fix: missing opened firewall port for proxy-home

This commit is contained in:
oddlama 2024-05-20 13:20:54 +02:00
parent 20a5e1e66a
commit 1b1a19e377
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 13 additions and 3 deletions


@ -107,7 +107,7 @@ in {
PAPERLESS_URL = "https://${paperlessDomain}"; PAPERLESS_URL = "https://${paperlessDomain}";
PAPERLESS_ALLOWED_HOSTS = paperlessDomain; PAPERLESS_ALLOWED_HOSTS = paperlessDomain;
PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}"; PAPERLESS_CORS_ALLOWED_HOSTS = "https://${paperlessDomain}";
PAPERLESS_TRUSTED_PROXIES = lib.concatStringSep "," [ PAPERLESS_TRUSTED_PROXIES = lib.concatStringsSep "," [
sentinelCfg.wireguard.proxy-sentinel.ipv4 sentinelCfg.wireguard.proxy-sentinel.ipv4
wardWebProxyCfg.wireguard.proxy-home.ipv4 wardWebProxyCfg.wireguard.proxy-home.ipv4
]; ];
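Review bot: The `PAPERLESS_TRUSTED_PROXIES` list carries no comment on why exactly these two wireguard addresses are trusted, and with the typo fixed (`concatStringSep` → `concatStringsSep`) the setting now actually takes effect, so the trust decision deserves to be readable. A comment such as `# Only the reverse proxies reachable over wireguard (sentinel, ward-web-proxy) may supply forwarded-for headers` would do. If the ward-web-proxy entry is meant to follow the same `config.wireguard ? proxy-home` condition that this commit introduces elsewhere, it should presumably be conditional here as well, but that depends on lines outside the hunk. The enclosing attribute set starts and ends outside the hunk.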


@ -5,6 +5,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config;
in { in {
meta.promtail = { meta.promtail = {
enable = true; enable = true;
@ -12,7 +13,12 @@ in {
}; };
# Connect safely via wireguard to skip http authentication # Connect safely via wireguard to skip http authentication
networking.hosts.${sentinelCfg.wireguard.proxy-sentinel.ipv4} = [sentinelCfg.networking.providedDomains.influxdb]; networking.hosts.${
if config.wireguard ? proxy-home
then wardWebProxyCfg.wireguard.proxy-home.ipv4
else sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [sentinelCfg.networking.providedDomains.influxdb];
meta.telegraf = lib.mkIf (!config.boot.isContainer) { meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;
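Review bot: The selector inside `networking.hosts.${ ... }` now decides which wireguard address the influxdb domain resolves to, but the comment above it still reads only `# Connect safely via wireguard to skip http authentication` and says nothing about why proxy-home membership takes precedence. Suggest extending it to `# Resolve the influxdb domain via ward-web-proxy when this node is a proxy-home peer, otherwise via sentinel`. This presumes ward-web-proxy exposes the same endpoint on proxy-home; if it does not, proxy-home peers would lose the route rather than fall back to sentinel, which is worth confirming. The attribute set opened by `in {` in the earlier hunk continues past the end of this one.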


@ -1,7 +1,10 @@
{config, ...}: let {config, ...}: let
inherit (config.repo.secrets.local) acme; inherit (config.repo.secrets.local) acme;
in { in {
wireguard.proxy-home.client.via = "ward"; wireguard.proxy-home = {
client.via = "ward";
firewallRuleForAll.allowedTCPPorts = [80 443];
};
age.secrets.acme-cloudflare-dns-token = { age.secrets.acme-cloudflare-dns-token = {
rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age"; rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
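Review bot: `firewallRuleForAll.allowedTCPPorts = [80 443];` opens both ports to every proxy-home peer, while the commit title mentions a single missing port and the only ACME material visible in this file is a Cloudflare DNS token, so port 80 is presumably not needed for a challenge. If 80 exists only to redirect to 443, a comment such as `# 80 only serves the https redirect; certificates come via DNS-01 (cloudflare)` would justify the wider opening; if it is not needed over the tunnel, `allowedTCPPorts = [443]` keeps the exposed surface to what the proxy actually serves. The enclosing set opened by `in {` closes after the hunk.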


@ -17,6 +17,7 @@
in { in {
options.meta.promtail = { options.meta.promtail = {
enable = mkEnableOption "promtail to push logs to a loki instance."; enable = mkEnableOption "promtail to push logs to a loki instance.";
# TODO: FIXME: this should not be named proxy. get domain from globals and name this secretAggregatorNode or smth.
proxy = mkOption { proxy = mkOption {
type = types.str; type = types.str;
description = "The node name of the proxy server which provides the https loki api endpoint."; description = "The node name of the proxy server which provides the https loki api endpoint.";