mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00
oddlama_nix-config/hosts/sentinel/default.nix


# NixOS module for the host defined in hosts/sentinel: it pulls in the shared
# base configuration plus the per-service modules, exposes HTTP(S) ports through
# the proxy-sentinel wireguard network's firewall rule, runs nginx, and wires
# up log shipping (promtail) and metrics (telegraf).
{
  config,
  globals,
  ...
}:
let
  # IPv4 address recorded for this node in the proxy-sentinel wireguard network.
  proxyIpv4 = globals.wireguard.proxy-sentinel.hosts.${config.node.name}.ipv4;

  # Public domain under which the InfluxDB service is registered in globals.
  influxdbDomain = globals.services.influxdb.domain;
in
{
  imports = [
    # Shared base configuration and hardware/filesystem profiles.
    ../../config
    ../../config/hardware/hetzner-cloud.nix
    ../../config/optional/zfs.nix

    # Host-local modules (certificates, storage, networking, services).
    ./acme.nix
    ./blog.nix
    ./fs.nix
    ./net.nix
    ./firezone.nix
    ./oauth2.nix
    ./plausible.nix
    ./postgresql.nix
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
  boot.mode = "bios";

  # Ports opened by this host's `firewallRuleForAll` entry in the
  # proxy-sentinel wireguard network: HTTP and HTTPS over TCP, plus UDP 443
  # (presumably HTTP/3 / QUIC; confirm).
  # NOTE(review): the option name suggests the rule applies to every peer of
  # that network; verify against the option definition that this is the
  # intended exposure.
  globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForAll = {
    allowedTCPPorts = [
      80
      443
    ];
    allowedUDPPorts = [
      443
    ];
  };

  # nginx joins the acme group; presumably so it can read the certificates
  # managed by ./acme.nix. Confirm that group membership grants no more than
  # read access to the certificate and key files nginx actually serves.
  users.groups.acme.members = [ "nginx" ];

  services.nginx = {
    enable = true;
    recommendedSetup = true;
  };

  # Connect safely via wireguard to skip authentication: the InfluxDB domain is
  # pinned in /etc/hosts to this node's own proxy-sentinel wireguard address.
  # NOTE(review): this only stays safe while the authentication bypass is keyed
  # to traffic arriving on the wireguard address; verify in the proxy
  # configuration that requests reaching the same domain via the public
  # interface are still authenticated.
  networking.hosts.${proxyIpv4} = [
    influxdbDomain
  ];

  meta = {
    # Log shipping, routed through the proxy named "sentinel".
    promtail = {
      enable = true;
      proxy = "sentinel";
    };

    # Metrics collection, written to the InfluxDB instance registered in globals.
    telegraf = {
      enable = true;
      scrapeSensors = false;
      influxdb2 = {
        domain = influxdbDomain;
        organization = "machines";
        bucket = "telegraf";
        node = "sire-influxdb";
      };
      # This node shall monitor the infrastructure
      availableMonitoringNetworks = [ "internet" ];
    };
  };
}