wip: prepare moving microvms definitions to own folders

2023-06-12 00:21:25 +02:00 · 2023-06-12 00:21:25 +02:00 · 3f19475eda
commit 3f19475eda
parent e4199be809
4 changed files with 31 additions and 16 deletions
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -16,15 +16,30 @@

    ./fs.nix
    ./net.nix
-    ./promtail.nix
-
-    ./kanidm.nix
-    ./grafana.nix
-    ./loki.nix
  ];

  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];

+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
+
+  extra.microvms.vms = let
+    defaults = {
+      system = "x86_64-linux";
+      autostart = true;
+      zfs = {
+        enable = true;
+        pool = "rpool";
+      };
+    };
+  in {
+    kanidm = defaults;
+    grafana = defaultsa;
+    loki = defaults
+  };
+
  #ddclient = defineVm;
  #kanidm = defineVm;
  #gitea/forgejo = defineVm;
@ -35,6 +50,8 @@
  #paperless = defineVm;
  #radicale = defineVm;
  #minecraft = defineVm;
+  #firefly
+  #adguardhome

  #prometheus
  #influxdb
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -59,8 +59,8 @@
        users.allow_sign_up = false;

        server = {
-          domain = "grafana.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
-          root_url = "https://${config.services.grafana.settings.server.domain}";
+          domain = nodes.sentinel.config.proxiedDomains.grafana;
+          root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
          enforce_domain = true;
          enable_gzip = true;
          http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
@ -76,9 +76,7 @@
        };

        auth.disable_login_form = true;
-        "auth.generic_oauth" = let
-          authDomain = nodes.ward-kanidm.config.services.kanidm.serverSettings.domain;
-        in {
+        "auth.generic_oauth" = {
          enabled = true;
          name = "Kanidm";
          icon = "signin";
@ -89,9 +87,9 @@
          client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
          scopes = "openid email profile";
          login_attribute_path = "prefered_username";
-          auth_url = "https://${authDomain}/ui/oauth2";
-          token_url = "https://${authDomain}/oauth2/token";
-          api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo";
+          auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
+          token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
+          api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
          use_pkce = true;
          # Allow mapping oauth2 roles to server admin
          allow_assign_grafana_admin = true;
@ -112,7 +110,7 @@
            name = "Loki";
            type = "loki";
            access = "proxy";
-            url = "https://loki.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
+            url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
            orgId = 1;
            basicAuth = true;
            basicAuthUser = nodeName;
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -56,8 +56,8 @@
      enableServer = true;
      # enablePAM = true;
      serverSettings = {
-        domain = "auth.${nodes.sentinel.config.repo.secrets.local.personalDomain}";
-        origin = "https://${config.services.kanidm.serverSettings.domain}";
+        domain = nodes.sentinel.config.proxiedDomains.kanidm;
+        origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
        tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
        tls_key = config.age.secrets."kanidm-self-signed.key".path;
        bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix