diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix index 4fdb82a..0db6658 100644 --- a/hosts/kroma/default.nix +++ b/hosts/kroma/default.nix @@ -82,14 +82,20 @@ port = 51820; name = "netbird-home"; interface = "wt-home"; + autoStart = false; openFirewall = true; config.ServerSSHAllowed = false; environment = rec { NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}"; NB_ADMIN_URL = NB_MANAGEMENT_URL; - NB_HOSTNAME = "home-gateway"; }; }; + environment.persistence."/persist".directories = [ + { + directory = "/var/lib/netbird-home"; + mode = "0700"; + } + ]; topology.self.icon = "devices.desktop"; } diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 9158772..ab86487 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -19,9 +19,9 @@ boot.mode = "bios"; - users.groups.acme.members = ["nginx"]; wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443]; + users.groups.acme.members = ["nginx"]; services.nginx.enable = true; services.nginx.recommendedSetup = true; diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index bef0d3a..ca5bcb6 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -9,6 +9,7 @@ in { wireguard.proxy-sentinel = { client.via = "sentinel"; firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port]; + firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.grafana.settings.server.http_port]; }; age.secrets.grafana-secret-key = { 
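Review bot: In the kroma hunk, `autoStart = false;` is added while `openFirewall = true;` a few lines below stays in effect, so the `port = 51820;` UDP port is opened even when the netbird-home client is not running; tying `openFirewall` to the same condition, or recording why the port must stay open regardless, keeps the exposed surface matched to what is actually listening. The reason for disabling autostart is not recorded either; a one-line comment above it such as `# started on demand: <reason>` (filled in with the actual reason) would save the next reader a guess. The new persistence entry sets `mode = "0700"` without an owner, so it presumably falls back to the module default of root — fine if the client runs as root, but worth confirming against the netbird client module. The enclosing attribute set starts before the hunk.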
@@ -78,6 +79,30 @@ in { }; }; + nodes.ward-web-proxy = { + services.nginx = { + upstreams.grafana = { + servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {}; + extraConfig = '' + zone grafana 64k; + keepalive 2; + ''; + }; + virtualHosts.${grafanaDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/" = { + proxyPass = "http://grafana"; + proxyWebsockets = true; + }; + extraConfig = '' + allow 192.168.1.0/24; + deny all; + ''; + }; + }; + }; + environment.persistence."/persist".directories = [ { directory = config.services.grafana.dataDir; diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 9501433..4dbc650 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -111,5 +111,6 @@ // mkMicrovm "netbird" // mkMicrovm "radicale" // mkMicrovm "vaultwarden" + // mkMicrovm "web-proxy" ); } diff --git a/hosts/ward/guests/netbird.nix b/hosts/ward/guests/netbird.nix index 391da9e..1a0eee3 100644 --- a/hosts/ward/guests/netbird.nix +++ b/hosts/ward/guests/netbird.nix @@ -47,8 +47,9 @@ in { dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird"; management = { + singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}"; dnsDomain = "internal.${config.repo.secrets.global.domains.me}"; - singleAccountModeDomain = "home.lan"; + disableAnonymousMetrics = true; oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration"; turnDomain = sentinelCfg.networking.providedDomains.coturn; turnPort = sentinelCfg.services.coturn.tls-listening-port; diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix new file mode 100644 index 0000000..1918410 --- /dev/null +++ b/hosts/ward/guests/web-proxy.nix 
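Review bot: In the grafana hunk, the `allow 192.168.1.0/24; deny all;` in the new `nodes.ward-web-proxy` virtual host restricts only by the source address nginx sees; if requests reach web-proxy through a port-forward from ward (as the commented-out block in web-proxy.nix hints) the LAN source address survives, but any hop that proxies rather than forwards would make every client appear as that hop and the rule would then admit or block everyone at once. A comment stating the assumption, e.g. `# LAN-only: relies on the client address not being rewritten before it reaches this host`, would make that dependency visible. The `allow`/`deny` directives are placed in the server block and are inherited by `locations."/"` since that location defines no access directives of its own, which is presumably the intent. The subnet literal is going to be repeated in every guest that gets a ward-web-proxy vhost; lifting it into a shared binding next to `grafanaDomain` (for example `lanSubnet = "192.168.1.0/24";`) keeps the allow lists consistent. The enclosing `in {` attribute set starts before the hunk.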
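Review bot: In the netbird hunk, `singleAccountModeDomain` and `dnsDomain` now carry the identical expression `"internal.${config.repo.secrets.global.domains.me}"`; binding it once in the file's `let` block (for example `internalDomain = "internal.${config.repo.secrets.global.domains.me}";`) and using it for both prevents the two from drifting apart later. Because the value changes from `home.lan`, it is worth confirming on the deployed management store that users and peers created under the old single-account domain remain attached to the same account after the change — the hunk does not show whether accounts already exist, so I cannot tell from here. The `management` attribute set continues beyond the hunk.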
@@ -0,0 +1,37 @@ +{config, ...}: let + inherit (config.repo.secrets.local) acme; +in { + age.secrets.acme-cloudflare-dns-token = { + rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age"; + mode = "440"; + group = "acme"; + }; + + age.secrets.acme-cloudflare-zone-token = { + rekeyFile = config.node.secretsDir + "/acme-cloudflare-zone-token.age"; + mode = "440"; + group = "acme"; + }; + + security.acme = { + acceptTerms = true; + defaults = { + credentialFiles = { + CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path; + CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path; + }; + dnsProvider = "cloudflare"; + dnsPropagationCheck = true; + reloadServices = ["nginx"]; + }; + inherit (acme) certs wildcardDomains; + }; + + #nodes.sentinel = { + # # port forward 80,443 (ward) to 80,443 (web-proxy) + #}; + + users.groups.acme.members = ["nginx"]; + services.nginx.enable = true; + services.nginx.recommendedSetup = true; +} diff --git a/hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age b/hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age new file mode 100644 index 0000000..49e3559 --- /dev/null +++ b/hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 GLh/xkRHD1zOOGYiWxlORV+qzYaTNvnXZoGe9qdxXUI +2TMHIo8emk76HOEgOpSOR3t1ib87kAGcH9FmZSLyhlU +-> piv-p256 xqSe8Q A6KvjXG2UNrpvNfY924v9/DVz7Ooncem24keDbtWXp7i +fNiibPhEaeRaXV8AxKFL2T7Er8byHmGCGT8ciwye1Kw +-> l1G-grease w;*@H4 +r4rvf0/eUQYWuhKWMIR94Uww+bgbr2GBP4oEWM8TftQFcioNNEK1Zm8bwocMvhM9 +i/KA6H6qw5yR68gKU3CPDzlMaIM99Oit3p7+3NdM2QPFKqvdYr9MdBcI +--- RGaCUY59RAiy0MUYasVeUf2cCfJqil3YTJmL0cXrmjA +M~B{`\BvWϞ4b`aR^l8K; Z5\W .[P,~Aq \ No newline at end of file diff --git a/hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age b/hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age new file mode 100644 index 0000000..c26ae7a --- /dev/null 
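Review bot: In the web-proxy.nix hunk, both Cloudflare API tokens (`acme-cloudflare-dns-token`, `acme-cloudflare-zone-token`) are installed with `mode = "440"; group = "acme";`, and later in the same file `users.groups.acme.members = ["nginx"];` puts nginx into that group, so the nginx workers can read tokens that are able to change DNS for the zone even though nginx only needs the issued certificates. Scoping the tokens to the ACME user instead — `owner = "acme"; mode = "400";` in place of the `group` line — removes that read path; if the NixOS ACME unit loads `credentialFiles` through systemd credentials, a root-owned `mode = "400"` would suffice as well, but confirm that against the module before relying on it. The commented-out `nodes.sentinel` block is a dangling stub; either make it an explicit `# TODO: port-forward 80/443 from ward to web-proxy` note or remove it so the remaining work is visible rather than buried in dead config.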
+++ b/hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 Y7J0KmGssDwytzJSMTKnb2qVfCBEl4nMiKeg4PDhbhM +R+FV22jr0XcybGJk8Z2o40O5ptRK3NPgQOxJ7HlORho +-> piv-p256 xqSe8Q AyC1XlhbGhbfUBn4gV56t48AazKi5Lt9H5BCOZqbTtOp +s3mrvVrMZ/kTdUSjKyBWa5hUFL2fwL2xRo7UFF0AwP0 +-> Ao-grease vp@ m_b +oV7D7L5dZtF75bJ6Ms0yZr92rENJmE4xKpdlBp4h40onYWv1Z17R2/bmygv5MD9+ +S7J25g3rxfk00fUOK8cwDcWyRtp4jQqcooJyrQ +--- J/aXuudcbUAfU06R065fsvPTX2qZr0w0eZ9gI6I+McY +v-##=|ڕ-IRn X25519 NIQfcq9fdcwAm3/7bqVw9XKuHxH6r2r7Lbqjjr/u+2w +Cfz/aTYCh4gNWo+dOzDKXNBaAlt0W/aqTb30ho/i5nM +-> piv-p256 xqSe8Q Al+FYiIKhA9B31HjuxCNE65MfYWKIxO+ZefbPsDWljxu ++K47WX1YQpRkvIzR4ALVucSj21YIv9WUluEQ62ccEWk +-> a"CCg7E9-grease ~ &+9|O +fuXdG2v+8S2Bti9ifpvRPfRZfh9ioXzOuYXcPkyPynbQPy2isAksKx83FgQeRoID +VHH/CKTjy/qFCDec9MXX2i9GCWWrva1n2tfOXl9kh2IZ1Zl2te2rsA +--- Tg/N4zk19YF7LCLd9wb95nyQJs0B59SHO4nh76xif0c +N9ޝ}w2 Q/zbCAu{O&iR,E19=єӇM CpF:9="[ߖ6&}3E&%YA))Ĵ͇m +_oV@U*Q1_L \ No newline at end of file diff --git a/secrets/generated/sentinel/loki-basic-auth-hashes.age b/secrets/generated/sentinel/loki-basic-auth-hashes.age index e425eb1..c13a4bb 100644 Binary files a/secrets/generated/sentinel/loki-basic-auth-hashes.age and b/secrets/generated/sentinel/loki-basic-auth-hashes.age differ diff --git a/secrets/generated/ward-web-proxy/dhparams.pem.age b/secrets/generated/ward-web-proxy/dhparams.pem.age new file mode 100644 index 0000000..a842d1f Binary files /dev/null and b/secrets/generated/ward-web-proxy/dhparams.pem.age differ diff --git a/secrets/generated/ward-web-proxy/promtail-loki-basic-auth-password.age b/secrets/generated/ward-web-proxy/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..bee259c --- /dev/null +++ b/secrets/generated/ward-web-proxy/promtail-loki-basic-auth-password.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 L5QeScr47cZuTXA2+suY1Z859dDPG7NAiiYUgIA/6Bs ++9/qfyYCn3E4Pt3AiIe1y0ikuCDKn2TxPr2n8P9pbRI +-> piv-p256 xqSe8Q AgqCoxqf5/kIfGz/w1ISInjhla9GM2/E7vbQ4xM2m6BI +wqJBvegatDBotrMVu4Mtu/Ti+ZxmnqM+9S79WrnwGwY +-> cJ+g)As-grease 17 halok $29WPO mJYp +BhQNUu5asGzmfKDEQ9uJc5EBKzR5h62BAXMlE2hRs2YdyTDHGYnPt8W3fqPthnw2 +zujauJioA5apYZqEXT6rji9D9LY12tO3Kg +--- dmVnPmT3cgoN8+PLw6VOeN34MCwv9xiq8Dz/moyR3aw +3Fevܫw8ϯJE0YϿkޖ)!#6"# Vqi I mb.J{~ \ No newline at end of file diff --git a/secrets/generated/ward-web-proxy/telegraf-influxdb-token.age b/secrets/generated/ward-web-proxy/telegraf-influxdb-token.age new file mode 100644 index 0000000..a988c47 --- /dev/null +++ b/secrets/generated/ward-web-proxy/telegraf-influxdb-token.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 mDqiVQOWk7oHh8Fe+XfsJuBVYQKX64OBbJJHAlp9+go +Y//Pun+q8oxIoygP4KNdqPQuF4ofsAsrcKBkJAxP+Q4 +-> piv-p256 xqSe8Q AlfJ9Pf9lseof2TLRM13YZn73LypMipUKDWjI9tWe/PS +FwEwUcxtggjuZDQmAHagbBh6PsqnCR2qrAbhei3KYEI +-> k-grease ^kKsR3EO g< S3? +W[LIq2, +5HUcLZxeuBAD+LNu60mipaKZxS1iC50/pM1j5s8SULOjaYsHGkhgcgsuRK/R +--- KzXceMOxfzRsGRXP99cvYn1Al3OHcebz80sGPWF2rww +WGVT"}&m:+3R9D!0"'r%?8_lYnnuaHLׅv \ No newline at end of file diff --git a/secrets/rekeyed/sentinel/089eda6d3476434194e52aece39a18f5-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/089eda6d3476434194e52aece39a18f5-loki-basic-auth-hashes.age deleted file mode 100644 index d0f42eb..0000000 Binary files a/secrets/rekeyed/sentinel/089eda6d3476434194e52aece39a18f5-loki-basic-auth-hashes.age and /dev/null differ diff --git a/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age b/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age new file mode 100644 index 0000000..c53d63f Binary files /dev/null and b/secrets/rekeyed/sentinel/45fcec727e61235564782d3d45463711-loki-basic-auth-hashes.age differ 
diff --git a/secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age b/secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age new file mode 100644 index 0000000..0deab71 --- /dev/null +++ b/secrets/rekeyed/sire-influxdb/77e41d6d4f1ee94ad7d26e00c3363352-telegraf-influxdb-token-ward-web-proxy.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 1tdZKQ UFx8Re0mcIt2HcL5x/GaXoi2CezPo6K7dKFD+nzfURg +sPM57TihJrVuRIhAUHVfehcGOhw4w3DRHTwW12cmEoU +-> }0-grease C\z~D+j +wMZmyvzkl/4iDjjH2kq0bbiPImhlesbTgLTV09l4tiep7EEzeKm2BoG+gmTVDQ +--- PzpDgRPy2dE/rvmZoKmJUDdY6yDaP3FCgL9t63YVWUM +E 0RKI=sTF$wp IdEWP[^'w,9݄AMx 0ۃ +S]OC \ No newline at end of file diff --git a/secrets/rekeyed/ward-web-proxy/16cd8ee5ae22b74c03ca5169c62b1666-acme-cloudflare-zone-token.age b/secrets/rekeyed/ward-web-proxy/16cd8ee5ae22b74c03ca5169c62b1666-acme-cloudflare-zone-token.age new file mode 100644 index 0000000..f029dc2 Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/16cd8ee5ae22b74c03ca5169c62b1666-acme-cloudflare-zone-token.age differ diff --git a/secrets/rekeyed/ward-web-proxy/3b347f2a2024cd71914fb44bd0cf027d-telegraf-influxdb-token.age b/secrets/rekeyed/ward-web-proxy/3b347f2a2024cd71914fb44bd0cf027d-telegraf-influxdb-token.age new file mode 100644 index 0000000..df19aed Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/3b347f2a2024cd71914fb44bd0cf027d-telegraf-influxdb-token.age differ diff --git a/secrets/rekeyed/ward-web-proxy/3ecb8cd7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age b/secrets/rekeyed/ward-web-proxy/3ecb8cd7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age new file mode 100644 index 0000000..c496e69 Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/3ecb8cd7dc2d4ba24de6f1f1ed0b9e1c-dhparams.pem.age differ 
diff --git a/secrets/rekeyed/ward-web-proxy/7a373fa309ea4806998a5716906f3cac-promtail-loki-basic-auth-password.age b/secrets/rekeyed/ward-web-proxy/7a373fa309ea4806998a5716906f3cac-promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..1df9750 Binary files /dev/null and b/secrets/rekeyed/ward-web-proxy/7a373fa309ea4806998a5716906f3cac-promtail-loki-basic-auth-password.age differ diff --git a/secrets/rekeyed/ward-web-proxy/fe0973a0966ad375770995305acd07c7-acme-cloudflare-dns-token.age b/secrets/rekeyed/ward-web-proxy/fe0973a0966ad375770995305acd07c7-acme-cloudflare-dns-token.age new file mode 100644 index 0000000..1de1da7 --- /dev/null +++ b/secrets/rekeyed/ward-web-proxy/fe0973a0966ad375770995305acd07c7-acme-cloudflare-dns-token.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 NwOpTA phHAnMhRnbsn7xSs7aWA65U/ZQusblSQ5dx0W7BgUmQ +uYeX2njTvlGDpI7UQ3SwQJru0rc7SVcvVqy1UB9i+i4 +-> 3a@Ad*-grease 2$Q$, ghooe0R +BrufnH/DkowTfeg/KW4a3ka10mONjewEiV70ag +--- 0yFOek1QRJRzSuGzx91aB31S4jA5ieoqFw+jAFLL/Rs +ёοux܏ 6clX0v}9yuQU"\Y? ϔZHPlz \ No newline at end of file