set services to default retooling

custom.nix

@@ -1,8 +1,10 @@
-{ config, pkgs, lib, ... }:
 {
-  # Only enable what this machine needs
+  # ── Disable services you don't want ─────────────
-  sovran_systemsOS.services.wordpress.enable = true;
+  sovran_systemsOS.services.wordpress = false;
-  sovran_systemsOS.services.nextcloud.enable = true;
+  sovran_systemsOS.services.nextcloud = false;
-  sovran_systemsOS.services.synapse.enable = true;
+
-  # btcpayserver is NOT enabled — no domain file needed, no vhost created
+  # ── Enable features you do want ─────────────────
+  sovran_systemsOS.features.haven = true;
+  sovran_systemsOS.features.element-calling = true;
+  sovran_systemsOS.nostr_npub = "npub1abc123...";
 }

modules/bitcoinecosystem.nix

@@ -1,8 +1,6 @@
 { config, pkgs, lib, ... }:
 
-lib.mkIf config.sovran_systemsOS.features.bitcoin {
+lib.mkIf config.sovran_systemsOS.services.bitcoin {
-	
-	## Bitcoind
 
   services.bitcoind = {
     enable = true;
@@ -22,18 +20,12 @@ lib.mkIf config.sovran_systemsOS.features.bitcoin {
   nix-bitcoin.onionServices.electrs.enable = true;
   nix-bitcoin.onionServices.rtl.enable = true;
 
-
-	## Electrs
-	
   services.electrs = {
     enable = true;
     tor.enforce = true;
     dataDir = "/run/media/Second_Drive/BTCEcoandBackup/Electrs_Data";
   };
 
-
-  ## LND
-	
   services.lnd = {
     enable = true;
     tor.enforce = true;
@@ -45,17 +37,11 @@ lib.mkIf config.sovran_systemsOS.features.bitcoin {
 
   nix-bitcoin.onionServices.lnd.public = true;
 
-
-  ## LNDconnect
-
   services.lnd.lndconnect = {
     enable = true;
     onion = true;
   };
 
-		
-	## RTL
-	
   services.rtl = {
     enable = true;
     tor.enforce = true;
@@ -65,24 +51,16 @@ lib.mkIf config.sovran_systemsOS.features.bitcoin {
       lnd = {
         enable = true;
       };
-		
     };
   };
 
-
-	## BTCpayserver
-	
   services.btcpayserver = {
     enable = true;
   };
 
   services.btcpayserver.lightningBackend = "lnd";
 
-	
-	## System
-
   nix-bitcoin.generateSecrets = true;
-
   nix-bitcoin.nodeinfo.enable = true;
 
   nix-bitcoin.operator = {
@@ -91,5 +69,4 @@ lib.mkIf config.sovran_systemsOS.features.bitcoin {
   };
 
   nix-bitcoin.useVersionLockedPkgs = false;
-	
 }

modules/core/role-logic.nix

@@ -3,20 +3,11 @@
 {
   config = lib.mkMerge [
 
-    # Server-Desktop Role most services enabled
+    # Server-Desktop Role — services already default to on,
+    # so we only need to set features here
     (lib.mkIf config.sovran_systemsOS.roles.server-desktop {
-      sovran_systemsOS.features = {
+      # All services are default=true, nothing to set
-        synapse = true;
+      # All features are default=false, nothing to set
-        bitcoin = true;
-        coturn = true;
-        vaultwarden = true;
-        haven = false;
-        mempool = false;
-        bip110 = false;
-        element-calling = false;
-        bitcoin-core = false;
-        rdp = false;
-      };
     })
 
     # Desktop role
@@ -25,11 +16,14 @@
       services.desktopManager.gnome.enable = true;
     })
 
-    # Bitcoin node role
+    # Bitcoin node role — only bitcoin, disable other services
     (lib.mkIf config.sovran_systemsOS.roles.node {
-      sovran_systemsOS.features = {
+      sovran_systemsOS.services = {
         bitcoin = true;
-        bip110 = false;
+        synapse = false;
+        vaultwarden = false;
+        wordpress = false;
+        nextcloud = false;
       };
     })
 

modules/core/roles.nix

@@ -11,11 +11,37 @@
       node = lib.mkEnableOption "Bitcoin Node Only Role";
     };
 
+    # ── Services (default ON — user can disable in custom.nix) ──
+    services = {
+      synapse = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Matrix Synapse homeserver";
+      };
+      bitcoin = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Bitcoin Ecosystem (bitcoind, electrs, lnd, rtl, btcpay)";
+      };
+      vaultwarden = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Vaultwarden password manager";
+      };
+      wordpress = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "WordPress (raw PHP served by Caddy)";
+      };
+      nextcloud = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Nextcloud (raw PHP served by Caddy)";
+      };
+    };
+
+    # ── Features (default OFF — user can enable in custom.nix) ──
     features = {
-      coturn = lib.mkEnableOption "TURN server";
-      synapse = lib.mkEnableOption "Matrix Synapse";
-      bitcoin = lib.mkEnableOption "Bitcoin Ecosystem";
-      vaultwarden = lib.mkEnableOption "Vaultwarden";
       haven = lib.mkEnableOption "Haven NOSTR relay";
       bip110 = lib.mkEnableOption "BIP-110 Bitcoin Better Money";
       mempool = lib.mkEnableOption "Bitcoin Mempool Explorer";
@@ -29,5 +55,10 @@
       default = "";
       description = "Nostr public key (npub1...) for Haven relay";
     };
+
+    packages.bip110 = lib.mkOption {
+      type = lib.types.package;
+      description = "BIP-110 bitcoind-knots package";
+    };
   };
 }

modules/modules.nix

@@ -1,46 +1,30 @@
 { config, pkgs, lib, ... }:
 
 {
-<<<<<<< HEAD
   imports = [
+    # ── Core (always loaded) ──────────────────────────────────
     ./core/roles.nix
     ./core/role-logic.nix
     ./core/caddy.nix
     ./core/sovran-manage.nix
+
+    # ── Always on (no flag) ───────────────────────────────────
     ./php.nix
     ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
+
+    # ── Services (default ON — disable in custom.nix) ─────────
     ./synapse.nix
-    ./coturn.nix
     ./wordpress.nix
     ./nextcloud.nix
-    ./btcpayserver.nix
-=======
- 
-  imports = [
-    
-    ./core/roles.nix
-    ./core/role-logic.nix
-    ./php.nix
-    ./Sovran_SystemsOS_File_Fixes_And_New_Services.nix
-
-    # Always imported feature modules
-    ./synapse.nix
-    ./coturn.nix
-    ./bitcoinecosystem.nix
->>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
     ./vaultwarden.nix
+    ./bitcoinecosystem.nix
+
+    # ── Features (default OFF — enable in custom.nix) ─────────
     ./haven.nix
     ./bip110.nix
     ./element-calling.nix
     ./mempool.nix
     ./bitcoin-core.nix
     ./rdp.nix
-<<<<<<< HEAD
-    ./bitcoinecosystem.nix
   ];
-=======
-
-  ];
-
->>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }

modules/nextcloud.nix

@@ -1,16 +1,6 @@
 { config, pkgs, lib, ... }:
 
-let
+lib.mkIf config.sovran_systemsOS.services.nextcloud {
-  cfg = config.sovran_systemsOS.services.nextcloud;
-in
-{
-  options.sovran_systemsOS.services.nextcloud = {
-    enable = lib.mkEnableOption "Nextcloud (raw PHP served by Caddy)";
-  };
-
-  config = lib.mkIf cfg.enable {
-
-    # ── Caddy vhost is now handled centrally in caddy.nix ─────
 
   # ── PostgreSQL database ───────────────────────────────────
   services.postgresql = {
@@ -34,7 +24,6 @@ in
 
       SECRET_FILE="/var/lib/secrets/nextclouddb"
 
-        # Existing machines already have this file — leave it alone
       if [ ! -f "$SECRET_FILE" ]; then
         mkdir -p /var/lib/secrets
         pwgen -s 64 1 > "$SECRET_FILE"
@@ -43,7 +32,6 @@ in
 
       DB_PASS=$(cat "$SECRET_FILE")
 
-        # Create role if it doesn't exist, update password either way
       psql -U postgres <<SQL
         DO \$\$
         BEGIN
@@ -56,7 +44,6 @@ in
         \$\$;
       SQL
 
-        # Create database if it doesn't exist
       if ! psql -U postgres -lqt | cut -d \| -f 1 | grep -qw "nextclouddb"; then
         psql -U postgres -c "CREATE DATABASE nextclouddb WITH OWNER ncusr TEMPLATE template0 LC_COLLATE = 'C' LC_CTYPE = 'C';"
       fi
@@ -99,7 +86,6 @@ in
       echo "  Nextcloud Automated Installation"
       echo "══════════════════════════════════════════════"
 
