chore: update stalwart, add firezone tokens

2025-10-11 07:10:39 +02:00 · 2025-03-16 15:13:53 +01:00 · 2025-03-16 15:13:53 +01:00 · 3dabfb23e0
commit 3dabfb23e0
parent be7e4d158c
5 changed files with 30 additions and 6 deletions
--- a/hosts/sentinel/firezone.nix
+++ b/hosts/sentinel/firezone.nix
@ -28,6 +28,11 @@ in
 {
  age.secrets.firezone-smtp-password.generator.script = "alnum";

+  # NOTE: state: this token is from a manually created service account
+  age.secrets.firezone-relay-token = {
+    rekeyFile = config.node.secretsDir + "/firezone-relay-token.age";
+  };
+
  # Mirror the original oauth2 secret
  age.secrets.firezone-oauth2-client-secret = {
    inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-firezone) rekeyFile;
@ -137,6 +142,16 @@ in
    web.externalUrl = "https://${firezoneDomain}/";
  };

+  services.firezone.relay = {
+    enable = true;
+    name = "sentinel";
+    apiUrl = "wss://${firezoneDomain}/api/";
+    tokenFile = config.age.secrets.firezone-relay-token.path;
+    publicIpv4 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv4;
+    publicIpv6 = lib.net.cidr.ip config.repo.secrets.local.networking.interfaces.wan.hostCidrv6;
+    openFirewall = true;
+  };
+
  services.nginx = {
    upstreams.firezone = {
      servers."127.0.0.1:${toString config.services.firezone.server.web.port}" = { };