feat: prepare local mirror web-proxy to speed up internal service access

hosts/kroma/default.nix

@@ -82,14 +82,20 @@
     port = 51820;
     name = "netbird-home";
     interface = "wt-home";
+    autoStart = false;
     openFirewall = true;
     config.ServerSSHAllowed = false;
     environment = rec {
       NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}";
       NB_ADMIN_URL = NB_MANAGEMENT_URL;
-      NB_HOSTNAME = "home-gateway";
     };
   };
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/netbird-home";
+      mode = "0700";
+    }
+  ];
 
   topology.self.icon = "devices.desktop";
 }

hosts/sentinel/default.nix

@@ -19,9 +19,9 @@
 
   boot.mode = "bios";
 
-  users.groups.acme.members = ["nginx"];
   wireguard.proxy-sentinel.firewallRuleForAll.allowedTCPPorts = [80 443];
 
+  users.groups.acme.members = ["nginx"];
   services.nginx.enable = true;
   services.nginx.recommendedSetup = true;
 

hosts/sire/guests/grafana.nix

@@ -9,6 +9,7 @@ in {
   wireguard.proxy-sentinel = {
     client.via = "sentinel";
     firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
+    firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
   };
 
   age.secrets.grafana-secret-key = {
@@ -78,6 +79,30 @@ in {
     };
   };
 
+  nodes.ward-web-proxy = {
+    services.nginx = {
+      upstreams.grafana = {
+        servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
+        extraConfig = ''
+          zone grafana 64k;
+          keepalive 2;
+        '';
+      };
+      virtualHosts.${grafanaDomain} = {
+        forceSSL = true;
+        useACMEWildcardHost = true;
+        locations."/" = {
+          proxyPass = "http://grafana";
+          proxyWebsockets = true;
+        };
+        extraConfig = ''
+          allow 192.168.1.0/24;
+          deny all;
+        '';
+      };
+    };
+  };
+
   environment.persistence."/persist".directories = [
     {
       directory = config.services.grafana.dataDir;

hosts/ward/default.nix

@@ -111,5 +111,6 @@
       // mkMicrovm "netbird"
       // mkMicrovm "radicale"
       // mkMicrovm "vaultwarden"
+      // mkMicrovm "web-proxy"
     );
 }

hosts/ward/guests/netbird.nix

@@ -47,8 +47,9 @@ in {
       dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
 
       management = {
+        singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}";
         dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
-        singleAccountModeDomain = "home.lan";
+        disableAnonymousMetrics = true;
         oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
         turnDomain = sentinelCfg.networking.providedDomains.coturn;
         turnPort = sentinelCfg.services.coturn.tls-listening-port;

hosts/ward/guests/web-proxy.nix

@@ -0,0 +1,37 @@
+{config, ...}: let
+  inherit (config.repo.secrets.local) acme;
+in {
+  age.secrets.acme-cloudflare-dns-token = {
+    rekeyFile = config.node.secretsDir + "/acme-cloudflare-dns-token.age";
+    mode = "440";
+    group = "acme";
+  };
+
+  age.secrets.acme-cloudflare-zone-token = {
+    rekeyFile = config.node.secretsDir + "/acme-cloudflare-zone-token.age";
+    mode = "440";
+    group = "acme";
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      credentialFiles = {
+        CF_DNS_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-dns-token.path;
+        CF_ZONE_API_TOKEN_FILE = config.age.secrets.acme-cloudflare-zone-token.path;
+      };
+      dnsProvider = "cloudflare";
+      dnsPropagationCheck = true;
+      reloadServices = ["nginx"];
+    };
+    inherit (acme) certs wildcardDomains;
+  };
+
+  #nodes.sentinel = {
+  #  # port forward 80,443 (ward) to 80,443 (web-proxy)
+  #};
+
+  users.groups.acme.members = ["nginx"];
+  services.nginx.enable = true;
+  services.nginx.recommendedSetup = true;
+}

