refactor: get rid of providedDomains in favor of globals

hosts/sire/guests/common.nix

@@ -1,5 +1,6 @@
 {
   config,
+  globals,
   lib,
   nodes,
   ...
@@ -17,13 +18,13 @@ in {
     if config.wireguard ? proxy-home
     then wardWebProxyCfg.wireguard.proxy-home.ipv4
     else sentinelCfg.wireguard.proxy-sentinel.ipv4
-  } = [sentinelCfg.networking.providedDomains.influxdb];
+  } = [globals.services.influxdb.domain];
 
   meta.telegraf = lib.mkIf (!config.boot.isContainer) {
     enable = true;
     scrapeSensors = false;
     influxdb2 = {
-      domain = sentinelCfg.networking.providedDomains.influxdb;
+      inherit (globals.services.influxdb) domain;
       organization = "machines";
       bucket = "telegraf";
       node = "sire-influxdb";

hosts/sire/guests/grafana.nix

@@ -1,9 +1,9 @@
 {
   config,
+  globals,
   nodes,
   ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
   wardWebProxyCfg = nodes.ward-web-proxy.config;
   grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
 in {
@@ -83,8 +83,6 @@ in {
       config.age.secrets.grafana-loki-basic-auth-password
     ];
 
-    networking.providedDomains.grafana = grafanaDomain;
-
     services.nginx = {
       upstreams.grafana = {
         servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
@@ -140,8 +138,8 @@ in {
   ];
 
   networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
-    sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)...
-    sentinelCfg.networking.providedDomains.loki
+    globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
+    globals.services.loki.domain
   ];
 
   services.grafana = {
@@ -178,9 +176,9 @@ in {
         client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
         scopes = "openid email profile";
         login_attribute_path = "preferred_username";
-        auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
-        token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
-        api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
+        auth_url = "https://${globals.services.kanidm.domain}/ui/oauth2";
+        token_url = "https://${globals.services.kanidm.domain}/oauth2/token";
+        api_url = "https://${globals.services.kanidm.domain}/oauth2/openid/grafana/userinfo";
         use_pkce = true;
         # Allow mapping oauth2 roles to server admin
         allow_assign_grafana_admin = true;
@@ -195,7 +193,7 @@ in {
           name = "InfluxDB (machines)";
           type = "influxdb";
           access = "proxy";
-          url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
+          url = "https://${globals.services.influxdb.domain}";
           orgId = 1;
           secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-machines.path}}";
           jsonData.version = "Flux";
@@ -206,7 +204,7 @@ in {
           name = "InfluxDB (home_assistant)";
           type = "influxdb";
           access = "proxy";
-          url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
+          url = "https://${globals.services.influxdb.domain}";
           orgId = 1;
           secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-home.path}}";
           jsonData.version = "Flux";
@@ -217,7 +215,7 @@ in {
           name = "Loki";
           type = "loki";
           access = "proxy";
-          url = "https://${sentinelCfg.networking.providedDomains.loki}";
+          url = "https://${globals.services.loki.domain}";
           orgId = 1;
           basicAuth = true;
           basicAuthUser = "${config.node.name}+grafana-loki-basic-auth-password";

hosts/sire/guests/immich.nix

@@ -1,7 +1,8 @@
 {
-  pkgs,
   config,
+  globals,
   nodes,
+  pkgs,
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
@@ -86,7 +87,7 @@
 
         clientId = "immich";
         # clientSecret will be dynamically added in activation script
-        issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
+        issuerUrl = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
         scope = "openid email profile";
         storageLabelClaim = "preferred_username";
       };
@@ -183,9 +184,8 @@ in {
     ];
   };
 
+  globals.services.immich.domain = immichDomain;
   nodes.sentinel = {
-    networking.providedDomains.immich = immichDomain;
-
     services.nginx = {
       upstreams.immich = {
         servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = {};

hosts/sire/guests/influxdb.nix

@@ -89,8 +89,6 @@ in {
 
   globals.services.influxdb.domain = influxdbDomain;
   nodes.sentinel = {
-    networking.providedDomains.influxdb = influxdbDomain;
-
     services.nginx = {
       upstreams.influxdb = {
         servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};

hosts/sire/guests/loki.nix

@@ -17,9 +17,8 @@ in {
     firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
   };
 
+  globals.services.loki.domain = lokiDomain;
   nodes.sentinel = {
-    networking.providedDomains.loki = lokiDomain;
-
     age.secrets.loki-basic-auth-hashes = {
       generator.script = "basic-auth";
       mode = "440";

hosts/sire/guests/minecraft.nix

@@ -359,6 +359,7 @@ in {
     }
   ];
 
+  globals.services.minecraft.domain = minecraftDomain;
   nodes.sentinel = {
     # Rewrite destination addr with dnat on incoming connections
     # and masquerade responses to make them look like they originate from this host.
@@ -384,8 +385,6 @@ in {
       };
     };
 
-    networking.providedDomains.minecraft = minecraftDomain;
-
     services.nginx = {
       upstreams.minecraft = {
         servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};

hosts/sire/guests/paperless.nix

@@ -1,5 +1,6 @@
 {
   config,
+  globals,
   lib,
   nodes,
   pkgs,
@@ -23,9 +24,8 @@ in {
     firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port];
   };
 
+  globals.services.paperless.domain = paperlessDomain;
   nodes.sentinel = {
-    networking.providedDomains.paperless = paperlessDomain;
-
     services.nginx = {
       upstreams.paperless = {
         servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
@@ -126,7 +126,7 @@ in {
               client_id = "paperless";
               # secret will be added dynamically
               #secret = "";
-              settings.server_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${client_id}/.well-known/openid-configuration";
+              settings.server_url = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
             }
           ];
         };