refactor: ward microvms are now own folders

2025-10-11 07:10:39 +02:00 · 2023-06-12 00:23:07 +02:00 · 2023-06-12 00:23:07 +02:00 · dfe1abdfde
commit dfe1abdfde
parent 3f19475eda
4 changed files with 258 additions and 291 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -36,8 +36,8 @@
    };
  in {
    kanidm = defaults;
-    grafana = defaultsa;
-    loki = defaults
+    grafana = defaults;
+    loki = defaults;
  };

  #ddclient = defineVm;
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -1,125 +1,114 @@
 {
-  extra.microvms.vms.grafana = {
-    system = "x86_64-linux";
-    autostart = true;
-    zfs = {
-      enable = true;
-      pool = "rpool";
+  config,
+  lib,
+  nodeName,
+  nodes,
+  utils,
+  ...
+}: {
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+
+  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      proxy-sentinel.interfaces = ["proxy-sentinel"];
+      sentinel = {
+        parent = "proxy-sentinel";
+        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+      };
+    };
+
+    rules = lib.mkForce {
+      sentinel-to-local = {
+        from = ["sentinel"];
+        to = ["local"];
+        allowedTCPPorts = [3001];
+      };
    };
  };

-  microvm.vms.grafana.config = {
-    config,
-    lib,
-    nodeName,
-    nodes,
-    utils,
-    ...
-  }: {
-    age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
-
-    extra.wireguard.proxy-sentinel.client.via = "sentinel";
-
-    networking.nftables.firewall = {
-      zones = lib.mkForce {
-        proxy-sentinel.interfaces = ["proxy-sentinel"];
-        sentinel = {
-          parent = "proxy-sentinel";
-          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-        };
-      };
-
-      rules = lib.mkForce {
-        sentinel-to-local = {
-          from = ["sentinel"];
-          to = ["local"];
-          allowedTCPPorts = [3001];
-        };
-      };
-    };
-
-    age.secrets.grafana-secret-key = {
-      rekeyFile = ./secrets/grafana-secret-key.age;
-      mode = "440";
-      group = "grafana";
-    };
-
-    age.secrets.loki-basic-auth-password = {
-      rekeyFile = ./secrets/loki-basic-auth-password.age;
-      generator = "alnum";
-      mode = "440";
-      group = "grafana";
-    };
-
-    services.grafana = {
-      enable = true;
-      settings = {
-        analytics.reporting_enabled = false;
-        users.allow_sign_up = false;
-
-        server = {
-          domain = nodes.sentinel.config.proxiedDomains.grafana;
-          root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
-          enforce_domain = true;
-          enable_gzip = true;
-          http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
-          http_port = 3001;
-        };
-
-        security = {
-          disable_initial_admin_creation = true;
-          secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
-          cookie_secure = true;
-          disable_gravatar = true;
-          hide_version = true;
-        };
-
-        auth.disable_login_form = true;
-        "auth.generic_oauth" = {
-          enabled = true;
-          name = "Kanidm";
-          icon = "signin";
-          allow_sign_up = true;
-          auto_login = true;
-          client_id = "grafana";
-          #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
-          client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
-          scopes = "openid email profile";
-          login_attribute_path = "prefered_username";
-          auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
-          token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
-          api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
-          use_pkce = true;
-          # Allow mapping oauth2 roles to server admin
-          allow_assign_grafana_admin = true;
-          role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
-        };
-      };
-
-      provision = {
-        enable = true;
-        datasources.settings.datasources = [
-          #{
-          #  name = "Prometheus";
-          #  type = "prometheus";
-          #  url = "http://127.0.0.1:9090";
-          #  orgId = 1;
-          #}
-          {
-            name = "Loki";
-            type = "loki";
-            access = "proxy";
-            url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
-            orgId = 1;
-            basicAuth = true;
-            basicAuthUser = nodeName;
-            secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
-          }
-        ];
-      };
-    };
-
-    systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+  age.secrets.grafana-secret-key = {
+    rekeyFile = ./secrets/grafana-secret-key.age;
+    mode = "440";
+    group = "grafana";
  };
+
+  age.secrets.loki-basic-auth-password = {
+    rekeyFile = ./secrets/loki-basic-auth-password.age;
+    generator = "alnum";
+    mode = "440";
+    group = "grafana";
+  };
+
+  services.grafana = {
+    enable = true;
+    settings = {
+      analytics.reporting_enabled = false;
+      users.allow_sign_up = false;
+
+      server = {
+        domain = nodes.sentinel.config.proxiedDomains.grafana;
+        root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
+        enforce_domain = true;
+        enable_gzip = true;
+        http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
+        http_port = 3001;
+      };
+
+      security = {
+        disable_initial_admin_creation = true;
+        secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
+        cookie_secure = true;
+        disable_gravatar = true;
+        hide_version = true;
+      };
+
+      auth.disable_login_form = true;
+      "auth.generic_oauth" = {
+        enabled = true;
+        name = "Kanidm";
+        icon = "signin";
+        allow_sign_up = true;
+        auto_login = true;
+        client_id = "grafana";
+        #client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
+        client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
+        scopes = "openid email profile";
+        login_attribute_path = "prefered_username";
+        auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
+        token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
+        api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
+        use_pkce = true;
+        # Allow mapping oauth2 roles to server admin
+        allow_assign_grafana_admin = true;
+        role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
+      };
+    };
+
+    provision = {
+      enable = true;
+      datasources.settings.datasources = [
+        #{
+        #  name = "Prometheus";
+        #  type = "prometheus";
+        #  url = "http://127.0.0.1:9090";
+        #  orgId = 1;
+        #}
+        {
+          name = "Loki";
+          type = "loki";
+          access = "proxy";
+          url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
+          orgId = 1;
+          basicAuth = true;
+          basicAuthUser = nodeName;
+          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
+        }
+      ];
+    };
+  };
+
+  systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -1,81 +1,70 @@
 {
-  extra.microvms.vms.kanidm = {
-    system = "x86_64-linux";
-    autostart = true;
-    zfs = {
-      enable = true;
-      pool = "rpool";
+  config,
+  lib,
+  nodes,
+  pkgs,
+  utils,
+  ...
+}: {
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
+
+  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+  # TODO this as includable module?
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      proxy-sentinel.interfaces = ["proxy-sentinel"];
+      sentinel = {
+        parent = "proxy-sentinel";
+        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+      };
+    };
+
+    rules = lib.mkForce {
+      sentinel-to-local = {
+        from = ["sentinel"];
+        to = ["local"];
+        allowedTCPPorts = [8300];
+      };
    };
  };

