mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-11 07:10:39 +02:00
Code Activity

refactor: major refactor into proper reusable modules. No logical changes.

Browse source
This commit is contained in:
oddlama 2023-06-29 00:27:54 +02:00
parent 04872f6ec5
commit 84ac34cb6c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
80 changed files with 761 additions and 776 deletions
Download patch file Download diff file Expand all files Collapse all files

26
hosts/ward/default.nix
View file

@ -7,13 +7,13 @@
imports = [
nixos-hardware.common-cpu-intel
nixos-hardware.common-pc-ssd
../../modules/optional/hardware/intel.nix
../../modules/optional/hardware/physical.nix
../common/core
../common/hardware/intel.nix
../common/hardware/physical.nix
../common/initrd-ssh.nix
../common/efi.nix
../common/zfs.nix
../../modules
../../modules/optional/boot-efi.nix
../../modules/optional/initrd-ssh.nix
../../modules/optional/zfs.nix
./fs.nix
./net.nix
@ -21,16 +21,16 @@
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
extra.promtail = {
meta.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.providedDomains.influxdb];
extra.telegraf = {
networking.hosts.${nodes.sentinel.config.meta.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
meta.telegraf = {
enable = true;
influxdb2.domain = nodes.sentinel.config.providedDomains.influxdb;
influxdb2.domain = nodes.sentinel.config.networking.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
@ -38,7 +38,11 @@
# TODO track my github stats
# services.telegraf.extraConfig.inputs.github = {};
extra.microvms.vms = let
meta.microvms.commonImports = [
./microvms/common.nix
];
meta.microvms.vms = let
defaults = {
system = "x86_64-linux";
autostart = true;

28
hosts/ward/microvms/adguardhome/default.nix
View file

@ -8,30 +8,10 @@
sentinelCfg = nodes.sentinel.config;
adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.extra.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.providedDomains.influxdb];
extra.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
};
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
nodes.sentinel = {
providedDomains.adguard = adguardhomeDomain;
networking.providedDomains.adguard = adguardhomeDomain;
services.nginx = {
upstreams.adguardhome = {
@ -43,7 +23,7 @@ in {
};
virtualHosts.${adguardhomeDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert adguardhomeDomain;
useACMEWildcardHost = true;
oauth2.enable = true;
oauth2.allowedGroups = ["access_adguardhome"];
locations."/" = {
@ -57,7 +37,7 @@ in {
services.adguardhome = {
enable = true;
settings = {
bind_host = config.extra.wireguard.proxy-sentinel.ipv4;
bind_host = config.meta.wireguard.proxy-sentinel.ipv4;
bind_port = 3000;
#dns = {
# edns_client_subnet.enabled = false;

18
hosts/ward/microvms/common.nix Normal file
View file

@ -0,0 +1,18 @@
{nodes, ...}: let
sentinelCfg = nodes.sentinel.config;
in {
meta.wireguard-proxy.sentinel = {};
meta.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
meta.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.networking.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
}

38
hosts/ward/microvms/grafana/default.nix
View file

@ -9,27 +9,7 @@
sentinelCfg = nodes.sentinel.config;
grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.extra.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.providedDomains.influxdb];
extra.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
};
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
age.secrets.grafana-secret-key = {
rekeyFile = ./secrets/grafana-secret-key.age;
@ -55,7 +35,7 @@ in {
config.age.secrets.grafana-loki-basic-auth-password
];
providedDomains.grafana = grafanaDomain;
networking.providedDomains.grafana = grafanaDomain;
services.nginx = {
upstreams.grafana = {
@ -67,7 +47,7 @@ in {
};
virtualHosts.${grafanaDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
useACMEWildcardHost = true;
locations."/" = {
proxyPass = "http://grafana";
proxyWebsockets = true;
@ -87,7 +67,7 @@ in {
root_url = "https://${grafanaDomain}";
enforce_domain = true;
enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
http_addr = config.meta.wireguard.proxy-sentinel.ipv4;
http_port = 3001;
};
@ -111,9 +91,9 @@ in {
client_secret = "aZKNCM6KpjBy4RqwKJXMLXzyx9rKH6MZTFk4wYrKWuBqLj6t"; # TODO temporary test not a real secret
scopes = "openid email profile";
login_attribute_path = "prefered_username";
auth_url = "https://${sentinelCfg.providedDomains.kanidm}/ui/oauth2";
token_url = "https://${sentinelCfg.providedDomains.kanidm}/oauth2/token";
api_url = "https://${sentinelCfg.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
use_pkce = true;
# Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true;
@ -128,7 +108,7 @@ in {
name = "InfluxDB (servers)";
type = "influxdb";
access = "proxy";
url = "https://${sentinelCfg.providedDomains.influxdb}";
url = "https://${sentinelCfg.networking.providedDomains.influxdb}";
orgId = 1;
secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token.path}}";
jsonData.version = "Flux";
@ -140,7 +120,7 @@ in {
name = "Loki";
type = "loki";
access = "proxy";
url = "https://${sentinelCfg.providedDomains.loki}";
url = "https://${sentinelCfg.networking.providedDomains.loki}";
orgId = 1;
basicAuth = true;
basicAuthUser = "${nodeName}+grafana-loki-basic-auth-password";

31
hosts/ward/microvms/influxdb/default.nix
View file

@ -10,31 +10,10 @@
influxdbPort = 8086;
in {
microvm.mem = 1024;
imports = [
../../../../modules/proxy-via-sentinel.nix
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.extra.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.providedDomains.influxdb];
extra.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [influxdbPort];
};
meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort];
nodes.sentinel = {
providedDomains.influxdb = influxdbDomain;
networking.providedDomains.influxdb = influxdbDomain;
services.nginx = {
upstreams.influxdb = {
@ -46,7 +25,7 @@ in {
};
virtualHosts.${influxdbDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert influxdbDomain;
useACMEWildcardHost = true;
oauth2.enable = true;
oauth2.allowedGroups = ["access_influxdb"];
locations."/" = {
@ -54,7 +33,7 @@ in {
proxyWebsockets = true;
extraConfig = ''
satisfy any;
${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.extra.wireguard.proxy-sentinel.server.reservedAddresses}
${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.meta.wireguard.proxy-sentinel.server.reservedAddresses}
deny all;
'';
};
@ -66,7 +45,7 @@ in {
enable = true;
settings = {
reporting-disabled = true;
http-bind-address = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
http-bind-address = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
};
};

28
hosts/ward/microvms/kanidm/default.nix
View file

@ -10,27 +10,7 @@
kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
kanidmPort = 8300;
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.extra.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.providedDomains.influxdb];
extra.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [kanidmPort];
};
meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
age.secrets."kanidm-self-signed.crt" = {
rekeyFile = ./secrets/kanidm-self-signed.crt.age;
@ -45,7 +25,7 @@ in {
};
nodes.sentinel = {
providedDomains.kanidm = kanidmDomain;
networking.providedDomains.kanidm = kanidmDomain;
services.nginx = {
upstreams.kanidm = {
@ -57,7 +37,7 @@ in {
};
virtualHosts.${kanidmDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
useACMEWildcardHost = true;
locations."/".proxyPass = "https://kanidm";
# Allow using self-signed certs to satisfy kanidm's requirement
# for TLS connections. (Although this is over wireguard anyway)
@ -76,7 +56,7 @@ in {
origin = "https://${kanidmDomain}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
bindaddress = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
trust_x_forward_for = true;
};
};

28
hosts/ward/microvms/loki/default.nix
View file

@ -8,30 +8,10 @@
sentinelCfg = nodes.sentinel.config;
lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.extra.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.providedDomains.influxdb];
extra.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
};
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
nodes.sentinel = {
providedDomains.loki = lokiDomain;
networking.providedDomains.loki = lokiDomain;
age.secrets.loki-basic-auth-hashes = {
rekeyFile = ./secrets/loki-basic-auth-hashes.age;
@ -52,7 +32,7 @@ in {
};
virtualHosts.${lokiDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
useACMEWildcardHost = true;
locations."/" = {
proxyPass = "http://loki";
proxyWebsockets = true;
@ -86,7 +66,7 @@ in {
auth_enabled = false;
server = {
http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
http_listen_address = config.meta.wireguard.proxy-sentinel.ipv4;
http_listen_port = 3100;
log_level = "warn";
};

88
hosts/ward/microvms/vaultwarden/default.nix
View file

@ -8,68 +8,50 @@
sentinelCfg = nodes.sentinel.config;
vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.vaultwarden.config.rocketPort
config.services.vaultwarden.config.websocketPort
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${sentinelCfg.extra.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.providedDomains.influxdb];
extra.telegraf = {
enable = true;
influxdb2.domain = sentinelCfg.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
age.secrets.vaultwarden-env = {
rekeyFile = ./secrets/vaultwarden-env.age;
mode = "440";
group = "vaultwarden";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [
config.services.vaultwarden.config.rocketPort
config.services.vaultwarden.config.websocketPort
];
};
nodes.sentinel = {
providedDomains.vaultwarden = vaultwardenDomain;
networking.providedDomains.vaultwarden = vaultwardenDomain;
upstreams.vaultwarden = {
servers."${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}" = {};
extraConfig = ''
zone vaultwarden 64k;
keepalive 2;
'';
};
upstreams.vaultwarden-websocket = {
servers."${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}" = {};
extraConfig = ''
zone vaultwarden-websocket 64k;
keepalive 2;
'';
};
virtualHosts.${vaultwardenDomain} = {
forceSSL = true;
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert vaultwardenDomain;
extraConfig = ''
client_max_body_size 256M;
'';
locations."/".proxyPass = "http://vaultwarden";
locations."/notifications/hub" = {
proxyPass = "http://vaultwarden-websocket";
proxyWebsockets = true;
services.nginx = {
upstreams.vaultwarden = {
servers."${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}" = {};
extraConfig = ''
zone vaultwarden 64k;
keepalive 2;
'';
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;
upstreams.vaultwarden-websocket = {
servers."${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}" = {};
extraConfig = ''
zone vaultwarden-websocket 64k;
keepalive 2;
'';
};
virtualHosts.${vaultwardenDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
extraConfig = ''
client_max_body_size 256M;
'';
locations."/".proxyPass = "http://vaultwarden";
locations."/notifications/hub" = {
proxyPass = "http://vaultwarden-websocket";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://vaultwarden";
proxyWebsockets = true;
};
};
};
};
@ -84,9 +66,9 @@ in {
webVaultEnabled = true;
websocketEnabled = true;
websocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
websocketAddress = config.meta.wireguard.proxy-sentinel.ipv4;
websocketPort = 3012;
rocketAddress = config.extra.wireguard.proxy-sentinel.ipv4;
rocketAddress = config.meta.wireguard.proxy-sentinel.ipv4;
rocketPort = 8012;
signupsAllowed = false;

4
hosts/ward/net.nix
View file

@ -172,12 +172,12 @@ in {
systemd.services.kea-dhcp4-server.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "lan-self"}.device"];
extra.microvms.networking = {
meta.microvms.networking = {
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
macvtapInterface = "lan";
wireguard.openFirewallRules = ["lan-to-local"];
};
# Allow accessing influx
extra.wireguard.proxy-sentinel.client.via = "sentinel";
meta.wireguard.proxy-sentinel.client.via = "sentinel";
}