refactor: get rid of providedDomains in favor of globals
parent
b6cd74c732
commit
68b12b865c
31 changed files with 103 additions and 107 deletions
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
config,
|
||||
globals,
|
||||
lib,
|
||||
nodes,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
|
@ -12,9 +12,8 @@ in {
|
|||
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port];
|
||||
};
|
||||
|
||||
globals.services.adguardhome.domain = adguardhomeDomain;
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.adguard = adguardhomeDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.adguardhome = {
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {};
|
||||
|
@ -78,7 +77,7 @@ in {
|
|||
# Undo the /etc/hosts entry so we don't answer with the internal
|
||||
# wireguard address for influxdb
|
||||
{
|
||||
domain = nodes.sentinel.config.networking.providedDomains.influxdb;
|
||||
inherit (globals.services.influxdb) domain;
|
||||
answer = config.repo.secrets.global.domains.me;
|
||||
}
|
||||
]
|
||||
|
@ -87,11 +86,12 @@ in {
|
|||
inherit domain;
|
||||
answer = "192.168.1.4";
|
||||
}) [
|
||||
nodes.sentinel.config.networking.providedDomains.grafana
|
||||
nodes.sentinel.config.networking.providedDomains.immich
|
||||
nodes.sentinel.config.networking.providedDomains.influxdb
|
||||
nodes.sentinel.config.networking.providedDomains.loki
|
||||
nodes.sentinel.config.networking.providedDomains.paperless
|
||||
# FIXME: dont hardcode, filter global service domains by internal state
|
||||
globals.services.grafana.domain
|
||||
globals.services.immich.domain
|
||||
globals.services.influxdb.domain
|
||||
globals.services.loki.domain
|
||||
globals.services.paperless.domain
|
||||
"home.${config.repo.secrets.global.domains.me}"
|
||||
"fritzbox.${config.repo.secrets.global.domains.me}"
|
||||
];
|
||||
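Review bot: The split-horizon rewrite list in the `@ -87,11 +86,12 @@` hunk is now a hand-maintained copy of which services are LAN-internal: a service that later gains a `globals.services.<name>.domain` but is not added here will have its name resolved through the public path instead of being answered with `192.168.1.4`, and nothing flags the omission. The `# FIXME: dont hardcode, filter global service domains by internal state` line already names the real fix; until it lands, a comment stating the invariant would help, e.g. `# Every service proxied by sentinel that should be reached over the LAN must be listed here; keep in sync with globals.services.*.domain`. Whether a misspelled attribute such as a wrong service name fails evaluation or silently yields nothing depends on how the `globals` option is typed, which is not visible in this diff; if it is freeform, an evaluation-time assertion that each listed entry exists would catch typos in this DNS override list.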
|
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
config,
|
||||
globals,
|
||||
lib,
|
||||
nodes,
|
||||
...
|
||||
|
@ -17,13 +18,13 @@ in {
|
|||
if config.wireguard ? proxy-home
|
||||
then wardWebProxyCfg.wireguard.proxy-home.ipv4
|
||||
else sentinelCfg.wireguard.proxy-sentinel.ipv4
|
||||
} = [sentinelCfg.networking.providedDomains.influxdb];
|
||||
} = [globals.services.influxdb.domain];
|
||||
|
||||
meta.telegraf = lib.mkIf (!config.boot.isContainer) {
|
||||
enable = true;
|
||||
scrapeSensors = false;
|
||||
influxdb2 = {
|
||||
domain = sentinelCfg.networking.providedDomains.influxdb;
|
||||
inherit (globals.services.influxdb) domain;
|
||||
organization = "machines";
|
||||
bucket = "telegraf";
|
||||
node = "sire-influxdb";
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
{
|
||||
config,
|
||||
globals,
|
||||
lib,
|
||||
nodes,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
sentinelCfg = nodes.sentinel.config;
|
||||
forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
|
||||
in {
|
||||
wireguard.proxy-sentinel = {
|
||||
|
@ -26,9 +26,8 @@ in {
|
|||
inherit (config.services.forgejo) group;
|
||||
};
|
||||
|
||||
globals.services.forgejo.domain = forgejoDomain;
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.forgejo = forgejoDomain;
|
||||
|
||||
# Rewrite destination addr with dnat on incoming connections
|
||||
# and masquerade responses to make them look like they originate from this host.
|
||||
# - 9922 (wan) -> 22 (proxy-sentinel)
|
||||
|
@ -190,7 +189,7 @@ in {
|
|||
["--name" providerName]
|
||||
["--provider" "openidConnect"]
|
||||
["--key" clientId]
|
||||
["--auto-discover-url" "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"]
|
||||
["--auto-discover-url" "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/.well-known/openid-configuration"]
|
||||
["--scopes" "email"]
|
||||
["--scopes" "profile"]
|
||||
["--group-claim-name" "groups"]
|
||||
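Review bot: The binding `sentinelCfg = nodes.sentinel.config;` kept in the `@ -1,11 +1,11 @@` hunk may be left without a remaining use once the `@ -190,7 +189,7 @@` hunk switches the auto-discover URL to `globals.services.kanidm.domain`; the rest of the file is outside the hunks, so this is inferred rather than seen. The kanidm file in this same commit drops both `nodes` and its `sentinelCfg` binding from the header, so if no other use remains this file should do the same for consistency. The rewritten `--auto-discover-url` keeps its `https://` scheme and path, which is the part that matters for the provider registration.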
|
|
|
@ -1,4 +1,4 @@
|
|||
{nodes, ...}: {
|
||||
{globals, ...}: {
|
||||
# Forwarding required to masquerade netbird network
|
||||
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
|
||||
|
||||
|
@ -25,7 +25,7 @@
|
|||
openFirewall = true;
|
||||
config.ServerSSHAllowed = false;
|
||||
environment = rec {
|
||||
NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}";
|
||||
NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}";
|
||||
NB_ADMIN_URL = NB_MANAGEMENT_URL;
|
||||
NB_HOSTNAME = "home-gateway";
|
||||
};
|
||||
|
|
|
@ -1,10 +1,9 @@
|
|||
{
|
||||
config,
|
||||
nodes,
|
||||
globals,
|
||||
...
|
||||
}: let
|
||||
inherit (config.repo.secrets.global) domains;
|
||||
sentinelCfg = nodes.sentinel.config;
|
||||
kanidmDomain = "auth.${domains.me}";
|
||||
kanidmPort = 8300;
|
||||
|
||||
|
@ -40,9 +39,8 @@ in {
|
|||
age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;
|
||||
|
||||
globals.services.kanidm.domain = kanidmDomain;
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.kanidm = kanidmDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.kanidm = {
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
|
||||
|
@ -102,7 +100,7 @@ in {
|
|||
groups."immich.access" = {};
|
||||
systems.oauth2.immich = {
|
||||
displayName = "Immich";
|
||||
originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
|
||||
originUrl = "https://${globals.services.immich.domain}/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
|
||||
preferShortUsername = true;
|
||||
# XXX: PKCE is currently not supported by immich
|
||||
|
@ -117,7 +115,7 @@ in {
|
|||
systems.oauth2.netbird = {
|
||||
public = true;
|
||||
displayName = "Netbird";
|
||||
originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/";
|
||||
originUrl = "https://${globals.services.netbird.domain}/";
|
||||
preferShortUsername = true;
|
||||
enableLocalhostRedirects = true;
|
||||
enableLegacyCrypto = true;
|
||||
|
@ -128,7 +126,7 @@ in {
|
|||
groups."paperless.access" = {};
|
||||
systems.oauth2.paperless = {
|
||||
displayName = "Paperless";
|
||||
originUrl = "https://${sentinelCfg.networking.providedDomains.paperless}/";
|
||||
originUrl = "https://${globals.services.paperless.domain}/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-paperless.path;
|
||||
preferShortUsername = true;
|
||||
scopeMaps."paperless.access" = ["openid" "email" "profile"];
|
||||
|
@ -141,7 +139,7 @@ in {
|
|||
groups."grafana.server-admins" = {};
|
||||
systems.oauth2.grafana = {
|
||||
displayName = "Grafana";
|
||||
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
|
||||
originUrl = "https://${globals.services.grafana.domain}/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
|
||||
preferShortUsername = true;
|
||||
scopeMaps."grafana.access" = ["openid" "email" "profile"];
|
||||
|
@ -160,7 +158,7 @@ in {
|
|||
groups."forgejo.admins" = {};
|
||||
systems.oauth2.forgejo = {
|
||||
displayName = "Forgejo";
|
||||
originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/";
|
||||
originUrl = "https://${globals.services.forgejo.domain}/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
|
||||
scopeMaps."forgejo.access" = ["openid" "email" "profile"];
|
||||
# XXX: PKCE is currently not supported by gitea/forgejo,
|
||||
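Review bot: The `originUrl` values rewritten in the `@ -102`, `@ -117`, `@ -128`, `@ -141` and `@ -160` hunks are the redirect origins kanidm accepts for each OAuth2 client, and they now come from whichever node sets `globals.services.<name>.domain` instead of from sentinel's own `providedDomains`, so the direct tie to the vhost sentinel actually serves is gone. Nothing in these hunks checks that the two still agree; if they drift (a service moved or renamed on one side only) the accepted redirect origin points at a name sentinel does not serve, which breaks login at best and, if the stale name is served by something else, sends the authorization response there. Consider a comment above the `systems.oauth2` entries such as `# originUrl is the redirect origin kanidm enforces; it must equal the public vhost nginx serves for this client` and, if the `globals` option permits it, an assertion on the consuming node that its proxied domain equals the global one.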
|
|
|
@ -1,5 +1,6 @@
|
|||
{
|
||||
config,
|
||||
globals,
|
||||
lib,
|
||||
nodes,
|
||||
...
|
||||
|
@ -44,14 +45,14 @@ in {
|
|||
enable = true;
|
||||
domain = netbirdDomain;
|
||||
|
||||
dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird";
|
||||
dashboard.settings.AUTH_AUTHORITY = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird";
|
||||
|
||||
management = {
|
||||
singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}";
|
||||
dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
|
||||
disableAnonymousMetrics = true;
|
||||
oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration";
|
||||
turnDomain = sentinelCfg.networking.providedDomains.coturn;
|
||||
oidcConfigEndpoint = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird/.well-known/openid-configuration";
|
||||
turnDomain = globals.services.coturn.domain;
|
||||
turnPort = sentinelCfg.services.coturn.tls-listening-port;
|
||||
settings = {
|
||||
HttpConfig = {
|
||||
|
@ -76,9 +77,8 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
globals.services.netbird.domain = netbirdDomain;
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.netbird = netbirdDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.netbird-mgmt = {
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.management.port}" = {};
|
||||
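Review bot: In the `@ -44,14 +45,14 @@` hunk `turnDomain` now comes from `globals.services.coturn.domain` while the following unchanged line still reads `turnPort = sentinelCfg.services.coturn.tls-listening-port;` from sentinel's node config, so the TURN endpoint's host and port are sourced from two different places. If coturn is ever published under a global domain on a node other than sentinel, the port would silently remain sentinel's while the host moves. Either derive both from the same source (expose the port next to the domain in globals, or keep both on the node) or document the assumption inline, e.g. `# turnPort is still read from sentinel: coturn is assumed to run there`.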
|
|
|
@ -6,9 +6,8 @@ in {
|
|||
firewallRuleForNode.sentinel.allowedTCPPorts = [8000];
|
||||
};
|
||||
|
||||
globals.services.radicale.domain = radicaleDomain;
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.radicale = radicaleDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.radicale = {
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = {};
|
||||
|
|
|
@ -25,9 +25,8 @@ in {
|
|||
}
|
||||
];
|
||||
|
||||
globals.services.vaultwarden.domain = vaultwardenDomain;
|
||||
nodes.sentinel = {
|
||||
networking.providedDomains.vaultwarden = vaultwardenDomain;
|
||||
|
||||
services.nginx = {
|
||||
upstreams.vaultwarden = {
|
||||
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};
|
||||
|
|