-        # ── Download ────────────────────────────────────
       if [ ! -f "$INSTALL_DIR/occ" ]; then
           echo "Downloading Nextcloud..."
           TEMP_DIR=$(mktemp -d)
@@ -111,10 +97,8 @@ in
           echo "Download complete."
       fi
 
-        # ── Create data directory ───────────────────────
       mkdir -p "$DATA_DIR"
 
-        # ── Set permissions ─────────────────────────────
       chown -R caddy:root "$INSTALL_DIR"
       chown -R caddy:root "$DATA_DIR"
       find "$INSTALL_DIR" -type d -exec chmod 750 {} \;
@@ -123,7 +107,6 @@ in
       chmod -R 770 "$INSTALL_DIR/config"
       chmod -R 770 "$DATA_DIR"
 
-        # ── Wait for database ───────────────────────────
       echo "Waiting for PostgreSQL..."
       for i in $(seq 1 30); do
           if su -s /bin/sh caddy -c "php -r \"new PDO('pgsql:host=$DB_HOST;dbname=$DB_NAME', '$DB_USER', '$DB_PASS');\"" 2>/dev/null; then
@@ -133,7 +116,6 @@ in
           sleep 2
       done
 
-        # ── Run Nextcloud install via occ ───────────────
       echo "Running Nextcloud installation..."
       su -s /bin/sh caddy -c "
         php $INSTALL_DIR/occ maintenance:install \
@@ -147,24 +129,18 @@ in
           --data-dir '$DATA_DIR'
       "
 
-        # ── Configure trusted domains ───────────────────
-        echo "Configuring trusted domains..."
       su -s /bin/sh caddy -c "
         php $INSTALL_DIR/occ config:system:set trusted_domains 0 --value='$DOMAIN'
         php $INSTALL_DIR/occ config:system:set overwrite.cli.url --value='https://$DOMAIN'
         php $INSTALL_DIR/occ config:system:set overwriteprotocol --value='https'
       "
 
-        # ── Set recommended settings ─<EFBFBD><EFBFBD>──────────────────
-        echo "Applying recommended settings..."
       su -s /bin/sh caddy -c "
         php $INSTALL_DIR/occ config:system:set default_phone_region --value='US'
         php $INSTALL_DIR/occ config:system:set memcache.local --value='\OC\Memcache\APCu'
         php $INSTALL_DIR/occ background:cron
       "
 
-        # ── Install default apps ────────────────────────
-        echo "Installing default apps..."
       su -s /bin/sh caddy -c "
         php $INSTALL_DIR/occ app:install calendar || true
         php $INSTALL_DIR/occ app:install contacts || true
@@ -178,7 +154,6 @@ in
         php $INSTALL_DIR/occ app:enable deck || true
       "
 
-        # ── Save admin credentials ──────────────────────
       CREDS_FILE="/var/lib/secrets/nextcloud-admin"
       cat > "$CREDS_FILE" << CREDS
 Nextcloud Admin Credentials
@@ -192,33 +167,20 @@ CREDS
       echo ""
       echo "══════════════════════════════════════════════"
       echo "  Nextcloud installation complete!"
-        echo ""
-        echo "  URL:      https://$DOMAIN/"
-        echo "  Username: $ADMIN_USER"
-        echo "  Password: $ADMIN_PASS"
-        echo ""
-        echo "  Installed apps: Calendar, Contacts, Tasks,"
-        echo "                  Notes, Deck"
-        echo ""
       echo "  Credentials saved to: $CREDS_FILE"
       echo "══════════════════════════════════════════════"
     '';
   };
 
-    # ── Cron ──────────────────────────────────────────────────
   services.cron.systemCronJobs = [
     "*/5 * * * * caddy /run/current-system/sw/bin/php -f /var/lib/www/nextcloud/cron.php"
   ];
 
-    # ── Ensure directories ────────────────────────────────────
   systemd.tmpfiles.rules = [
     "d /var/lib/www 0755 caddy root -"
     "d /var/lib/www/nextcloud 0750 caddy root -"
     "d /var/lib/www/nextcloud-data 0770 caddy root -"
   ];
 
