diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index ca50317..07f3b72 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -16,15 +16,30 @@
 ./fs.nix
 ./net.nix
- ./promtail.nix
-
- ./kanidm.nix
- ./grafana.nix
- ./loki.nix
 ];
 boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
+ extra.promtail = {
+ enable = true;
+ proxy = "sentinel";
+ };
+
+ extra.microvms.vms = let
+ defaults = {
+ system = "x86_64-linux";
+ autostart = true;
+ zfs = {
+ enable = true;
+ pool = "rpool";
+ };
+ };
+ in {
+ kanidm = defaults;
+ grafana = defaultsa;
+ loki = defaults
+ };
+
 #ddclient = defineVm;
 #kanidm = defineVm;
 #gitea/forgejo = defineVm;
@@ -35,6 +50,8 @@
 #paperless = defineVm;
 #radicale = defineVm;
 #minecraft = defineVm;
+ #firefly
+ #adguardhome
 #prometheus
 #influxdb
diff --git a/hosts/ward/grafana.nix b/hosts/ward/microvms/grafana/default.nix
similarity index 85%
rename from hosts/ward/grafana.nix
rename to hosts/ward/microvms/grafana/default.nix
index 0216007..7f207de 100644
--- a/hosts/ward/grafana.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@@ -59,8 +59,8 @@
 users.allow_sign_up = false;
 server = {
- domain = "grafana.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
- root_url = "https://${config.services.grafana.settings.server.domain}";
+ domain = nodes.sentinel.config.proxiedDomains.grafana;
+ root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
 enforce_domain = true;
 enable_gzip = true;
 http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
@@ -76,9 +76,7 @@
 };
 auth.disable_login_form = true;
- "auth.generic_oauth" = let
- authDomain = nodes.ward-kanidm.config.services.kanidm.serverSettings.domain;
- in {
+ "auth.generic_oauth" = {
 enabled = true;
 name = "Kanidm";
 icon = "signin";
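Review bot: `grafana = defaultsa;` in the new `extra.microvms.vms` attribute set refers to a name that is never bound (the `let` only defines `defaults`), so evaluating this host configuration fails with an undefined-variable error, and the next line `loki = defaults` lacks its terminating semicolon, which is a parse error before evaluation even gets that far. Both should read `grafana = defaults;` and `loki = defaults;`. Since kanidm is now declared here, the `#kanidm = defineVm;` entry in the commented wish-list that follows is stale and could be dropped. The enclosing module attribute set continues outside the hunk.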
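Review bot: `root_url` in the grafana `server` block now spells out `nodes.sentinel.config.proxiedDomains.grafana` a second time instead of deriving from `config.services.grafana.settings.server.domain` as the removed line did, so the two can silently drift if `domain` is ever overridden elsewhere; with `enforce_domain = true` on the following line Grafana checks incoming Host headers against `domain`, so a mismatch between the two settings shows up as broken redirects rather than a clear error. Suggest `root_url = "https://${config.services.grafana.settings.server.domain}";`. The same pattern appears in the kanidm hunk at `@@ -56,8 +56,8 @@`, where `origin` could stay `"https://${config.services.kanidm.serverSettings.domain}"`; Kanidm uses `origin` as the base for its OIDC issuer and WebAuthn relying-party checks, so it must agree with `domain`.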
@@ -89,9 +87,9 @@
 client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
 scopes = "openid email profile";
 login_attribute_path = "prefered_username";
- auth_url = "https://${authDomain}/ui/oauth2";
- token_url = "https://${authDomain}/oauth2/token";
- api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
+ auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
+ token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
+ api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
+ use_pkce = true;
 # Allow mapping oauth2 roles to server admin
 allow_assign_grafana_admin = true;
@@ -112,7 +110,7 @@
 name = "Loki";
 type = "loki";
 access = "proxy";
- url = "https://loki.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
+ url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
 orgId = 1;
 basicAuth = true;
 basicAuthUser = nodeName;
diff --git a/hosts/ward/kanidm.nix b/hosts/ward/microvms/kanidm/default.nix
similarity index 92%
rename from hosts/ward/kanidm.nix
rename to hosts/ward/microvms/kanidm/default.nix
index 515e483..5edba9e 100644
--- a/hosts/ward/kanidm.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@@ -56,8 +56,8 @@
 enableServer = true;
 # enablePAM = true;
 serverSettings = {
- domain = "auth.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
- origin = "https://${config.services.kanidm.serverSettings.domain}";
+ domain = nodes.sentinel.config.proxiedDomains.kanidm;
+ origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
 tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
 tls_key = config.age.secrets."kanidm-self-signed.key".path;
 bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
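Review bot: The three OAuth endpoint lines `auth_url`, `token_url` and `api_url` now each inline `nodes.sentinel.config.proxiedDomains.kanidm`, where the old code had one `authDomain` binding; a single local binding keeps the authorization, token and userinfo endpoints provably on the same issuer host, which is the property that makes the code-for-token exchange trustworthy, and it is easier to audit than three long attribute paths. The `let` would go back at `"auth.generic_oauth" = {` in the preceding hunk (`@@ -76,9 +76,7 @@`), so the full change spans both hunks as sketched below. Unrelated to this change but visible as context here: `client_secret` is a string literal, and any value in a NixOS module ends up in the world-readable Nix store; the kanidm module already uses `config.age.secrets."…".path`, so once this stops being a test value it should move to a file reference (Grafana accepts `$__file{/path}` for settings values) rather than a literal.
```nix
"auth.generic_oauth" = let
  kanidmDomain = nodes.sentinel.config.proxiedDomains.kanidm;
in {
  # … unchanged: enabled, name, icon … login_attribute_path …
  auth_url = "https://${kanidmDomain}/ui/oauth2";
  token_url = "https://${kanidmDomain}/oauth2/token";
  api_url = "https://${kanidmDomain}/oauth2/openid/grafana/userinfo";
  # … unchanged: use_pkce, allow_assign_grafana_admin …
```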
diff --git a/hosts/ward/loki.nix b/hosts/ward/microvms/loki/default.nix
similarity index 100%
rename from hosts/ward/loki.nix
rename to hosts/ward/microvms/loki/default.nix