mirror of
https://github.com/oddlama/nix-config.git
synced 2025-10-10 23:00:39 +02:00
feat: move wireguard module to nixos-extra-modules
This commit is contained in:
oddlama
parent
621d725af3
commit
a4844807e6
27 changed files with 73 additions and 783 deletions
|
|
@ -63,7 +63,7 @@
|
|||
#};
|
||||
|
||||
## Connect safely via wireguard to skip authentication
|
||||
#networking.hosts.${nodes.sentinel.config.meta.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
#networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
#meta.telegraf = {
|
||||
# enable = true;
|
||||
# influxdb2 = {
|
||||
|
|
|
|||
|
|
@ -15,6 +15,7 @@
|
|||
boot.mode = "bios";
|
||||
|
||||
users.groups.acme.members = ["nginx"];
|
||||
wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
|
||||
services.nginx.enable = true;
|
||||
services.nginx.recommendedSetup = true;
|
||||
|
||||
|
|
@ -24,7 +25,7 @@
|
|||
};
|
||||
|
||||
# Connect safely via wireguard to skip authentication
|
||||
networking.hosts.${config.meta.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
|
||||
networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
|
||||
meta.telegraf = {
|
||||
enable = true;
|
||||
scrapeSensors = false;
|
||||
|
|
|
|||
|
|
@ -34,23 +34,12 @@
|
|||
};
|
||||
};
|
||||
|
||||
networking.nftables.firewall = {
|
||||
zones = {
|
||||
untrusted.interfaces = ["wan"];
|
||||
proxy-sentinel.interfaces = ["proxy-sentinel"];
|
||||
};
|
||||
# Allow accessing nginx through the proxy
|
||||
rules.proxy-sentinel-to-local = {
|
||||
from = ["proxy-sentinel"];
|
||||
to = ["local"];
|
||||
allowedTCPPorts = [80 443];
|
||||
};
|
||||
};
|
||||
networking.nftables.firewall.zones.untrusted.interfaces = ["wan"];
|
||||
|
||||
meta.wireguard.proxy-sentinel.server = {
|
||||
wireguard.proxy-sentinel.server = {
|
||||
host = config.networking.fqdn;
|
||||
port = 51443;
|
||||
reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
|
||||
openFirewallRules = ["untrusted-to-local"];
|
||||
openFirewall = true;
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@
|
|||
};
|
||||
|
||||
# Connect safely via wireguard to skip authentication
|
||||
networking.hosts.${nodes.sentinel.config.meta.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
meta.telegraf = {
|
||||
enable = true;
|
||||
influxdb2 = {
|
||||
|
|
|
|||
|
|
@ -6,14 +6,13 @@
|
|||
}: let
|
||||
sentinelCfg = nodes.sentinel.config;
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel = {};
|
||||
meta.promtail = {
|
||||
enable = true;
|
||||
proxy = "sentinel";
|
||||
};
|
||||
|
||||
# Connect safely via wireguard to skip http authentication
|
||||
networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
|
||||
enable = true;
|
||||
scrapeSensors = false;
|
||||
|
|
|
|||
|
|
@ -6,7 +6,10 @@
|
|||
sentinelCfg = nodes.sentinel.config;
|
||||
grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
|
||||
};
|
||||
|
||||
age.secrets.grafana-secret-key = {
|
||||
rekeyFile = config.node.secretsDir + "/grafana-secret-key.age";
|
||||
|
|
@ -58,7 +61,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.grafana = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
|
||||
extraConfig = ''
|
||||
zone grafana 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -165,7 +165,10 @@ in {
|
|||
'';
|
||||
};
|
||||
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [2283];
|
||||
};
|
||||
networking.nftables.chains.forward.into-immich-container = {
|
||||
after = ["conntrack"];
|
||||
rules = [
|
||||
|
|
@ -179,7 +182,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.immich = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:2283" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = {};
|
||||
extraConfig = ''
|
||||
zone immich 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -9,14 +9,17 @@
|
|||
influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
|
||||
influxdbPort = 8086;
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [influxdbPort];
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.influxdb = influxdbDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.influxdb = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};
|
||||
extraConfig = ''
|
||||
zone influxdb 64k;
|
||||
keepalive 2;
|
||||
|
|
@ -25,7 +28,7 @@ in {
|
|||
virtualHosts.${influxdbDomain} = let
|
||||
accessRules = ''
|
||||
satisfy any;
|
||||
${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.meta.wireguard.proxy-sentinel.server.reservedAddresses}
|
||||
${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
|
||||
deny all;
|
||||
'';
|
||||
in {
|
||||
|
|
|
|||
|
|
@ -6,7 +6,10 @@
|
|||
sentinelCfg = nodes.sentinel.config;
|
||||
lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.loki = lokiDomain;
|
||||
|
|
@ -19,7 +22,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.loki = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {};
|
||||
extraConfig = ''
|
||||
zone loki 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.paperless = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
|
||||
extraConfig = ''
|
||||
zone paperless 64k;
|
||||
keepalive 2;
|
||||
|
|
@ -38,9 +38,10 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
||||
config.services.paperless.port
|
||||
];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.paperless.port];
|
||||
};
|
||||
|
||||
age.secrets.paperless-admin-password = {
|
||||
generator.script = "alnum";
|
||||
|
|
@ -74,7 +75,7 @@ in {
|
|||
PAPERLESS_URL = "https://${paperlessDomain}";
|
||||
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
|
||||
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
|
||||
PAPERLESS_TRUSTED_PROXIES = sentinelCfg.meta.wireguard.proxy-sentinel.ipv4;
|
||||
PAPERLESS_TRUSTED_PROXIES = sentinelCfg.wireguard.proxy-sentinel.ipv4;
|
||||
|
||||
# Authentication via kanidm
|
||||
