wip: prepare moving microvms definitions to own folders
This commit is contained in:
parent
e4199be809
commit
3f19475eda
4 changed files with 31 additions and 16 deletions
|
@ -16,15 +16,30 @@
|
||||||
|
|
||||||
./fs.nix
|
./fs.nix
|
||||||
./net.nix
|
./net.nix
|
||||||
./promtail.nix
|
|
||||||
|
|
||||||
./kanidm.nix
|
|
||||||
./grafana.nix
|
|
||||||
./loki.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
|
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
|
||||||
|
|
||||||
|
extra.promtail = {
|
||||||
|
enable = true;
|
||||||
|
proxy = "sentinel";
|
||||||
|
};
|
||||||
|
|
||||||
|
extra.microvms.vms = let
|
||||||
|
defaults = {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
autostart = true;
|
||||||
|
zfs = {
|
||||||
|
enable = true;
|
||||||
|
pool = "rpool";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
kanidm = defaults;
|
||||||
|
grafana = defaultsa;
|
||||||
|
loki = defaults
|
||||||
|
};
|
||||||
|
|
||||||
#ddclient = defineVm;
|
#ddclient = defineVm;
|
||||||
#kanidm = defineVm;
|
#kanidm = defineVm;
|
||||||
#gitea/forgejo = defineVm;
|
#gitea/forgejo = defineVm;
|
||||||
|
@ -35,6 +50,8 @@
|
||||||
#paperless = defineVm;
|
#paperless = defineVm;
|
||||||
#radicale = defineVm;
|
#radicale = defineVm;
|
||||||
#minecraft = defineVm;
|
#minecraft = defineVm;
|
||||||
|
#firefly
|
||||||
|
#adguardhome
|
||||||
|
|
||||||
#prometheus
|
#prometheus
|
||||||
#influxdb
|
#influxdb
|
||||||
|
|
|
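Review bot: The new `extra.microvms.vms` attrset in the first hunk does not evaluate as committed: `grafana = defaultsa;` references an undefined name and `loki = defaults` is missing the terminating semicolon before `};`; both lines should read `grafana = defaults;` and `loki = defaults;`. The commented placeholder `#kanidm = defineVm;` is left next to the live `kanidm = defaults;` entry and can be dropped now that the definition exists. This may be intentional for a wip commit, but the host configuration will fail to build until it is fixed.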
@ -59,8 +59,8 @@
|
||||||
users.allow_sign_up = false;
|
users.allow_sign_up = false;
|
||||||
|
|
||||||
server = {
|
server = {
|
||||||
domain = "grafana.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
|
domain = nodes.sentinel.config.proxiedDomains.grafana;
|
||||||
root_url = "https://${config.services.grafana.settings.server.domain}";
|
root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
|
||||||
enforce_domain = true;
|
enforce_domain = true;
|
||||||
enable_gzip = true;
|
enable_gzip = true;
|
||||||
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
|
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
|
||||||
|
@ -76,9 +76,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
auth.disable_login_form = true;
|
auth.disable_login_form = true;
|
||||||
"auth.generic_oauth" = let
|
"auth.generic_oauth" = {
|
||||||
authDomain = nodes.ward-kanidm.config.services.kanidm.serverSettings.domain;
|
|
||||||
in {
|
|
||||||
enabled = true;
|
enabled = true;
|
||||||
name = "Kanidm";
|
name = "Kanidm";
|
||||||
icon = "signin";
|
icon = "signin";
|
||||||
|
@ -89,9 +87,9 @@
|
||||||
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
|
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
|
||||||
scopes = "openid email profile";
|
scopes = "openid email profile";
|
||||||
login_attribute_path = "prefered_username";
|
login_attribute_path = "prefered_username";
|
||||||
auth_url = "https://${authDomain}/ui/oauth2";
|
auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
|
||||||
token_url = "https://${authDomain}/oauth2/token";
|
token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
|
||||||
api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
|
api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
|
||||||
use_pkce = true;
|
use_pkce = true;
|
||||||
# Allow mapping oauth2 roles to server admin
|
# Allow mapping oauth2 roles to server admin
|
||||||
allow_assign_grafana_admin = true;
|
allow_assign_grafana_admin = true;
|
||||||
|
@ -112,7 +110,7 @@
|
||||||
name = "Loki";
|
name = "Loki";
|
||||||
type = "loki";
|
type = "loki";
|
||||||
access = "proxy";
|
access = "proxy";
|
||||||
url = "https://loki.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
|
url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
|
||||||
orgId = 1;
|
orgId = 1;
|
||||||
basicAuth = true;
|
basicAuth = true;
|
||||||
basicAuthUser = nodeName;
|
basicAuthUser = nodeName;
|
|
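Review bot: `nodes.sentinel.config.proxiedDomains.kanidm` is now spelled out three times in the `auth.generic_oauth` hunk (auth_url, token_url, api_url), and `proxiedDomains.grafana` twice in the `server` hunk, where the removed `let authDomain = … in` bound the value once; keeping a binding such as `"auth.generic_oauth" = let authDomain = nodes.sentinel.config.proxiedDomains.kanidm; in {` prevents the three endpoints from drifting apart. The unchanged `client_secret = "…"; # TODO temporary test not a real secret` line in the same block still places a literal OAuth client secret in the generated config; the kanidm file already keeps its TLS material under `config.age.secrets.*.path`, and Grafana settings accept a `$__file{<path>}` value, so the secret can be read from such a path instead of being committed. `login_attribute_path = "prefered_username"` also looks like a misspelling of the standard `preferred_username` claim, which is worth confirming against what Kanidm actually emits.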
@ -56,8 +56,8 @@
|
||||||
enableServer = true;
|
enableServer = true;
|
||||||
# enablePAM = true;
|
# enablePAM = true;
|
||||||
serverSettings = {
|
serverSettings = {
|
||||||
domain = "auth.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
|
domain = nodes.sentinel.config.proxiedDomains.kanidm;
|
||||||
origin = "https://${config.services.kanidm.serverSettings.domain}";
|
origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
|
||||||
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
|
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
|
||||||
tls_key = config.age.secrets."kanidm-self-signed.key".path;
|
tls_key = config.age.secrets."kanidm-self-signed.key".path;
|
||||||
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
|
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
|
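Review bot: `origin` in this hunk now repeats the `nodes.sentinel.config.proxiedDomains.kanidm` expression instead of deriving from the `domain` set on the line above; keeping `origin = "https://${config.services.kanidm.serverSettings.domain}";` ties the OIDC issuer origin to the served domain so the two cannot diverge on a later edit. The enclosing `services.kanidm` block starts and ends outside the hunk.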