wip: prepare moving microvms definitions to own folders

This commit is contained in:
oddlama 2023-06-12 00:21:25 +02:00
parent e4199be809
commit 3f19475eda
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 31 additions and 16 deletions

View file

@ -16,15 +16,30 @@
./fs.nix ./fs.nix
./net.nix ./net.nix
./promtail.nix
./kanidm.nix
./grafana.nix
./loki.nix
]; ];
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
extra.promtail = {
enable = true;
proxy = "sentinel";
};
extra.microvms.vms = let
defaults = {
system = "x86_64-linux";
autostart = true;
zfs = {
enable = true;
pool = "rpool";
};
};
in {
kanidm = defaults;
grafana = defaultsa;
loki = defaults
};
#ddclient = defineVm; #ddclient = defineVm;
#kanidm = defineVm; #kanidm = defineVm;
#gitea/forgejo = defineVm; #gitea/forgejo = defineVm;
@ -35,6 +50,8 @@
#paperless = defineVm; #paperless = defineVm;
#radicale = defineVm; #radicale = defineVm;
#minecraft = defineVm; #minecraft = defineVm;
#firefly
#adguardhome
#prometheus #prometheus
#influxdb #influxdb

View file

@ -59,8 +59,8 @@
users.allow_sign_up = false; users.allow_sign_up = false;
server = { server = {
domain = "grafana.${nodes.sentinel.config.repo.secrets.local.personalDomain}"; domain = nodes.sentinel.config.proxiedDomains.grafana;
root_url = "https://${config.services.grafana.settings.server.domain}"; root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
enforce_domain = true; enforce_domain = true;
enable_gzip = true; enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4; http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
@ -76,9 +76,7 @@
}; };
auth.disable_login_form = true; auth.disable_login_form = true;
"auth.generic_oauth" = let "auth.generic_oauth" = {
authDomain = nodes.ward-kanidm.config.services.kanidm.serverSettings.domain;
in {
enabled = true; enabled = true;
name = "Kanidm"; name = "Kanidm";
icon = "signin"; icon = "signin";
@ -89,9 +87,9 @@
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
scopes = "openid email profile"; scopes = "openid email profile";
login_attribute_path = "prefered_username"; login_attribute_path = "prefered_username";
auth_url = "https://${authDomain}/ui/oauth2"; auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
token_url = "https://${authDomain}/oauth2/token"; token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo"; api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
use_pkce = true; use_pkce = true;
# Allow mapping oauth2 roles to server admin # Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true; allow_assign_grafana_admin = true;
@ -112,7 +110,7 @@
name = "Loki"; name = "Loki";
type = "loki"; type = "loki";
access = "proxy"; access = "proxy";
url = "https://loki.${nodes.sentinel.config.repo.secrets.local.personalDomain}"; url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
orgId = 1; orgId = 1;
basicAuth = true; basicAuth = true;
basicAuthUser = nodeName; basicAuthUser = nodeName;

View file

@ -56,8 +56,8 @@
enableServer = true; enableServer = true;
# enablePAM = true; # enablePAM = true;
serverSettings = { serverSettings = {
domain = "auth.${nodes.sentinel.config.repo.secrets.local.personalDomain}"; domain = nodes.sentinel.config.proxiedDomains.kanidm;
origin = "https://${config.services.kanidm.serverSettings.domain}"; origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path; tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path; tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300"; bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";