1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00

wip: prepare moving microvms definitions to own folders

This commit is contained in:
oddlama 2023-06-12 00:21:25 +02:00
parent e4199be809
commit 3f19475eda
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 31 additions and 16 deletions

View file

@ -16,15 +16,30 @@
./fs.nix
./net.nix
./promtail.nix
./kanidm.nix
./grafana.nix
./loki.nix
];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
extra.microvms.vms = let
defaults = {
system = "x86_64-linux";
autostart = true;
zfs = {
enable = true;
pool = "rpool";
};
};
in {
kanidm = defaults;
grafana = defaultsa;
loki = defaults
};
#ddclient = defineVm;
#kanidm = defineVm;
#gitea/forgejo = defineVm;
@ -35,6 +50,8 @@
#paperless = defineVm;
#radicale = defineVm;
#minecraft = defineVm;
#firefly
#adguardhome
#prometheus
#influxdb

View file

@ -59,8 +59,8 @@
users.allow_sign_up = false;
server = {
domain = "grafana.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
root_url = "https://${config.services.grafana.settings.server.domain}";
domain = nodes.sentinel.config.proxiedDomains.grafana;
root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
enforce_domain = true;
enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
@ -76,9 +76,7 @@
};
auth.disable_login_form = true;
"auth.generic_oauth" = let
authDomain = nodes.ward-kanidm.config.services.kanidm.serverSettings.domain;
in {
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
icon = "signin";
@ -89,9 +87,9 @@
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
scopes = "openid email profile";
login_attribute_path = "prefered_username";
auth_url = "https://${authDomain}/ui/oauth2";
token_url = "https://${authDomain}/oauth2/token";
api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
use_pkce = true;
# Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true;
@ -112,7 +110,7 @@
name = "Loki";
type = "loki";
access = "proxy";
url = "https://loki.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
orgId = 1;
basicAuth = true;
basicAuthUser = nodeName;

View file

@ -56,8 +56,8 @@
enableServer = true;
# enablePAM = true;
serverSettings = {
domain = "auth.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
origin = "https://${config.services.kanidm.serverSettings.domain}";
domain = nodes.sentinel.config.proxiedDomains.kanidm;
origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";