feat: preferably bind to 0.0.0.0 in vms to remove issues with wireguard
coming up late; also increase default vm memory to 2G
This commit is contained in:
parent
af066925b4
commit
f29318a5ac
9 changed files with 30 additions and 52 deletions
|
@ -3,7 +3,6 @@
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
pkgs,
|
pkgs,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -16,7 +15,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.adguardhome = {
|
upstreams.adguardhome = {
|
||||||
servers."${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone adguardhome 64k;
|
zone adguardhome 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -46,7 +45,7 @@ in {
|
||||||
# simpler sed dns.host_addr logic.
|
# simpler sed dns.host_addr logic.
|
||||||
mutableSettings = false;
|
mutableSettings = false;
|
||||||
settings = {
|
settings = {
|
||||||
bind_host = config.meta.wireguard.proxy-sentinel.ipv4;
|
bind_host = "0.0.0.0";
|
||||||
bind_port = 3000;
|
bind_port = 3000;
|
||||||
dns = {
|
dns = {
|
||||||
bind_hosts = [
|
bind_hosts = [
|
||||||
|
@ -76,7 +75,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.adguardhome = {
|
systemd.services.adguardhome = {
|
||||||
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"];
|
|
||||||
preStart = lib.mkAfter ''
|
preStart = lib.mkAfter ''
|
||||||
INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
|
INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
|
||||||
sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
|
sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
|
||||||
|
|
|
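Review bot: The AdGuardHome admin/API listener on port 3000 is now reachable on every interface of the VM, because `bind_host` changes to `"0.0.0.0"` in the settings hunk while nothing in this commit adds a firewall rule for it; the same applies to the forgejo, grafana, influxdb, kanidm, loki, paperless and vaultwarden files in this commit. The last file section shows the VMs get a MACVTAP bridge to the host's network, so unless the VM firewall (not shown here) rejects these ports on the non-wireguard interfaces, the host's network segment can reach the services directly, bypassing the nginx reverse proxy that previously was the only path. I would state the intent next to each bind setting, e.g. `bind_host = "0.0.0.0"; # bind all interfaces so startup does not race the wireguard device; non-wireguard access must be blocked by the firewall`. Separately, dropping the `after` dependency on the wan device here also removes the ordering the `preStart` script relied on: if `ip addr show wan` has no address yet, `INTERFACE_ADDR` is empty and the `sed` writes an empty host into AdGuardHome.yaml, so a guard such as `[ -n "$INTERFACE_ADDR" ] || exit 1` before the `sed` would make that failure explicit instead of silent.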
@ -3,7 +3,6 @@
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
pkgs,
|
pkgs,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -101,7 +100,7 @@ in {
|
||||||
ENABLE_PUSH_CREATE_ORG = true;
|
ENABLE_PUSH_CREATE_ORG = true;
|
||||||
};
|
};
|
||||||
server = {
|
server = {
|
||||||
HTTP_ADDR = config.meta.wireguard.proxy-sentinel.ipv4;
|
HTTP_ADDR = "0.0.0.0";
|
||||||
HTTP_PORT = 3000;
|
HTTP_PORT = 3000;
|
||||||
DOMAIN = forgejoDomain;
|
DOMAIN = forgejoDomain;
|
||||||
ROOT_URL = "https://${forgejoDomain}/";
|
ROOT_URL = "https://${forgejoDomain}/";
|
||||||
|
@ -126,7 +125,6 @@ in {
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.gitea = {
|
systemd.services.gitea = {
|
||||||
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
|
||||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
#preStart = let
|
#preStart = let
|
||||||
# exe = lib.getExe config.services.gitea.package;
|
# exe = lib.getExe config.services.gitea.package;
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -58,7 +57,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.grafana = {
|
upstreams.grafana = {
|
||||||
servers."${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone grafana 64k;
|
zone grafana 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -86,7 +85,7 @@ in {
|
||||||
root_url = "https://${grafanaDomain}";
|
root_url = "https://${grafanaDomain}";
|
||||||
enforce_domain = true;
|
enforce_domain = true;
|
||||||
enable_gzip = true;
|
enable_gzip = true;
|
||||||
http_addr = config.meta.wireguard.proxy-sentinel.ipv4;
|
http_addr = "0.0.0.0";
|
||||||
http_port = 3001;
|
http_port = 3001;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -149,8 +148,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.grafana = {
|
systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
|
||||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -2,7 +2,6 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
utils,
|
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
|
@ -18,7 +17,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.influxdb = {
|
upstreams.influxdb = {
|
||||||
servers."${config.services.influxdb2.settings.http-bind-address}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone influxdb 64k;
|
zone influxdb 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -74,7 +73,7 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
reporting-disabled = true;
|
reporting-disabled = true;
|
||||||
http-bind-address = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}";
|
http-bind-address = "0.0.0.0:${toString influxdbPort}";
|
||||||
};
|
};
|
||||||
provision = {
|
provision = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -100,6 +99,5 @@ in {
|
||||||
|
|
||||||
environment.systemPackages = [pkgs.influxdb2-cli];
|
environment.systemPackages = [pkgs.influxdb2-cli];
|
||||||
|
|
||||||
# Do NOT configure RestartSec here, this must be left short to allow token manipulation
|
systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
|
||||||
}
|
}
|
||||||
|
|
|
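Review bot: The replacement line in the last hunk sets `systemd.services.grafana.serviceConfig.RestartSec = "600"` inside the influxdb module, which looks like a copy-paste slip: it would define a stray `grafana` unit on this host and leaves influxdb2 without any setting. The removed comment directly above it said RestartSec must not be configured for influxdb because token manipulation needs a short retry, so the line should probably be dropped entirely rather than corrected to `influxdb2`. The kanidm file in this commit has the same slip, where `systemd.services.grafana.serviceConfig.RestartSec = "60"` replaces the former `systemd.services.kanidm` block.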
@ -3,7 +3,6 @@
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
pkgs,
|
pkgs,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -29,7 +28,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.kanidm = {
|
upstreams.kanidm = {
|
||||||
servers."${config.services.kanidm.serverSettings.bindaddress}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone kanidm 64k;
|
zone kanidm 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -56,7 +55,7 @@ in {
|
||||||
origin = "https://${kanidmDomain}";
|
origin = "https://${kanidmDomain}";
|
||||||
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
|
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
|
||||||
tls_key = config.age.secrets."kanidm-self-signed.key".path;
|
tls_key = config.age.secrets."kanidm-self-signed.key".path;
|
||||||
bindaddress = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}";
|
bindaddress = "0.0.0.0:${toString kanidmPort}";
|
||||||
trust_x_forward_for = true;
|
trust_x_forward_for = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -72,10 +71,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.kanidm = {
|
systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
|
||||||
# TODO this doesn't suffice, percieved 1 in 50 this fails because kanidm starts too soon,
|
|
||||||
# a requiredforonline might be necessary
|
|
||||||
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
|
||||||
serviceConfig.RestartSec = "60"; # Retry every minute
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
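Review bot: `bindaddress = "0.0.0.0:${toString kanidmPort}"` together with the unchanged `trust_x_forward_for = true` means kanidm now trusts an `X-Forwarded-For` header from any peer that can reach the port directly, not only from the nginx proxy on the wireguard address; a direct client could then present an arbitrary source address to kanidm's logging and rate limiting. If direct reachability is not blocked by the firewall (not shown here), consider keeping the wireguard address for this service or documenting the assumption beside the flag: `trust_x_forward_for = true; # only safe while the port is reachable solely through the nginx proxy`. The enclosing `serverSettings` block starts before the hunk.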
@ -2,7 +2,6 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -21,7 +20,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.loki = {
|
upstreams.loki = {
|
||||||
servers."${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone loki 64k;
|
zone loki 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -63,7 +62,7 @@ in {
|
||||||
auth_enabled = false;
|
auth_enabled = false;
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
http_listen_address = config.meta.wireguard.proxy-sentinel.ipv4;
|
http_listen_address = "0.0.0.0";
|
||||||
http_listen_port = 3100;
|
http_listen_port = 3100;
|
||||||
log_level = "warn";
|
log_level = "warn";
|
||||||
};
|
};
|
||||||
|
@ -124,8 +123,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.loki = {
|
systemd.services.loki.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
|
||||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
|
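Review bot: Loki is configured with `auth_enabled = false` (visible in the server hunk) and now listens on `0.0.0.0:3100`, so any peer that can reach the VM on a non-wireguard interface can push and query logs without credentials, where before only the wireguard address was listening. Unless the firewall (not shown here) closes 3100 on the other interfaces, the proxy is no longer the only entry point. I would record that assumption next to the setting: `http_listen_address = "0.0.0.0"; # auth is disabled; port 3100 must stay firewalled on all but the wireguard interface`.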
@ -2,7 +2,6 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -28,7 +27,7 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.paperless = {
|
upstreams.paperless = {
|
||||||
servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone paperless 64k;
|
zone paperless 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -51,11 +50,13 @@ in {
|
||||||
|
|
||||||
services.paperless = {
|
services.paperless = {
|
||||||
enable = true;
|
enable = true;
|
||||||
address = config.meta.wireguard.proxy-sentinel.ipv4;
|
address = "0.0.0.0";
|
||||||
passwordFile = config.age.secrets.paperless-admin-password.path;
|
passwordFile = config.age.secrets.paperless-admin-password.path;
|
||||||
extraConfig = {
|
extraConfig = {
|
||||||
PAPERLESS_URL = "https://${paperlessDomain}";
|
PAPERLESS_URL = "https://${paperlessDomain}";
|
||||||
|
PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
|
||||||
PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
|
PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
|
||||||
|
PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
|
||||||
PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
|
PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
|
||||||
#PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
|
#PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
|
||||||
PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
|
PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
|
||||||
|
@ -65,9 +66,5 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
#systemd.services.paperless = {
|
systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||||
# after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
|
||||||
# serviceConfig.StateDirectory = lib.mkForce "paperless";
|
|
||||||
# serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
|
||||||
#};
|
|
||||||
}
|
}
|
||||||
|
|
|
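Review bot: The settings hunk adds `PAPERLESS_CONSUMER_ENABLE_BARCODES = true;` and `PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";`, which are unrelated to the bind-address and VM-memory changes the commit message describes and are not mentioned in it. Someone later bisecting consumer behaviour will not find these settings under this title; either add a line to the message or split them into their own commit. A short comment on the scanner choice would also help, e.g. `# ZXING chosen over the default scanner because … (fill in reason)`.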
@ -2,7 +2,6 @@
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
nodes,
|
nodes,
|
||||||
utils,
|
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
sentinelCfg = nodes.sentinel.config;
|
sentinelCfg = nodes.sentinel.config;
|
||||||
|
@ -24,14 +23,14 @@ in {
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
upstreams.vaultwarden = {
|
upstreams.vaultwarden = {
|
||||||
servers."${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone vaultwarden 64k;
|
zone vaultwarden 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
upstreams.vaultwarden-websocket = {
|
upstreams.vaultwarden-websocket = {
|
||||||
servers."${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}" = {};
|
servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.websocketPort}" = {};
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
zone vaultwarden-websocket 64k;
|
zone vaultwarden-websocket 64k;
|
||||||
keepalive 2;
|
keepalive 2;
|
||||||
|
@ -66,9 +65,9 @@ in {
|
||||||
webVaultEnabled = true;
|
webVaultEnabled = true;
|
||||||
|
|
||||||
websocketEnabled = true;
|
websocketEnabled = true;
|
||||||
websocketAddress = config.meta.wireguard.proxy-sentinel.ipv4;
|
websocketAddress = "0.0.0.0";
|
||||||
websocketPort = 3012;
|
websocketPort = 3012;
|
||||||
rocketAddress = config.meta.wireguard.proxy-sentinel.ipv4;
|
rocketAddress = "0.0.0.0";
|
||||||
rocketPort = 8012;
|
rocketPort = 8012;
|
||||||
|
|
||||||
signupsAllowed = false;
|
signupsAllowed = false;
|
||||||
|
@ -87,9 +86,8 @@ in {
|
||||||
|
|
||||||
# Replace uses of old name
|
# Replace uses of old name
|
||||||
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
|
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
|
||||||
systemd.services.vaultwarden = {
|
systemd.services.vaultwarden.serviceConfig = {
|
||||||
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
|
StateDirectory = lib.mkForce "vaultwarden";
|
||||||
serviceConfig.StateDirectory = lib.mkForce "vaultwarden";
|
RestartSec = "600"; # Retry every 10 minutes
|
||||||
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -112,6 +112,9 @@
|
||||||
microvm = {
|
microvm = {
|
||||||
hypervisor = mkDefault "qemu";
|
hypervisor = mkDefault "qemu";
|
||||||
|
|
||||||
|
# Give them some juice by default
|
||||||
|
mem = mkDefault (2 * 1024);
|
||||||
|
|
||||||
# MACVTAP bridge to the host's network
|
# MACVTAP bridge to the host's network
|
||||||
interfaces = [
|
interfaces = [
|
||||||
{
|
{
|
||||||
|
|
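Review bot: The new `mem = mkDefault (2 * 1024);` carries the comment `# Give them some juice by default`, which does not say what unit the value is in; the commit message calls it 2G, so the value is presumably MiB. I would make the comment state that and how it is overridden: `# Default guest RAM in MiB (2 GiB); a VM overrides this by setting microvm.mem itself`. The enclosing `microvm = {` attribute set continues past the hunk.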