From 5168f5fc3e51b9fedceaef2d0067361cb09fcceb Mon Sep 17 00:00:00 2001 From: blake Date: Sun, 12 Oct 2025 13:57:35 -0500 Subject: [PATCH] removed nginx and altered caddy (build script changes too) --- bin/backup_browse.sh.bak | 173 ------------------ bin/backup_browse_fzf.sh | 64 ------- bin/rebuild.sh | 47 +++-- bin/rebuild_legacy.sh | 26 +++ flake.nix | 2 +- hosts/snowbelle/configuration.nix | 1 - ...default_temp.nix => .default.nix.template} | 0 .../homelab/services/arr/bazarr/default.nix | 10 - .../services/arr/flaresolverr/default.nix | 10 - .../homelab/services/arr/prowlarr/default.nix | 10 - .../homelab/services/arr/radarr/default.nix | 10 - .../homelab/services/arr/sonarr/default.nix | 11 +- .../services/audiobookshelf/default.nix | 29 --- modules/homelab/services/caddy/default.nix | 2 +- modules/homelab/services/default.nix | 1 - modules/homelab/services/gitea/default.nix | 39 +--- modules/homelab/services/glance/default.nix | 19 -- .../services/home/homeassistant/default.nix | 37 ---- .../services/home/zigbee2mqtt/default.nix | 27 --- modules/homelab/services/immich/default.nix | 21 --- modules/homelab/services/jellyfin/default.nix | 19 -- .../homelab/services/qbittorrent/default.nix | 10 - .../homelab/services/uptime-kuma/default.nix | 32 +--- .../homelab/services/vaultwarden/default.nix | 20 -- 24 files changed, 63 insertions(+), 557 deletions(-) delete mode 100755 bin/backup_browse.sh.bak delete mode 100755 bin/backup_browse_fzf.sh create mode 100755 bin/rebuild_legacy.sh rename modules/homelab/services/{default_temp.nix => .default.nix.template} (100%) diff --git a/bin/backup_browse.sh.bak b/bin/backup_browse.sh.bak deleted file mode 100755 index 82b514d..0000000 --- a/bin/backup_browse.sh.bak +++ /dev/null 
@@ -1,173 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -# --- SUDO CHECK --- -if [ "$EUID" -ne 0 ]; then - echo "This script requires root privileges. Re-running with sudo..." - exec sudo "$0" "$@" -fi - -# --- HANDLE -k OPTION FOR KEY FILE --- -BORG_PASSPHRASE="" - -while getopts "k:" opt; do - case "$opt" in - k) - BORG_PASSPHRASE=$(<"$OPTARG") - if [ -z "$BORG_PASSPHRASE" ]; then - echo "Error: The key file is empty." - exit 1 - fi - echo "Using passphrase from key file: $OPTARG" - ;; - *) - echo "Usage: $0 [-k passphrase_file] " - exit 1 - ;; - esac -done -shift $((OPTIND - 1)) - -# --- FALLBACK TO /run/secrets/borg_passwd IF NO KEY FILE --- -if [ -z "$BORG_PASSPHRASE" ]; then - if [ -f "/run/secrets/borg_passwd" ]; then - BORG_PASSPHRASE=$(<"/run/secrets/borg_passwd") - echo "Using passphrase from /run/secrets/borg_passwd" - else - # Prompt user for passphrase if neither -k nor /run/secrets/borg_passwd is available - read -s -p "Enter Borg repository passphrase: " BORG_PASSPHRASE - echo - fi -fi - -export BORG_PASSPHRASE - -# --- DEFAULT REPO --- -REPO="${1:-/holocron/backups}" - -# --- CHECK REQUIRED COMMANDS --- -for cmd in borg fzf find tree cp mkdir; do - command -v "$cmd" >/dev/null || { echo "Error: '$cmd' is required but not installed."; exit 1; } -done - -# --- LIST ARCHIVES (sorted, newest last) --- -mapfile -t archives < <(borg list --format="{archive}{NL}" "$REPO" | sort) -if [ ${#archives[@]} -eq 0 ]; then - echo "No archives found in $REPO" - exit 1 -fi - -# --- FZF ARCHIVE SELECT --- -selected=$(printf '%s\n' "${archives[@]}" | fzf --prompt="Select archive: " --height=40% --border --reverse) -if [ -z "$selected" ]; then - echo "No archive selected." - exit 1 -fi -echo "Selected archive: $selected" - -# --- GENERATE A UNIQUE, SHORTER MOUNT POINT --- -MOUNT_POINT="/tmp/borg-mount-${selected}-$(uuidgen | sha256sum | head -c 6)" -mkdir -p "$MOUNT_POINT" - -# --- MOUNT ARCHIVE --- -echo "Mounting '$selected' to $MOUNT_POINT..." 
-borg mount "$REPO::$selected" "$MOUNT_POINT" - -if [ ! -d "$MOUNT_POINT" ]; then - echo "Error: mount failed." - exit 1 -fi - -# --- LIST FILES AND DIRECTORIES --- -echo "Scanning files and directories..." -if command -v fd >/dev/null 2>&1; then - # List files and directories using fd (can handle both files and dirs) - files=$(fd --type f --type d . "$MOUNT_POINT" | sort) -else - # Fall back to find if fd is not available - files=$(find "$MOUNT_POINT" -type f -o -type d | sort) -fi - -if [ -z "$files" ]; then - echo "No files or directories found in archive." - borg umount "$MOUNT_POINT" - rm -rf "$MOUNT_POINT" - exit 1 -fi - -# --- HIERARCHICAL FZF FILE/DIRECTORY SELECTION (REVERSED) --- -# We reverse the order of files to display the latest (newest) files/folders at the top. -selected_files=$(printf '%s\n' "$files" | sed "s|$MOUNT_POINT/||" | tac | fzf \ - --multi \ - --height=50% \ - --border \ - --prompt="Select files or directories to restore: " \ - --preview "tree -C -L 5 $MOUNT_POINT/$(dirname {})" \ - --preview-window=right:50% \ - --delimiter='/' \ - --with-nth=1..) - -if [ -z "$selected_files" ]; then - echo "No files or directories selected. Exiting." - borg umount "$MOUNT_POINT" - rm -rf "$MOUNT_POINT" - exit 0 -fi - -# --- SUMMARY OF SELECTED FILES/DIRECTORIES --- -echo "Selected files and directories:" -for file in $selected_files; do - echo " $file" -done - -# --- OPTIONS MENU (concise) --- -# Default to option 1 if no input is given -echo "Select restore destination: 1) Restore to ./${selected}_restore 2) Restore to original dirs 3) Quit" -read -p "Enter your choice (1/2/3) [default: 1]: " choice -# Default to option 1 if user presses Enter without providing input -choice="${choice:-1}" - -# --- SET RESTORE DESTINATION BASED ON USER CHOICE --- -case "$choice" in - 1) - DEST="./${selected}_restore" - ;; - 2) - DEST="$MOUNT_POINT" - ;; - 3) - echo "Quitting. No files restored." 
- borg umount "$MOUNT_POINT" - rm -rf "$MOUNT_POINT" - exit 0 - ;; - *) - echo "Invalid choice. Exiting." - borg umount "$MOUNT_POINT" - rm -rf "$MOUNT_POINT" - exit 1 - ;; -esac - -mkdir -p "$DEST" - -# --- RESTORE FILES AND DIRECTORIES --- -echo "Restoring selected files and directories..." -while IFS= read -r file; do - # Path is already stripped of /tmp, so no need for further modification - dest_path="$DEST/$file" - mkdir -p "$(dirname "$dest_path")" - # If it's a directory, we use cp -r to ensure the directory structure is restored - if [ -d "$MOUNT_POINT/$file" ]; then - cp -r "$MOUNT_POINT/$file" "$dest_path" - else - cp -a "$MOUNT_POINT/$file" "$dest_path" - fi - echo "Restored: $file" -done <<< "$selected_files" - -# --- CLEANUP --- -borg umount "$MOUNT_POINT" -rm -rf "$MOUNT_POINT" -echo "Restore complete." - diff --git a/bin/backup_browse_fzf.sh b/bin/backup_browse_fzf.sh deleted file mode 100755 index d3bb223..0000000 --- a/bin/backup_browse_fzf.sh +++ /dev/null 
@@ -1,64 +0,0 @@ -#!/usr/bin/env bash -# borg-browser.sh — fzf-based Borg archive browser with passphrase prompt - -[ "$EUID" -ne 0 ] && { echo "Please run as root."; exec sudo "$0" "$@"; } - -REPO="/holocron/backups" - -# Prompt once for Borg passphrase -read -rs -p "Borg passphrase: " BORG_PASSPHRASE -echo -export BORG_PASSPHRASE - -# Pick an archive -ARCHIVE=$(borg list --short "$REPO" | fzf --prompt="Select archive: ") || { - unset BORG_PASSPHRASE - exit -} -[ -z "$ARCHIVE" ] && { unset BORG_PASSPHRASE; exit; } - -# Function to browse directories hierarchically -browse_borg_dir() { - local prefix="$1" - - while true; do - # Get immediate children of the current path - ITEMS=$(borg list --format='{path}{NL}' "$REPO::$ARCHIVE" \ - | awk -v p="$prefix" -F/ ' - BEGIN{n=split(p,a,"/")} - index($0,p)==1 && NF>n { - if (NF==n+1) print $NF; - else print $(n+1)"/"; - }' \ - | sort -u) - - [ -z "$ITEMS" ] && { echo "No items found in $prefix"; return; } - - SELECTION=$(echo -e "../\n$ITEMS" | fzf --prompt="${prefix:-/}> ") - case "$SELECTION" in - "../") - prefix="${prefix%/*}" - prefix="${prefix%/}" - ;; - "") - return - ;; - */) - prefix="${prefix:+$prefix/}${SELECTION%/}" - ;; - *) - local fullpath="${prefix:+$prefix/}$SELECTION" - echo "Selected file: $fullpath" - read -rp "Extract it here? [y/N]: " yn - if [[ $yn =~ ^[Yy]$ ]]; then - borg extract "$REPO::$ARCHIVE" "$fullpath" - fi - return - ;; - esac - done -} - -browse_borg_dir "" -unset BORG_PASSPHRASE - diff --git a/bin/rebuild.sh b/bin/rebuild.sh index b481230..2caf0b6 100755 --- a/bin/rebuild.sh +++ b/bin/rebuild.sh 
@@ -1,26 +1,37 @@ #!/usr/bin/env bash -set -e -pushd ~/.nix -# nvim flake.nix -# alejandra . &>/dev/null -# git diff -U0 *.nix +set -euo pipefail +# your hostname (flake target) +hostname="$(hostname)" +old_gen=$(nixos-rebuild list-generations | grep current | awk '{print $1}') +gen=$((old_gen + 1)) +timestamp=$(date '+%Y-%m-%d %H:%M:%S') +nix_dir="$HOME/.nix" +logfile="$nix_dir/.nixos-switch-log" -# add generation comment to flake.nix -gen=$(nixos-rebuild list-generations | grep current) +pushd "$nix_dir" >/dev/null + +# function to get current nixos generation +get_current_generation() { + nixos-rebuild list-generations +} + +echo "diffs:" +git diff +git status --short +read -rp "commit message: " commit_msg +echo "rebuilding nixos with flake.nix..." +if ! sudo nixos-rebuild switch --flake .#"$hostname" 2>&1 | tee "$logfile"; then + echo "rebuild failed; exited with no commit" + exit 1 +fi if sed -n '3p' flake.nix | grep -q '^# generation:'; then # replace the comment on line 3 - sed -i "3s/^# generation:.*/# generation: $gen/" flake.nix + sed -i "3s|^# generation:.*|# generation: $gen, timestamp: $timestamp|" flake.nix else # insert comment on line 3 - sed -i "3i# generation: $gen" flake.nix + sed -i "3i# generation: $gen, timestamp: $timestamp" flake.nix fi +echo "committing..." +git commit -m "$commit_msg" +echo "flake rebuild and commit fin" -git diff -U0 $(find . -name '*.nix') - -echo "nixos rebuilding..." -#sudo nixos-rebuild switch --flake ~/.nix#snowbelle &>.nixos-switch-log || ( -# cat .nixos-switch-log | grep --color error && false) -sudo nixos-rebuild switch --flake ~/.nix#snowbelle 2>&1 | tee .nixos-switch-log | grep --color=always -E "error|$" && true - -git commit -am "$gen" -popd diff --git a/bin/rebuild_legacy.sh b/bin/rebuild_legacy.sh new file mode 100755 index 0000000..b481230 --- /dev/null +++ b/bin/rebuild_legacy.sh 
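Review bot: `git commit -m "$commit_msg"` near the end of the hunk replaces the old `git commit -am "$gen"`, but nothing stages the `sed -i` edit to flake.nix or the working-tree changes that `git diff` just displayed, so under `set -e` the script exits non-zero at the commit step after the switch has already succeeded; restore `-a` (`git commit -am "$commit_msg"`) or stage explicitly before committing. `get_current_generation()` is defined but never called, and `gen=$((old_gen + 1))` is computed before `nixos-rebuild switch` runs, so the number written into flake.nix is a prediction rather than the generation actually produced; reading it after the switch (that helper would do) keeps the two in step. `hostname="$(hostname)"` also shadows the command it calls, and a name such as `flake_host` avoids the confusion.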
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash +set -e +pushd ~/.nix +# nvim flake.nix +# alejandra . &>/dev/null +# git diff -U0 *.nix + +# add generation comment to flake.nix +gen=$(nixos-rebuild list-generations | grep current) +if sed -n '3p' flake.nix | grep -q '^# generation:'; then + # replace the comment on line 3 + sed -i "3s/^# generation:.*/# generation: $gen/" flake.nix +else + # insert comment on line 3 + sed -i "3i# generation: $gen" flake.nix +fi + +git diff -U0 $(find . -name '*.nix') + +echo "nixos rebuilding..." +#sudo nixos-rebuild switch --flake ~/.nix#snowbelle &>.nixos-switch-log || ( +# cat .nixos-switch-log | grep --color error && false) +sudo nixos-rebuild switch --flake ~/.nix#snowbelle 2>&1 | tee .nixos-switch-log | grep --color=always -E "error|$" && true + +git commit -am "$gen" +popd diff --git a/flake.nix b/flake.nix index bf2035a..fa185d0 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ # flake for blakes nixos config # define new devices in outputs -# generation: 355 current 2025-10-12 12:06:38 25.05.20251006.20c4598 6.12.50 * +# generation: 359, timestamp: 2025-10-12 13:43:47 { description = "blakes nix config"; inputs = { diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix index 43a4deb..6cd13bc 100644 --- a/hosts/snowbelle/configuration.nix +++ b/hosts/snowbelle/configuration.nix @@ -30,7 +30,6 @@ in zfs.enable = true; smb.enable = true; nfs.enable = true; - nginx-proxy.enable = false; }; services = { caddy.enable = true; diff --git a/modules/homelab/services/default_temp.nix b/modules/homelab/services/.default.nix.template similarity index 100% rename from modules/homelab/services/default_temp.nix rename to modules/homelab/services/.default.nix.template diff --git a/modules/homelab/services/arr/bazarr/default.nix b/modules/homelab/services/arr/bazarr/default.nix index 28dfb64..83a20d0 100644 --- a/modules/homelab/services/arr/bazarr/default.nix +++ b/modules/homelab/services/arr/bazarr/default.nix 
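Review bot: The new file carries the old script over unchanged, including `sudo nixos-rebuild switch ... | grep --color=always -E "error|$" && true`, whose trailing `&& true` (with no `pipefail`) hides a failed switch from `set -e`, so `git commit -am "$gen"` still runs after a broken rebuild. Since this is kept as a legacy copy, a header such as `# superseded by bin/rebuild.sh; kept for reference — does not stop on rebuild errors` would tell the next reader not to rely on it; if it is meant to stay runnable, drop `&& true` and add `set -o pipefail`. `git diff -U0 $(find . -name '*.nix')` is also unquoted and word-splits on paths containing spaces.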
@@ -71,16 +71,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' diff --git a/modules/homelab/services/arr/flaresolverr/default.nix b/modules/homelab/services/arr/flaresolverr/default.nix index ca0c505..99dc0c1 100644 --- a/modules/homelab/services/arr/flaresolverr/default.nix +++ b/modules/homelab/services/arr/flaresolverr/default.nix @@ -67,16 +67,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' diff --git a/modules/homelab/services/arr/prowlarr/default.nix b/modules/homelab/services/arr/prowlarr/default.nix index 17b2d3e..bbaa530 100644 --- a/modules/homelab/services/arr/prowlarr/default.nix +++ b/modules/homelab/services/arr/prowlarr/default.nix @@ -73,16 +73,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' 
diff --git a/modules/homelab/services/arr/radarr/default.nix b/modules/homelab/services/arr/radarr/default.nix index c103b12..79ce04a 100644 --- a/modules/homelab/services/arr/radarr/default.nix +++ b/modules/homelab/services/arr/radarr/default.nix @@ -76,16 +76,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' diff --git a/modules/homelab/services/arr/sonarr/default.nix b/modules/homelab/services/arr/sonarr/default.nix index 4894db8..32e6cad 100644 --- a/modules/homelab/services/arr/sonarr/default.nix +++ b/modules/homelab/services/arr/sonarr/default.nix @@ -74,16 +74,7 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - + # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} diff --git a/modules/homelab/services/audiobookshelf/default.nix b/modules/homelab/services/audiobookshelf/default.nix index c1ab148..0c01da1 100644 --- a/modules/homelab/services/audiobookshelf/default.nix +++ b/modules/homelab/services/audiobookshelf/default.nix 
@@ -75,35 +75,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_http_version 1.1; - client_max_body_size 10240M; - ''; - }; - }; - - # external reverse proxy entry - services.nginx.virtualHosts."$abs.blakedheld.xyz" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "abs.${homelab.public_domain}" ]; diff --git a/modules/homelab/services/caddy/default.nix b/modules/homelab/services/caddy/default.nix index 88c26ab..7a8f5dd 100644 --- a/modules/homelab/services/caddy/default.nix +++ b/modules/homelab/services/caddy/default.nix @@ -46,7 +46,7 @@ in dataDir = cfg.data_dir; email = "me@blakedheld.xyz"; globalConfig = '' - auto_https ignore_loaded_certs +# auto_https ignore_loaded_certs ''; }; diff --git a/modules/homelab/services/default.nix b/modules/homelab/services/default.nix index 98b0b66..2cfa9e6 100644 --- a/modules/homelab/services/default.nix +++ b/modules/homelab/services/default.nix @@ -17,7 +17,6 @@ ./audiobookshelf ./qbittorrent ./jellyfin - ./nginx-proxy ./caddy ./arr/flaresolverr ./home/mosquitto diff --git a/modules/homelab/services/gitea/default.nix b/modules/homelab/services/gitea/default.nix index cf2a2bc..6787278 100644 
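Review bot: In the caddy/default.nix hunk, `# auto_https ignore_loaded_certs` is commented out at column 0 inside the `''` string, which also changes Nix's common-indentation stripping for that string; deleting the line, or indenting the comment like the surrounding lines, keeps the rendered Caddyfile consistent. Disabling `ignore_loaded_certs` means any site that still loads a certificate with a `tls` directive (the sonarr hunk keeps `tls ${sec."ssl_blakedheld_crt".path} ...`) is excluded from Caddy's automatic certificate management, while sites that drop the directive (gitea in this commit) now depend on ACME issuance through the configured `email`. A comment stating that split, e.g. `# sites with a manual tls line are not auto-renewed; omit tls to use ACME`, would make the intent explicit for the next service module.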
--- a/modules/homelab/services/gitea/default.nix +++ b/modules/homelab/services/gitea/default.nix @@ -91,47 +91,11 @@ in # open firewall networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - extraConfig = '' - client_max_body_size 512M; - proxy_set_header Connection $http_connection; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - }; - # external reverse proxy entry - services.nginx.virtualHosts."git.blakedheld.xyz" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - extraConfig = '' - client_max_body_size 512M; - proxy_set_header Connection $http_connection; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - ''; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "git.${homelab.public_domain}" ]; extraConfig = '' - tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} +# tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} reverse_proxy http://127.0.0.1:${toString cfg.port} ''; }; @@ -144,6 +108,7 @@ in check-url = "http://${homelab.host_ip}:${toString cfg.port}"; icon = "di:${service}"; }]; + # manage secrets with sops sops.secrets = { "${service}_database_password" = { owner = "${service}"; 
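Review bot: In the first gitea hunk, `# tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}` is left as a column-0 comment inside the `''` extraConfig string, so the following `reverse_proxy` line keeps its full indentation in the rendered Caddyfile and the `${sec.…}` interpolations are still evaluated by Nix (the sops secrets must still exist for the module to build); removing the line is cleaner than commenting it. With the directive gone, Caddy applies automatic HTTPS to both `${cfg.url}` and the `git.${homelab.public_domain}` alias, so if `cfg.url` is an internal-only name the ACME challenge for it will presumably fail and Caddy will log errors on every retry — worth confirming, or giving the internal host its own virtualHost that keeps the manual `tls`. The enclosing module attribute set starts and ends outside the hunk.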
diff --git a/modules/homelab/services/glance/default.nix b/modules/homelab/services/glance/default.nix index 1127123..f2635a4 100644 --- a/modules/homelab/services/glance/default.nix +++ b/modules/homelab/services/glance/default.nix @@ -223,25 +223,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; -# # external reverse proxy entry -# services.nginx.virtualHosts."${service}.blakedheld.xyz" = { -# forceSSL = true; -# sslCertificate = sec."ssl_blakedheld_crt".path; -# sslCertificateKey = sec."ssl_blakedheld_key".path; -# locations."/" = { -# proxyPass = "http://127.0.0.1:${toString cfg.port}"; -# }; -# }; -# # sops.secrets = { # "${service}_" = { # owner = "${service}"; diff --git a/modules/homelab/services/home/homeassistant/default.nix b/modules/homelab/services/home/homeassistant/default.nix index 1195deb..77967a0 100644 --- a/modules/homelab/services/home/homeassistant/default.nix +++ b/modules/homelab/services/home/homeassistant/default.nix 
@@ -87,40 +87,6 @@ in # open firewall networking.firewall.allowedTCPPorts = [ cfg.port 8123 ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - extraConfig = '' - proxy_buffering off; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - extraConfig = - "proxy_set_header Upgrade $http_upgrade;" + - "proxy_set_header Connection upgrade;" - ; - }; - }; - # external reverse proxy entry - services.nginx.virtualHosts."${service}.blakedheld.xyz" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - extraConfig = '' - proxy_buffering off; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - extraConfig = - "proxy_set_header Upgrade $http_upgrade;" + - "proxy_set_header Connection upgrade;" - ; - }; - }; - - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "${service}.${homelab.public_domain}" ]; @@ -147,9 +113,6 @@ in - - - # here lies my tough, and I mean fucking tough, swing at # getting this to work bare metal, ggs ill see you again # - didnt take long diff --git a/modules/homelab/services/home/zigbee2mqtt/default.nix b/modules/homelab/services/home/zigbee2mqtt/default.nix index 8bb8be2..4316d64 100644 --- a/modules/homelab/services/home/zigbee2mqtt/default.nix +++ b/modules/homelab/services/home/zigbee2mqtt/default.nix 
@@ -94,33 +94,6 @@ in # # open firewall networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - extraConfig = '' - proxy_buffering off; - ''; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - ''; - }; - locations."/api" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}/api"; - extraConfig = '' - proxy_set_header Host $host; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection upgrade; - ''; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "z2m.${homelab.public_domain}" ]; diff --git a/modules/homelab/services/immich/default.nix b/modules/homelab/services/immich/default.nix index 47d9436..865228c 100644 --- a/modules/homelab/services/immich/default.nix +++ b/modules/homelab/services/immich/default.nix 
@@ -75,27 +75,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - proxyWebsockets = true; - }; - }; - # external reverse proxy entry - services.nginx.virtualHosts."photos.blakedheld.xyz" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - proxyWebsockets = true; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "photos.${homelab.public_domain}" ]; diff --git a/modules/homelab/services/jellyfin/default.nix b/modules/homelab/services/jellyfin/default.nix index 22e1ecd..79f968c 100644 --- a/modules/homelab/services/jellyfin/default.nix +++ b/modules/homelab/services/jellyfin/default.nix @@ -71,25 +71,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # external reverse proxy entry - services.nginx.virtualHosts."media.blakedheld.xyz" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "media.${homelab.public_domain}" ]; 
diff --git a/modules/homelab/services/qbittorrent/default.nix b/modules/homelab/services/qbittorrent/default.nix index 922828d..8920f50 100644 --- a/modules/homelab/services/qbittorrent/default.nix +++ b/modules/homelab/services/qbittorrent/default.nix @@ -109,16 +109,6 @@ in # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' diff --git a/modules/homelab/services/uptime-kuma/default.nix b/modules/homelab/services/uptime-kuma/default.nix index e1dfe5c..d6dfb5e 100644 --- a/modules/homelab/services/uptime-kuma/default.nix +++ b/modules/homelab/services/uptime-kuma/default.nix @@ -67,32 +67,11 @@ in # override umask to make permissions work out systemd.services.${service}.serviceConfig = { UMask = lib.mkForce "0007"; -# User = "${service}"; -# Group = "${service}"; }; # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; -# # external reverse proxy entry -# services.nginx.virtualHosts."up.blakedheld.xyz" = { -# forceSSL = true; -# sslCertificate = sec."ssl_blakedheld_crt".path; -# sslCertificateKey = sec."ssl_blakedheld_key".path; -# locations."/" = { -# proxyPass = "http://127.0.0.1:${toString cfg.port}"; -# }; -# }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { extraConfig = '' 
@@ -109,14 +88,9 @@ in check-url = "http://${homelab.host_ip}:${toString cfg.port}"; icon = "di:${service}"; }]; -# sops.secrets = { -# "${service}_" = { -# owner = "${service}"; -# group = "${service}"; -# }; -# }; - # add to backups - modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + modules.system.backups.baks = { + ${service} = { paths = [ cfg.data_dir ]; }; + }; }; } diff --git a/modules/homelab/services/vaultwarden/default.nix b/modules/homelab/services/vaultwarden/default.nix index 1524366..cfb366c 100644 --- a/modules/homelab/services/vaultwarden/default.nix +++ b/modules/homelab/services/vaultwarden/default.nix @@ -84,25 +84,6 @@ in # open firewall networking.firewall.allowedTCPPorts = [ cfg.port ]; - # internal reverse proxy entry - services.nginx.virtualHosts."${cfg.url}" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # external reverse proxy entry - services.nginx.virtualHosts."pass.blakedheld.xyz" = { - forceSSL = true; - sslCertificate = sec."ssl_blakedheld_crt".path; - sslCertificateKey = sec."ssl_blakedheld_key".path; - locations."/" = { - proxyPass = "http://127.0.0.1:${toString cfg.port}"; - }; - }; - # add to caddy for reverse proxy services.caddy.virtualHosts."${cfg.url}" = { serverAliases = [ "pass.${homelab.public_domain}" ]; @@ -111,7 +92,6 @@ in reverse_proxy http://127.0.0.1:${toString cfg.port} ''; }; -# tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path} # add to glance modules.services.glance.links.services = [{
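Review bot: The replacement `modules.system.backups.baks = { ${service} = { paths = [ cfg.data_dir ]; }; };` drops the `lib.mkIf cfg.backup` guard that the removed line had, so the data directory is now registered for backup even when the module's backup option is off — unless that option was removed elsewhere, this silently changes behavior. Keeping the guard, `modules.system.backups.baks = lib.mkIf cfg.backup { ${service} = { paths = [ cfg.data_dir ]; }; };`, preserves the opt-out. The enclosing module attribute set starts outside the hunk.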