feat: expose configurations, add retry, make stable

pi/configuration.nix

@@ -5,35 +5,30 @@
 
   networking.hostName = "noisebell";
 
-  # Enable the noisebell service
+  # Decrypted at runtime by agenix
+  age.secrets.endpoint-url.file = ./secrets/endpoint-url.age;
+  age.secrets.tailscale-auth-key.file = ./secrets/tailscale-auth-key.age;
+
   services.noisebell = {
     enable = true;
-    endpointUrl = "https://example.com/webhook"; # TODO: set your endpoint
+    port = 80;
+    endpointUrlFile = config.age.secrets.endpoint-url.path;
   };
 
-  # Basic system config
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
-  # Tailscale
-  services.tailscale.enable = true;
-
-  # Caddy reverse proxy — proxies to the noisebell status endpoint
-  services.caddy = {
+  services.tailscale = {
     enable = true;
-    virtualHosts.":80".extraConfig = ''
-      reverse_proxy localhost:${toString config.services.noisebell.port}
-    '';
+    authKeyFile = config.age.secrets.tailscale-auth-key.path;
   };
 
   services.openssh.enable = true;
 
-  # Only allow traffic from Tailscale interface
   networking.firewall = {
     trustedInterfaces = [ "tailscale0" ];
     allowedUDPPorts = [ config.services.tailscale.port ];
   };
 
   users.users.root.openssh.authorizedKeys.keys = [
-    # TODO: add your SSH public key
   ];
 }