feat: remove old "freeform" globals and use new structured globals

2025-10-10 23:00:39 +02:00 · 2024-07-31 15:49:44 +02:00 · 2024-07-31 15:49:44 +02:00 · a128dd5f40
commit a128dd5f40
parent 4e717fab96
35 changed files with 214 additions and 59 deletions
--- a/hosts/envoy/idmail.nix
+++ b/hosts/envoy/idmail.nix
@ -1,9 +1,10 @@
 {
  config,
+  globals,
  lib,
  ...
 }: let
-  mailDomains = config.repo.secrets.global.domains.mail;
+  mailDomains = globals.domains.mail;
  primaryDomain = mailDomains.primary;
  idmailDomain = "alias.${primaryDomain}";
 in {
--- a/hosts/envoy/net.nix
+++ b/hosts/envoy/net.nix
@ -1,13 +1,14 @@
 {
  config,
+  globals,
  lib,
  ...
 }: let
  icfg = config.repo.secrets.local.networking.interfaces.wan;
 in {
  networking.hostId = config.repo.secrets.local.networking.hostId;
-  networking.domain = config.repo.secrets.global.domains.mail.primary;
-  networking.hosts."127.0.0.1" = ["mx1.${config.repo.secrets.global.domains.mail.primary}"];
+  networking.domain = globals.domains.mail.primary;
+  networking.hosts."127.0.0.1" = ["mail.${globals.domains.mail.primary}"];

  globals.monitoring.ping.envoy = {
    hostv4 = lib.net.cidr.ip icfg.hostCidrv4;
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@ -1,10 +1,11 @@
 {
  config,
+  globals,
  lib,
  pkgs,
  ...
 }: let
-  mailDomains = config.repo.secrets.global.domains.mail;
+  mailDomains = globals.domains.mail;
  primaryDomain = mailDomains.primary;
  stalwartDomain = "mail.${primaryDomain}";
  dataDir = "/var/lib/stalwart-mail";
--- a/hosts/sentinel/coturn.nix
+++ b/hosts/sentinel/coturn.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  pkgs,
  ...
@ -11,7 +12,7 @@
    mkForce
    ;

-  hostDomain = config.repo.secrets.global.domains.me;
+  hostDomain = globals.domains.me;
  coturnDomain = "coturn.${hostDomain}";
 in {
  age.secrets.coturn-password-netbird = {
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -26,7 +26,7 @@
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;

-  services.nginx.virtualHosts.${config.repo.secrets.global.domains.me} = {
+  services.nginx.virtualHosts.${globals.domains.me} = {
    forceSSL = true;
    useACMEWildcardHost = true;
    locations."/".root = pkgs.runCommand "index.html" {} ''
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@ -1,12 +1,13 @@
 {
  config,
+  globals,
  lib,
  ...
 }: let
  icfg = config.repo.secrets.local.networking.interfaces.wan;
 in {
  networking.hostId = config.repo.secrets.local.networking.hostId;
-  networking.domain = config.repo.secrets.global.domains.me;
+  networking.domain = globals.domains.me;

  globals.monitoring.ping.sentinel = {
    hostv4 = lib.net.cidr.ip icfg.hostCidrv4;
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@ -6,8 +6,8 @@
 }: {
  meta.oauth2-proxy = {
    enable = true;
-    cookieDomain = config.repo.secrets.global.domains.me;
-    portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
+    cookieDomain = globals.domains.me;
+    portalDomain = "oauth2.${globals.domains.me}";
    # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
  };

--- a/hosts/sire/guests/ai.nix
+++ b/hosts/sire/guests/ai.nix
@ -1,5 +1,9 @@
-{config, ...}: let
-  openWebuiDomain = "chat.${config.repo.secrets.global.domains.me}";
+{
+  config,
+  globals,
+  ...
+}: let
+  openWebuiDomain = "chat.${globals.domains.me}";
 in {
  microvm.mem = 1024 * 16;
  microvm.vcpu = 20;
@ -76,7 +80,7 @@ in {
        oauth2 = {
          enable = true;
          allowedGroups = ["access_openwebui"];
-          X-Email = "\${upstream_http_x_auth_request_preferred_username}@${config.repo.secrets.global.domains.personal}";
+          X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}";
        };
        extraConfig = ''
          client_max_body_size 128M;
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@ -6,7 +6,7 @@
  ...
 }: let
  wardWebProxyCfg = nodes.ward-web-proxy.config;
-  grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
+  grafanaDomain = "grafana.${globals.domains.me}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@ -7,7 +7,7 @@
 }: let
  sentinelCfg = nodes.sentinel.config;
  wardWebProxyCfg = nodes.ward-web-proxy.config;
-  immichDomain = "immich.${config.repo.secrets.global.domains.me}";
+  immichDomain = "immich.${globals.domains.me}";

  ipImmichMachineLearning = "10.89.0.10";
  ipImmichPostgres = "10.89.0.12";
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@ -1,5 +1,6 @@
 {
  config,
+  globals,
  lib,
  nodes,
  pkgs,
@ -7,7 +8,7 @@
 }: let
  sentinelCfg = nodes.sentinel.config;
  wardCfg = nodes.ward.config;
-  influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
+  influxdbDomain = "influxdb.${globals.domains.me}";
  influxdbPort = 8086;
 in {
  wireguard.proxy-sentinel = {
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
@ -1,11 +1,12 @@
 {
  config,
+  globals,
  nodes,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
  wardWebProxyCfg = nodes.ward-web-proxy.config;
-  lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
+  lokiDomain = "loki.${globals.domains.me}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
--- a/hosts/sire/guests/minecraft.nix
+++ b/hosts/sire/guests/minecraft.nix
@ -1,13 +1,14 @@
 # FIXME: todo: host the proxy on sentinel so the IPs are not lost in natting
 {
  config,
-  pkgs,
+  globals,
  lib,
+  pkgs,
  ...
 }: let
  inherit (lib) getExe;

