mirrors_public/oddlama_nix-config
1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
Code Activity

refactor: adjust wireguard accessors to use globals

Browse source
This commit is contained in:
oddlama 2025-09-13 21:14:50 +02:00
parent 157c303f38
commit b885d1062b
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
28 changed files with 169 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/ward/default.nix
View file

@ -67,7 +67,7 @@ in
};
# Connect safely via wireguard to skip authentication
networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [
networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = {

4
hosts/ward/guests/adguardhome.nix
View file

@ -29,7 +29,9 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.adguardhome = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.adguardhome.port}" =
{ };
extraConfig = ''
zone adguardhome 64k;

14
hosts/ward/guests/common.nix
View file

@ -2,13 +2,8 @@
config,
globals,
lib,
nodes,
...
}:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{
meta.promtail = {
enable = true;
@ -17,11 +12,12 @@ in
# Connect safely via wireguard to skip http authentication
networking.hosts.${
if config.wireguard ? proxy-home then
wardWebProxyCfg.wireguard.proxy-home.ipv4
if globals.wireguard ? proxy-home then
globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
else
sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [ globals.services.influxdb.domain ];
globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
} =
[ globals.services.influxdb.domain ];
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true;

20
hosts/ward/guests/forgejo.nix
View file

@ -42,22 +42,32 @@ in
postrouting.to-forgejo = {
after = [ "hook" ];
rules = [
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 22 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 22 masquerade random"
];
};
prerouting.to-forgejo = {
after = [ "hook" ];
rules = [
"iifname wan tcp dport 9922 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}:22"
"iifname wan tcp dport 9922 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}:22"
"iifname wan tcp dport 9922 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:22"
"iifname wan tcp dport 9922 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}:22"
];
};
};
services.nginx = {
upstreams.forgejo = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
{ };
extraConfig = ''
zone forgejo 64k;

5
hosts/ward/guests/kanidm.nix
View file

@ -54,7 +54,10 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.kanidm = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = { };
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString kanidmPort}" =
{ };
extraConfig = ''
zone kanidm 64k;
keepalive 2;

7
hosts/ward/guests/mealie.nix
View file

@ -69,14 +69,17 @@ in
OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}";
OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}";
};
trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
trustedProxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];
credentialsFile = config.age.secrets.oauth2-client-secret.path;
};
nodes.ward-web-proxy = {
services.nginx = {
upstreams.mealie = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.mealie.port}" = { };
servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.mealie.port}" =
{ };
extraConfig = ''
zone mealie 64k;
keepalive 2;

2
hosts/ward/guests/radicale.nix
View file

@ -22,7 +22,7 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.radicale = {
servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = { };
servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:8000" = { };
extraConfig = ''
zone radicale 64k;
keepalive 2;

4
hosts/ward/guests/vaultwarden.nix
View file

@ -38,7 +38,9 @@ in
nodes.sentinel = {
services.nginx = {
upstreams.vaultwarden = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" =
servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.vaultwarden.config.rocketPort}" =
{ };
extraConfig = ''
zone vaultwarden 64k;

17
hosts/ward/net.nix
View file

@ -261,7 +261,7 @@
services-to-local = {
from = [ "vlan-services" ];
to = [ "local" ];
allowedUDPPorts = [ config.wireguard.proxy-home.server.port ];
allowedUDPPorts = [ globals.wireguard.proxy-home.port ];
};
# Forward traffic between wireguard participants
@ -331,20 +331,11 @@
};
};
#wireguard.home.server = {
# host = todo # config.networking.fqdn;
# port = 51192;
# reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
# openFirewall = true;
#};
wireguard.proxy-home.server = {
globals.wireguard.proxy-home.server = {
host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
port = 51444;
reservedAddresses = [
globals.net.proxy-home.cidrv4
globals.net.proxy-home.cidrv6
];
inherit (globals.net.proxy-home) cidrv4;
inherit (globals.net.proxy-home) cidrv6;
openFirewall = false; # Explicitly opened only for lan
};
}