Diffstat (limited to 'modules/nixos/server')
-rw-r--r--modules/nixos/server/default.nix5
-rw-r--r--modules/nixos/server/host-user.nix3
-rw-r--r--modules/nixos/server/mixins/cloudflared.nix7
-rw-r--r--modules/nixos/server/mixins/hercules.nix1
-rw-r--r--modules/nixos/server/mixins/promtail.nix1
5 files changed, 13 insertions, 4 deletions
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 567f46b..2ff257a 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -19,20 +19,25 @@ in
];
config = lib.mkIf cfg.enable {
+ # all servers are most likely on stable, so we may want to pull some newer packages from time to time
_module.args.unstable = inputs.nixpkgs.legacyPackages.${pkgs.stdenv.hostPlatform.system};
boot.tmp.cleanOnBoot = lib.mkDefault true;
+ # we don't need it here
documentation.enable = false;
environment.defaultPackages = lib.mkForce [ ];
nix = {
gc = {
+ # ~every 2 days
dates = "Mon,Wed,Fri *-*-* 00:00:00";
options = "-d --delete-older-than 2d";
};
+ # hardening access to `nix` on servers as no other users
+ # *should* ever really touch it
settings.allowed-users = [ config.networking.hostName ];
};
};
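Review bot: The comment on the new `settings.allowed-users` line should spell out what it actually switches off: it replaces NixOS's default `allowed-users = [ "*" ]`, so only the user named after the host plus whatever is in `trusted-users` (root by default) can connect to the Nix daemon, and every other account on the machine loses daemon access (effectively no nix-build/nix-shell). That is the intended hardening, but any service account that drives builds — the hercules-ci-agent enabled in the hercules mixin of this same commit, unless its NixOS module already adds it to `trusted-users` — should be confirmed against this list before the change lands. I'd rewrite the comment to `# only the host user and trusted-users (root) may reach the nix daemon; every other account gets no daemon access — service users that build must be added here or to trusted-users`. The enclosing `config = lib.mkIf cfg.enable` set and the `let` bindings it uses (`cfg`, `inputs`) start outside the hunk.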
diff --git a/modules/nixos/server/host-user.nix b/modules/nixos/server/host-user.nix
index 0764cb0..c60bfe3 100644
--- a/modules/nixos/server/host-user.nix
+++ b/modules/nixos/server/host-user.nix
@@ -10,8 +10,9 @@ let
in
{
options.server.hostUser = {
- enable = lib.mkEnableOption "${hostName} user configuration" // {
+ enable = lib.mkEnableOption "a default interactive user" // {
default = config.server.enable;
+ defaultText = lib.literalExpression "config.server.enable";
};
manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
diff --git a/modules/nixos/server/mixins/cloudflared.nix b/modules/nixos/server/mixins/cloudflared.nix
index 43da9de..9a56aaa 100644
--- a/modules/nixos/server/mixins/cloudflared.nix
+++ b/modules/nixos/server/mixins/cloudflared.nix
@@ -12,13 +12,13 @@ in
options.server.mixins.cloudflared = {
enable = lib.mkEnableOption "cloudflared mixin";
tunnelName = lib.mkOption {
+ description = ''
+ Name of the default tunnel being created
+ '';
type = lib.types.str;
default = "${config.networking.hostName}-nginx";
defaultText = lib.literalExpression "\${config.networking.hostName}-nginx";
example = "my-tunnel";
- description = ''
- Name of the default tunnel being created
- '';
};
manageSecrets = lib.mkEnableOption "automatic management of secrets" // {
@@ -35,6 +35,7 @@ in
tunnels.${cfg.tunnelName} = {
default = "http_status:404";
+ # map our virtualHosts from nginx to ingress rules
ingress = lib.mapAttrs (_: _: {
service = "http://localhost:${toString nginx.defaultHTTPListenPort}";
}) nginx.virtualHosts;
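Review bot: The new comment describes the mechanism but not its exposure consequence: `lib.mapAttrs` turns every entry of `nginx.virtualHosts` into a tunnel ingress rule, so a virtualHost that was added for local or LAN use only becomes reachable through the tunnel for any hostname Cloudflare routes to it, with nothing in this hunk to opt out. I'd make the comment state that and point at the filter, e.g. `# every nginx virtualHost becomes an ingress rule reachable through the tunnel; keep internal-only hosts out of nginx.virtualHosts (or lib.filterAttrs them here)`. The `default = "http_status:404"` catch-all only applies to hostnames no ingress rule matches, so it does not protect those hosts. The enclosing `tunnels.${cfg.tunnelName}` set and the `nginx` binding start outside the hunk.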
diff --git a/modules/nixos/server/mixins/hercules.nix b/modules/nixos/server/mixins/hercules.nix
index 7d0b1fb..a04f9b1 100644
--- a/modules/nixos/server/mixins/hercules.nix
+++ b/modules/nixos/server/mixins/hercules.nix
@@ -22,6 +22,7 @@ in
{
services.hercules-ci-agent = {
enable = true;
+ # we want newer features
package = unstable.hercules-ci-agent;
};
}
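Review bot: `# we want newer features` above `package = unstable.hercules-ci-agent;` does not say which feature forces the unstable package, so nobody can tell when the override can be dropped or whether a stable update already covers it. I'd name it: `# unstable: needs <FEATURE-OR-VERSION placeholder>; drop once the stable hercules-ci-agent ships it`. `unstable` itself appears to be the `_module.args.unstable` set in default.nix outside this hunk, which follows whatever `inputs.nixpkgs` is, so the comment is also the place to say if that input is not actually the unstable channel.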
diff --git a/modules/nixos/server/mixins/promtail.nix b/modules/nixos/server/mixins/promtail.nix
index 6b4cf32..173a85b 100644
--- a/modules/nixos/server/mixins/promtail.nix
+++ b/modules/nixos/server/mixins/promtail.nix
@@ -10,6 +10,7 @@ in
clients = lib.mkOption {
type = types.listOf types.attrs;
default = [ { } ];
+ defaultText = lib.literalExpression "[ { } ]";
description = "Clients for promtail";
};
};