diff --git a/flake/hosts.nix b/flake/hosts.nix index 896b804..6a85d10 100644 --- a/flake/hosts.nix +++ b/flake/hosts.nix @@ -84,12 +84,5 @@ nodes = config.nixosConfigurations // config.guestConfigs; # Add a shorthand to easily target toplevel derivations "@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes; - - # Pre-evaluate the wireguard network information to avoid recalculating it - # for every host and every location it is used. - wireguardEvalCache = config.pkgs.x86_64-linux.lib.wireguard.createEvalCache inputs [ - "proxy-sentinel" - "proxy-home" - ]; }; } diff --git a/globals.nix b/globals.nix index 5c321a3..32667a7 100644 --- a/globals.nix +++ b/globals.nix @@ -21,6 +21,9 @@ in ]; globals = { + wireguard = { + }; + net = { home-wan = { cidrv4 = "192.168.178.0/24"; diff --git a/hosts/envoy/default.nix b/hosts/envoy/default.nix index d3e1358..3ba7849 100644 --- a/hosts/envoy/default.nix +++ b/hosts/envoy/default.nix @@ -1,6 +1,5 @@ { globals, - nodes, ... }: { @@ -29,7 +28,7 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [ + networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [ globals.services.influxdb.domain ]; meta.telegraf = { diff --git a/hosts/kroma/default.nix b/hosts/kroma/default.nix index da8e2f8..7530581 100644 --- a/hosts/kroma/default.nix +++ b/hosts/kroma/default.nix @@ -76,7 +76,7 @@ #}; ## Connect safely via wireguard to skip authentication - #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain]; + #networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [globals.services.influxdb.domain]; #meta.telegraf = { # enable = true; # influxdb2 = { diff --git a/hosts/sausebiene/default.nix b/hosts/sausebiene/default.nix index 706cea6..9bae3be 100644 --- a/hosts/sausebiene/default.nix +++ b/hosts/sausebiene/default.nix 
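Review bot: The new `wireguard = { };` root in globals.nix is what every host in this commit now reads peer addresses, ports and CIDRs from, yet it has no comment saying who fills it in or which shape consumers may rely on. I'd put above it: `# WireGuard overlay networks keyed by name; the node hosting a network sets host/port/cidrv4/cidrv6 in hosts/*/net.nix, consumers read <net>.hosts.<node>.{ipv4,ipv6}.` The population of `hosts.<node>` is not visible anywhere in this diff (presumably the wireguard module writes it), so that half of the comment should be checked against the module before landing.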
@@ -1,7 +1,6 @@ { globals, inputs, - nodes, pkgs, lib, ... @@ -63,7 +62,7 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [ + networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [ globals.services.influxdb.domain ]; meta.telegraf = { diff --git a/hosts/sausebiene/esphome.nix b/hosts/sausebiene/esphome.nix index 422ee98..81a74e1 100644 --- a/hosts/sausebiene/esphome.nix +++ b/hosts/sausebiene/esphome.nix @@ -35,7 +35,10 @@ in nodes.ward-web-proxy = { services.nginx = { upstreams."esphome" = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.esphome.port}" = { }; + servers."${ + globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + }:${toString config.services.esphome.port}" = + { }; extraConfig = '' zone esphome 64k; keepalive 2; diff --git a/hosts/sausebiene/home-assistant.nix b/hosts/sausebiene/home-assistant.nix index edfdf30..d980f19 100644 --- a/hosts/sausebiene/home-assistant.nix +++ b/hosts/sausebiene/home-assistant.nix @@ -2,7 +2,6 @@ config, globals, lib, - nodes, pkgs, ... }: @@ -89,7 +88,7 @@ in server_host = [ "0.0.0.0" ]; server_port = 8123; use_x_forwarded_for = true; - trusted_proxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ]; + trusted_proxies = [ globals.wireguard.proxy-home.hosts.nodes.ward-web-proxy.ipv4 ]; }; zha.zigpy_config.source_routing = true; 
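Review bot: The new `trusted_proxies` entry in home-assistant.nix reads `globals.wireguard.proxy-home.hosts.nodes.ward-web-proxy.ipv4`, which has a stray `nodes.` segment that every other consumer in this commit omits, including the `networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4}` key in the same file. Unless the globals option makes `hosts.nodes` a valid alias, evaluation fails on the missing attribute, and this is the value that decides which peer may set `X-Forwarded-For` under `use_x_forwarded_for = true`, so it deserves to be right. Change it to `trusted_proxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];`. The enclosing `http` attribute set starts outside the hunk.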
@@ -210,14 +209,16 @@ in fritzboxDomain ]; - networking.hosts.${nodes.ward-adguardhome.config.wireguard.proxy-home.ipv4} = [ + networking.hosts.${globals.wireguard.proxy-home.hosts.ward-adguardhome.ipv4} = [ "adguardhome.internal" ]; nodes.ward-web-proxy = { services.nginx = { upstreams."home-assistant" = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" = + servers."${ + globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + }:${toString config.services.home-assistant.config.http.server_port}" = { }; extraConfig = '' zone home-assistant 64k; diff --git a/hosts/sentinel/default.nix b/hosts/sentinel/default.nix index 6e9f76f..7f75a8f 100644 --- a/hosts/sentinel/default.nix +++ b/hosts/sentinel/default.nix @@ -40,7 +40,9 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [ globals.services.influxdb.domain ]; + networking.hosts.${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4} = [ + globals.services.influxdb.domain + ]; meta.telegraf = { enable = true; scrapeSensors = false; diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix index 73e53a6..ef3de56 100644 --- a/hosts/sentinel/net.nix +++ b/hosts/sentinel/net.nix @@ -53,13 +53,11 @@ in rules = [ "ct status dnat accept" ]; }; - wireguard.proxy-sentinel.server = { + globals.wireguard.proxy-sentinel = { host = config.networking.fqdn; port = 51443; - reservedAddresses = [ - "10.43.0.0/24" - "fd00:43::/120" - ]; + cidrv4 = "10.43.0.0/24"; + cidrv6 = "fd00:43::/120"; openFirewall = true; }; } diff --git a/hosts/sire/default.nix b/hosts/sire/default.nix index 6287694..18a92fe 100644 --- a/hosts/sire/default.nix +++ b/hosts/sire/default.nix 
@@ -42,7 +42,7 @@ }; # Connect safely via wireguard to skip authentication - networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [ + networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [ globals.services.influxdb.domain ]; meta.telegraf = { diff --git a/hosts/sire/guests/ai.nix b/hosts/sire/guests/ai.nix index dfcf083..45e9c18 100644 --- a/hosts/sire/guests/ai.nix +++ b/hosts/sire/guests/ai.nix @@ -66,7 +66,10 @@ in nodes.sentinel = { services.nginx = { upstreams.open-webui = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = { }; + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.open-webui.port}" = + { }; extraConfig = '' zone open-webui 64k; keepalive 2; diff --git a/hosts/sire/guests/common.nix b/hosts/sire/guests/common.nix index 323491a..35b4e9d 100644 --- a/hosts/sire/guests/common.nix +++ b/hosts/sire/guests/common.nix @@ -2,13 +2,8 @@ config, globals, lib, - nodes, ... }: -let - sentinelCfg = nodes.sentinel.config; - wardWebProxyCfg = nodes.ward-web-proxy.config; -in { meta.promtail = { enable = true; @@ -17,11 +12,12 @@ in # Connect safely via wireguard to skip http authentication networking.hosts.${ - if config.wireguard ? proxy-home then - wardWebProxyCfg.wireguard.proxy-home.ipv4 + if globals.wireguard ? proxy-home then + globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 else - sentinelCfg.wireguard.proxy-sentinel.ipv4 - } = [ globals.services.influxdb.domain ]; + globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4 + } = + [ globals.services.influxdb.domain ]; meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; diff --git a/hosts/sire/guests/ente.nix b/hosts/sire/guests/ente.nix index 52796fd..5c9e0de 100644 --- a/hosts/sire/guests/ente.nix +++ b/hosts/sire/guests/ente.nix 
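Review bot: In sire/guests/common.nix the selector `if globals.wireguard ? proxy-home then` no longer asks whether this guest is a member of the proxy-home network, which is what the replaced `config.wireguard ? proxy-home` asked; once ward/net.nix defines `globals.wireguard.proxy-home` the test is true on every guest, so a guest that only joins proxy-sentinel will have the influxdb domain pinned to ward-web-proxy's proxy-home address instead of sentinel's. That `networking.hosts` override exists to force metrics through the tunnel where authentication is skipped, so aiming a non-member at an address it has no tunnel to breaks telegraf shipping rather than merely changing a route. Test this node's membership instead: `if globals.wireguard.proxy-home.hosts ? ${config.node.name} then`. That `hosts` is keyed by node name is inferred from the `hosts.${config.node.name}.ipv4` lookups elsewhere in the commit and should be confirmed against the globals option.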
@@ -43,30 +43,30 @@ let }; }; - virtualHosts = - { - ${enteApiDomain} = { - forceSSL = true; - useACMEWildcardHost = true; - locations."/".proxyPass = "http://museum"; - extraConfig = '' - client_max_body_size 4M; - ${nginxExtraConfig} - ''; - }; - ${s3Domain} = { - forceSSL = true; - useACMEWildcardHost = true; - locations."/".proxyPass = "http://minio"; - extraConfig = '' - client_max_body_size 32M; - proxy_buffering off; - proxy_request_buffering off; - ${nginxExtraConfig} - ''; - }; - } - // lib.genAttrs + virtualHosts = { + ${enteApiDomain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/".proxyPass = "http://museum"; + extraConfig = '' + client_max_body_size 4M; + ${nginxExtraConfig} + ''; + }; + ${s3Domain} = { + forceSSL = true; + useACMEWildcardHost = true; + locations."/".proxyPass = "http://minio"; + extraConfig = '' + client_max_body_size 32M; + proxy_buffering off; + proxy_request_buffering off; + ${nginxExtraConfig} + ''; + }; + } + // + lib.genAttrs [ enteAccountsDomain enteAlbumsDomain 
@@ -244,13 +244,17 @@ in }; # NOTE: services.ente.web is configured separately on both proxy servers! - nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 ""; - nodes.ward-web-proxy.services.nginx = proxyConfig config.wireguard.proxy-home.ipv4 '' - allow ${globals.net.home-lan.vlans.home.cidrv4}; - allow ${globals.net.home-lan.vlans.home.cidrv6}; - # Firezone traffic - allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4}; - allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6}; - deny all; - ''; + nodes.sentinel.services.nginx = + proxyConfig globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + ""; + nodes.ward-web-proxy.services.nginx = + proxyConfig globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + '' + allow ${globals.net.home-lan.vlans.home.cidrv4}; + allow ${globals.net.home-lan.vlans.home.cidrv6}; + # Firezone traffic + allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4}; + allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6}; + deny all; + ''; } diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index 91a0cc7..ef2febd 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -6,7 +6,6 @@ ... }: let - wardWebProxyCfg = nodes.ward-web-proxy.config; grafanaDomain = "grafana.${globals.domains.me}"; in { @@ -88,7 +87,9 @@ in services.nginx = { upstreams.grafana = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.grafana.settings.server.http_port}" = { }; extraConfig = '' zone grafana 64k; 
@@ -113,7 +114,9 @@ in nodes.ward-web-proxy = { services.nginx = { upstreams.grafana = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" = + servers."${ + globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + }:${toString config.services.grafana.settings.server.http_port}" = { }; extraConfig = '' zone grafana 64k; @@ -152,7 +155,7 @@ in } ]; - networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ + networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [ globals.services.influxdb.domain # technically a duplicate (see ./common.nix)... globals.services.loki.domain ]; diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix index c0436f2..e2f64de 100644 --- a/hosts/sire/guests/immich.nix +++ b/hosts/sire/guests/immich.nix @@ -218,7 +218,7 @@ in nodes.sentinel = { services.nginx = { upstreams.immich = { - servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = { }; + servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:2283" = { }; extraConfig = '' zone immich 64k; keepalive 2; @@ -250,7 +250,7 @@ in nodes.ward-web-proxy = { services.nginx = { upstreams.immich = { - servers."${config.wireguard.proxy-home.ipv4}:2283" = { }; + servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:2283" = { }; extraConfig = '' zone immich 64k; keepalive 2; diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix index 6115dfd..cfa984b 100644 --- a/hosts/sire/guests/influxdb.nix +++ b/hosts/sire/guests/influxdb.nix @@ -2,13 +2,10 @@ config, globals, lib, - nodes, pkgs, ... }: let - sentinelCfg = nodes.sentinel.config; - wardCfg = nodes.ward.config; influxdbDomain = "influxdb.${globals.domains.me}"; influxdbPort = 8086; in 
@@ -55,7 +52,10 @@ in nodes.sentinel = { services.nginx = { upstreams.influxdb = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = { }; + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString influxdbPort}" = + { }; extraConfig = '' zone influxdb 64k; keepalive 2; @@ -68,9 +68,8 @@ in virtualHosts.${influxdbDomain} = let accessRules = '' - ${lib.concatMapStrings ( - cidr: "allow ${cidr};\n" - ) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses} + allow ${globals.wireguard.proxy-sentinel.cidrv4}; + allow ${globals.wireguard.proxy-sentinel.cidrv6}; deny all; ''; in @@ -97,7 +96,8 @@ in nodes.ward-web-proxy = { services.nginx = { upstreams.influxdb = { - servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = { }; + servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:${toString influxdbPort}" = + { }; extraConfig = '' zone influxdb 64k; keepalive 2; @@ -110,7 +110,8 @@ in virtualHosts.${influxdbDomain} = let accessRules = '' - ${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} + allow ${globals.wireguard.proxy-home.cidrv4}; + allow ${globals.wireguard.proxy-home.cidrv6}; deny all; ''; in diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix index 9925626..8762fd2 100644 --- a/hosts/sire/guests/loki.nix +++ b/hosts/sire/guests/loki.nix @@ -35,7 +35,9 @@ in services.nginx = { upstreams.loki = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.loki.configuration.server.http_listen_port}" = { }; extraConfig = '' zone loki 64k; 
@@ -83,7 +85,9 @@ in services.nginx = { upstreams.loki = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = + servers."${ + globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + }:${toString config.services.loki.configuration.server.http_listen_port}" = { }; extraConfig = '' zone loki 64k; diff --git a/hosts/sire/guests/minecraft.nix b/hosts/sire/guests/minecraft.nix index d53b0d9..13088e4 100644 --- a/hosts/sire/guests/minecraft.nix +++ b/hosts/sire/guests/minecraft.nix 
@@ -396,26 +396,42 @@ in postrouting.to-minecraft = { after = [ "hook" ]; rules = [ - "iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25565 masquerade random" - "iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25565 masquerade random" - "iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25566 masquerade random" - "iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25566 masquerade random" + "iifname wan ip daddr ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + } tcp dport 25565 masquerade random" + "iifname wan ip6 daddr ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6 + } tcp dport 25565 masquerade random" + "iifname wan ip daddr ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + } tcp dport 25566 masquerade random" + "iifname wan ip6 daddr ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6 + } tcp dport 25566 masquerade random" ]; }; prerouting.to-minecraft = { after = [ "hook" ]; rules = [ - "iifname wan tcp dport 25565 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}" - "iifname wan tcp dport 25565 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}" - "iifname wan tcp dport 25566 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}" - "iifname wan tcp dport 25566 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}" + "iifname wan tcp dport 25565 dnat ip to ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }" + "iifname wan tcp dport 25565 dnat ip6 to ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6 + }" + "iifname wan tcp dport 25566 dnat ip to ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }" + "iifname wan tcp dport 25566 dnat ip6 to ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6 + }" ]; }; }; services.nginx = { upstreams.minecraft = { - servers."${config.wireguard.proxy-sentinel.ipv4}:80" = { }; + 
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:80" = { }; extraConfig = '' zone minecraft 64k; keepalive 2; diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix index 1908e81..4b057c9 100644 --- a/hosts/sire/guests/paperless.nix +++ b/hosts/sire/guests/paperless.nix @@ -7,8 +7,6 @@ ... }: let - sentinelCfg = nodes.sentinel.config; - wardWebProxyCfg = nodes.ward-web-proxy.config; paperlessDomain = "paperless.${globals.domains.me}"; paperlessBackupDir = "/var/cache/paperless-backup"; in @@ -37,7 +35,10 @@ in nodes.sentinel = { services.nginx = { upstreams.paperless = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = { }; + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.paperless.port}" = + { }; extraConfig = '' zone paperless 64k; keepalive 2; @@ -65,7 +66,10 @@ in nodes.ward-web-proxy = { services.nginx = { upstreams.paperless = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = { }; + servers."${ + globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + }:${toString config.services.paperless.port}" = + { }; extraConfig = '' zone paperless 64k; keepalive 2; @@ -129,8 +133,8 @@ in PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [ - sentinelCfg.wireguard.proxy-sentinel.ipv4 - wardWebProxyCfg.wireguard.proxy-home.ipv4 + globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 + globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4 ]; # Authentication via kanidm diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 0a08a1f..6c92b2b 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix 
@@ -67,7 +67,7 @@ in }; # Connect safely via wireguard to skip authentication - networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [ + networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [ globals.services.influxdb.domain ]; meta.telegraf = { diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix index 7f2816a..555b1bd 100644 --- a/hosts/ward/guests/adguardhome.nix +++ b/hosts/ward/guests/adguardhome.nix @@ -29,7 +29,9 @@ in nodes.sentinel = { services.nginx = { upstreams.adguardhome = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.adguardhome.port}" = { }; extraConfig = '' zone adguardhome 64k; diff --git a/hosts/ward/guests/common.nix b/hosts/ward/guests/common.nix index 323491a..35b4e9d 100644 --- a/hosts/ward/guests/common.nix +++ b/hosts/ward/guests/common.nix @@ -2,13 +2,8 @@ config, globals, lib, - nodes, ... }: -let - sentinelCfg = nodes.sentinel.config; - wardWebProxyCfg = nodes.ward-web-proxy.config; -in { meta.promtail = { enable = true; @@ -17,11 +12,12 @@ in # Connect safely via wireguard to skip http authentication networking.hosts.${ - if config.wireguard ? proxy-home then - wardWebProxyCfg.wireguard.proxy-home.ipv4 + if globals.wireguard ? proxy-home then + globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 else - sentinelCfg.wireguard.proxy-sentinel.ipv4 - } = [ globals.services.influxdb.domain ]; + globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4 + } = + [ globals.services.influxdb.domain ]; meta.telegraf = lib.mkIf (!config.boot.isContainer) { enable = true; diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix index 2dac6cf..cfbad53 100644 --- a/hosts/ward/guests/forgejo.nix +++ b/hosts/ward/guests/forgejo.nix 
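Review bot: In ward/guests/common.nix the selector `if globals.wireguard ? proxy-home then` has changed meaning: the old `config.wireguard ? proxy-home` was per-host membership, whereas the new test is true on every guest as soon as ward/net.nix defines `globals.wireguard.proxy-home`, so a ward guest that only joins proxy-sentinel (adguardhome, forgejo, kanidm and vaultwarden all publish upstreams through sentinel in this commit) gets the influxdb domain pinned to ward-web-proxy's proxy-home address. Because that host entry is what routes metrics into the tunnel where http authentication is skipped, a non-member ends up with an unreachable address rather than the sentinel fallback. Use `if globals.wireguard.proxy-home.hosts ? ${config.node.name} then`, assuming `hosts` is keyed by node name as the `hosts.${config.node.name}.ipv4` lookups elsewhere suggest.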
@@ -42,22 +42,32 @@ in postrouting.to-forgejo = { after = [ "hook" ]; rules = [ - "iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random" - "iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random" + "iifname wan ip daddr ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + } tcp dport 22 masquerade random" + "iifname wan ip6 daddr ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6 + } tcp dport 22 masquerade random" ]; }; prerouting.to-forgejo = { after = [ "hook" ]; rules = [ - "iifname wan tcp dport 9922 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}:22" - "iifname wan tcp dport 9922 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}:22" + "iifname wan tcp dport 9922 dnat ip to ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:22" + "iifname wan tcp dport 9922 dnat ip6 to ${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6 + }:22" ]; }; }; services.nginx = { upstreams.forgejo = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.forgejo.settings.server.HTTP_PORT}" = { }; extraConfig = '' zone forgejo 64k; diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index b657913..80c011a 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -54,7 +54,10 @@ in nodes.sentinel = { services.nginx = { upstreams.kanidm = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = { }; + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString kanidmPort}" = + { }; extraConfig = '' zone kanidm 64k; keepalive 2; diff --git a/hosts/ward/guests/mealie.nix b/hosts/ward/guests/mealie.nix index 8db50a8..ce92411 100644 --- a/hosts/ward/guests/mealie.nix 
+++ b/hosts/ward/guests/mealie.nix @@ -69,14 +69,17 @@ in OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}"; OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}"; }; - trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ]; + trustedProxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ]; credentialsFile = config.age.secrets.oauth2-client-secret.path; }; nodes.ward-web-proxy = { services.nginx = { upstreams.mealie = { - servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.mealie.port}" = { }; + servers."${ + globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4 + }:${toString config.services.mealie.port}" = + { }; extraConfig = '' zone mealie 64k; keepalive 2; diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix index 8705740..375428b 100644 --- a/hosts/ward/guests/radicale.nix +++ b/hosts/ward/guests/radicale.nix @@ -22,7 +22,7 @@ in nodes.sentinel = { services.nginx = { upstreams.radicale = { - servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = { }; + servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:8000" = { }; extraConfig = '' zone radicale 64k; keepalive 2; diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix index 25453c6..2a88086 100644 --- a/hosts/ward/guests/vaultwarden.nix +++ b/hosts/ward/guests/vaultwarden.nix @@ -38,7 +38,9 @@ in nodes.sentinel = { services.nginx = { upstreams.vaultwarden = { - servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = + servers."${ + globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 + }:${toString config.services.vaultwarden.config.rocketPort}" = { }; extraConfig = '' zone vaultwarden 64k; diff --git a/hosts/ward/net.nix b/hosts/ward/net.nix index 3bbb087..1a506c0 100644 --- a/hosts/ward/net.nix +++ b/hosts/ward/net.nix 
@@ -261,7 +261,7 @@ services-to-local = { from = [ "vlan-services" ]; to = [ "local" ]; - allowedUDPPorts = [ config.wireguard.proxy-home.server.port ]; + allowedUDPPorts = [ globals.wireguard.proxy-home.port ]; }; # Forward traffic between wireguard participants @@ -331,20 +331,11 @@ }; }; - #wireguard.home.server = { - # host = todo # config.networking.fqdn; - # port = 51192; - # reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"]; - # openFirewall = true; - #}; - - wireguard.proxy-home.server = { + globals.wireguard.proxy-home.server = { host = globals.net.home-lan.vlans.services.hosts.ward.ipv4; port = 51444; - reservedAddresses = [ - globals.net.proxy-home.cidrv4 - globals.net.proxy-home.cidrv6 - ]; + inherit (globals.net.proxy-home) cidrv4; + inherit (globals.net.proxy-home) cidrv6; openFirewall = false; # Explicitly opened only for lan }; }
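Review bot: The server block is written as `globals.wireguard.proxy-home.server = { ... }`, but the firewall hunk in this same file reads `globals.wireguard.proxy-home.port`, the influxdb.nix access rules read `globals.wireguard.proxy-home.cidrv4`/`cidrv6`, and sentinel/net.nix defines its network without the extra level as `globals.wireguard.proxy-sentinel = { ... }`. Unless the globals option declares a `server` sub-attribute that is mirrored upward, these two spellings cannot both be right and the `services-to-local` rule and the influxdb `allow`/`deny all` ACL will fail to evaluate. Drop the extra level: `globals.wireguard.proxy-home = {`. The `services-to-local` zone and the enclosing attribute set start outside the hunk.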