-  minecraftDomain = "mc.${config.repo.secrets.global.domains.me}";
+  minecraftDomain = "mc.${globals.domains.me}";
  dataDir = "/var/lib/minecraft";

  minecraft-attach = pkgs.writeShellApplication {
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -8,7 +8,7 @@
 }: let
  sentinelCfg = nodes.sentinel.config;
  wardWebProxyCfg = nodes.ward-web-proxy.config;
-  paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}";
+  paperlessDomain = "paperless.${globals.domains.me}";
  paperlessBackupDir = "/var/cache/paperless-backup";
 in {
  microvm.mem = 1024 * 9;
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@ -5,7 +5,7 @@
  pkgs,
  ...
 }: let
-  adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
+  adguardhomeDomain = "adguardhome.${globals.domains.me}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
@ -88,7 +88,7 @@ in {
          # wireguard address for influxdb
          {
            inherit (globals.services.influxdb) domain;
-            answer = config.repo.secrets.global.domains.me;
+            answer = globals.domains.me;
          }
        ]
        # Use the local mirror-proxy for some services (not necessary, just for speed)
@ -102,8 +102,8 @@ in {
          globals.services.influxdb.domain
          globals.services.loki.domain
          globals.services.paperless.domain
-          "home.${config.repo.secrets.global.domains.me}"
-          "fritzbox.${config.repo.secrets.global.domains.me}"
+          "home.${globals.domains.me}"
+          "fritzbox.${globals.domains.me}"
        ];
      filters = [
        {
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@ -6,7 +6,7 @@
  pkgs,
  ...
 }: let
-  forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
+  forgejoDomain = "git.${globals.domains.me}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -3,8 +3,7 @@
  globals,
  ...
 }: let
-  inherit (config.repo.secrets.global) domains;
-  kanidmDomain = "auth.${domains.me}";
+  kanidmDomain = "auth.${globals.domains.me}";
  kanidmPort = 8300;

  mkRandomSecret = {
@ -108,7 +107,7 @@ in {
      adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
      idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;

-      inherit (config.repo.secrets.global.kanidm) persons;
+      inherit (globals.kanidm) persons;

      # Immich
      groups."immich.access" = {};
@ -191,7 +190,7 @@ in {
      groups."web-sentinel.openwebui" = {};
      systems.oauth2.web-sentinel = {
        displayName = "Web Sentinel";
-        originUrl = "https://oauth2.${domains.me}/";
+        originUrl = "https://oauth2.${globals.domains.me}/";
        basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
        preferShortUsername = true;
        scopeMaps."web-sentinel.access" = ["openid" "email"];
--- a/hosts/ward/guests/netbird.nix
+++ b/hosts/ward/guests/netbird.nix
@ -6,7 +6,7 @@
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
-  netbirdDomain = "netbird.${config.repo.secrets.global.domains.me}";
+  netbirdDomain = "netbird.${globals.domains.me}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
@ -48,8 +48,8 @@ in {
      dashboard.settings.AUTH_AUTHORITY = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird";

      management = {
-        singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}";
-        dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
+        singleAccountModeDomain = "internal.${globals.domains.me}";
+        dnsDomain = "internal.${globals.domains.me}";
        disableAnonymousMetrics = true;
        oidcConfigEndpoint = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird/.well-known/openid-configuration";
        turnDomain = globals.services.coturn.domain;
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -1,5 +1,9 @@
-{config, ...}: let
-  radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
+{
+  config,
+  globals,
+  ...
+}: let
+  radicaleDomain = "radicale.${globals.domains.personal}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -1,9 +1,10 @@
 {
  config,
+  globals,
  lib,
  ...
 }: let
-  vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
+  vaultwardenDomain = "pw.${globals.domains.personal}";
 in {
  wireguard.proxy-sentinel = {
    client.via = "sentinel";
--- a/hosts/ward/guests/web-proxy.nix
+++ b/hosts/ward/guests/web-proxy.nix
@ -4,7 +4,7 @@
  ...
 }: let
  inherit (config.repo.secrets.local) acme;
-  fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}";
+  fritzboxDomain = "fritzbox.${globals.domains.me}";
 in {
  wireguard.proxy-home = {
    client.via = "ward";
--- a/hosts/ward/kea.nix
+++ b/hosts/ward/kea.nix
@ -1,5 +1,4 @@
 {
-  config,
  lib,
  globals,
  utils,
@ -67,11 +66,11 @@ in {
              ip-address = globals.net.home-lan.hosts.sire-samba.ipv4;
            }
            {
-              hw-address = config.repo.secrets.global.macs.wallbox;
+              hw-address = globals.macs.wallbox;
              ip-address = globals.net.home-lan.hosts.wallbox.ipv4;
            }
            {
-              hw-address = config.repo.secrets.global.macs.home-assistant;
+              hw-address = globals.macs.home-assistant;
              ip-address = globals.net.home-lan.hosts.home-assistant-temp.ipv4;
            }
          ];
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@ -6,8 +6,8 @@
  pkgs,
  ...
 }: let
-  homeDomain = "home.${config.repo.secrets.global.domains.me}";
-  fritzboxDomain = "fritzbox.${config.repo.secrets.global.domains.me}";
+  homeDomain = "home.${globals.domains.me}";
+  fritzboxDomain = "fritzbox.${globals.domains.me}";
 in {
  wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
    config.services.home-assistant.config.http.server_port