-    environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ unzip ];
-      unzip
-    ];
-  };
 }

modules/personalization.nix

@@ -1,24 +0,0 @@
-{
-
-matrix_url = builtins.readFile /var/lib/domains/matrix;
-wordpress_url = builtins.readFile /var/lib/domains/wordpress;
-nextcloud_url = builtins.readFile /var/lib/domains/nextcloud;
-btcpayserver_url = builtins.readFile /var/lib/domains/btcpayserver;
-caddy_email_for_acme = builtins.readFile /var/lib/domains/sslemail;
-vaultwarden_url = builtins.readFile /var/lib/domains/vaultwarden;
-haven_url = builtins.readFile /var/lib/domains/haven;
-element-calling_url = builtins.readFile /var/lib/domains/element-calling;
-
-##
-
-external_ip_secret = builtins.readFile /var/lib/secrets/external_ip;
-coturn_static_auth_secret = builtins.readFile /var/lib/secrets/turn;
-
-##
-
-matrixdb = builtins.readFile /var/lib/secrets/matrixdb;
-nextclouddb = builtins.readFile /var/lib/secrets/nextclouddb;
-wordpressdb = builtins.readFile /var/lib/secrets/wordpressdb;
-
-
-}

modules/synapse.nix

@@ -1,7 +1,7 @@
 { config, pkgs, lib, ... }:
 
-<<<<<<< HEAD
+lib.mkIf config.sovran_systemsOS.services.synapse {
-{
+
   # ── PostgreSQL database for Matrix ──────────────────────────
   services.postgresql = {
     enable = true;
@@ -27,6 +27,8 @@
     };
     path = [ config.services.postgresql.package pkgs.pwgen pkgs.coreutils ];
     script = ''
+      set -euo pipefail
+
       SECRET_DIR="/var/lib/secrets"
       SECRET_FILE="$SECRET_DIR/matrix_db_secret"
 
@@ -48,7 +50,7 @@
     '';
   };
 
-  # ── Generate Synapse runtime config from /var/lib/domains ───
+  # ── Generate Synapse runtime config from domain files ───────
   systemd.services.matrix-synapse-runtime-config = {
     description = "Generate Matrix Synapse runtime config from domain files";
     before = [ "matrix-synapse.service" ];
@@ -61,13 +63,27 @@
     };
     path = [ pkgs.coreutils ];
     script = ''
+      set -euo pipefail
+
       MATRIX=$(cat /var/lib/domains/matrix)
       RUNTIME_DIR="/run/matrix-synapse"
       mkdir -p "$RUNTIME_DIR"
 
+      # Include TURN config if coturn secret exists (deployed machines)
+      if [ -f /var/lib/secrets/coturn_static_auth_secret ]; then
+        COTURN_SECRET=$(cat /var/lib/secrets/coturn_static_auth_secret)
         cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF
-      server_name: "$MATRIX"
+server_name: "$MATRIX"
-      EOF
+turn_shared_secret: "$COTURN_SECRET"
+turn_uris:
+  - "turn:$MATRIX:5349?transport=udp"
+  - "turn:$MATRIX:5349?transport=tcp"
+EOF
+      else
+        cat > "$RUNTIME_DIR/runtime-config.yaml" <<EOF
+server_name: "$MATRIX"
+EOF
+      fi
 
       chown matrix-synapse:matrix-synapse "$RUNTIME_DIR/runtime-config.yaml"
       chmod 640 "$RUNTIME_DIR/runtime-config.yaml"
@@ -75,17 +91,16 @@
   };
 