hosts/ward/secrets/web-proxy/acme-cloudflare-dns-token.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 GLh/xkRHD1zOOGYiWxlORV+qzYaTNvnXZoGe9qdxXUI
+2TMHIo8emk76HOEgOpSOR3t1ib87kAGcH9FmZSLyhlU
+-> piv-p256 xqSe8Q A6KvjXG2UNrpvNfY924v9/DVz7Ooncem24keDbtWXp7i
+fNiibPhEaeRaXV8AxKFL2T7Er8byHmGCGT8ciwye1Kw
+-> l1G-grease w;*@H4
+r4rvf0/eUQYWuhKWMIR94Uww+bgbr2GBP4oEWM8TftQFcioNNEK1Zm8bwocMvhM9
+i/KA6H6qw5yR68gKU3CPDzlMaIM99Oit3p7+3NdM2QPFKqvdYr9MdBcI
+--- RGaCUY59RAiy0MUYasVeUf2cCfJqil3YTJmL0cXrmjA
+M~¦�õÜB{`\’½BÞvWñÏžŠ4™ã’b`aRîÜ^›l8ËK¹Ö;†ðû
Zþ5ß\ùW·¿.[ÎP,~éAqÕ

hosts/ward/secrets/web-proxy/acme-cloudflare-zone-token.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 Y7J0KmGssDwytzJSMTKnb2qVfCBEl4nMiKeg4PDhbhM
+R+FV22jr0XcybGJk8Z2o40O5ptRK3NPgQOxJ7HlORho
+-> piv-p256 xqSe8Q AyC1XlhbGhbfUBn4gV56t48AazKi5Lt9H5BCOZqbTtOp
+s3mrvVrMZ/kTdUSjKyBWa5hUFL2fwL2xRo7UFF0AwP0
+-> Ao-grease vp@ m_b
+oV7D7L5dZtF75bJ6Ms0yZr92rENJmE4xKpdlBp4h40onYWv1Z17R2/bmygv5MD9+
+S7J25g3rxfk00fUOK8cwDcWyRtp4jQqcooJyrQ
+--- J/aXuudcbUAfU06R065fsvPTX2qZr0w0eZ9gI6I+McY
+vÂâ-##·¬=|Ú•˝-IÝR†·żÝn<§z´fÄ.\śő‘cU/OÓ	6÷¶ëĽ±�Üož’Ţ$ő¶8\Ň6E•ËeËí†n

hosts/ward/secrets/web-proxy/host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAuNTD4wF9XIR/m2TlLoHK/jSNus3gBCUKKsF4unKSm

hosts/ward/secrets/web-proxy/local.nix.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 NIQfcq9fdcwAm3/7bqVw9XKuHxH6r2r7Lbqjjr/u+2w
+Cfz/aTYCh4gNWo+dOzDKXNBaAlt0W/aqTb30ho/i5nM
+-> piv-p256 xqSe8Q Al+FYiIKhA9B31HjuxCNE65MfYWKIxO+ZefbPsDWljxu
++K47WX1YQpRkvIzR4ALVucSj21YIv9WUluEQ62ccEWk
+-> a"CCg7E9-grease ~ &+9|O
+fuXdG2v+8S2Bti9ifpvRPfRZfh9ioXzOuYXcPkyPynbQPy2isAksKx83FgQeRoID
+VHH/CKTjy/qFCDec9MXX2i9GCWWrva1n2tfOXl9kh2IZ1Zl2te2rsA
+--- Tg/N4zk19YF7LCLd9wb95nyQJs0B59SHO4nh76xif0c
+ÄíNÑõ9Þ�}òõ¸–wÁÿ2Û
Q/çzbC—AuŸÇ{O
&âÎiR­ïž,E 1šúë9=Ñ”�íÏÓ‡òM
C¨ñìÞñÉæî±pæF:9�=È"‡¼[Èß–6»ò­ŸÁ§‚&}ú3E&%º²ýYŽA´í))¸Ä´Í‡mïË
+_³o¯V@U*½Q1ÄȈ_L²