oddlama_nix-config/hosts/ward/default.nix


{
  config,
  globals,
  inputs,
  lib,
  minimal,
  nodes,
  ...
}:
let
  # Service domains that should resolve to ward's web-proxy guest when
  # queried from inside the home LAN (see the networking.hosts entries below).
  # FIXME: don't hardcode this; filter global service domains by internal state.
  # FIXME: a new entry here also needs a matching adguardhome entry.
  # FIXME: a new entry here also needs a matching firezone entry.
  homeDomains = [
    globals.services.grafana.domain
    globals.services.mealie.domain
    globals.services.immich.domain
    globals.services.influxdb.domain
    globals.services.loki.domain
    globals.services.paperless.domain
    globals.services.esphome.domain
    globals.services.home-assistant.domain
    "fritzbox.${globals.domains.personal}"
  ];

  # Addresses of the web-proxy guest on the services VLAN (v4 and v6).
  webProxy = globals.net.home-lan.vlans.services.hosts.ward-web-proxy;

  # Base definition shared by every guest on this host: autostarted, with
  # "/state" on rpool/local/guests/<name> and "/persist" on
  # rpool/safe/guests/<name>, plus the common guest modules and a per-guest
  # secrets directory.
  mkGuest = guestName: {
    autostart = true;
    zfs."/state" = {
      pool = "rpool";
      dataset = "local/guests/${guestName}";
    };
    zfs."/persist" = {
      pool = "rpool";
      dataset = "safe/guests/${guestName}";
    };
    modules = [
      ../../config
      ./guests/common.nix
      ./guests/${guestName}.nix
      {
        node.secretsDir = ./secrets/${guestName};
        # A guest with exactly one network link gets that link placed in the
        # untrusted firewall zone; guests with several links are left alone
        # here and must define their zones themselves.
        networking.nftables.firewall.zones.untrusted.interfaces =
          let
            links = config.guests.${guestName}.networking.links;
          in
          lib.mkIf (lib.length links == 1) links;
      }
    ];
  };

  # A guest that runs as a microvm attached to the services VLAN.
  mkMicrovm =
    guestName:
    mkGuest guestName
    // {
      backend = "microvm";
      microvm = {
        system = "x86_64-linux";
        baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
        interfaces.vlan-services = { };
      };
      extraSpecialArgs = {
        inherit (inputs.self) nodes globals;
        inherit (inputs.self.pkgs.x86_64-linux) lib;
        inherit inputs minimal;
      };
    };

  # Names of all microvm guests hosted on ward.
  microvmGuests = [
    "adguardhome"
    "forgejo"
    "kanidm"
    "mealie"
    "radicale"
    "vaultwarden"
    "web-proxy"
  ];
in
{
  imports = [
    inputs.nixos-hardware.nixosModules.common-cpu-intel
    inputs.nixos-hardware.nixosModules.common-pc-ssd
    ../../config
    ../../config/hardware/intel.nix
    ../../config/hardware/physical.nix
    ../../config/optional/zfs.nix
    ./fs.nix
    ./net.nix
    ./kea.nix
  ];

  topology.self.hardware = {
    image = ../../topology/images/odroid-h3.png;
    info = "O-Droid H3, 64GB RAM";
  };

  nixpkgs.hostPlatform = "x86_64-linux";

  boot = {
    mode = "efi";
    initrd.availableKernelModules = [
      "xhci_pci"
      "ahci"
      "nvme"
      "usbhid"
      "usb_storage"
      "sd_mod"
      "sdhci_pci"
      "r8169"
    ];
  };

  meta = {
    promtail = {
      enable = true;
      proxy = "sentinel";
    };
    telegraf = {
      enable = true;
      influxdb2 = {
        inherit (globals.services.influxdb) domain;
        organization = "machines";
        bucket = "telegraf";
        node = "sire-influxdb";
      };
    };
  };

  networking.hosts = {
    # Resolve influxdb over the wireguard proxy-home link so the connection
    # is made safely and can skip authentication.
    ${globals.wireguard.proxy-home.hosts.ward-web-proxy.ipv4} = [
      globals.services.influxdb.domain
    ];
    # Everything else in homeDomains is served by the web-proxy guest.
    ${webProxy.ipv6} = homeDomains;
    ${webProxy.ipv4} = homeDomains;
  };

  # NOTE: state: this token is from a manually created service account
  age.secrets.firezone-gateway-token = {
    rekeyFile = config.node.secretsDir + "/firezone-gateway-token.age";
  };

  # Keep the gateway's health-check endpoint on loopback only.
  systemd.services.firezone-gateway.environment.HEALTH_CHECK_ADDR = "127.0.0.1:17999";

  services.firezone.gateway = {
    enable = true;
    name = "ward";
    apiUrl = "wss://${globals.services.firezone.domain}/api/";
    # Token is decrypted by agenix at activation time; only the path is
    # referenced here, never the secret itself.
    tokenFile = config.age.secrets.firezone-gateway-token.path;
  };

  # All guests are microvms and are only defined on the full (non-minimal)
  # system, which is equivalent to merging one `{ <name> = mkMicrovm <name>; }`
  # set per guest.
  guests = lib.mkIf (!minimal) (lib.genAttrs microvmGuests mkMicrovm);
}