   # ── Synapse service ─────────────────────────────────────────
-  lib.mkIf config.sovran_systemsOS.features.synapse {
   services.matrix-synapse = {
     enable = true;
     extraConfigFiles = [ "/run/matrix-synapse/runtime-config.yaml" ];
     settings = {
+      # server_name, turn_shared_secret, turn_uris injected at runtime
       push.include_content = false;
       group_unread_count_by_room = false;
       encryption_enabled_by_default_for_room_type = "invite";
       allow_profile_lookup_over_federation = false;
       allow_device_name_lookup_over_federation = false;
-        # server_name is injected at runtime via extraConfigFiles
       url_preview_enabled = true;
       max_upload_size = "1024M";
       url_preview_ip_range_blacklist = [
@@ -120,90 +135,11 @@
           tls = false;
           x_forwarded = true;
           resources = [
-              {
+            { names = [ "client" ]; compress = true; }
-                names = [ "client" ];
+            { names = [ "federation" ]; compress = false; }
-                compress = true;
-              }
-              {
-                names = [ "federation" ];
-                compress = false;
-              }
           ];
         }
       ];
     };
   };
-  }
-=======
-
-####### CREATE NEW USER (ADMIN OR NOT) VIA TERMINAL #######
-
-#  (Run as root in terminal) matrix-synapse-register_new_matrix_user #
-
-####### #######
-
-let
-	personalization = import ./personalization.nix;
-in
-lib.mkIf config.sovran_systemsOS.features.synapse {
-	services.matrix-synapse = {
-		enable = true;
-		settings = {
-			push.include_content = false;
-			group_unread_count_by_room = false;
-			encryption_enabled_by_default_for_room_type = "invite";
-			allow_profile_lookup_over_federation = false;
-			allow_device_name_lookup_over_federation = false;
-			server_name = personalization.matrix_url;
-		 	url_preview_enabled = true;
-		 	max_upload_size = "1024M";
-		 	url_preview_ip_range_blacklist = [
-				"10.0.0.0/8"
-				"100.64.0.0/10"
-				"169.254.0.0/16"
-				"172.16.0.0/12"
-				"192.0.0.0/24"
-				"192.0.2.0/24"
-				"192.168.0.0/16"
-				"192.88.99.0/24"
-				"198.18.0.0/15"
-				"198.51.100.0/24"
-				"2001:db8::/32"
-				"203.0.113.0/24"
-				"224.0.0.0/4"
-				"::1/128"
-				"fc00::/7"
-				"fe80::/10"
-				"fec0::/10"
-				"ff00::/8"
-				];
-		 	url_preview_ip_ranger_whitelist = [ "127.0.0.1" ];
-		 	turn_shared_secret = "${personalization.coturn_static_auth_secret}";
-    			turn_uris = [
-      				"turn:${personalization.matrix_url}:5349?transport=udp"
-      				"turn:${personalization.matrix_url}:5349?transport=tcp"
-			];
-			presence.enabled = true;
-			enable_registration = false;
-			registration_shared_secret = config.age.secrets.matrix_reg_secret.path;
-			listeners = [
-				{
-					port = 8008;
-					bind_addresses = [ "::1" ];
-					type = "http";
-					tls = false;
-					x_forwarded = true;
-					resources = [ {
-						names = [ "client" ];
-						compress = true;
-					} 
-					{
-						names = [ "federation" ];
-						compress = false;
-					} ];
-				}
-			];
-		};
- 	};
->>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }

modules/vaultwarden.nix

@@ -1,11 +1,7 @@
 { config, pkgs, lib, ... }:
 
-<<<<<<< HEAD
+lib.mkIf config.sovran_systemsOS.services.vaultwarden {
-lib.mkIf config.sovran_systemsOS.features.vaultwarden {
 
-  # ── Caddy vhost is now handled centrally in caddy.nix ─────
-
-  # ── Generate Vaultwarden runtime config from domain files ──
   systemd.services.vaultwarden-runtime-config = {
     description = "Generate Vaultwarden runtime config from domain files";
     before = [ "vaultwarden.service" ];
@@ -22,8 +18,8 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
       mkdir -p /run/vaultwarden
 
       cat > /run/vaultwarden/runtime.env <<EOF
-      DOMAIN=https://$VAULTWARDEN
+DOMAIN=https://$VAULTWARDEN
-      EOF
+EOF
 
       chmod 640 /run/vaultwarden/runtime.env
     '';
@@ -32,7 +28,6 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
   services.vaultwarden = {
     enable = true;
     config = {
-      # DOMAIN injected at runtime via EnvironmentFile
       SIGNUPS_ALLOWED = false;
       ROCKET_ADDRESS = "127.0.0.1";
       ROCKET_PORT = 8777;
@@ -45,25 +40,4 @@ lib.mkIf config.sovran_systemsOS.features.vaultwarden {
   systemd.services.vaultwarden.serviceConfig.EnvironmentFile = lib.mkAfter [
     "/run/vaultwarden/runtime.env"
   ];
-=======
-let
-	personalization = import ./personalization.nix;
-in
-
-lib.mkIf config.sovran_systemsOS.features.vaultwarden {
-
-	services.vaultwarden = {
-		enable = true;
-		    config = {
-
-        		DOMAIN = "https://${personalization.vaultwarden_url}";
-        		SIGNUPS_ALLOWED = false;
-        		ROCKET_ADDRESS = "127.0.0.1";
-        		ROCKET_PORT = 8777;
-        		ROCKET_LOG = "critical";
-        	};
-		dbBackend = "sqlite";
-		environmentFile = "/var/lib/secrets/vaultwarden/vaultwarden.env";
-	};
->>>>>>> 5bee5ad99bb7890df011d88e9928b6944c3565f8
 }

modules/wordpress.nix

@@ -1,16 +1,6 @@
 { config, pkgs, lib, ... }:
 
