
feat: add adguardhome microvm

This commit is contained in:
oddlama 2023-06-21 01:37:25 +02:00
parent 6b81ecd961
commit b545967e7a
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 79 additions and 3 deletions


@ -39,12 +39,11 @@
grafana = defaults; grafana = defaults;
loki = defaults; loki = defaults;
vaultwarden = defaults; vaultwarden = defaults;
adguardhome = defaults;
}; };
#ddclient = defineVm; #ddclient = defineVm;
#kanidm = defineVm;
#gitea/forgejo = defineVm; #gitea/forgejo = defineVm;
#vaultwarden = defineVm;
#samba+wsdd = defineVm; #samba+wsdd = defineVm;
#fasten-health = defineVm; #fasten-health = defineVm;
#immich = defineVm; #immich = defineVm;
@ -52,7 +51,6 @@
#radicale = defineVm; #radicale = defineVm;
#minecraft = defineVm; #minecraft = defineVm;
#firefly #firefly
#adguardhome
#prometheus #prometheus
#influxdb #influxdb


@ -0,0 +1,68 @@
{
config,
lib,
nodes,
utils,
...
}: let
sentinelCfg = nodes.sentinel.config;
adguardDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
networking.nftables.firewall.rules = lib.mkForce {
sentinel-to-local.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
};
nodes.sentinel = {
proxiedDomains.adguard = adguardDomain;
globalConfig = ''
security {
authorization policy mypolicy {
set auth url https://auth.myfiosgateway.com:8443/
allow roles authp/user
crypto key verify {env.JWT_SHARED_KEY}
}
}
'';
services.caddy.virtualHosts.${adguardDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert adguardDomain;
extraConfig = ''
import common
reverse_proxy {
to http://${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}
header_up X-Real-IP {remote_host}
}
'';
};
};
services.adguardhome = {
enable = true;
settings = {
bind_host = config.extra.wireguard.proxy-sentinel.ipv4;
bind_port = 3000;
#dns = {
# edns_client_subnet.enabled = false;
# bind_hosts = [ "127.0.0.1" ];
# bootstrap_dns = [
# "8.8.8.8"
# "8.8.4.4"
# "2001:4860:4860::8888"
# "2001:4860:4860::8844"
# ];
#};
};
};
systemd.services.influxdb.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
}
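Review bot: The ordering dependency on the last line of the new module is attached to `systemd.services.influxdb`, although the module only configures `services.adguardhome`, so the unit that actually binds to `config.extra.wireguard.proxy-sentinel.ipv4` gains no wait on the WireGuard device; presumably the line was carried over from another microvm and should read `systemd.services.adguardhome.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];`. Separately, the `globalConfig` block declares authorization policy `mypolicy` with what look like placeholder values (`auth.myfiosgateway.com:8443`, `{env.JWT_SHARED_KEY}`), but the `adguardDomain` virtual host's `extraConfig` only imports `common` and reverse-proxies, so unless `common` applies it (not visible here) the policy is never attached and the AdGuard Home admin interface is reachable from the internet behind AdGuard's own login only. Either reference the policy from the virtual host (`authorize with mypolicy`) with real values, or drop the block until the auth portal is set up, and add a short comment stating which layer is expected to authenticate admin access.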


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 bh8fwQruEHmdxScw+dcMTWh0glw6YiRNMgjbMdo5OEE
0dj/BAUTL3s3KS5SYKSGoQBlFTVbWJwShKEZCK8JiH8
-> piv-p256 xqSe8Q AvDgcX/5rsg9BeqDFRhk74nA1iDKAb27Nr83IxhYvsDC
incamQkzY1sjpqZyAsiYfPXRo6Wmpy1v+HPwEJ6bxOI
-> QiWG-grease 9Ye .2/ `ao[ 79Qu+e
/XooMMBJ7rlyir1gJg
--- D/V5bteoODs/ogRGHrFVGWblgwpKwdtvL3wG7EaJpf4
ªúÈ•Jö‹æy�㥨œâ8î¸õ/xzLFdÁ·çÊ�«µ(ÈÝ¢±õu‚!ÐIÜ›8‹þzŸŒ“jˆI�­ˆU0`Ëac®1ûó‚Û}‡