhFZWKGxiwSYWAjfdkmVnC48sC6Q3Heonk/IxZwbKVOUlo7B0q43A4PzTWiOWFcFKDGXn3KrNRCXuLfaYxYDyTEc2ss="
-    ];
-  };
-
-  services.caddy.virtualHosts."piano.animal.chandlerswift.com".extraConfig = ''
-    encode gzip
-    file_server
-    root /srv/piano.animal.chandlerswift.com
-    # hide .git # ???
-  '';
-  systemd.tmpfiles.settings."10-piano-animal-chandlerswift-com" = {
-    "/srv/piano.animal.chandlerswift.com" = {
-      d = {
-        user = "kathe";
-        mode = "0755";
-      };
-    };
-  };
-}

animal/monitoring.nix

@@ -1,20 +0,0 @@
-{
-  services.grafana = {
-    enable = true;
-    settings = {
-      server = {
-        http_addr = "127.0.0.1";
-        http_port = 3000;
-        domain = "monitoring.animal.chandlerswift.com";
-      };
-    };
-  };
-
-  services.prometheus = {
-    enable = true;
-  };
-
-  services.caddy.virtualHosts."monitoring.animal.chandlerswift.com".extraConfig = ''
-    reverse_proxy :3000
-  '';
-}

animal/web.nix

@@ -1,20 +0,0 @@
-{
-  services.caddy = {
-    enable = true;
-    virtualHosts."animal.chandlerswift.com".extraConfig = ''
-      respond "Hello, world!"
-    '';
-  };
-
-  services.caddy.virtualHosts."maps.animal.chandlerswift.com".extraConfig = ''
-    encode gzip
-    file_server
-    root /srv/maps.animal.chandlerswift.com
-    # hide .git # ???
-  '';
-  systemd.tmpfiles.settings."10-maps-animal-chandlerswift-com" = {
-    "/srv/maps.animal.chandlerswift.com" = {
-      d = {};
-    };
-  };
-}

bert/Makefile

@@ -0,0 +1,16 @@
+# https://stackoverflow.com/a/23324703
+current_dir:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
+
+.PHONY: deploy
+deploy:
+	rsync -avz $(current_dir)/ root@bert:config/
+	ssh root@bert nixos-rebuild switch --fast -I nixos-config=/root/config/configuration.nix
+
+.PHONY: local-build-deploy
+local-build-deploy:
+	nixos-rebuild switch --fast -I nixos-config=./configuration.nix --build-host root@bert --target-host root@bert
+
+.PHONY: deploy-upgrade
+deploy-upgrade:
+	rsync -avz $(current_dir)/ root@bert:config/
+	ssh root@bert nixos-rebuild switch --upgrade-all --fast -I nixos-config=/root/config/configuration.nix

bert/README.md

@@ -0,0 +1,23 @@
+# Installation
+1. Install NixOS minimal
+2. `ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_ed25519_key`
+2. Enable SSH server and add root SSH key
+3. Deploy updated config with `make`
+4. Set up [Remote Disk Unlocking](https://nixos.wiki/wiki/Remote_disk_unlocking)
+   1. mkdir -p /etc/secrets/initrd && ssh-keygen -N "" -f /etc/secrets/initrd/ssh_host_25519_key
+5. Deploy content to web services
+
+# Notes on Caddy
+Until 2.8 is released with 24.11, Caddy has a pretty limited sense of what
+content-types should be compressed:
+
+https://github.com/caddyserver/caddy/blob/v2.7.6/modules/caddyhttp/encode/encode.go#L85-L101
+
+Specifically, this doesn't include GeoJSON, which is a bit of a shame for
+maps.chandlerswift.com. That said, I'll probably be upgrading to 24.11 as soon
+as it comes out, so in the intervening time I'm just not going to worry about
+it.
+
+The list was expanded in this PR:
+
+https://github.com/caddyserver/caddy/pull/6081

bert/configuration.nix

@@ -0,0 +1,70 @@
+{ config, pkgs, lib, ... }:
+
+{
+  imports =
+    [
+      ./hardware-configuration.nix
+      ./services/factorio.nix
+      ./services/http/index.nix
+      ./services/monitoring.nix
+      ./services/forgejo.nix
+    ];
+
+  # Bootloader
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.timeout = 1;
+
+  # Set up SSH unlocking
+  boot.kernelParams = [ "ip=dhcp" ];
+  boot.initrd = {
+    availableKernelModules = [ "e1000e" ];
+    network = {
+      enable = true;
+      flushBeforeStage2 = true; # Without this, stage2 IPv6 config is messed up?
+      ssh = {
+        enable = true;
+        port = 22;
+        authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com" ];
+        hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];
+        shell = "/bin/cryptsetup-askpass";
+      };
+    };
+  };
+
+  boot.initrd.luks.devices."luks-48836129-1aa0-45c7-9fd1-6b053fa620b1".device = "/dev/disk/by-uuid/48836129-1aa0-45c7-9fd1-6b053fa620b1";
+  networking.hostName = "bert";
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  time.timeZone = "America/Chicago";
+  i18n.defaultLocale = "en_US.UTF-8";
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  environment.systemPackages = with pkgs; [
+    rsync
+  ];
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEhPyyqS3BGYor3zLbjc8hZuhem3mS8TNmvWogXcnz/b chandler@chandlerswift.com'' ];
+
+  networking.firewall.allowedTCPPorts = [
+    80 # Caddy
+    443 # Caddy
+  ];
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

bert/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/5abc0802-3969-460c-8089-5fec9f985c18";
+      fsType = "ext4";
+    };
+
+  boot.initrd.luks.devices."luks-da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc".device = "/dev/disk/by-uuid/da40f6d2-49d7-4a55-8a2e-94fa5f28dbbc";
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/B684-07FB";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/f5d7bb99-03aa-4f7c-9d4a-e264ceb514c6"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

bert/services/factorio.nix

@@ -0,0 +1,17 @@
+{
+  # nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+  #   "factorio-headless"
+  # ];
+  services.factorio = let
+    factorio-nixpkgs = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/7e35ac30ea1d236419653182559367ecd8a30675.tar.gz") {
+      config.allowUnfree = true;
+    };
+  in {
+    enable = true;
+    package = factorio-nixpkgs.factorio-headless;
+    openFirewall = true;
+    nonBlockingSaving = true;
+    game-name = "Chandler's Factorio Server";
+    description = "Job 28:2";
+  };
+}

bert/services/forgejo.nix

@@ -0,0 +1,19 @@
+{
+  services.forgejo = {
+    enable = true;
+    settings = {
+      DEFAULT = {
+        APP_NAME = "Forgejo: Beyond coding. We Forge."; # TODO
+      };
+      server = {
+        # USE_PROXY_PROTOCOL = true;
+        DOMAIN = "git.chandlerswift.com";
+        #SSH_DOMAIN = "git.chandlerswift.com";
+        ROOT_URL = "https://git.chandlerswift.com/";
+        HTTP_PORT = 3001;
+        LANDING_PAGE = "/chandlerswift";
+      };
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+}

bert/services/http/files.chandlerswift.com.nix

@@ -0,0 +1,13 @@
+
+{
+  services.caddy.virtualHosts."files.chandlerswift.com".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/www/files.chandlerswift.com
+  '';
+  systemd.tmpfiles.settings."10-files-chandlerswift-com" = {
+    "/srv/www/files.chandlerswift.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/git.chandlerswift.com.nix

@@ -0,0 +1,5 @@
+{config, ...}: {
+  services.caddy.virtualHosts."git.chandlerswift.com".extraConfig = ''
+    reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+  '';
+}

bert/services/http/home.chandlerswift.com.nix

@@ -0,0 +1,15 @@
+
+{
+  services.caddy.virtualHosts."home.chandlerswift.com".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/www/home.chandlerswift.com
+    reverse_proxy /grafana/* localhost:3000
+    # hide .git # ???
+  '';
+  systemd.tmpfiles.settings."10-home-chandlerswift-com" = {
+    "/srv/www/home.chandlerswift.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/index.nix

@@ -0,0 +1,21 @@
+{
+  imports = [
+    ./files.chandlerswift.com.nix
+    ./git.chandlerswift.com.nix
+    ./home.chandlerswift.com.nix
+    ./katherineandchandler.com.nix
+    ./maps.chandlerswift.com.nix
+    ./stjohnscccc.org.nix
+    ./swiftgang.net.nix
+  ];
+
+  services.caddy = {
+    enable = true;
+    email = "chandler@chandlerswift.com";
+    globalConfig = ''
+      servers {
+          metrics # Enable Prometheus monitoring
+      }
+    '';
+  };
+}

bert/services/http/katherineandchandler.com.nix

@@ -0,0 +1,14 @@
+
+{
+  services.caddy.virtualHosts."katherineandchandler.com".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/www/katherineandchandler.com
+    # hide .git # ???
+  '';
+  systemd.tmpfiles.settings."10-katherineandchandler-com" = {
+    "/srv/www/katherineandchandler.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/maps.chandlerswift.com.nix

@@ -0,0 +1,14 @@
+
+{
+  services.caddy.virtualHosts."maps.chandlerswift.com".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/www/maps.chandlerswift.com
+    # hide .git # ???
+  '';
+  systemd.tmpfiles.settings."10-maps-chandlerswift-com" = {
+    "/srv/www/maps.chandlerswift.com" = {
+      d = {};
+    };
+  };
+}

bert/services/http/stjohnscccc.org.nix

@@ -0,0 +1,54 @@
+{ pkgs, lib, config, ... }:
+let
+  app = "stjohnscccc";
+  domain = "${app}.chandlerswift.com"; # TODO
+  dataDir = "/srv/www/stjohnscccc.org";
+in {
+  services.phpfpm.pools.${app} = {
+    user = app;
+    settings = {
+      "listen.owner" = config.services.caddy.user;
+      "pm" = "dynamic";
+      "pm.max_children" = 32;
+      # "pm.max_requests" = 500;
+      "pm.start_servers" = 1;
+      "pm.min_spare_servers" = 1;
+      "pm.max_spare_servers" = 4;
+      "php_admin_value[error_log]" = "stderr";
+      "php_admin_flag[log_errors]" = true;
+      "catch_workers_output" = true;
+    };
+    # phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
+  };
+  services.caddy.virtualHosts.${domain}.extraConfig = ''
+    root * ${dataDir}/public
+
+    handle /downloads/* {
+      file_server {
+        browse ${./caddy-browse-template.html}
+        hide .gitignore
+      }
+    }
+
+    handle {
+      encode zstd gzip
+      php_fastcgi unix/${config.services.phpfpm.pools.${app}.socket}
+      file_server
+    }
+
+    handle_errors {
+      respond "{err.status_code} {err.status_text}"
+    }
+  '';
+  users.users.${app} = {
+    isSystemUser = true;
+    home = dataDir;
+    group = app;
+  };
+  users.groups.${app} = {};
+  systemd.tmpfiles.settings."10-stjohnscccc.org" = {
+    "/srv/www/stjohnscccc.org" = {
+      d = {};
+    };
+  };
+}

bert/services/http/swiftgang.net.nix

@@ -0,0 +1,13 @@
+
+{
+  services.caddy.virtualHosts."swiftgang.net".extraConfig = ''
+    encode zstd gzip
+    file_server
+    root * /srv/www/swiftgang.net
+  '';
+  systemd.tmpfiles.settings."10-swiftgang-net" = {
+    "/srv/www/swiftgang.net" = {
+      d = {};
+    };
+  };
+}

bert/services/monitoring.nix

@@ -0,0 +1,41 @@
+{
+  services.prometheus = {
+    enable = true;
+    scrapeConfigs = [
+      {
+        job_name = "caddy";
+        static_configs = [{
+          targets = [
+            "localhost:2019"
+          ];
+        }];
+      }
+      {
+        job_name = "node";
+        static_configs = [{
+          targets = [
+            "localhost:9100"
+          ];
+        }];
+      }
+    ];
+    exporters.node = {
+      enable = true;
+      # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+      enabledCollectors = [ "systemd" ];
+      # /nix/store/zgsw0yx18v10xa58psanfabmg95nl2bb-node_exporter-1.8.1/bin/node_exporter  --help
+      # extraFlags = [ "--collector.ethtool" "--collector.softirqs" "--collector.tcpstat" "--collector.wifi" ];
+    };
+  };
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        root_url = "https://home.chandlerswift.com/grafana/";
+        serve_from_sub_path = true;
+      };
+    };
+  };
+
+}

oscar/configuration.nix

@@ -138,7 +138,6 @@
       libreoffice-qt
       prismlauncher
       qgis
-      thunderbird
 
       # command line applications
       beets
@@ -163,6 +162,8 @@
       factorio
     ];
 
+    programs.thunderbird.enable = true;
+
     programs.bash.enable = true;
 
     programs.direnv = {

shell.nix

@@ -0,0 +1,11 @@
+let
+#   nixpkgs = fetchTarball "https://github.com/NixOS/nixpkgs/tarball/nixos-24.05";
+  pkgs = import <nixpkgs> { config = {}; overlays = []; };
+in
+
+pkgs.mkShellNoCC {
+  packages = with pkgs; [
+    # nixd
+    gnumake
+  ];
+}