From 68b12b865c02a765321e5de18d37b0e01ab2bd7d Mon Sep 17 00:00:00 2001 From: oddlama Date: Sun, 2 Jun 2024 16:59:14 +0200 Subject: [PATCH] refactor: get rid of providedDomains in favor of globals --- config/default.nix | 10 ---------- hosts/envoy/default.nix | 10 +++++++--- hosts/kroma/default.nix | 8 ++++---- hosts/sentinel/coturn.nix | 2 +- hosts/sentinel/default.nix | 5 +++-- hosts/sentinel/oauth2.nix | 9 +++++---- hosts/sire/default.nix | 7 ++++--- hosts/sire/guests/common.nix | 5 +++-- hosts/sire/guests/grafana.nix | 20 +++++++++----------- hosts/sire/guests/immich.nix | 8 ++++---- hosts/sire/guests/influxdb.nix | 2 -- hosts/sire/guests/loki.nix | 3 +-- hosts/sire/guests/minecraft.nix | 3 +-- hosts/sire/guests/paperless.nix | 6 +++--- hosts/ward/default.nix | 9 +++++---- hosts/ward/guests/adguardhome.nix | 18 +++++++++--------- hosts/ward/guests/common.nix | 5 +++-- hosts/ward/guests/forgejo.nix | 7 +++---- hosts/ward/guests/home-gateway.nix | 4 ++-- hosts/ward/guests/kanidm.nix | 16 +++++++--------- hosts/ward/guests/netbird.nix | 10 +++++----- hosts/ward/guests/radicale.nix | 3 +-- hosts/ward/guests/vaultwarden.nix | 3 +-- hosts/zackbiene/default.nix | 5 +++-- hosts/zackbiene/home-assistant.nix | 3 ++- modules/default.nix | 1 - modules/distributed-config.nix | 1 - modules/promtail.nix | 3 ++- modules/provided-domains.nix | 7 ------- nix/globals.nix | 7 +++++-- nix/hosts.nix | 10 ++++++++++ 31 files changed, 103 insertions(+), 107 deletions(-) delete mode 100644 modules/provided-domains.nix diff --git a/config/default.nix b/config/default.nix index e19fe98..5a5abf4 100644 --- a/config/default.nix +++ b/config/default.nix @@ -35,14 +35,4 @@ ./topology.nix ./users.nix ]; - - nixpkgs.config.allowUnfree = true; - nixpkgs.overlays = - import ../pkgs/default.nix - ++ [ - inputs.nix-topology.overlays.default - inputs.nixos-extra-modules.overlays.default - inputs.nixvim.overlays.default - inputs.wired-notify.overlays.default - ]; } 
diff --git a/hosts/envoy/default.nix b/hosts/envoy/default.nix index f3df9ad..2b808d7 100644 --- a/hosts/envoy/default.nix +++ b/hosts/envoy/default.nix @@ -1,4 +1,8 @@ -{nodes, ...}: { +{ + globals, + nodes, + ... +}: { imports = [ ../../config ../../config/hardware/hetzner-cloud.nix @@ -25,12 +29,12 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; + networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain]; meta.telegraf = { enable = true; scrapeSensors = false; influxdb2 = { - domain = nodes.sentinel.config.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix index a7621f5..9e69759 100644 --- a/hosts/kroma/default.nix +++ b/hosts/kroma/default.nix @@ -1,8 +1,8 @@ { + globals, inputs, lib, minimal, - nodes, ... }: { @@ -67,11 +67,11 @@ #}; ## Connect safely via wireguard to skip authentication - #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; + #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain]; #meta.telegraf = { # enable = true; # influxdb2 = { - # domain = nodes.sentinel.config.networking.providedDomains.influxdb; + # domain = globals.services.influxdb.domain; # organization = "machines"; # bucket = "telegraf"; # node = "sire-influxdb"; @@ -89,7 +89,7 @@ openFirewall = true; config.ServerSSHAllowed = false; environment = rec { - NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}"; + NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}"; NB_ADMIN_URL = NB_MANAGEMENT_URL; }; }; 
diff --git a/hosts/sentinel/coturn.nix b/hosts/sentinel/coturn.nix index 232e171..bf32ea1 100644 --- a/hosts/sentinel/coturn.nix +++ b/hosts/sentinel/coturn.nix @@ -38,7 +38,7 @@ in { to = config.services.coturn.max-port; } ]; - networking.providedDomains.coturn = coturnDomain; + globals.services.coturn.domain = coturnDomain; services.coturn = { enable = true; diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 0dc7d3c..3020043 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -1,5 +1,6 @@ { config, + globals, pkgs, ... }: { @@ -44,12 +45,12 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb]; + networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain]; meta.telegraf = { enable = true; scrapeSensors = false; influxdb2 = { - domain = config.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix index 51c2df3..656443f 100644 --- a/hosts/sentinel/oauth2.nix +++ b/hosts/sentinel/oauth2.nix @@ -1,5 +1,6 @@ { config, + globals, nodes, ... }: { 
@@ -40,14 +41,14 @@ in { provider = "oidc"; scope = "openid email"; - loginURL = "https://${config.networking.providedDomains.kanidm}/ui/oauth2"; - redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token"; - validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo"; + loginURL = "https://${globals.services.kanidm.domain}/ui/oauth2"; + redeemURL = "https://${globals.services.kanidm.domain}/oauth2/token"; + validateURL = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/userinfo"; clientID = clientId; email.domains = ["*"]; extraConfig = { - oidc-issuer-url = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}"; + oidc-issuer-url = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}"; provider-display-name = "Kanidm"; #skip-provider-button = true; }; diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index d15d15d..b137ccf 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix @@ -1,5 +1,6 @@ { config, + globals, inputs, lib, nodes, @@ -32,11 +33,11 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; + networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain]; meta.telegraf = { enable = true; influxdb2 = { - domain = nodes.sentinel.config.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; @@ -96,7 +97,7 @@ baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; }; extraSpecialArgs = { - inherit (inputs.self) nodes; + inherit (inputs.self) nodes globals; inherit (inputs.self.pkgs.x86_64-linux) lib; inherit inputs minimal; }; 
diff --git a/hosts/sire/guests/common.nix b/hosts/sire/guests/common.nix index 81bc212..6a1aeca 100644 --- a/hosts/sire/guests/common.nix +++ b/hosts/sire/guests/common.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, ... @@ -17,13 +18,13 @@ in { if config.wireguard ? proxy-home then wardWebProxyCfg.wireguard.proxy-home.ipv4 else sentinelCfg.wireguard.proxy-sentinel.ipv4 - } = [sentinelCfg.networking.providedDomains.influxdb]; + } = [globals.services.influxdb.domain]; meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; scrapeSensors = false; influxdb2 = { - domain = sentinelCfg.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index 99995b5..bd9f3de 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -1,9 +1,9 @@ { config, + globals, nodes, ... }: let - sentinelCfg = nodes.sentinel.config; wardWebProxyCfg = nodes.ward-web-proxy.config; grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}"; in { @@ -83,8 +83,6 @@ in { config.age.secrets.grafana-loki-basic-auth-password ]; - networking.providedDomains.grafana = grafanaDomain; - services.nginx = { upstreams.grafana = { servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {}; @@ -140,8 +138,8 @@ in { ]; networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ - sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)... - sentinelCfg.networking.providedDomains.loki + globals.services.influxdb.domain # technically a duplicate (see ./common.nix)... + globals.services.loki.domain ]; services.grafana = { 
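Review bot: The `@@ -83,8 +83,6 @@` hunk of hosts/sire/guests/grafana.nix removes `networking.providedDomains.grafana = grafanaDomain;` without adding the replacement `globals.services.grafana.domain = grafanaDomain;` that every other service file in this patch adds beside its removed line, and the file's diffstat (9 insertions, 11 deletions) is fully accounted for by the visible hunks, so it is not added elsewhere in this commit either. Unless that assignment already existed in grafana.nix before this change, the new consumers `originUrl = "https://${globals.services.grafana.domain}/";` in hosts/ward/guests/kanidm.nix and the rewrite list in hosts/ward/guests/adguardhome.nix will fail evaluation with a missing `grafana` attribute. The influxdb.nix hunk shows the intended pattern, with `globals.services.influxdb.domain = influxdbDomain;` visible as context directly above `nodes.sentinel = {`.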
@@ -178,9 +176,9 @@ in { client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}"; scopes = "openid email profile"; login_attribute_path = "preferred_username"; - auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2"; - token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token"; - api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo"; + auth_url = "https://${globals.services.kanidm.domain}/ui/oauth2"; + token_url = "https://${globals.services.kanidm.domain}/oauth2/token"; + api_url = "https://${globals.services.kanidm.domain}/oauth2/openid/grafana/userinfo"; use_pkce = true; # Allow mapping oauth2 roles to server admin allow_assign_grafana_admin = true; @@ -195,7 +193,7 @@ in { name = "InfluxDB (machines)"; type = "influxdb"; access = "proxy"; - url = "https://${sentinelCfg.networking.providedDomains.influxdb}"; + url = "https://${globals.services.influxdb.domain}"; orgId = 1; secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-machines.path}}"; jsonData.version = "Flux"; @@ -206,7 +204,7 @@ in { name = "InfluxDB (home_assistant)"; type = "influxdb"; access = "proxy"; - url = "https://${sentinelCfg.networking.providedDomains.influxdb}"; + url = "https://${globals.services.influxdb.domain}"; orgId = 1; secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-home.path}}"; jsonData.version = "Flux"; @@ -217,7 +215,7 @@ in { name = "Loki"; type = "loki"; access = "proxy"; - url = "https://${sentinelCfg.networking.providedDomains.loki}"; + url = "https://${globals.services.loki.domain}"; orgId = 1; basicAuth = true; basicAuthUser = "${config.node.name}+grafana-loki-basic-auth-password"; diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index af955b3..56de5ee 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix 
@@ -1,7 +1,8 @@ { - pkgs, config, + globals, nodes, + pkgs, ... }: let sentinelCfg = nodes.sentinel.config; @@ -86,7 +87,7 @@ clientId = "immich"; # clientSecret will be dynamically added in activation script - issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}"; + issuerUrl = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}"; scope = "openid email profile"; storageLabelClaim = "preferred_username"; }; @@ -183,9 +184,8 @@ in { ]; }; + globals.services.immich.domain = immichDomain; nodes.sentinel = { - networking.providedDomains.immich = immichDomain; - services.nginx = { upstreams.immich = { servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = {}; diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index 7ad0af2..7a0e0e3 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -89,8 +89,6 @@ in { globals.services.influxdb.domain = influxdbDomain; nodes.sentinel = { - networking.providedDomains.influxdb = influxdbDomain; - services.nginx = { upstreams.influxdb = { servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {}; diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 600409d..cb724e7 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix @@ -17,9 +17,8 @@ in { firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; }; + globals.services.loki.domain = lokiDomain; nodes.sentinel = { - networking.providedDomains.loki = lokiDomain; - age.secrets.loki-basic-auth-hashes = { generator.script = "basic-auth"; mode = "440"; diff --git a/hosts/sire/guests/minecraft.nix b/hosts/sire/guests/minecraft.nix index 0b0eafb..971b9c8 100644 --- a/hosts/sire/guests/minecraft.nix +++ b/hosts/sire/guests/minecraft.nix 
@@ -359,6 +359,7 @@ in { } ]; + globals.services.minecraft.domain = minecraftDomain; nodes.sentinel = { # Rewrite destination addr with dnat on incoming connections # and masquerade responses to make them look like they originate from this host. @@ -384,8 +385,6 @@ in { }; }; - networking.providedDomains.minecraft = minecraftDomain; - services.nginx = { upstreams.minecraft = { servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {}; diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 0c51cd1..dc64009 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, pkgs, @@ -23,9 +24,8 @@ in { firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port]; }; + globals.services.paperless.domain = paperlessDomain; nodes.sentinel = { - networking.providedDomains.paperless = paperlessDomain; - services.nginx = { upstreams.paperless = { servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {}; @@ -126,7 +126,7 @@ in { client_id = "paperless"; # secret will be added dynamically #secret = ""; - settings.server_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${client_id}/.well-known/openid-configuration"; + settings.server_url = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration"; } ]; }; diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index c1a117a..69ae731 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -1,9 +1,10 @@ { config, + globals, inputs, lib, - nodes, minimal, + nodes, ... }: { imports = [ 
@@ -34,11 +35,11 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${config.wireguard.proxy-home.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; + networking.hosts.${config.wireguard.proxy-home.ipv4} = [globals.services.influxdb.domain]; meta.telegraf = { enable = true; influxdb2 = { - domain = nodes.sentinel.config.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; @@ -83,7 +84,7 @@ baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; }; extraSpecialArgs = { - inherit (inputs.self) nodes; + inherit (inputs.self) nodes globals; inherit (inputs.self.pkgs.x86_64-linux) lib; inherit inputs minimal; }; diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index fbe92e5..1c4d2f1 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -1,7 +1,7 @@ { config, + globals, lib, - nodes, pkgs, ... }: let @@ -12,9 +12,8 @@ in { firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port]; }; + globals.services.adguardhome.domain = adguardhomeDomain; nodes.sentinel = { - networking.providedDomains.adguard = adguardhomeDomain; - services.nginx = { upstreams.adguardhome = { servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {}; @@ -78,7 +77,7 @@ in { # Undo the /etc/hosts entry so we don't answer with the internal # wireguard address for influxdb { - domain = nodes.sentinel.config.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; answer = config.repo.secrets.global.domains.me; } ] 
@@ -87,11 +86,12 @@ in { inherit domain; answer = "192.168.1.4"; }) [ - nodes.sentinel.config.networking.providedDomains.grafana - nodes.sentinel.config.networking.providedDomains.immich - nodes.sentinel.config.networking.providedDomains.influxdb - nodes.sentinel.config.networking.providedDomains.loki - nodes.sentinel.config.networking.providedDomains.paperless + # FIXME: dont hardcode, filter global service domains by internal state + globals.services.grafana.domain + globals.services.immich.domain + globals.services.influxdb.domain + globals.services.loki.domain + globals.services.paperless.domain "home.${config.repo.secrets.global.domains.me}" "fritzbox.${config.repo.secrets.global.domains.me}" ]; diff --git a/hosts/ward/guests/common.nix b/hosts/ward/guests/common.nix index 81bc212..6a1aeca 100644 --- a/hosts/ward/guests/common.nix +++ b/hosts/ward/guests/common.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, ... @@ -17,13 +18,13 @@ in { if config.wireguard ? proxy-home then wardWebProxyCfg.wireguard.proxy-home.ipv4 else sentinelCfg.wireguard.proxy-sentinel.ipv4 - } = [sentinelCfg.networking.providedDomains.influxdb]; + } = [globals.services.influxdb.domain]; meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; scrapeSensors = false; influxdb2 = { - domain = sentinelCfg.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index b9b8e9a..816a2b1 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix @@ -1,11 +1,11 @@ { config, + globals, lib, nodes, pkgs, ... }: let - sentinelCfg = nodes.sentinel.config; forgejoDomain = "git.${config.repo.secrets.global.domains.me}"; in { wireguard.proxy-sentinel = { 
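Review bot: The rewrite list in the `@@ -87,11 +86,12 @@` hunk of hosts/ward/guests/adguardhome.nix remains a hand-maintained subset of `globals.services`, and the new `# FIXME` records that fact but not the membership criterion, so the next service author cannot tell whether theirs belongs here (none of the services this patch newly registers in globals — forgejo, netbird, vaultwarden, radicale, kanidm, minecraft, adguardhome — is listed). The entries look like the services fronted by ward-web-proxy, matching the `networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4}` list in grafana.nix, but that is inferred; if correct, record it, e.g. `# FIXME: dont hardcode; these are the services reachable via ward-web-proxy on the LAN, filter global service domains by internal state`. Until that filter exists, a service omitted here is presumably answered with its public address and its LAN traffic takes the external path, which is the drift the comment should warn about.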
@@ -26,9 +26,8 @@ in { inherit (config.services.forgejo) group; }; + globals.services.forgejo.domain = forgejoDomain; nodes.sentinel = { - networking.providedDomains.forgejo = forgejoDomain; - # Rewrite destination addr with dnat on incoming connections # and masquerade responses to make them look like they originate from this host. # - 9922 (wan) -> 22 (proxy-sentinel) @@ -190,7 +189,7 @@ in { ["--name" providerName] ["--provider" "openidConnect"] ["--key" clientId] - ["--auto-discover-url" "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"] + ["--auto-discover-url" "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/.well-known/openid-configuration"] ["--scopes" "email"] ["--scopes" "profile"] ["--group-claim-name" "groups"] diff --git a/hosts/ward/guests/home-gateway.nix b/hosts/ward/guests/home-gateway.nix index 64a4055..30a7011 100644 --- a/hosts/ward/guests/home-gateway.nix +++ b/hosts/ward/guests/home-gateway.nix @@ -1,4 +1,4 @@ -{nodes, ...}: { +{globals, ...}: { # Forwarding required to masquerade netbird network boot.kernel.sysctl."net.ipv4.ip_forward" = 1; @@ -25,7 +25,7 @@ openFirewall = true; config.ServerSSHAllowed = false; environment = rec { - NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}"; + NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}"; NB_ADMIN_URL = NB_MANAGEMENT_URL; NB_HOSTNAME = "home-gateway"; }; diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 65aaa1f..55e7c79 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -1,10 +1,9 @@ { config, - nodes, + globals, ... }: let inherit (config.repo.secrets.global) domains; - sentinelCfg = nodes.sentinel.config; kanidmDomain = "auth.${domains.me}"; kanidmPort = 8300; 
@@ -40,9 +39,8 @@ in { age.secrets.kanidm-oauth2-paperless = mkRandomSecret; age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret; + globals.services.kanidm.domain = kanidmDomain; nodes.sentinel = { - networking.providedDomains.kanidm = kanidmDomain; - services.nginx = { upstreams.kanidm = { servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {}; @@ -102,7 +100,7 @@ in { groups."immich.access" = {}; systems.oauth2.immich = { displayName = "Immich"; - originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/"; + originUrl = "https://${globals.services.immich.domain}/"; basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path; preferShortUsername = true; # XXX: PKCE is currently not supported by immich @@ -117,7 +115,7 @@ in { systems.oauth2.netbird = { public = true; displayName = "Netbird"; - originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/"; + originUrl = "https://${globals.services.netbird.domain}/"; preferShortUsername = true; enableLocalhostRedirects = true; enableLegacyCrypto = true; @@ -128,7 +126,7 @@ in { groups."paperless.access" = {}; systems.oauth2.paperless = { displayName = "Paperless"; - originUrl = "https://${sentinelCfg.networking.providedDomains.paperless}/"; + originUrl = "https://${globals.services.paperless.domain}/"; basicSecretFile = config.age.secrets.kanidm-oauth2-paperless.path; preferShortUsername = true; scopeMaps."paperless.access" = ["openid" "email" "profile"]; @@ -141,7 +139,7 @@ in { groups."grafana.server-admins" = {}; systems.oauth2.grafana = { displayName = "Grafana"; - originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/"; + originUrl = "https://${globals.services.grafana.domain}/"; basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path; preferShortUsername = true; scopeMaps."grafana.access" = ["openid" "email" "profile"]; 
@@ -160,7 +158,7 @@ in { groups."forgejo.admins" = {}; systems.oauth2.forgejo = { displayName = "Forgejo"; - originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/"; + originUrl = "https://${globals.services.forgejo.domain}/"; basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path; scopeMaps."forgejo.access" = ["openid" "email" "profile"]; # XXX: PKCE is currently not supported by gitea/forgejo, diff --git a/hosts/ward/guests/netbird.nix b/hosts/ward/guests/netbird.nix index 1a0eee3..122a4b7 100644 --- a/hosts/ward/guests/netbird.nix +++ b/hosts/ward/guests/netbird.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, ... @@ -44,14 +45,14 @@ in { enable = true; domain = netbirdDomain; - dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird"; + dashboard.settings.AUTH_AUTHORITY = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird"; management = { singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}"; dnsDomain = "internal.${config.repo.secrets.global.domains.me}"; disableAnonymousMetrics = true; - oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration"; - turnDomain = sentinelCfg.networking.providedDomains.coturn; + oidcConfigEndpoint = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird/.well-known/openid-configuration"; + turnDomain = globals.services.coturn.domain; turnPort = sentinelCfg.services.coturn.tls-listening-port; settings = { HttpConfig = { @@ -76,9 +77,8 @@ in { }; }; + globals.services.netbird.domain = netbirdDomain; nodes.sentinel = { - networking.providedDomains.netbird = netbirdDomain; - services.nginx = { upstreams.netbird-mgmt = { servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.management.port}" = {}; 
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix index 00af9be..f214fc8 100644 --- a/hosts/ward/guests/radicale.nix +++ b/hosts/ward/guests/radicale.nix @@ -6,9 +6,8 @@ in { firewallRuleForNode.sentinel.allowedTCPPorts = [8000]; }; + globals.services.radicale.domain = radicaleDomain; nodes.sentinel = { - networking.providedDomains.radicale = radicaleDomain; - services.nginx = { upstreams.radicale = { servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = {}; diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix index e1fc551..3b1587b 100644 --- a/hosts/ward/guests/vaultwarden.nix +++ b/hosts/ward/guests/vaultwarden.nix @@ -25,9 +25,8 @@ in { } ]; + globals.services.vaultwarden.domain = vaultwardenDomain; nodes.sentinel = { - networking.providedDomains.vaultwarden = vaultwardenDomain; - services.nginx = { upstreams.vaultwarden = { servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {}; diff --git a/hosts/zackbiene/default.nix b/hosts/zackbiene/default.nix index 77d9c09..3cda84c 100644 --- a/hosts/zackbiene/default.nix +++ b/hosts/zackbiene/default.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, ... @@ -41,12 +42,12 @@ in { if config.wireguard ? proxy-home then wardWebProxyCfg.wireguard.proxy-home.ipv4 else sentinelCfg.wireguard.proxy-sentinel.ipv4 - } = [sentinelCfg.networking.providedDomains.influxdb]; + } = [globals.services.influxdb.domain]; meta.telegraf = { enable = true; influxdb2 = { - domain = sentinelCfg.networking.providedDomains.influxdb; + inherit (globals.services.influxdb) domain; organization = "machines"; bucket = "telegraf"; node = "sire-influxdb"; diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix index 3c44cc1..f449018 100644 --- a/hosts/zackbiene/home-assistant.nix +++ b/hosts/zackbiene/home-assistant.nix @@ -1,5 +1,6 @@ { config, + globals, lib, nodes, pkgs, 
@@ -88,7 +89,7 @@ in { influxdb = { api_version = 2; - host = nodes.sentinel.config.networking.providedDomains.influxdb; + host = globals.services.influxdb.domain; port = "443"; max_retries = 10; ssl = true; diff --git a/modules/default.nix b/modules/default.nix index 6a39544..f8a6624 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -15,7 +15,6 @@ ./netbird-client.nix ./oauth2-proxy.nix ./promtail.nix - ./provided-domains.nix ./secrets.nix ./telegraf.nix ]; diff --git a/modules/distributed-config.nix b/modules/distributed-config.nix index e728809..8e2b401 100644 --- a/modules/distributed-config.nix +++ b/modules/distributed-config.nix @@ -40,7 +40,6 @@ forwardedOptions = [ ["age" "secrets"] - ["networking" "providedDomains"] ["networking" "nftables" "chains"] ["services" "nginx" "upstreams"] ["services" "nginx" "virtualHosts"] diff --git a/modules/promtail.nix b/modules/promtail.nix index 44a48eb..6a59ebf 100644 --- a/modules/promtail.nix +++ b/modules/promtail.nix @@ -3,6 +3,7 @@ lib, minimal, nodes, + globals, ... }: let inherit @@ -48,7 +49,7 @@ in { { basic_auth.username = "${config.node.name}+promtail-loki-basic-auth-password"; basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path; - url = "https://${nodes.${cfg.proxy}.config.networking.providedDomains.loki}/loki/api/v1/push"; + url = "https://${globals.services.loki.domain}/loki/api/v1/push"; } ]; diff --git a/modules/provided-domains.nix b/modules/provided-domains.nix deleted file mode 100644 index b09fa3a..0000000 --- a/modules/provided-domains.nix +++ /dev/null @@ -1,7 +0,0 @@ -{lib, ...}: { - options.networking.providedDomains = lib.mkOption { - type = lib.types.attrsOf lib.types.str; - default = {}; - description = "Registry of domains that this host 'provides' (that refer to this host with some functionality). For easy cross-node referencing."; - }; -} diff --git a/nix/globals.nix b/nix/globals.nix index 4880a47..4ab81d7 100644 --- a/nix/globals.nix 
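Review bot: In the `@@ -3,6 +3,7 @@` hunk of modules/promtail.nix, `globals` is inserted after `nodes`, breaking the alphabetical argument order the rest of this patch otherwise keeps (hosts/ward/default.nix and hosts/sire/guests/immich.nix are even reordered to preserve it); move it to `globals,` before `lib,`. The only visible use of `nodes` in this module was the replaced `url` line in the `@@ -48,7 +49,7 @@` hunk; if nothing outside the hunks references it, drop it from the argument set as the kanidm.nix and adguardhome.nix hunks do. The enclosing module body extends beyond both hunks.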
+++ b/nix/globals.nix @@ -20,7 +20,10 @@ }) ]; }; - in - globalsSystem.config.globals; + in { + # Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion, + # therefore we inherit relevant attributes from the config. + inherit (globalsSystem.config.globals) services; + }; }; } diff --git a/nix/hosts.nix b/nix/hosts.nix index f2276d1..03278fd 100644 --- a/nix/hosts.nix +++ b/nix/hosts.nix @@ -28,6 +28,16 @@ }; modules = [ { + nixpkgs.config.allowUnfree = true; + nixpkgs.overlays = + import ../pkgs/default.nix + ++ [ + inputs.nix-topology.overlays.default + inputs.nixos-extra-modules.overlays.default + inputs.nixvim.overlays.default + inputs.wired-notify.overlays.default + ]; + node.name = name; node.secretsDir = ../hosts/${name}/secrets; }
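Review bot: The comment added in the nix/globals.nix hunk explains why only `services` is inherited but not the consequence: any option declared under `globals` later will be silently missing from the attrset handed to hosts, and the first consumer fails with a missing-attribute error far from the cause. Extend the comment with a line such as `# NOTE: only the attributes inherited here are exposed to hosts as globals; add new top-level globals options to this list.` so the maintenance step is recorded where it is needed. The enclosing `let` starts before the hunk.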
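Review bot: The `nixpkgs.config.allowUnfree` / `nixpkgs.overlays` block that the nix/hosts.nix hunk adds is the same one the config/default.nix hunk removes, which is unrelated to the providedDomains refactor in the subject and is not mentioned anywhere; it deserves its own commit or at least a line in the message saying why it moved. The move also changes where the overlays apply: config/default.nix is pulled in by anything importing `../../config` (see the envoy hunk), whereas the new location applies only to systems built through this module list, so guests evaluated via the `extraSpecialArgs` blocks in hosts/sire/default.nix and hosts/ward/default.nix may no longer see the overlays if they are built on a different path — worth confirming. `inputs` must also be in scope in nix/hosts.nix for `inputs.nix-topology.overlays.default` and friends; its binding lies outside the hunk.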