
refactor: adjust wireguard accessors to use globals

This commit is contained in:
oddlama 2025-09-13 21:14:50 +02:00
parent 157c303f38
commit b885d1062b
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
28 changed files with 169 additions and 133 deletions


@ -66,7 +66,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.open-webui = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.open-webui.port}" =
{ };
extraConfig = ''
zone open-webui 64k;
keepalive 2;
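Review bot: The upstream key `servers."${ globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4 }:${toString config.services.open-webui.port}"` now spreads one interpolation across three lines inside an attribute name, which is the hardest place to read a nested lookup like this. Binding the address once in the file's `let` block, e.g. `proxySentinelIp = globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4;`, and writing `servers."${proxySentinelIp}:${toString config.services.open-webui.port}" = { };` keeps the key on one line and gives the double lookup a name. The same multi-line key appears in the grafana, influxdb, loki, minecraft and paperless sections of this commit. This file's `let` block is outside the hunk, so I cannot tell whether such a binding already exists.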


@ -2,13 +2,8 @@
config,
globals,
lib,
nodes,
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{
meta.promtail = {
enable = true;
@ -17,11 +12,12 @@ in
# Connect safely via wireguard to skip http authentication
networking.hosts.${
if config.wireguard ? proxy-home then
wardWebProxyCfg.wireguard.proxy-home.ipv4
if globals.wireguard ? proxy-home then
globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
else
sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [ globals.services.influxdb.domain ];
globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
} =
[ globals.services.influxdb.domain ];
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true;
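Review bot: The condition `if globals.wireguard ? proxy-home then` on the new side no longer tests what the removed `config.wireguard ? proxy-home` did: the old check asked whether this node participates in the proxy-home network, the new one only asks whether that network is defined in globals, which appears to be true on every node. A node that is not a proxy-home peer would then map `globals.services.influxdb.domain` to ward-web-proxy's proxy-home address, which it has no route to, instead of sentinel's proxy-sentinel address, and the comment above says this hosts entry is what lets the node reach influxdb over wireguard without http authentication. Suggested: `if globals.wireguard.proxy-home.hosts ? ${config.node.name} then`, assuming `hosts` is keyed by node name as the other hunks in this commit use it. The enclosing `meta.promtail` block starts outside the hunk.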


@ -43,30 +43,30 @@ let
};
};
virtualHosts =
{
${enteApiDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://museum";
extraConfig = ''
client_max_body_size 4M;
${nginxExtraConfig}
'';
};
${s3Domain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://minio";
extraConfig = ''
client_max_body_size 32M;
proxy_buffering off;
proxy_request_buffering off;
${nginxExtraConfig}
'';
};
}
// lib.genAttrs
virtualHosts = {
${enteApiDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://museum";
extraConfig = ''
client_max_body_size 4M;
${nginxExtraConfig}
'';
};
${s3Domain} = {
forceSSL = true;
useACMEWildcardHost = true;
locations."/".proxyPass = "http://minio";
extraConfig = ''
client_max_body_size 32M;
proxy_buffering off;
proxy_request_buffering off;
${nginxExtraConfig}
'';
};
}
//
lib.genAttrs
[
enteAccountsDomain
enteAlbumsDomain
@ -244,13 +244,17 @@ in
};
# NOTE: services.ente.web is configured separately on both proxy servers!
nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 "";
nodes.ward-web-proxy.services.nginx = proxyConfig config.wireguard.proxy-home.ipv4 ''
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
nodes.sentinel.services.nginx =
proxyConfig globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
"";
nodes.ward-web-proxy.services.nginx =
proxyConfig globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
''
allow ${globals.net.home-lan.vlans.home.cidrv4};
allow ${globals.net.home-lan.vlans.home.cidrv6};
# Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
}


@ -6,7 +6,6 @@
...
}:
let
wardWebProxyCfg = nodes.ward-web-proxy.config;
grafanaDomain = "grafana.${globals.domains.me}";
in
{
@ -88,7 +87,9 @@ in
services.nginx = {
upstreams.grafana = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.grafana.settings.server.http_port}" =
{ };
extraConfig = ''
zone grafana 64k;
@ -113,7 +114,9 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.grafana = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" =
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.grafana.settings.server.http_port}" =
{ };
extraConfig = ''
zone grafana 64k;
@ -152,7 +155,7 @@ in
}
];
networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
globals.services.loki.domain
];


@ -218,7 +218,7 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.immich = {
servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = { };
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:2283" = { };
extraConfig = ''
zone immich 64k;
keepalive 2;
@ -250,7 +250,7 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.immich = {
servers."${config.wireguard.proxy-home.ipv4}:2283" = { };
servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:2283" = { };
extraConfig = ''
zone immich 64k;
keepalive 2;


@ -2,13 +2,10 @@
config,
globals,
lib,
nodes,
pkgs,
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardCfg = nodes.ward.config;
influxdbDomain = "influxdb.${globals.domains.me}";
influxdbPort = 8086;
in
@ -55,7 +52,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.influxdb = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString influxdbPort}" =
{ };
extraConfig = ''
zone influxdb 64k;
keepalive 2;
@ -68,9 +68,8 @@ in
virtualHosts.${influxdbDomain} =
let
accessRules = ''
${lib.concatMapStrings (
cidr: "allow ${cidr};\n"
) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
allow ${globals.wireguard.proxy-sentinel.cidrv4};
allow ${globals.wireguard.proxy-sentinel.cidrv6};
deny all;
'';
in
@ -97,7 +96,8 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.influxdb = {
servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = { };
servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:${toString influxdbPort}" =
{ };
extraConfig = ''
zone influxdb 64k;
keepalive 2;
@ -110,7 +110,8 @@ in
virtualHosts.${influxdbDomain} =
let
accessRules = ''
${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses}
allow ${globals.wireguard.proxy-home.cidrv4};
allow ${globals.wireguard.proxy-home.cidrv6};
deny all;
'';
in
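Review bot: The access rules on the new side, `allow ${globals.wireguard.proxy-sentinel.cidrv4};` / `allow ${globals.wireguard.proxy-sentinel.cidrv6};` and the proxy-home pair in the last hunk, replace a list generated from `server.reservedAddresses` with whole-network CIDRs, which is a change to an nginx allow list inside a commit titled as a refactor. If the reserved address ranges were narrower than the network prefixes, the influxdb virtual host now accepts more source addresses than before; if they were identical, a one-line comment such as `# whole wireguard network; equivalent to the former server.reservedAddresses` would make the equivalence reviewable. The `deny all;` fallback is kept in both hunks. The `virtualHosts.${influxdbDomain}` attribute set continues outside the hunk.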


@ -35,7 +35,9 @@ in
services.nginx = {
upstreams.loki = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.loki.configuration.server.http_listen_port}" =
{ };
extraConfig = ''
zone loki 64k;
@ -83,7 +85,9 @@ in
services.nginx = {
upstreams.loki = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" =
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.loki.configuration.server.http_listen_port}" =
{ };
extraConfig = ''
zone loki 64k;


@ -396,26 +396,42 @@ in
postrouting.to-minecraft = {
after = [ "hook" ];
rules = [
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25565 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25565 masquerade random"
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25566 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25566 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 25565 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 25565 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 25566 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 25566 masquerade random"
];
};
prerouting.to-minecraft = {
after = [ "hook" ];
rules = [
"iifname wan tcp dport 25565 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}"
"iifname wan tcp dport 25565 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}"
"iifname wan tcp dport 25566 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}"
"iifname wan tcp dport 25566 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}"
"iifname wan tcp dport 25565 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}"
"iifname wan tcp dport 25565 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}"
"iifname wan tcp dport 25566 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}"
"iifname wan tcp dport 25566 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}"
];
};
};
services.nginx = {
upstreams.minecraft = {
servers."${config.wireguard.proxy-sentinel.ipv4}:80" = { };
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:80" = { };
extraConfig = ''
zone minecraft 64k;
keepalive 2;


@ -7,8 +7,6 @@
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
paperlessDomain = "paperless.${globals.domains.me}";
paperlessBackupDir = "/var/cache/paperless-backup";
in
@ -37,7 +35,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.paperless = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.paperless.port}" =
{ };
extraConfig = ''
zone paperless 64k;
keepalive 2;
@ -65,7 +66,10 @@ in
nodes.ward-web-proxy = {
services.nginx = {
upstreams.paperless = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = { };
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.paperless.port}" =
{ };
extraConfig = ''
zone paperless 64k;
keepalive 2;
@ -129,8 +133,8 @@ in
PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [
sentinelCfg.wireguard.proxy-sentinel.ipv4
wardWebProxyCfg.wireguard.proxy-home.ipv4
globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
];
# Authentication via kanidm