From 9bf85c00cf2fbe967f7836532b5e1b6408359c5e Mon Sep 17 00:00:00 2001 From: Giulio De Pasquale Date: Fri, 12 May 2023 23:05:10 +0200 Subject: [PATCH] architect: services use new networking attrset --- hosts/architect/bazarr.nix | 12 ++++--- hosts/architect/calibre.nix | 12 ++++--- hosts/architect/default.nix | 6 ++-- hosts/architect/deluge.nix | 10 +++--- hosts/architect/fail2ban.nix | 9 +++-- hosts/architect/gitea.nix | 11 ++++--- hosts/architect/headscale.nix | 5 +-- hosts/architect/jellyfin.nix | 54 +++++++++++++++--------------- hosts/architect/keycloak.nix | 12 ++++--- hosts/architect/libreddit.nix | 14 ++++---- hosts/architect/lidarr.nix | 14 ++++---- hosts/architect/matrix.nix | 13 ++++---- hosts/architect/minecraft.nix | 14 ++++---- hosts/architect/minio.nix | 19 ++++++----- hosts/architect/nextcloud.nix | 21 +++++++----- hosts/architect/nginx.nix | 1 + hosts/architect/nzbget.nix | 12 ++++--- hosts/architect/plex.nix | 14 ++++---- hosts/architect/prosody.nix | 10 +++--- hosts/architect/prowlarr.nix | 18 +++++----- hosts/architect/radarr.nix | 13 +++++--- hosts/architect/runas.nix | 13 +++++--- hosts/architect/sonarr.nix | 12 ++++--- hosts/architect/tailscale.nix | 6 ++-- hosts/architect/utilities.nix | 13 ++++++++ hosts/architect/wireguard.nix | 62 +++++++++++++++++------------------ 26 files changed, 227 insertions(+), 173 deletions(-) create mode 100644 hosts/architect/utilities.nix diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index d4a6a57..7ca8884 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htbaz.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
@@ -25,9 +27,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "bazarr" ]; diff --git a/hosts/architect/calibre.nix b/hosts/architect/calibre.nix index 185bc75..362a4f0 100644 --- a/hosts/architect/calibre.nix +++ b/hosts/architect/calibre.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "books.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -29,9 +31,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "calibre-web" ]; diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index 56ba5fa..193076d 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -5,9 +5,9 @@ let "ssh-rsa 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 giulio@giulio-X230" ]; domain = "devs.giugl.io"; - # device.address device.hostname - generateDeviceStrings = devices: lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings; in { imports = [ diff --git a/hosts/architect/deluge.nix b/hosts/architect/deluge.nix index cf3a781..98522f8 100644 --- a/hosts/architect/deluge.nix +++ b/hosts/architect/deluge.nix 
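Review bot: `utilities = import ./utilities.nix { inherit lib config; }` requires both `lib` and `config` to be bound by the module's argument pattern, but that line lies above this hunk (the hunk starts at old line 5), so the diff alone cannot show that `config` is available in default.nix. The same applies to deluge.nix, gitea.nix, headscale.nix, prosody.nix and tailscale.nix, whose hunks also begin below the argument line, whereas bazarr.nix, keycloak.nix, minecraft.nix and the other files in this patch add the missing names explicitly. A `nixos-rebuild dry-build` of the host, or extending those argument patterns the same way (`{ config, lib, ... }:`), would settle it.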
@@ -2,8 +2,10 @@ let domain = "htdel.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; listenPorts = [ 51413 51414 ]; in @@ -54,9 +56,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "deluge" ]; diff --git a/hosts/architect/fail2ban.nix b/hosts/architect/fail2ban.nix index 2dfa35c..65836f0 100644 --- a/hosts/architect/fail2ban.nix +++ b/hosts/architect/fail2ban.nix @@ -1,9 +1,14 @@ -{ config, pkgs, ... }: { +{ config, pkgs, ... }: + +{ services.fail2ban = { enable = true; package = pkgs.fail2ban; packageFirewall = pkgs.nftables; bantime-increment.enable = true; - ignoreIP = [ "10.0.0.0/24" "10.3.0.0/24" ]; + ignoreIP = [ + config.architect.networks.lan.net + config.architect.networks.tailscale.net + ]; }; } diff --git a/hosts/architect/gitea.nix b/hosts/architect/gitea.nix index 3f4c8a9..49dd14a 100644 --- a/hosts/architect/gitea.nix +++ b/hosts/architect/gitea.nix @@ -2,7 +2,9 @@ let domain = "git.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall.openTCP = [ config.services.gitea.settings.server.SSH_PORT ]; @@ -33,9 +35,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - } 
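Review bot: The new `ignoreIP` exempts every host in `config.architect.networks.lan.net` and `config.architect.networks.tailscale.net` from banning, but it is not visible here whether the removed `10.3.0.0/24` was the tailscale range, so the set of hosts that bypass fail2ban may have shifted rather than merely been renamed; WireGuard peers remain eligible for banning, which is presumably intended but worth stating. fail2ban's `ignoreip` takes address or CIDR strings, so `.net` must evaluate to that form wherever the option is defined. A comment above the list would pin the intent, e.g. `# Sources never banned: LAN and tailnet; WireGuard peers are still subject to fail2ban`.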
diff --git a/hosts/architect/headscale.nix b/hosts/architect/headscale.nix index 12ae648..c9f11b3 100644 --- a/hosts/architect/headscale.nix +++ b/hosts/architect/headscale.nix @@ -2,8 +2,9 @@ let domain = "vipienne.giugl.io"; - architectInterfaceAddress = interface: - config.architect.networks.${interface}.devices.architect.address; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index e2ad9fc..b61a73d 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let - network = import ./network.nix; domain = "media.giugl.io"; - auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + port = 8096; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { # needed since StateDirectory does not accept symlinks 
@@ -19,44 +21,40 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; - extraConfig = auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; } + - '' - # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; - # Disable buffering when the nginx proxy gets very resource heavy upon streaming - proxy_buffering off; - ''; + extraConfig = '' + # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + # Disable buffering when the nginx proxy gets very resource heavy upon streaming + proxy_buffering off; + + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; + deny all; + ''; locations."/" = { - proxyPass = "http://127.0.0.1:8096"; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; + proxyPass = "http://127.0.0.1:${toString port}"; }; locations."/socket" = { - proxyPass = "http://127.0.0.1:8096"; + proxyPass = 
"http://127.0.0.1:${toString port}"; proxyWebsockets = true; - # extraConfig = '' - # allow 10.0.0.0/24; - # allow 10.3.0.0/24; - # deny all; - # ''; }; }; }; + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - users.groups.media.members = [ "jellyfin" ]; - users.groups.video.members = [ "jellyfin" ]; - users.groups.render.members = [ "jellyfin" ]; + users.groups = { + media.members = [ "jellyfin" ]; + video.members = [ "jellyfin" ]; + render.members = [ "jellyfin" ]; + }; fileSystems."/tmp/jellyfin" = { device = "none"; diff --git a/hosts/architect/keycloak.nix b/hosts/architect/keycloak.nix index 6972892..c8e7aa6 100644 --- a/hosts/architect/keycloak.nix +++ b/hosts/architect/keycloak.nix @@ -1,8 +1,10 @@ -{ pkgs, config, ... }: +{ pkgs, lib, config, ... }: let - network = import ./network.nix; domain = "auth.giugl.io"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -73,8 +75,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/libreddit.nix b/hosts/architect/libreddit.nix index e652599..71c841b 100644 --- a/hosts/architect/libreddit.nix +++ b/hosts/architect/libreddit.nix @@ -1,8 +1,10 @@ -{ lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let domain = "reddit.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
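Review bot: The rewritten `extraConfig` drops the `auth_block { access_role = "jellyfin"; whitelisted_ips = network.gdevices; }` OIDC gate and replaces it with `allow lan; allow tailscale; deny all;`, so reaching the vhost is now decided by source network instead of by an authenticated identity holding the `jellyfin` role; the commit title ("services use new networking attrset") does not mention this change of access model, and a sentence in the description or a comment above the `allow` lines (`# Access control is network-based: only LAN and tailnet sources reach Jellyfin's own login`) would make it deliberate. Note also that `networking.extraHosts` still publishes `${domain}` on the WireGuard address while `config.architect.networks.wireguard.net` is absent from the allowlist, so requests arriving over WireGuard would presumably fall under `deny all` — either add `allow ${config.architect.networks.wireguard.net};` or drop that hosts entry. The `services` attrset enclosing this vhost begins before the hunk.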
@@ -14,13 +16,13 @@ in nginx.virtualHosts.${domain} = { forceSSL = true; enableACME = true; - locations."/" = { proxyPass = "http://127.0.0.1:9090"; }; + locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.libreddit.port}"; }; }; }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/lidarr.nix b/hosts/architect/lidarr.nix index 15f3a9b..c07bc97 100644 --- a/hosts/architect/lidarr.nix +++ b/hosts/architect/lidarr.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htlid.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,10 +27,10 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - + users.groups.media.members = [ "lidarr" ]; } diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix index 19feccb..ba13c57 100644 --- a/hosts/architect/matrix.nix +++ b/hosts/architect/matrix.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let domain = "runas.rocks"; - network = import ./network.nix; db_name = "matrix-synapse-runas.rocks"; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
@@ -111,9 +113,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - } diff --git a/hosts/architect/minecraft.nix b/hosts/architect/minecraft.nix index 96a4a35..f2a4f24 100644 --- a/hosts/architect/minecraft.nix +++ b/hosts/architect/minecraft.nix @@ -1,8 +1,10 @@ -{ config, pkgs, ... }: +{ lib, config, pkgs, ... }: let domain = "minecraft.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall.openTCP = [ 25565 ]; @@ -14,10 +16,10 @@ in package = pkgs.unstablePkgs.minecraft-server; serverProperties = { motd = "Welcome on the RuNas server!"; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/minio.nix b/hosts/architect/minio.nix index 6e03f79..174125f 100644 --- a/hosts/architect/minio.nix +++ b/hosts/architect/minio.nix @@ -1,8 +1,10 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "s3.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { 
@@ -15,18 +17,17 @@ in proxyPass = "http://127.0.0.1:9000"; extraConfig = '' client_max_body_size 500M; - allow 10.0.0.0/24; - ${lib.concatMapStrings (x: "allow ${x};") network.gdevices } - allow ${network.manduria-wg}; + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; deny all; ''; }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 1350744..000ead5 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -1,12 +1,19 @@ -{ pkgs, ... }: +{ pkgs, config, lib, ... }: let domain = "cloud.giugl.io"; - network = import ./network.nix; redis_port = 6379; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + }; + mysql = { enable = true; package = pkgs.unstablePkgs.mysql80; @@ -53,13 +60,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; - services.nginx.virtualHosts.${domain} = { - forceSSL = true; - enableACME = true; - }; } diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 18817f3..d1d2e2c 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -90,5 +90,6 @@ worker_processes 24; ''; }; + users.groups.acme.members = [ "nginx" ]; } diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index 07fedfe..d83280f 100644 
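Review bot: The MinIO `allow` list moves from enumerated device addresses (`network.gdevices` plus `network.manduria-wg`) to whole subnets, so every host in the tailscale network — not only the previously listed devices — can now reach the S3 endpoint, and `manduria-wg` is no longer admitted unless its address lies in one of the two nets. prowlarr.nix (`@@ -14,8 +16,8 @@`) makes the same widening. If per-device allowlisting was intentional, `getDeviceAddress` from the new utilities.nix can reproduce it per interface; otherwise a comment such as `# Trust boundary is network membership, not device identity` above the `allow` lines would tell the next reader that the broadening is deliberate. The `locations."/"` block starts before this hunk.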
--- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix @@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htnzb.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,9 +27,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "nzbget" ]; diff --git a/hosts/architect/plex.nix b/hosts/architect/plex.nix index b7e1e3e..bfaaee4 100644 --- a/hosts/architect/plex.nix +++ b/hosts/architect/plex.nix @@ -1,9 +1,11 @@ -{ pkgs, lib, ... }: +{ pkgs, config, lib, ... }: let domain = "plex.giugl.io"; - network = import ./network.nix; port = 32400; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { @@ -86,11 +88,11 @@ in locations."/" = { proxyPass = "http://127.0.0.1:${toString port}"; }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "plex" ]; diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix index d9a257a..d5c8302 100644 --- a/hosts/architect/prosody.nix +++ b/hosts/architect/prosody.nix 
@@ -4,7 +4,9 @@ let domain = "xmpp.giugl.io"; conference_domain = "conference.${domain}"; upload_domain = "uploads.${domain}"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { architect.firewall = { @@ -42,9 +44,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups = { diff --git a/hosts/architect/prowlarr.nix b/hosts/architect/prowlarr.nix index 17fdeba..ad5b8e8 100644 --- a/hosts/architect/prowlarr.nix +++ b/hosts/architect/prowlarr.nix @@ -1,8 +1,10 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htpro.giugl.io"; - network = import ./network.nix; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -14,8 +16,8 @@ in locations."/" = { proxyPass = "http://127.0.0.1:9696"; extraConfig = '' - allow 10.0.0.0/24; - ${lib.concatMapStrings (x: "allow ${x};") network.gdevices} + allow ${config.architect.networks.lan.net}; + allow ${config.architect.networks.tailscale.net}; deny all; ''; }; @@ -29,11 +31,11 @@ in # }; }; }; - + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "prowlarr" ]; diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index 0d042d0..15748e6 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix 
@@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htrad.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -24,10 +26,11 @@ in }; }; + networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "radarr" ]; diff --git a/hosts/architect/runas.nix b/hosts/architect/runas.nix index 99eb081..2bcc112 100644 --- a/hosts/architect/runas.nix +++ b/hosts/architect/runas.nix @@ -1,14 +1,17 @@ -{ services, pkgs, lib, makeBinPath, ... }: +{ config, pkgs, lib, ... }: + let domain = "runas.rocks"; runas_root = "/var/lib/runas.rocks/dist"; service_name = "runas.rocks-pull"; - network = import ./network.nix; mkStartScript = name: pkgs.writeShellScript "${name}.sh" '' set -euo pipefail cd ${runas_root} git pull origin main --rebase ''; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services.nginx.virtualHosts.${domain} = { @@ -39,8 +42,8 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; } diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index 93c5aa1..42874e8 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix 
@@ -1,9 +1,11 @@ -{ lib, ... }: +{ config, lib, ... }: let domain = "htson.giugl.io"; - network = import ./network.nix; auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block; + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) architectInterfaceAddress; in { services = { @@ -25,9 +27,9 @@ in }; networking.extraHosts = '' - ${network.architect-lan} ${domain} - ${network.architect-wg} ${domain} - ${network.architect-ts} ${domain} + ${architectInterfaceAddress "lan"} ${domain} + ${architectInterfaceAddress "wireguard"} ${domain} + ${architectInterfaceAddress "tailscale"} ${domain} ''; users.groups.media.members = [ "sonarr" ]; diff --git a/hosts/architect/tailscale.nix b/hosts/architect/tailscale.nix index aaa5b14..4b79313 100644 --- a/hosts/architect/tailscale.nix +++ b/hosts/architect/tailscale.nix @@ -2,9 +2,9 @@ let domain = "devs.giugl.io"; - # device.address device.hostname - generateDeviceStrings = devices: lib.concatStringsSep "\n" - (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + utilities = import ./utilities.nix { inherit lib config; }; + inherit (utilities) generateDeviceStrings; in { architect = { diff --git a/hosts/architect/utilities.nix b/hosts/architect/utilities.nix new file mode 100644 index 0000000..b61bd7f --- /dev/null +++ b/hosts/architect/utilities.nix @@ -0,0 +1,13 @@ +{ config, lib, ... }: + +{ + # device.address device.hostname + generateDeviceStrings = devices: lib.concatStringsSep "\n" + (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices); + + getDeviceAddress = interface: device: + config.architect.networks.${interface}.devices.${device}.address; + + architectInterfaceAddress = interface: + config.architect.networks.${interface}.devices.architect.address; +} diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index d85743e..d793151 100644 --- a/hosts/architect/wireguard.nix 
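Review bot: utilities.nix is a new shared helper file but says nothing about the shape of `config.architect.networks` it dereferences, which every caller in this patch now depends on; a header comment such as `# Helpers over config.architect.networks: each network is expected to expose devices.<name>.address` would let a reader check a caller without opening the option definition. In `generateDeviceStrings` the `name` lambda parameter is unused, so `_: device:` makes that explicit. `architectInterfaceAddress` duplicates the lookup in `getDeviceAddress`; writing it as `architectInterfaceAddress = interface: getDeviceAddress interface "architect";` keeps the two from drifting apart.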
+++ b/hosts/architect/wireguard.nix
@@ -4,11 +4,11 @@ let
 listenPort = 1194;
 domain = "devs.giugl.io";
 interface = "wireguard";
- # device.address device.hostname
- generateDeviceStrings = devices: lib.concatStringsSep "\n"
- (lib.mapAttrsToList (name: device: "${device.address} ${device.hostname}") devices);
- getDeviceAddress = device:
- config.architect.networks.${interface}.devices.${device}.address;
+
+ utilities = import ./utilities.nix { inherit lib config; };
+ inherit (utilities) generateDeviceStrings getDeviceAddress;
+
+ getWireguardDeviceAddress = getDeviceAddress "wireguard";
 in
 {
 architect = {
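Review bot: `getWireguardDeviceAddress = getDeviceAddress "wireguard";` re-spells the interface name that the `interface = "wireguard";` binding three lines above already holds, and the removed local `getDeviceAddress` deliberately looked up `${interface}` instead of a literal. Use `getWireguardDeviceAddress = getDeviceAddress interface;` so the peers' `allowedIPs` and every other use of `interface` cannot diverge. The `let` block begins before this hunk.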
@@ -65,150 +65,150 @@ in peers = [ { # Antonio - allowedIPs = [ (getDeviceAddress "antonio") ]; + allowedIPs = [ (getWireguardDeviceAddress "antonio") ]; publicKey = "SPndCvEzuLHtGAQV8u/4dfLlFHoPcXS3L98oFOwTljc="; } { # GBEAST - allowedIPs = [ (getDeviceAddress "gbeast") ]; + allowedIPs = [ (getWireguardDeviceAddress "gbeast") ]; publicKey = "XiK+wk+DErz0RmCWRxuaJN1cvdj+3DoiU6tcR+uZfAI="; } { # shield - allowedIPs = [ (getDeviceAddress "shield") ]; + allowedIPs = [ (getWireguardDeviceAddress "shield") ]; publicKey = "1GaV/M48sHqQTrBVRQ+jrFU2pUMmv2xkguncVcwPCFs="; } { # salvatore - allowedIPs = [ (getDeviceAddress "salvatore") ]; + allowedIPs = [ (getWireguardDeviceAddress "salvatore") ]; publicKey = "fhlnBHeMyHZKLUCTSA9kmkKoM5x/qzz/rnCJrUh3Gzs="; } { # papa - allowedIPs = [ (getDeviceAddress "papa") ]; + allowedIPs = [ (getWireguardDeviceAddress "papa") ]; publicKey = "oGHygt02Oni3IFbScKD0NVEfHKCp6bpw68aq5g4RrAA="; } { # defy - allowedIPs = [ (getDeviceAddress "defy") ]; + allowedIPs = [ (getWireguardDeviceAddress "defy") ]; publicKey = "Cvi/eto7E6Ef+aiL81ou7x12fJCeuXrf/go9fxEqXG4="; } { # germano - allowedIPs = [ (getDeviceAddress "germano") ]; + allowedIPs = [ (getWireguardDeviceAddress "germano") ]; publicKey = "LJ0DHY1sFVLQb3ngUGGH0HxbDOPb9KCUPSaYcjr5Uiw="; } { # flavio - allowedIPs = [ (getDeviceAddress "flavio") ]; + allowedIPs = [ (getWireguardDeviceAddress "flavio") ]; publicKey = "Yg0P+yHi/9SZHyoel8jT9fmmu+irLYmT8yMp/CZoaSg="; } { # alain - allowedIPs = [ (getDeviceAddress "alain") ]; + allowedIPs = [ (getWireguardDeviceAddress "alain") ]; publicKey = "/o2msFJoUL4yovcIQJTU8c1faFtekrjSBBWJABouWno="; } { # dima - allowedIPs = [ (getDeviceAddress "dima") ]; + allowedIPs = [ (getWireguardDeviceAddress "dima") ]; publicKey = "svzWYIZ6v+cLCp/emGG7mx2YpBJqw2fqjVuHZy7b6H0="; } { # mikey - allowedIPs = [ (getDeviceAddress "mikey") ]; + allowedIPs = [ (getWireguardDeviceAddress "mikey") ]; publicKey = "ewbDdX3z7nxG2aPIf9TogXkhxPlGipLFcy6XfyDC6gI="; } { # andrew - 
allowedIPs = [ (getDeviceAddress "andrew") ]; + allowedIPs = [ (getWireguardDeviceAddress "andrew") ]; publicKey = "LP/FgST9fmBQSoKQFq9sFGvjRFOtRooMcuEcjuqaoWM="; } { # mikey laptop - allowedIPs = [ (getDeviceAddress "mikeylaptop") ]; + allowedIPs = [ (getWireguardDeviceAddress "mikeylaptop") ]; publicKey = "kz/pY/PgV+dwF1JZ2It4r5B5QfRSQM7HkbFCdvd5Yxk="; } { # andrew desktop - allowedIPs = [ (getDeviceAddress "andrewdesktop") ]; + allowedIPs = [ (getWireguardDeviceAddress "andrewdesktop") ]; publicKey = "rpYr3JNLIzxpxzFuQuaHFEl/XvPEPfwLbDETBP8KYXI="; } { # laptop desktop - allowedIPs = [ (getDeviceAddress "jacopo") ]; + allowedIPs = [ (getWireguardDeviceAddress "jacopo") ]; publicKey = "W/taWI79bPIKOolVVu5xZfiJnPw9K91Xn1zhcM0+4g0="; } { # frznn - allowedIPs = [ (getDeviceAddress "frznn") ]; + allowedIPs = [ (getWireguardDeviceAddress "frznn") ]; publicKey = "dXcrdME6VnnE5PBYwvUmayf7cn2wpcExeCR9gIXOO0o="; } { # ludo - allowedIPs = [ (getDeviceAddress "ludo") ]; + allowedIPs = [ (getWireguardDeviceAddress "ludo") ]; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; } { # parina - allowedIPs = [ (getDeviceAddress "parina") ]; + allowedIPs = [ (getWireguardDeviceAddress "parina") ]; publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; } { # nilo - allowedIPs = [ (getDeviceAddress "nilo") ]; + allowedIPs = [ (getWireguardDeviceAddress "nilo") ]; publicKey = "lhTEDJ9WnizvEHTd5kN21fTHF27HNk+fPLQnB1B3LW0="; } { # parina ipad - allowedIPs = [ (getDeviceAddress "parina-ipad") ]; + allowedIPs = [ (getWireguardDeviceAddress "parina-ipad") ]; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; } { # kcl vm - allowedIPs = [ (getDeviceAddress "kclvm") ]; + allowedIPs = [ (getWireguardDeviceAddress "kclvm") ]; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; } { - allowedIPs = [ (getDeviceAddress "framecca") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca") ]; publicKey = "w0XPu5GcDA2vpNk3KCFRdWNVVQHRtAPApEsK1h3Ovyk="; } { - allowedIPs 
= [ (getDeviceAddress "framecca_one") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_one") ]; publicKey = "5PnmExv78fU3SS8liUWY/oBCcJ48wzmz/70O0U7K/xs="; } { - allowedIPs = [ (getDeviceAddress "framecca_two") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_two") ]; publicKey = "FbWfh2rL3OYLTDIte+MgctqL/bphn38eqpNy/chc3wM="; } { - allowedIPs = [ (getDeviceAddress "framecca_three") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_three") ]; publicKey = "Z3LRFs6CO0kUh4J3pf+HcPsWch3hUAwJBG8/b0Kqnxs="; } { - allowedIPs = [ (getDeviceAddress "framecca_four") ]; + allowedIPs = [ (getWireguardDeviceAddress "framecca_four") ]; publicKey = "g/Ta12igzxSlCxy7KP865qf+l3+r1LjOo6UXjulmPBc="; } ];