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
|
||||
|
|
|
|||
|
|
@ -64,5 +64,5 @@
|
|||
};
|
||||
|
||||
# Allow accessing influx
|
||||
meta.wireguard.proxy-sentinel.client.via = "sentinel";
|
||||
wireguard.proxy-sentinel.client.via = "sentinel";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@
|
|||
};
|
||||
|
||||
# Connect safely via wireguard to skip authentication
|
||||
networking.hosts.${nodes.sentinel.config.meta.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb];
|
||||
meta.telegraf = {
|
||||
enable = true;
|
||||
influxdb2 = {
|
||||
|
|
|
|||
|
|
@ -7,14 +7,17 @@
|
|||
}: let
|
||||
adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.adguard = adguardhomeDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.adguardhome = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {};
|
||||
extraConfig = ''
|
||||
zone adguardhome 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -6,14 +6,13 @@
|
|||
}: let
|
||||
sentinelCfg = nodes.sentinel.config;
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel = {};
|
||||
meta.promtail = {
|
||||
enable = true;
|
||||
proxy = "sentinel";
|
||||
};
|
||||
|
||||
# Connect safely via wireguard to skip http authentication
|
||||
networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
|
||||
enable = true;
|
||||
scrapeSensors = false;
|
||||
|
|
|
|||
|
|
@ -8,9 +8,10 @@
|
|||
sentinelCfg = nodes.sentinel.config;
|
||||
forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
||||
config.services.forgejo.settings.server.HTTP_PORT
|
||||
];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.forgejo.settings.server.HTTP_PORT];
|
||||
};
|
||||
|
||||
age.secrets.forgejo-mailer-password = {
|
||||
rekeyFile = config.node.secretsDir + "/forgejo-mailer-password.age";
|
||||
|
|
@ -37,22 +38,22 @@ in {
|
|||
postrouting.to-forgejo = {
|
||||
after = ["hook"];
|
||||
rules = [
|
||||
"iifname wan ip daddr ${config.meta.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
|
||||
"iifname wan ip6 daddr ${config.meta.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
|
||||
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
|
||||
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
|
||||
];
|
||||
};
|
||||
prerouting.to-forgejo = {
|
||||
after = ["hook"];
|
||||
rules = [
|
||||
"iifname wan tcp dport 9922 dnat ip to ${config.meta.wireguard.proxy-sentinel.ipv4}:22"
|
||||
"iifname wan tcp dport 9922 dnat ip6 to ${config.meta.wireguard.proxy-sentinel.ipv6}:22"
|
||||
"iifname wan tcp dport 9922 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}:22"
|
||||
"iifname wan tcp dport 9922 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}:22"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx = {
|
||||
upstreams.forgejo = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = {};
|
||||
extraConfig = ''
|
||||
zone forgejo 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,10 @@
|
|||
group = "kanidm";
|
||||
};
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [kanidmPort];
|
||||
};
|
||||
|
||||
age.secrets."kanidm-self-signed.crt" = {
|
||||
rekeyFile = config.node.secretsDir + "/kanidm-self-signed.crt.age";
|
||||
|
|
@ -42,7 +45,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.kanidm = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
|
||||
extraConfig = ''
|
||||
zone kanidm 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -1,16 +1,17 @@
|
|||
{config, ...}: let
|
||||
radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
||||
8000
|
||||
];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [8000];
|
||||
};
|
||||
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.radicale = radicaleDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.radicale = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:8000" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = {};
|
||||
extraConfig = ''
|
||||
zone radicale 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -5,9 +5,10 @@
|
|||
}: let
|
||||
vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
|
||||
config.services.vaultwarden.config.rocketPort
|
||||
];
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.vaultwarden.config.rocketPort];
|
||||
};
|
||||
|
||||
age.secrets.vaultwarden-env = {
|
||||
rekeyFile = config.node.secretsDir + "/vaultwarden-env.age";
|
||||
|
|
@ -29,7 +30,7 @@ in {
|
|||
|
||||
services.nginx = {
|
||||
upstreams.vaultwarden = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};
|
||||
extraConfig = ''
|
||||
zone vaultwarden 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
|
|
@ -114,5 +114,5 @@ in {
|
|||
};
|
||||
|
||||
# Allow accessing influx
|
||||
meta.wireguard.proxy-sentinel.client.via = "sentinel";
|
||||
wireguard.proxy-sentinel.client.via = "sentinel";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -37,14 +37,13 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
meta.wireguard-proxy.sentinel = {};
|
||||
meta.promtail = {
|
||||
enable = true;
|
||||
proxy = "sentinel";
|
||||
};
|
||||
|
||||
# Connect safely via wireguard to skip http authentication
|
||||
networking.hosts.${sentinelCfg.meta.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
meta.telegraf = {
|
||||
enable = true;
|
||||
influxdb2 = {
|
||||
|
|
|
|||
|
|
@ -7,8 +7,6 @@
|
|||
sentinelCfg = nodes.sentinel.config;
|
||||
homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}";
|
||||
in {
|
||||
meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = config.services.home-assistant.configDir;
|
||||
|
|
@ -145,7 +143,7 @@ in {
|
|||
nodes.sentinel = {
|
||||
services.nginx = {
|
||||
upstreams."zackbiene" = {
|
||||
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:80" = {};
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};
|
||||
extraConfig = ''
|
||||
zone zackbiene 64k;
|
||||
keepalive 2;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue