feat: try rework

config/endpoints.nix

@@ -1,28 +1,67 @@
 let
-  lib = import <nixpkgs/lib>;
   net = import ./network.nix;
+  services = import ./services.nix;
+  web = import ../intermediate/web.nix;
 in
-rec {
-    [
-        {
-            type = "web";
-            domain = "${net.devices.remote_proxy.domain}";
-            endpoint = "/";
-            force_ssl = true;
-            port = 443;
-            content = web.home;
-        }
-        {
-            type = "proxy";
-            domain = "torrent.${net.local_domain}";
-            endpoint = "/";
-            forceSsl = false;
-            port = 80;
-            content = {
-                type = "service";
-                url = "localhost";
-                port = services.torrent.port;
-            };
-        }
-    ]
-}
+[
+  {
+    type = "web";
+    domain = net.devices.remote_proxy.domain;
+    endpoint = "/";
+    force_ssl = true;
+    port = 443;
+    content = web.storePayloads.home;
+  }
+  {
+    type = "proxy";
+    domain = net.devices.remote_proxy.domain;
+    endpoint = "/_matrix/";
+    force_ssl = true;
+    port = 443;
+    content = {
+      type = "service";
+      ip = net.devices.pi.ip;
+      port = services.continuwuity.port;
+      proxyWebsockets = true;
+    };
+  }
+  {
+    type = "proxy";
+    domain = net.devices.remote_proxy.domain;
+    endpoint = "/_matrix/";
+    force_ssl = true;
+    port = 8448;
+    content = {
+      type = "service";
+      ip = net.devices.pi.ip;
+      port = services.continuwuity.port;
+      proxyWebsockets = true;
+    };
+  }
+  {
+    type = "proxy";
+    domain = "torrent.${net.local_domain}";
+    endpoint = "/";
+    force_ssl = false;
+    port = 80;
+    content = {
+      type = "service";
+      ip = net.devices.pi.ip;
+      port = services.qbittorrent.port;
+      proxyWebsockets = false;
+    };
+  }
+  {
+    type = "proxy";
+    domain = "wiki.${net.local_domain}";
+    endpoint = "/";
+    force_ssl = false;
+    port = 80;
+    content = {
+      type = "service";
+      ip = net.devices.pi.ip;
+      port = services.kiwix.port;
+      proxyWebsockets = true;
+    };
+  }
+]

config/network.nix

@@ -1,8 +1,10 @@
 rec {
+  secrets = import ../intermediate/secrets.nix;
+
   network = {
     subnet = "192.168.2.0/24";
     subnet_base = "192.168.2.0";
-    gateway = ips.router;
+    gateway = devices.router.ip;
     cidr = 24;
   };
 
@@ -11,6 +13,7 @@ rec {
       type = "local";
       ip = "192.168.2.100";
     };
+    "self" = devices.pi;
     "desktop" = {
       type = "local";
       ip = "192.168.2.101";
@@ -28,11 +31,11 @@ rec {
       ip = "193.31.24.99";
       domain = "nudelerde.de";
       auto_ssh = {
+        enable = true;
         sshPort = 22;
         sshUser = "root";
-        key = secret.remote_proxy_key;
-        known_hosts = secret.remote_proxy_known_hosts;
-        forwards = [];
+        key = secrets.byName.autossh_remote_proxy_key.path;
+        known_hosts = secrets.byName.autossh_remote_proxy_known_hosts.path;
       };
     };
   };
@@ -50,5 +53,4 @@ rec {
   ];
 
   local_domain = "home";
-  extern_domain = "nudelerde.de";
 }

config/openssh.nix

@@ -0,0 +1,7 @@
+let
+  secrets = import ../intermediate/secrets.nix;
+  users = builtins.attrNames secrets.source.openssh.users;
+in
+rec {
+  ssh_users = users;
+}

config/secrets.nix

@@ -0,0 +1,34 @@
+{
+  autossh = {
+    remote_proxy = {
+      key = {
+        file = ../secrets/autossh/remote_proxy_key;
+        owner = "autossh-remote_proxy";
+        mode = "0400";
+      };
+      known_hosts = {
+        file = ../secrets/autossh/remote_proxy_known_hosts;
+        owner = "autossh-remote_proxy";
+        mode = "0400";
+      };
+    };
+  };
+
+  qbittorrent = {
+    file = ../secrets/qbittorrent/vpn.json;
+  };
+
+  openssh = {
+    users = {
+      nudelerde = {
+        pub_keys = {
+          file = ../secrets/openssh/nudelerde/pub_keys;
+          path = "/home/nudelerde/.ssh/authorized_keys";
+          owner = "nudelerde";
+          group = "users";
+          mode = "0600";
+        };
+      };
+    };
+  };
+}

config/services.nix

@@ -0,0 +1,35 @@
+# Config-backed service registry.
+# NOTE: VPN credentials are temporarily stored here and will be moved
+# to the dedicated secret system in a later migration step.
+let
+  storage_data = import ../config/storage.nix;
+  secrets = import ../intermediate/secrets.nix;
+in
+rec {
+  continuwuity = {
+    port = 6167;
+  };
+
+  qbittorrent = {
+    port = 8085;
+    root_dir = "${storage_data.ssd.path}/qbittorrent";
+    vpn = {
+      username_file = secrets.byName.qbittorrent_vpn_username.path;
+      password_file = secrets.byName.qbittorrent_vpn_password.path;
+    };
+  };
+
+  kiwix = {
+    port = 8086;
+    root_dir = "${storage_data.ssd.path}/kiwix";
+    urls = [
+      "https://ftp.fau.de/kiwix/zim/wikipedia/wikipedia_en_all_nopic_2025-08.zim"
+      "https://download.kiwix.org/zim/wikipedia/wikipedia_de_all_nopic_2026-01.zim"
+    ];
+  };
+
+  matrix = {
+    trusted_servers = [ "matrix.org" ];
+  };
+
+}

config/storage.nix

@@ -0,0 +1,25 @@
+rec {
+  sdcard = {
+    path = "/";
+    type = "ext4";
+    source = "/dev/disk/by-label/NIXOS_SD";
+    options = [ "noatime" ];
+  };
+
+  ssd = {
+    path = "/mnt/ssd";
+    type = "ext4";
+    source = "/dev/disk/by-uuid/e44fedd5-150c-4af6-a2a0-0476da78e651";
+    options = [ "noatime" ];
+  };
+
+  varlib-storage = {
+    path = "/var/lib";
+    type = "ext4";
+    source = "/dev/disk/by-uuid/c9aacddc-00ab-4d36-8a04-1051586b071c";
+    options = [ "noatime" ];
+    extra = {
+      neededForBoot = true;
+    };
+  };
+}

config/web.nix

@@ -0,0 +1,9 @@
+# Declarative web store config.
+# Keep only root declarations here; parsing/loading happens in intermediate/web.nix.
+rec {
+  stores = {
+    home = {
+      root = ../data/web;
+    };
+  };
+}