-  microvm.vms.kanidm.config = {
-    config,
-    lib,
-    nodes,
-    pkgs,
-    utils,
-    ...
-  }: {
-    age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
-
-    extra.wireguard.proxy-sentinel.client.via = "sentinel";
-
-    # TODO this as includable module?
-    networking.nftables.firewall = {
-      zones = lib.mkForce {
-        proxy-sentinel.interfaces = ["proxy-sentinel"];
-        sentinel = {
-          parent = "proxy-sentinel";
-          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-        };
-      };
-
-      rules = lib.mkForce {
-        sentinel-to-local = {
-          from = ["sentinel"];
-          to = ["local"];
-          allowedTCPPorts = [8300];
-        };
-      };
-    };
-
-    age.secrets."kanidm-self-signed.crt" = {
-      rekeyFile = ./secrets/kanidm-self-signed.crt.age;
-      mode = "440";
-      group = "kanidm";
-    };
-
-    age.secrets."kanidm-self-signed.key" = {
-      rekeyFile = ./secrets/kanidm-self-signed.key.age;
-      mode = "440";
-      group = "kanidm";
-    };
-
-    services.kanidm = {
-      enableServer = true;
-      # enablePAM = true;
-      serverSettings = {
-        domain = nodes.sentinel.config.proxiedDomains.kanidm;
-        origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
-        tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
-        tls_key = config.age.secrets."kanidm-self-signed.key".path;
-        bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
-        trust_x_forward_for = true;
-      };
-    };
-
-    environment.systemPackages = [pkgs.kanidm];
-
-    services.kanidm = {
-      enableClient = true;
-      clientSettings = {
-        uri = config.services.kanidm.serverSettings.origin;
-        verify_ca = true;
-        verify_hostnames = true;
-      };
-    };
-
-    systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
+  age.secrets."kanidm-self-signed.crt" = {
+    rekeyFile = ./secrets/kanidm-self-signed.crt.age;
+    mode = "440";
+    group = "kanidm";
  };
+
+  age.secrets."kanidm-self-signed.key" = {
+    rekeyFile = ./secrets/kanidm-self-signed.key.age;
+    mode = "440";
+    group = "kanidm";
+  };
+
+  services.kanidm = {
+    enableServer = true;
+    # enablePAM = true;
+    serverSettings = {
+      domain = nodes.sentinel.config.proxiedDomains.kanidm;
+      origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
+      tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
+      tls_key = config.age.secrets."kanidm-self-signed.key".path;
+      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
+      trust_x_forward_for = true;
+    };
+  };
+
+  environment.systemPackages = [pkgs.kanidm];
+
+  services.kanidm = {
+    enableClient = true;
+    clientSettings = {
+      uri = config.services.kanidm.serverSettings.origin;
+      verify_ca = true;
+      verify_hostnames = true;
+    };
+  };
+
+  systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -1,113 +1,102 @@
 {
-  extra.microvms.vms.loki = {
-    system = "x86_64-linux";
-    autostart = true;
-    zfs = {
-      enable = true;
-      pool = "rpool";
+  config,
+  lib,
+  nodes,
+  utils,
+  ...
+}: {
+  age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
+
+  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+  networking.nftables.firewall = {
+    zones = lib.mkForce {
+      proxy-sentinel.interfaces = ["proxy-sentinel"];
+      sentinel = {
+        parent = "proxy-sentinel";
+        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+      };
+    };
+
+    rules = lib.mkForce {
+      sentinel-to-local = {
+        from = ["sentinel"];
+        to = ["local"];
+        allowedTCPPorts = [3100];
+      };
    };
  };

-  microvm.vms.loki.config = {
-    config,
-    lib,
-    nodes,
-    utils,
-    ...
-  }: {
-    age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
+  services.loki = let
+    lokiDir = "/var/lib/loki";
+  in {
+    enable = true;
+    configuration = {
+      analytics.reporting_enabled = false;
+      auth_enabled = false;

-    extra.wireguard.proxy-sentinel.client.via = "sentinel";
-
-    networking.nftables.firewall = {
-      zones = lib.mkForce {
-        proxy-sentinel.interfaces = ["proxy-sentinel"];
-        sentinel = {
-          parent = "proxy-sentinel";
-          ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-          ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-        };
+      server = {
+        http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
+        http_listen_port = 3100;
+        log_level = "warn";
      };

-      rules = lib.mkForce {
-        sentinel-to-local = {
-          from = ["sentinel"];
-          to = ["local"];
-          allowedTCPPorts = [3100];
+      ingester = {
+        lifecycler = {
+          interface_names = ["proxy-sentinel"];
+          ring = {
+            kvstore.store = "inmemory";
+            replication_factor = 1;
+          };
+          final_sleep = "0s";
        };
+        chunk_idle_period = "5m";
+        chunk_retain_period = "30s";
      };
-    };

-    services.loki = let
-      lokiDir = "/var/lib/loki";
-    in {
-      enable = true;
-      configuration = {
-        analytics.reporting_enabled = false;
-        auth_enabled = false;
-
-        server = {
-          http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
-          http_listen_port = 3100;
-          log_level = "warn";
-        };
-
-        ingester = {
-          lifecycler = {
-            interface_names = ["proxy-sentinel"];
-            ring = {
-              kvstore.store = "inmemory";
-              replication_factor = 1;
-            };
-            final_sleep = "0s";
+      schema_config.configs = [
+        {
+          from = "2023-06-01";
+          store = "tsdb";
+          object_store = "filesystem";
+          schema = "v12";
+          index = {
+            prefix = "index_";
+            period = "24h";
          };
-          chunk_idle_period = "5m";
-          chunk_retain_period = "30s";
-        };
+        }
+      ];

-        schema_config.configs = [
-          {
-            from = "2023-06-01";
-            store = "tsdb";
-            object_store = "filesystem";
-            schema = "v12";
-            index = {
-              prefix = "index_";
-              period = "24h";
-            };
-          }
-        ];
-
-        storage_config = {
-          tsdb_shipper = {
-            active_index_directory = "${lokiDir}/tsdb-index";
-            cache_location = "${lokiDir}/tsdb-cache";
-            cache_ttl = "24h";
-            shared_store = "filesystem";
-          };
-          filesystem.directory = "${lokiDir}/chunks";
-        };
-
-        # Do not accept new logs that are ingressed when they are actually already old.
-        limits_config = {
-          reject_old_samples = true;
-          reject_old_samples_max_age = "168h";
-        };
-
-        # Do not delete old logs automatically
-        table_manager = {
-          retention_deletes_enabled = false;
-          retention_period = "0s";
-        };
-
-        compactor = {
-          working_directory = lokiDir;
+      storage_config = {
+        tsdb_shipper = {
+          active_index_directory = "${lokiDir}/tsdb-index";
+          cache_location = "${lokiDir}/tsdb-cache";
+          cache_ttl = "24h";
          shared_store = "filesystem";
-          compactor_ring.kvstore.store = "inmemory";
        };
+        filesystem.directory = "${lokiDir}/chunks";
+      };
+
+      # Do not accept new logs that are ingressed when they are actually already old.
+      limits_config = {
+        reject_old_samples = true;
+        reject_old_samples_max_age = "168h";
+      };
+
+      # Do not delete old logs automatically
+      table_manager = {
+        retention_deletes_enabled = false;
+        retention_period = "0s";
+      };
+
+      compactor = {
+        working_directory = lokiDir;
+        shared_store = "filesystem";
+        compactor_ring.kvstore.store = "inmemory";
      };
    };
-
-    systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
  };
+
+  systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
 }