
refactor: adjust wireguard accessors to use globals

This commit is contained in:
oddlama 2025-09-13 21:14:50 +02:00
parent 157c303f38
commit b885d1062b
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
28 changed files with 169 additions and 133 deletions


@ -84,12 +84,5 @@
nodes = config.nixosConfigurations // config.guestConfigs; nodes = config.nixosConfigurations // config.guestConfigs;
# Add a shorthand to easily target toplevel derivations # Add a shorthand to easily target toplevel derivations
"@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes; "@" = mapAttrs (_: v: v.config.system.build.toplevel) config.nodes;
# Pre-evaluate the wireguard network information to avoid recalculating it
# for every host and every location it is used.
wireguardEvalCache = config.pkgs.x86_64-linux.lib.wireguard.createEvalCache inputs [
"proxy-sentinel"
"proxy-home"
];
}; };
} }


@ -21,6 +21,9 @@ in
]; ];
globals = { globals = {
wireguard = {
};
net = { net = {
home-wan = { home-wan = {
cidrv4 = "192.168.178.0/24"; cidrv4 = "192.168.178.0/24";


@ -1,6 +1,5 @@
{ {
globals, globals,
nodes,
... ...
}: }:
{ {
@ -29,7 +28,7 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [ networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [
globals.services.influxdb.domain globals.services.influxdb.domain
]; ];
meta.telegraf = { meta.telegraf = {


@ -76,7 +76,7 @@
#}; #};
## Connect safely via wireguard to skip authentication ## Connect safely via wireguard to skip authentication
#networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain]; #networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [globals.services.influxdb.domain];
#meta.telegraf = { #meta.telegraf = {
# enable = true; # enable = true;
# influxdb2 = { # influxdb2 = {


@ -1,7 +1,6 @@
{ {
globals, globals,
inputs, inputs,
nodes,
pkgs, pkgs,
lib, lib,
... ...
@ -63,7 +62,7 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [ networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain globals.services.influxdb.domain
]; ];
meta.telegraf = { meta.telegraf = {


@ -35,7 +35,10 @@ in
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams."esphome" = { upstreams."esphome" = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.esphome.port}" = { }; servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.esphome.port}" =
{ };
extraConfig = '' extraConfig = ''
zone esphome 64k; zone esphome 64k;
keepalive 2; keepalive 2;


@ -2,7 +2,6 @@
config, config,
globals, globals,
lib, lib,
nodes,
pkgs, pkgs,
... ...
}: }:
@ -89,7 +88,7 @@ in
server_host = [ "0.0.0.0" ]; server_host = [ "0.0.0.0" ];
server_port = 8123; server_port = 8123;
use_x_forwarded_for = true; use_x_forwarded_for = true;
trusted_proxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ]; trusted_proxies = [ globals.wireguard.proxy-home.hosts.nodes.ward-web-proxy.ipv4 ];
}; };
zha.zigpy_config.source_routing = true; zha.zigpy_config.source_routing = true;
@ -210,14 +209,16 @@ in
fritzboxDomain fritzboxDomain
]; ];
networking.hosts.${nodes.ward-adguardhome.config.wireguard.proxy-home.ipv4} = [ networking.hosts.${globals.wireguard.proxy-home.hosts.ward-adguardhome.ipv4} = [
"adguardhome.internal" "adguardhome.internal"
]; ];
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams."home-assistant" = { upstreams."home-assistant" = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.home-assistant.config.http.server_port}" = servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.home-assistant.config.http.server_port}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone home-assistant 64k; zone home-assistant 64k;
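Review bot: The new `trusted_proxies` line in the `@ -89,7 +88,7 @@` hunk reads `globals.wireguard.proxy-home.hosts.nodes.ward-web-proxy.ipv4`, which keeps a stray `nodes.` segment that every other accessor in this commit drops (compare `networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4}` in the next hunk of the same file). Unless `hosts` really has a `nodes` attribute, evaluation fails with a missing-attribute error, and since `use_x_forwarded_for = true` relies on this list naming the one legitimate reverse proxy, the line should read `trusted_proxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];`. The enclosing attribute set starts and ends outside the hunk.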


@ -40,7 +40,9 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [ globals.services.influxdb.domain ]; networking.hosts.${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4} = [
globals.services.influxdb.domain
];
meta.telegraf = { meta.telegraf = {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;


@ -53,13 +53,11 @@ in
rules = [ "ct status dnat accept" ]; rules = [ "ct status dnat accept" ];
}; };
wireguard.proxy-sentinel.server = { globals.wireguard.proxy-sentinel = {
host = config.networking.fqdn; host = config.networking.fqdn;
port = 51443; port = 51443;
reservedAddresses = [ cidrv4 = "10.43.0.0/24";
"10.43.0.0/24" cidrv6 = "fd00:43::/120";
"fd00:43::/120"
];
openFirewall = true; openFirewall = true;
}; };
} }


@ -42,7 +42,7 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [ networking.hosts.${globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4} = [
globals.services.influxdb.domain globals.services.influxdb.domain
]; ];
meta.telegraf = { meta.telegraf = {


@ -66,7 +66,10 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.open-webui = { upstreams.open-webui = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.open-webui.port}" = { }; servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.open-webui.port}" =
{ };
extraConfig = '' extraConfig = ''
zone open-webui 64k; zone open-webui 64k;
keepalive 2; keepalive 2;


@ -2,13 +2,8 @@
config, config,
globals, globals,
lib, lib,
nodes,
... ...
}: }:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{ {
meta.promtail = { meta.promtail = {
enable = true; enable = true;
@ -17,11 +12,12 @@ in
# Connect safely via wireguard to skip http authentication # Connect safely via wireguard to skip http authentication
networking.hosts.${ networking.hosts.${
if config.wireguard ? proxy-home then if globals.wireguard ? proxy-home then
wardWebProxyCfg.wireguard.proxy-home.ipv4 globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
else else
sentinelCfg.wireguard.proxy-sentinel.ipv4 globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
} = [ globals.services.influxdb.domain ]; } =
[ globals.services.influxdb.domain ];
meta.telegraf = lib.mkIf (!config.boot.isContainer) { meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true; enable = true;
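Review bot: The condition `if globals.wireguard ? proxy-home then` in the second hunk no longer tests whether this host is a member of the proxy-home network, which is what the old `config.wireguard ? proxy-home` did; it only tests whether the network is declared at all, which presumably holds for every host once ward defines `globals.wireguard.proxy-home` later in this commit. Hosts that join only proxy-sentinel would then map the influxdb domain to the ward-web-proxy address they cannot reach, silently breaking the "connect safely via wireguard" intent. A membership check keeps the old behaviour: `if globals.wireguard.proxy-home.hosts ? ${config.node.name} then`. The same change appears in the later file section with the identical `@ -17,11 +12,12 @@` hunk. The enclosing module body continues outside the hunk.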


@ -43,30 +43,30 @@ let
}; };
}; };
virtualHosts = virtualHosts = {
{ ${enteApiDomain} = {
${enteApiDomain} = { forceSSL = true;
forceSSL = true; useACMEWildcardHost = true;
useACMEWildcardHost = true; locations."/".proxyPass = "http://museum";
locations."/".proxyPass = "http://museum"; extraConfig = ''
extraConfig = '' client_max_body_size 4M;
client_max_body_size 4M; ${nginxExtraConfig}
${nginxExtraConfig} '';
''; };
}; ${s3Domain} = {
${s3Domain} = { forceSSL = true;
forceSSL = true; useACMEWildcardHost = true;
useACMEWildcardHost = true; locations."/".proxyPass = "http://minio";
locations."/".proxyPass = "http://minio"; extraConfig = ''
extraConfig = '' client_max_body_size 32M;
client_max_body_size 32M; proxy_buffering off;
proxy_buffering off; proxy_request_buffering off;
proxy_request_buffering off; ${nginxExtraConfig}
${nginxExtraConfig} '';
''; };
}; }
} //
// lib.genAttrs lib.genAttrs
[ [
enteAccountsDomain enteAccountsDomain
enteAlbumsDomain enteAlbumsDomain
@ -244,13 +244,17 @@ in
}; };
# NOTE: services.ente.web is configured separately on both proxy servers! # NOTE: services.ente.web is configured separately on both proxy servers!
nodes.sentinel.services.nginx = proxyConfig config.wireguard.proxy-sentinel.ipv4 ""; nodes.sentinel.services.nginx =
nodes.ward-web-proxy.services.nginx = proxyConfig config.wireguard.proxy-home.ipv4 '' proxyConfig globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
allow ${globals.net.home-lan.vlans.home.cidrv4}; "";
allow ${globals.net.home-lan.vlans.home.cidrv6}; nodes.ward-web-proxy.services.nginx =
# Firezone traffic proxyConfig globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4}; ''
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6}; allow ${globals.net.home-lan.vlans.home.cidrv4};
deny all; allow ${globals.net.home-lan.vlans.home.cidrv6};
''; # Firezone traffic
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
deny all;
'';
} }


@ -6,7 +6,6 @@
... ...
}: }:
let let
wardWebProxyCfg = nodes.ward-web-proxy.config;
grafanaDomain = "grafana.${globals.domains.me}"; grafanaDomain = "grafana.${globals.domains.me}";
in in
{ {
@ -88,7 +87,9 @@ in
services.nginx = { services.nginx = {
upstreams.grafana = { upstreams.grafana = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.grafana.settings.server.http_port}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone grafana 64k; zone grafana 64k;
@ -113,7 +114,9 @@ in
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams.grafana = { upstreams.grafana = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.grafana.settings.server.http_port}" = servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.grafana.settings.server.http_port}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone grafana 64k; zone grafana 64k;
@ -152,7 +155,7 @@ in
} }
]; ];
networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain # technically a duplicate (see ./common.nix)... globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
globals.services.loki.domain globals.services.loki.domain
]; ];


@ -218,7 +218,7 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.immich = { upstreams.immich = {
servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = { }; servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:2283" = { };
extraConfig = '' extraConfig = ''
zone immich 64k; zone immich 64k;
keepalive 2; keepalive 2;
@ -250,7 +250,7 @@ in
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams.immich = { upstreams.immich = {
servers."${config.wireguard.proxy-home.ipv4}:2283" = { }; servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:2283" = { };
extraConfig = '' extraConfig = ''
zone immich 64k; zone immich 64k;
keepalive 2; keepalive 2;


@ -2,13 +2,10 @@
config, config,
globals, globals,
lib, lib,
nodes,
pkgs, pkgs,
... ...
}: }:
let let
sentinelCfg = nodes.sentinel.config;
wardCfg = nodes.ward.config;
influxdbDomain = "influxdb.${globals.domains.me}"; influxdbDomain = "influxdb.${globals.domains.me}";
influxdbPort = 8086; influxdbPort = 8086;
in in
@ -55,7 +52,10 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.influxdb = { upstreams.influxdb = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = { }; servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString influxdbPort}" =
{ };
extraConfig = '' extraConfig = ''
zone influxdb 64k; zone influxdb 64k;
keepalive 2; keepalive 2;
@ -68,9 +68,8 @@ in
virtualHosts.${influxdbDomain} = virtualHosts.${influxdbDomain} =
let let
accessRules = '' accessRules = ''
${lib.concatMapStrings ( allow ${globals.wireguard.proxy-sentinel.cidrv4};
cidr: "allow ${cidr};\n" allow ${globals.wireguard.proxy-sentinel.cidrv6};
) sentinelCfg.wireguard.proxy-sentinel.server.reservedAddresses}
deny all; deny all;
''; '';
in in
@ -97,7 +96,8 @@ in
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams.influxdb = { upstreams.influxdb = {
servers."${config.wireguard.proxy-home.ipv4}:${toString influxdbPort}" = { }; servers."${globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4}:${toString influxdbPort}" =
{ };
extraConfig = '' extraConfig = ''
zone influxdb 64k; zone influxdb 64k;
keepalive 2; keepalive 2;
@ -110,7 +110,8 @@ in
virtualHosts.${influxdbDomain} = virtualHosts.${influxdbDomain} =
let let
accessRules = '' accessRules = ''
${lib.concatMapStrings (ip: "allow ${ip};\n") wardCfg.wireguard.proxy-home.server.reservedAddresses} allow ${globals.wireguard.proxy-home.cidrv4};
allow ${globals.wireguard.proxy-home.cidrv6};
deny all; deny all;
''; '';
in in


@ -35,7 +35,9 @@ in
services.nginx = { services.nginx = {
upstreams.loki = { upstreams.loki = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.loki.configuration.server.http_listen_port}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone loki 64k; zone loki 64k;
@ -83,7 +85,9 @@ in
services.nginx = { services.nginx = {
upstreams.loki = { upstreams.loki = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.loki.configuration.server.http_listen_port}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone loki 64k; zone loki 64k;


@ -396,26 +396,42 @@ in
postrouting.to-minecraft = { postrouting.to-minecraft = {
after = [ "hook" ]; after = [ "hook" ];
rules = [ rules = [
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25565 masquerade random" "iifname wan ip daddr ${
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25565 masquerade random" globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 25566 masquerade random" } tcp dport 25565 masquerade random"
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 25566 masquerade random" "iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 25565 masquerade random"
"iifname wan ip daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 25566 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 25566 masquerade random"
]; ];
}; };
prerouting.to-minecraft = { prerouting.to-minecraft = {
after = [ "hook" ]; after = [ "hook" ];
rules = [ rules = [
"iifname wan tcp dport 25565 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}" "iifname wan tcp dport 25565 dnat ip to ${
"iifname wan tcp dport 25565 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}" globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
"iifname wan tcp dport 25566 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}" }"
"iifname wan tcp dport 25566 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}" "iifname wan tcp dport 25565 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}"
"iifname wan tcp dport 25566 dnat ip to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}"
"iifname wan tcp dport 25566 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}"
]; ];
}; };
}; };
services.nginx = { services.nginx = {
upstreams.minecraft = { upstreams.minecraft = {
servers."${config.wireguard.proxy-sentinel.ipv4}:80" = { }; servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:80" = { };
extraConfig = '' extraConfig = ''
zone minecraft 64k; zone minecraft 64k;
keepalive 2; keepalive 2;


@ -7,8 +7,6 @@
... ...
}: }:
let let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
paperlessDomain = "paperless.${globals.domains.me}"; paperlessDomain = "paperless.${globals.domains.me}";
paperlessBackupDir = "/var/cache/paperless-backup"; paperlessBackupDir = "/var/cache/paperless-backup";
in in
@ -37,7 +35,10 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.paperless = { upstreams.paperless = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = { }; servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.paperless.port}" =
{ };
extraConfig = '' extraConfig = ''
zone paperless 64k; zone paperless 64k;
keepalive 2; keepalive 2;
@ -65,7 +66,10 @@ in
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams.paperless = { upstreams.paperless = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.paperless.port}" = { }; servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.paperless.port}" =
{ };
extraConfig = '' extraConfig = ''
zone paperless 64k; zone paperless 64k;
keepalive 2; keepalive 2;
@ -129,8 +133,8 @@ in
PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [ PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [
sentinelCfg.wireguard.proxy-sentinel.ipv4 globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
wardWebProxyCfg.wireguard.proxy-home.ipv4 globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
]; ];
# Authentication via kanidm # Authentication via kanidm


@ -67,7 +67,7 @@ in
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4} = [ networking.hosts.${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
globals.services.influxdb.domain globals.services.influxdb.domain
]; ];
meta.telegraf = { meta.telegraf = {


@ -29,7 +29,9 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.adguardhome = { upstreams.adguardhome = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.adguardhome.port}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone adguardhome 64k; zone adguardhome 64k;


@ -2,13 +2,8 @@
config, config,
globals, globals,
lib, lib,
nodes,
... ...
}: }:
let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in
{ {
meta.promtail = { meta.promtail = {
enable = true; enable = true;
@ -17,11 +12,12 @@ in
# Connect safely via wireguard to skip http authentication # Connect safely via wireguard to skip http authentication
networking.hosts.${ networking.hosts.${
if config.wireguard ? proxy-home then if globals.wireguard ? proxy-home then
wardWebProxyCfg.wireguard.proxy-home.ipv4 globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4
else else
sentinelCfg.wireguard.proxy-sentinel.ipv4 globals.wireguard.proxy-sentinel.hosts.sentinel.ipv4
} = [ globals.services.influxdb.domain ]; } =
[ globals.services.influxdb.domain ];
meta.telegraf = lib.mkIf (!config.boot.isContainer) { meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true; enable = true;


@ -42,22 +42,32 @@ in
postrouting.to-forgejo = { postrouting.to-forgejo = {
after = [ "hook" ]; after = [ "hook" ];
rules = [ rules = [
"iifname wan ip daddr ${config.wireguard.proxy-sentinel.ipv4} tcp dport 22 masquerade random" "iifname wan ip daddr ${
"iifname wan ip6 daddr ${config.wireguard.proxy-sentinel.ipv6} tcp dport 22 masquerade random" globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
} tcp dport 22 masquerade random"
"iifname wan ip6 daddr ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
} tcp dport 22 masquerade random"
]; ];
}; };
prerouting.to-forgejo = { prerouting.to-forgejo = {
after = [ "hook" ]; after = [ "hook" ];
rules = [ rules = [
"iifname wan tcp dport 9922 dnat ip to ${config.wireguard.proxy-sentinel.ipv4}:22" "iifname wan tcp dport 9922 dnat ip to ${
"iifname wan tcp dport 9922 dnat ip6 to ${config.wireguard.proxy-sentinel.ipv6}:22" globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:22"
"iifname wan tcp dport 9922 dnat ip6 to ${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv6
}:22"
]; ];
}; };
}; };
services.nginx = { services.nginx = {
upstreams.forgejo = { upstreams.forgejo = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.forgejo.settings.server.HTTP_PORT}" = servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.forgejo.settings.server.HTTP_PORT}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone forgejo 64k; zone forgejo 64k;


@ -54,7 +54,10 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.kanidm = { upstreams.kanidm = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = { }; servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString kanidmPort}" =
{ };
extraConfig = '' extraConfig = ''
zone kanidm 64k; zone kanidm 64k;
keepalive 2; keepalive 2;


@ -69,14 +69,17 @@ in
OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}"; OIDC_USER_GROUP = "mealie.access@${globals.services.kanidm.domain}";
OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}"; OIDC_ADMIN_GROUP = "mealie.admins@${globals.services.kanidm.domain}";
}; };
trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ]; trustedProxies = [ globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4 ];
credentialsFile = config.age.secrets.oauth2-client-secret.path; credentialsFile = config.age.secrets.oauth2-client-secret.path;
}; };
nodes.ward-web-proxy = { nodes.ward-web-proxy = {
services.nginx = { services.nginx = {
upstreams.mealie = { upstreams.mealie = {
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.mealie.port}" = { }; servers."${
globals.wireguard.proxy-home.hosts.${config.node.name}.ipv4
}:${toString config.services.mealie.port}" =
{ };
extraConfig = '' extraConfig = ''
zone mealie 64k; zone mealie 64k;
keepalive 2; keepalive 2;


@ -22,7 +22,7 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.radicale = { upstreams.radicale = {
servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = { }; servers."${globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4}:8000" = { };
extraConfig = '' extraConfig = ''
zone radicale 64k; zone radicale 64k;
keepalive 2; keepalive 2;


@ -38,7 +38,9 @@ in
nodes.sentinel = { nodes.sentinel = {
services.nginx = { services.nginx = {
upstreams.vaultwarden = { upstreams.vaultwarden = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = servers."${
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4
}:${toString config.services.vaultwarden.config.rocketPort}" =
{ }; { };
extraConfig = '' extraConfig = ''
zone vaultwarden 64k; zone vaultwarden 64k;


@ -261,7 +261,7 @@
services-to-local = { services-to-local = {
from = [ "vlan-services" ]; from = [ "vlan-services" ];
to = [ "local" ]; to = [ "local" ];
allowedUDPPorts = [ config.wireguard.proxy-home.server.port ]; allowedUDPPorts = [ globals.wireguard.proxy-home.port ];
}; };
# Forward traffic between wireguard participants # Forward traffic between wireguard participants
@ -331,20 +331,11 @@
}; };
}; };
#wireguard.home.server = { globals.wireguard.proxy-home.server = {
# host = todo # config.networking.fqdn;
# port = 51192;
# reservedAddresses = ["10.10.0.1/24" "fd00:10::/120"];
# openFirewall = true;
#};
wireguard.proxy-home.server = {
host = globals.net.home-lan.vlans.services.hosts.ward.ipv4; host = globals.net.home-lan.vlans.services.hosts.ward.ipv4;
port = 51444; port = 51444;
reservedAddresses = [ inherit (globals.net.proxy-home) cidrv4;
globals.net.proxy-home.cidrv4 inherit (globals.net.proxy-home) cidrv6;
globals.net.proxy-home.cidrv6
];
openFirewall = false; # Explicitly opened only for lan openFirewall = false; # Explicitly opened only for lan
}; };
} }
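Review bot: `globals.wireguard.proxy-home.server = {` in the second hunk writes the host, port and CIDRs under a `server` attribute, while the first hunk of this same file reads `globals.wireguard.proxy-home.port`, the influxdb file reads `globals.wireguard.proxy-home.cidrv4`, and the sentinel definition in this commit assigns `globals.wireguard.proxy-sentinel = { ... }` directly. Unless the globals option flattens a `server` submodule, one of the two paths is wrong and the firewall rule in the first hunk would not find the port; dropping the suffix (`globals.wireguard.proxy-home = {`) would match both the sentinel definition and every reader. Note also that the CIDRs here are inherited from `globals.net.proxy-home` while proxy-sentinel hard-codes `10.43.0.0/24` and `fd00:43::/120`; declaring both the same way avoids the two definitions drifting apart. The enclosing attribute set starts outside the hunk.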