-let
+lib.mkIf config.sovran_systemsOS.services.wordpress {
-  cfg = config.sovran_systemsOS.services.wordpress;
-in
-{
-  options.sovran_systemsOS.services.wordpress = {
-    enable = lib.mkEnableOption "WordPress (raw PHP served by Caddy)";
-  };
-
-  config = lib.mkIf cfg.enable {
-
-    # ── Caddy vhost is now handled centrally in caddy.nix ─────
 
   # ── MariaDB database ──────────────────────────────────────
   services.mysql = {
@@ -18,7 +8,7 @@ in
     package = pkgs.mariadb;
   };
 
-    # ── Auto-generate DB password and initialize ──────────────
+  # ── Auto-generate DB password and initialize ────────<EFBFBD><EFBFBD><EFBFBD>─────
   systemd.services.wordpress-db-init = {
     description = "Initialize WordPress MariaDB database with auto-generated password";
     after = [ "mysql.service" ];
@@ -35,7 +25,6 @@ in
 
       SECRET_FILE="/var/lib/secrets/wordpressdb"
 
-        # Existing machines already have this file — leave it alone
       if [ ! -f "$SECRET_FILE" ]; then
         mkdir -p /var/lib/secrets
         pwgen -s 64 1 > "$SECRET_FILE"
@@ -90,7 +79,6 @@ in
       echo "  WordPress Automated Installation"
       echo "══════════════════════════════════════════════"
 
-        # ── Download ────────────────────────────────────
       if [ ! -f "$INSTALL_DIR/wp-includes/version.php" ]; then
           echo "Downloading WordPress..."
           TEMP_DIR=$(mktemp -d)
@@ -102,13 +90,11 @@ in
           echo "Download complete."
       fi
 
-        # ── Set permissions ─────────────────────────────
       chown -R caddy:root "$INSTALL_DIR"
       find "$INSTALL_DIR" -type d -exec chmod 755 {} \;
       find "$INSTALL_DIR" -type f -exec chmod 644 {} \;
       chmod -R 775 "$INSTALL_DIR/wp-content"
 
-        # ── Generate wp-config.php ──────────────────────
       echo "Generating wp-config.php..."
       cd "$INSTALL_DIR"
       su -s /bin/sh caddy -c "
@@ -120,7 +106,6 @@ in
           --skip-check
       "
 
-        # ── Wait for database to be ready ───────────────
       echo "Waiting for database..."
       for i in $(seq 1 30); do
           if su -s /bin/sh caddy -c "wp db check" 2>/dev/null; then
@@ -129,7 +114,6 @@ in
           sleep 2
       done
 
-        # ── Run WordPress install ───────────────────────
       echo "Running WordPress core install..."
       su -s /bin/sh caddy -c "
         wp core install \
@@ -141,8 +125,6 @@ in
           --skip-email
       "
 
-        # ── Configure WordPress settings ────────────────
-        echo "Configuring WordPress..."
       su -s /bin/sh caddy -c "
         wp option update blogdescription 'Powered by Sovran_SystemsOS'
         wp option update permalink_structure '/%postname%/'
@@ -151,15 +133,12 @@ in
         wp rewrite flush
       "
 
-        # ── Security hardening ──────────────────────────
-        echo "Applying security settings..."
       su -s /bin/sh caddy -c "
         wp config set DISALLOW_FILE_EDIT true --raw
         wp config set WP_AUTO_UPDATE_CORE true --raw
         wp config set FORCE_SSL_ADMIN true --raw
       "
 
-        # ── Save admin credentials ──────────────────────
       CREDS_FILE="/var/lib/secrets/wordpress-admin"
       cat > "$CREDS_FILE" << CREDS
 WordPress Admin Credentials
@@ -174,25 +153,15 @@ CREDS
       echo ""
       echo "══════════════════════════════════════════════"
       echo "  WordPress installation complete!"
-        echo ""
-        echo "  URL:      https://$DOMAIN/wp-admin/"
-        echo "  Username: $ADMIN_USER"
-        echo "  Password: $ADMIN_PASS"
-        echo ""
       echo "  Credentials saved to: $CREDS_FILE"
       echo "══════════════════════════════════════════════"
     '';
   };
 
-    # ── Ensure directories ────────────────────────────────────
   systemd.tmpfiles.rules = [
     "d /var/lib/www 0755 caddy root -"
     "d /var/lib/www/wordpress 0755 caddy root -"
   ];
 
-    environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ wp-cli unzip ];
-      wp-cli
-      unzip
-    ];
-  };
 }