diff --git a/config/home-manager.nix b/config/home-manager.nix index b6955ad..3b8aeeb 100644 --- a/config/home-manager.nix +++ b/config/home-manager.nix @@ -10,7 +10,7 @@ useUserPackages = true; verbose = true; sharedModules = [ - inputs.nixos-extra-modules.homeManagerModules.default + (inputs.nixos-extra-modules + "/hm-modules") inputs.nix-index-database.hmModules.nix-index inputs.nixvim.homeManagerModules.nixvim { diff --git a/flake.lock b/flake.lock index 09b9639..77571ea 100644 --- a/flake.lock +++ b/flake.lock @@ -1060,11 +1060,11 @@ ] }, "locked": { - "lastModified": 1757698511, - "narHash": "sha256-UqHHGydF/q3jfYXCpvYLA0TWtvByOp1NwOKCUjhYmPs=", + "lastModified": 1757784838, + "narHash": "sha256-6aHo1++bAFdW1z+0tfuxM9EmxHvon90mHo8/+izXMcY=", "owner": "nix-community", "repo": "home-manager", - "rev": "a3fcc92180c7462082cd849498369591dfb20855", + "rev": "6e28513cf2ee9a985c339fcef24d44f43d23456b", "type": "github" }, "original": { @@ -1462,11 +1462,11 @@ "pre-commit-hooks": "pre-commit-hooks_5" }, "locked": { - "lastModified": 1745053097, - "narHash": "sha256-BEW57utyWCqP4U+MzCXFqbvEC8LE3iZv5dsPMrmTJ9Q=", + "lastModified": 1757798853, + "narHash": "sha256-xQrM5P9YqJfngr7/N0SsFp1p5BMt4NwkWa+3AktIWFU=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "7565d8554b0fc9d621851150e7939d34a3a8cd6c", + "rev": "4c6b6489a41339809e4dc73086db16425cad6466", "type": "github" }, "original": { diff --git a/flake/hosts.nix b/flake/hosts.nix index 6a85d10..8807fc9 100644 --- a/flake/hosts.nix +++ b/flake/hosts.nix @@ -1,4 +1,7 @@ -{ inputs, ... }: +{ config, inputs, ... }: +let + topConfig = config; +in { flake = { @@ -12,7 +15,6 @@ filterAttrs flip genAttrs - mapAttrs mapAttrs' nameValuePair ; @@ -30,6 +32,7 @@ inherit (pkgs) lib; inherit (config) nodes globals; inherit inputs minimal; + extraModules = topConfig.globals.optModules; }; modules = [ { 
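Review bot: The new `sharedModules` entry `(inputs.nixos-extra-modules + "/hm-modules")` reaches into the input's source tree by path instead of using a declared flake output, and nothing on the line says why the previous `homeManagerModules.default` attribute is no longer usable. The `nixos-extra-modules` lockfile bump in the same commit suggests the output was dropped upstream, but that is inferred; a path import also means the only thing checked is that a `default.nix` exists at that location, not that it is the module the flake intended to export. A short comment such as `# upstream no longer exports homeManagerModules; its hm-modules directory is importable directly` would keep the next reader from reverting this to the attribute form.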
@@ -49,7 +52,8 @@ node.secretsDir = ../hosts/${name}/secrets; } ../hosts/${name} - ]; + ] + ++ topConfig.globals.optModules; }; # Get all folders in hosts/ @@ -66,7 +70,7 @@ # True NixOS nodes can define additional guest nodes that are built # together with it. We collect all defined guests from each node here # to allow accessing any node via the unified attribute `nodes`. - guestConfigs = flip concatMapAttrs config.nixosConfigurations ( + guestConfigurations = flip concatMapAttrs config.nixosConfigurations ( _: node: flip mapAttrs' (node.config.guests or { }) ( guestName: guestDef: @@ -81,8 +85,6 @@ # All nixosSystem instanciations are collected here, so that we can refer # to any system via nodes. - nodes = config.nixosConfigurations // config.guestConfigs; - # Add a shorthand to easily target toplevel derivations - "@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes; + nodes = config.nixosConfigurations // config.guestConfigurations; }; } diff --git a/globals.nix b/globals.nix index 32667a7..12bcf8c 100644 --- a/globals.nix +++ b/globals.nix 
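Review bot: `++ topConfig.globals.optModules` appends the same module list to every node built here, and the same list is also passed into each node through `specialArgs.extraModules`, so the guest builder (outside this hunk) presumably imports it a second time for guests that are built as part of a node; if a guest's module list is derived from its parent's, a module could land twice, which is harmless for path imports but not necessarily for anonymous attrset modules. Because this applies to the internet-facing nodes (sentinel, envoy) as well as internal ones, the option deserves a comment at its definition stating that scope, e.g. `# optModules are imported by every node and every guest, including public-facing hosts`. A comment next to `extraModules = ...` saying which of the two paths guests are expected to use would also make the intent clear.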
@@ -22,6 +22,50 @@ in globals = { wireguard = { + proxy-home = { + host = globals.net.home-lan.vlans.services.hosts.ward.ipv4; + port = 51444; + cidrv4 = "10.44.0.0/24"; + cidrv6 = "fd00:44::/120"; + hosts = { + sausebiene.id = 10; + sire-ente.id = 101; + sire-grafana.id = 221; + sire-immich.id = 225; + sire-influxdb.id = 141; + sire-loki.id = 109; + sire-paperless.id = 147; + sire-samba.id = 38; + ward.id = 94; + ward-adguardhome.id = 148; + ward-mealie.id = 128; + ward-web-proxy.id = 11; + }; + }; + + proxy-sentinel = { + port = 51443; + cidrv4 = "10.43.0.0/24"; + cidrv6 = "fd00:43::/120"; + hosts = { + envoy.id = 135; + sentinel.id = 29; + sire-ai.id = 171; + sire-ente.id = 101; + sire-grafana.id = 221; + sire-immich.id = 225; + sire-influxdb.id = 141; + sire-loki.id = 109; + sire-minecraft.id = 163; + sire-paperless.id = 147; + sire.id = 14; + ward-adguardhome.id = 148; + ward-forgejo.id = 128; + ward-kanidm.id = 197; + ward-radicale.id = 252; + ward-vaultwarden.id = 142; + }; + }; }; net = { @@ -125,11 +169,6 @@ in }; }; }; - - proxy-home = { - cidrv4 = "10.44.0.0/24"; - cidrv6 = "fd00:44::/120"; - }; }; monitoring = { diff --git a/hosts/envoy/net.nix b/hosts/envoy/net.nix index ac1ead0..eae3f75 100644 --- a/hosts/envoy/net.nix +++ b/hosts/envoy/net.nix @@ -46,7 +46,4 @@ in }; networking.nftables.firewall.zones.untrusted.interfaces = [ "wan" ]; - - # Allow accessing influx - wireguard.proxy-sentinel.client.via = "sentinel"; } diff --git a/hosts/sausebiene/esphome.nix b/hosts/sausebiene/esphome.nix index 81a74e1..3b6398c 100644 --- a/hosts/sausebiene/esphome.nix +++ b/hosts/sausebiene/esphome.nix 
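Review bot: The `id` values under `proxy-home.hosts` and `proxy-sentinel.hosts` are assigned by hand and nothing in this hunk asserts they are unique within a network; a future copy-paste (128 already appears once in each network for different hosts, so reuse is easy) would give two peers the same address in the /24 and /120 and, depending on how the module derives `AllowedIPs`, could let one peer receive traffic meant for the other. An eval-time assertion that `map (h: h.id) (attrValues hosts)` has no duplicates and that every id lies in 1..254 would catch this before deploy. The commit also drops the only stated rationale for several memberships ("Allow accessing influx" on envoy and sire, "For influxdb communication channel" on samba); since membership now lives only in this list, keep the reason here, e.g. `envoy.id = 135; # only needs to reach influxdb`.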
@@ -7,9 +7,10 @@ let esphomeDomain = "esphome.${globals.domains.personal}"; in { - wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ - config.services.esphome.port - ]; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ + config.services.esphome.port + ]; environment.persistence."/persist".directories = [ { diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix index d980f19..221dae8 100644 --- a/hosts/sausebiene/home-assistant.nix +++ b/hosts/sausebiene/home-assistant.nix @@ -12,9 +12,10 @@ in { imports = [ ./hass-modbus/mennekes-amtron-xtra.nix ]; - wireguard.proxy-home.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ - config.services.home-assistant.config.http.server_port - ]; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ + config.services.home-assistant.config.http.server_port + ]; environment.persistence."/persist".directories = [ { diff --git a/hosts/sausebiene/net.nix b/hosts/sausebiene/net.nix index 902c230..51cf238 100644 --- a/hosts/sausebiene/net.nix +++ b/hosts/sausebiene/net.nix 
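Review bot: Writing the rule as `globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode...` makes network membership implicit: the old `wireguard.proxy-home.client.via = "ward"` line was an explicit opt-in per host, whereas now a host file that adds a firewall rule for a network it is not listed in under `globals.nix` silently creates a new `hosts.<name>` entry with whatever defaults the option type provides (presumably failing on a missing `id`, but that is not visible here). An assertion in the module that every host with a `firewallRuleFor*` definition also has an `id` would make the failure mode explicit. A comment on this line, e.g. `# sausebiene is a proxy-home member; its id is declared in globals.nix`, would tell the reader where the membership is now defined.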
@@ -59,43 +59,41 @@ in } ); - systemd.network.networks = - { - "10-lan" = { - matchConfig.Name = "lan"; - # This interface should only be used from attached vlans. - # So don't acquire a link local address and only wait for - # this interface to gain a carrier. - networkConfig.LinkLocalAddressing = "no"; - linkConfig.RequiredForOnline = "carrier"; - vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans); + systemd.network.networks = { + "10-lan" = { + matchConfig.Name = "lan"; + # This interface should only be used from attached vlans. + # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans); + }; + } + // lib.flip lib.concatMapAttrs localVlans ( + vlanName: vlanCfg: { + "30-vlan-${vlanName}" = { + address = [ + vlanCfg.hosts.sausebiene.cidrv4 + vlanCfg.hosts.sausebiene.cidrv6 + ]; + gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ]; + matchConfig.Name = "vlan-${vlanName}"; + networkConfig.IPv6PrivacyExtensions = "yes"; + linkConfig.RequiredForOnline = "routable"; }; } - // lib.flip lib.concatMapAttrs localVlans ( - vlanName: vlanCfg: { - "30-vlan-${vlanName}" = { - address = [ - vlanCfg.hosts.sausebiene.cidrv4 - vlanCfg.hosts.sausebiene.cidrv6 - ]; - gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ]; - matchConfig.Name = "vlan-${vlanName}"; - networkConfig.IPv6PrivacyExtensions = "yes"; - linkConfig.RequiredForOnline = "routable"; - }; - } - ); + ); networking.nftables.firewall = { - zones = - { - untrusted.interfaces = [ "vlan-services" ]; + zones = { + untrusted.interfaces = [ "vlan-services" ]; + } + // lib.flip lib.concatMapAttrs localVlans ( + vlanName: _: { + "vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ]; } - // lib.flip lib.concatMapAttrs localVlans ( - vlanName: _: { - 
"vlan-${vlanName}".interfaces = [ "vlan-${vlanName}" ]; - } - ); + ); rules = { # Allow devices to be discovered through various protocols @@ -134,6 +132,4 @@ in }; }; }; - - wireguard.proxy-home.client.via = "ward"; } diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 7f75a8f..4a58c9f 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -22,13 +22,15 @@ nixpkgs.hostPlatform = "x86_64-linux"; boot.mode = "bios"; - wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [ - 80 - 443 - ]; - wireguard.proxy-sentinel.firewallRuleForAll.allowedUDPPorts = [ - 443 - ]; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForAll = { + allowedTCPPorts = [ + 80 + 443 + ]; + allowedUDPPorts = [ + 443 + ]; + }; users.groups.acme.members = [ "nginx" ]; services.nginx.enable = true; diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix index ef3de56..d7eb46d 100644 --- a/hosts/sentinel/net.nix +++ b/hosts/sentinel/net.nix @@ -55,9 +55,7 @@ in globals.wireguard.proxy-sentinel = { host = config.networking.fqdn; - port = 51443; - cidrv4 = "10.43.0.0/24"; - cidrv6 = "fd00:43::/120"; openFirewall = true; + hosts.${config.node.name}.server = true; }; } diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix index 45e9c18..abb3876 100644 --- a/hosts/sire/guests/ai.nix +++ b/hosts/sire/guests/ai.nix @@ -10,10 +10,10 @@ in microvm.mem = 1024 * 16; microvm.vcpu = 20; - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.open-webui.port ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ + config.services.open-webui.port + ]; networking.firewall.allowedTCPPorts = [ config.services.ollama.port ]; diff --git a/hosts/sire/guests/ente.nix b/hosts/sire/guests/ente.nix index 5c9e0de..5c21486 100644 --- a/hosts/sire/guests/ente.nix +++ b/hosts/sire/guests/ente.nix 
@@ -80,21 +80,17 @@ let }; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ 8080 9000 ]; - }; - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ 8080 9000 ]; - }; globals.services.ente.domain = entePhotosDomain; # FIXME: also monitor from internal network diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index ef2febd..d3e635f 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -9,19 +9,15 @@ let grafanaDomain = "grafana.${globals.domains.me}"; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ config.services.grafana.settings.server.http_port ]; - }; - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ config.services.grafana.settings.server.http_port ]; - }; age.secrets.grafana-secret-key = { rekeyFile = config.node.secretsDir + "/grafana-secret-key.age"; diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index e2f64de..9c494dc 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix 
@@ -19,14 +19,10 @@ in group = "immich"; }; - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ 2283 ]; - }; - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ 2283 ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ 2283 ]; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ 2283 ]; globals.services.immich.domain = immichDomain; globals.monitoring.http.immich = { diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index cfa984b..8fe7962 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -10,15 +10,10 @@ let influxdbPort = 8086; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ influxdbPort ]; - }; - - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ influxdbPort ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ influxdbPort ]; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ influxdbPort ]; age.secrets.github-access-token = { rekeyFile = config.node.secretsDir + "/github-access-token.age"; diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 8762fd2..fe0484f 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix 
@@ -10,19 +10,15 @@ let lokiDomain = "loki.${globals.domains.me}"; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ config.services.loki.configuration.server.http_listen_port ]; - }; - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ config.services.loki.configuration.server.http_listen_port ]; - }; globals.services.loki.domain = lokiDomain; diff --git a/hosts/sire/guests/minecraft.nix b/hosts/sire/guests/minecraft.nix index 13088e4..69f488b 100644 --- a/hosts/sire/guests/minecraft.nix +++ b/hosts/sire/guests/minecraft.nix @@ -350,14 +350,12 @@ in microvm.mem = 1024 * 24; microvm.vcpu = 16; - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ 80 25565 25566 ]; - }; users.groups.minecraft.members = [ "nginx" ]; users.users.minecraft = { diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 4b057c9..e0d5fcd 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix 
@@ -14,15 +14,15 @@ in microvm.mem = 1024 * 9; microvm.vcpu = 8; - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.paperless.port ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ + config.services.paperless.port + ]; - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.paperless.port ]; - }; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ + config.services.paperless.port + ]; globals.services.paperless.domain = paperlessDomain; # FIXME: also monitor from internal network diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index 3f8ca3e..e90fb1a 100644 --- a/hosts/sire/guests/samba.nix +++ b/hosts/sire/guests/samba.nix @@ -27,7 +27,8 @@ let "create mask" = "0740"; "directory mask" = "0750"; "acl allow execute always" = "yes"; - } // cfg; + } + // cfg; }; mkGroupShares = @@ -77,9 +78,6 @@ let ); in { - # For influxdb communication channel - wireguard.proxy-home.client.via = "ward"; - age.secrets."samba-passdb.tdb" = { rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age"; mode = "600"; @@ -383,7 +381,8 @@ in users.groups = { paperless.gid = config.ids.gids.paperless; - } // lib.mapAttrs (_: cfg: { gid = cfg.id; }) (smbUsers // smbGroups); + } + // lib.mapAttrs (_: cfg: { gid = cfg.id; }) (smbUsers // smbGroups); backups.storageBoxes.dusk = { subuser = "samba"; diff --git a/hosts/sire/net.nix b/hosts/sire/net.nix index 9c5ad22..7af180f 100644 --- a/hosts/sire/net.nix +++ b/hosts/sire/net.nix 
@@ -71,52 +71,48 @@ in } ); - systemd.network.networks = - { - "10-lan" = { - matchConfig.Name = "lan"; - # This interface should only be used from attached vlans. + systemd.network.networks = { + "10-lan" = { + matchConfig.Name = "lan"; + # This interface should only be used from attached vlans. + # So don't acquire a link local address and only wait for + # this interface to gain a carrier. + networkConfig.LinkLocalAddressing = "no"; + linkConfig.RequiredForOnline = "carrier"; + vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans); + }; + # Remaining macvtap interfaces should not be touched. + "90-macvtap-ignore" = { + matchConfig.Kind = "macvtap"; + linkConfig.ActivationPolicy = "manual"; + linkConfig.Unmanaged = "yes"; + }; + } + // lib.flip lib.concatMapAttrs localVlans ( + vlanName: vlanCfg: { + "30-vlan-${vlanName}" = { + matchConfig.Name = "vlan-${vlanName}"; + # This interface should only be used from attached macvlans. # So don't acquire a link local address and only wait for # this interface to gain a carrier. networkConfig.LinkLocalAddressing = "no"; + networkConfig.MACVLAN = "me-${vlanName}"; linkConfig.RequiredForOnline = "carrier"; - vlan = map (name: "vlan-${name}") (builtins.attrNames localVlans); }; - # Remaining macvtap interfaces should not be touched. - "90-macvtap-ignore" = { - matchConfig.Kind = "macvtap"; - linkConfig.ActivationPolicy = "manual"; - linkConfig.Unmanaged = "yes"; + "40-me-${vlanName}" = { + address = [ + vlanCfg.hosts.sire.cidrv4 + vlanCfg.hosts.sire.cidrv6 + ]; + gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ]; + matchConfig.Name = "me-${vlanName}"; + networkConfig.IPv6PrivacyExtensions = "yes"; + linkConfig.RequiredForOnline = "routable"; }; } - // lib.flip lib.concatMapAttrs localVlans ( - vlanName: vlanCfg: { - "30-vlan-${vlanName}" = { - matchConfig.Name = "vlan-${vlanName}"; - # This interface should only be used from attached macvlans. 
- # So don't acquire a link local address and only wait for - # this interface to gain a carrier. - networkConfig.LinkLocalAddressing = "no"; - networkConfig.MACVLAN = "me-${vlanName}"; - linkConfig.RequiredForOnline = "carrier"; - }; - "40-me-${vlanName}" = { - address = [ - vlanCfg.hosts.sire.cidrv4 - vlanCfg.hosts.sire.cidrv6 - ]; - gateway = lib.optionals (vlanName == "services") [ vlanCfg.hosts.ward.ipv4 ]; - matchConfig.Name = "me-${vlanName}"; - networkConfig.IPv6PrivacyExtensions = "yes"; - linkConfig.RequiredForOnline = "routable"; - }; - } - ); + ); networking.nftables.firewall = { zones.untrusted.interfaces = [ "me-services" ]; }; - - # Allow accessing influx - wireguard.proxy-sentinel.client.via = "sentinel"; } diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 555b1bd..bdb1876 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -8,16 +8,16 @@ let adguardhomeDomain = "adguardhome.${globals.domains.me}"; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.adguardhome.port ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ + config.services.adguardhome.port + ]; # Allow home-assistant to access it directly - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.sausebiene.allowedTCPPorts = [ config.services.adguardhome.port ]; - }; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.sausebiene.allowedTCPPorts = + [ + config.services.adguardhome.port + ]; globals.services.adguardhome.domain = adguardhomeDomain; globals.monitoring.dns.adguardhome = { diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index cfbad53..6c8ece9 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix 
@@ -10,12 +10,10 @@ let forgejoDomain = "git.${globals.domains.me}"; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ config.services.forgejo.settings.server.HTTP_PORT ]; - }; age.secrets.forgejo-mailer-password.rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age"; diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 80c011a..299ecf4 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -15,10 +15,8 @@ let }; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ kanidmPort ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ kanidmPort ]; age.secrets."kanidm-self-signed.crt" = { rekeyFile = config.node.secretsDir + "/kanidm-self-signed.crt.age"; diff --git a/hosts/ward/guests/mealie.nix b/hosts/ward/guests/mealie.nix index ce92411..1908d37 100644 --- a/hosts/ward/guests/mealie.nix +++ b/hosts/ward/guests/mealie.nix @@ -8,10 +8,10 @@ let mealieDomain = "mealie.${globals.domains.me}"; in { - wireguard.proxy-home = { - client.via = "ward"; - firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.mealie.port ]; - }; + globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts = + [ + config.services.mealie.port + ]; # Mirror the original oauth2 secret, but prepend OIDC_CLIENT_SECRET= # so it can be used as an EnvironmentFile diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix index 375428b..a1dd110 100644 --- a/hosts/ward/guests/radicale.nix +++ b/hosts/ward/guests/radicale.nix 
@@ -7,10 +7,8 @@ let radicaleDomain = "radicale.${globals.domains.personal}"; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ 8000 ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ 8000 ]; globals.services.radicale.domain = radicaleDomain; globals.monitoring.http.radicale = { diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix index 2a88086..9cfd655 100644 --- a/hosts/ward/guests/vaultwarden.nix +++ b/hosts/ward/guests/vaultwarden.nix @@ -8,10 +8,10 @@ let vaultwardenDomain = "pw.${globals.domains.personal}"; in { - wireguard.proxy-sentinel = { - client.via = "sentinel"; - firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.vaultwarden.config.rocketPort ]; - }; + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts = + [ + config.services.vaultwarden.config.rocketPort + ]; age.secrets.vaultwarden-env = { rekeyFile = config.node.secretsDir + "/vaultwarden-env.age"; diff --git a/hosts/ward/guests/web-proxy.nix b/hosts/ward/guests/web-proxy.nix index 45ffe09..b6a682d 100644 --- a/hosts/ward/guests/web-proxy.nix +++ b/hosts/ward/guests/web-proxy.nix @@ -10,8 +10,7 @@ in { microvm.mem = 1024 * 4; # Need more /tmp space so nginx can store intermediary files - wireguard.proxy-home = { - client.via = "ward"; + globals.wireguard.proxy-home.hosts.${config.node.name} = { firewallRuleForAll.allowedTCPPorts = [ 80 443 diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index 1a506c0..f4e3afa 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix 
@@ -331,11 +331,8 @@ }; }; - globals.wireguard.proxy-home.server = { - host = globals.net.home-lan.vlans.services.hosts.ward.ipv4; - port = 51444; - inherit (globals.net.proxy-home) cidrv4; - inherit (globals.net.proxy-home) cidrv6; + globals.wireguard.proxy-home = { openFirewall = false; # Explicitly opened only for lan + hosts.${config.node.name}.server = true; }; } diff --git a/modules/globals.nix b/modules/globals.nix index 0e4fd06..eb76a5d 100644 --- a/modules/globals.nix +++ b/modules/globals.nix @@ -1,6 +1,5 @@ { lib, - options, ... }: let @@ -366,12 +365,5 @@ in }; }; }; - - _globalsDefs = mkOption { - type = types.unspecified; - default = options.globals.definitions; - readOnly = true; - internal = true; - }; }; }
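Review bot: With `port = 51444` and the listen address moved out of this file into `globals.nix`, the comment `openFirewall = false; # Explicitly opened only for lan` now refers to an nftables rule elsewhere in this file (outside the hunk) that presumably still hard-codes the port and the services-VLAN address, so the two can drift apart without an eval error. Having that rule read `globals.wireguard.proxy-home.port` and `globals.wireguard.proxy-home.host` instead of literals would keep the manual opening and the server definition in sync. `hosts.${config.node.name}.server = true` also does not by itself prevent a second host from claiming the server role for the same network; if the module does not already assert exactly one server, that check belongs next to the uniqueness check on ids.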