sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refactor: get rid of providedDomains in favor of globals

Browse source
This commit is contained in:
oddlama 2024-06-02 16:59:14 +02:00
parent b6cd74c732
commit 68b12b865c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
31 changed files with 103 additions and 107 deletions
Download patch file Download diff file Expand all files Collapse all files

10
config/default.nix
View file

@ -35,14 +35,4 @@
./topology.nix ./topology.nix
./users.nix ./users.nix
]; ];
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays =
import ../pkgs/default.nix
++ [
inputs.nix-topology.overlays.default
inputs.nixos-extra-modules.overlays.default
inputs.nixvim.overlays.default
inputs.wired-notify.overlays.default
];
} }

10
hosts/envoy/default.nix
View file

@ -1,4 +1,8 @@
{nodes, ...}: { {
globals,
nodes,
...
}: {
imports = [ imports = [
../../config ../../config
../../config/hardware/hetzner-cloud.nix ../../config/hardware/hetzner-cloud.nix
@ -25,12 +29,12 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
meta.telegraf = { meta.telegraf = {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;
influxdb2 = { influxdb2 = {
domain = nodes.sentinel.config.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";

8
hosts/kroma/default.nix
View file

@ -1,8 +1,8 @@
{ {
globals,
inputs, inputs,
lib, lib,
minimal, minimal,
nodes,
... ...
}: }:
{ {
@ -67,11 +67,11 @@
#}; #};
## Connect safely via wireguard to skip authentication ## Connect safely via wireguard to skip authentication
#networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; #networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
#meta.telegraf = { #meta.telegraf = {
# enable = true; # enable = true;
# influxdb2 = { # influxdb2 = {
# domain = nodes.sentinel.config.networking.providedDomains.influxdb; # domain = globals.services.influxdb.domain;
# organization = "machines"; # organization = "machines";
# bucket = "telegraf"; # bucket = "telegraf";
# node = "sire-influxdb"; # node = "sire-influxdb";
@ -89,7 +89,7 @@
openFirewall = true; openFirewall = true;
config.ServerSSHAllowed = false; config.ServerSSHAllowed = false;
environment = rec { environment = rec {
NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}"; NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}";
NB_ADMIN_URL = NB_MANAGEMENT_URL; NB_ADMIN_URL = NB_MANAGEMENT_URL;
}; };
}; };

2
hosts/sentinel/coturn.nix
View file

@ -38,7 +38,7 @@ in {
to = config.services.coturn.max-port; to = config.services.coturn.max-port;
} }
]; ];
networking.providedDomains.coturn = coturnDomain; globals.services.coturn.domain = coturnDomain;
services.coturn = { services.coturn = {
enable = true; enable = true;

5
hosts/sentinel/default.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
pkgs, pkgs,
... ...
}: { }: {
@ -44,12 +45,12 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb]; networking.hosts.${config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
meta.telegraf = { meta.telegraf = {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;
influxdb2 = { influxdb2 = {
domain = config.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";

9
hosts/sentinel/oauth2.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
nodes, nodes,
... ...
}: { }: {
@ -40,14 +41,14 @@
in { in {
provider = "oidc"; provider = "oidc";
scope = "openid email"; scope = "openid email";
loginURL = "https://${config.networking.providedDomains.kanidm}/ui/oauth2"; loginURL = "https://${globals.services.kanidm.domain}/ui/oauth2";
redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token"; redeemURL = "https://${globals.services.kanidm.domain}/oauth2/token";
validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo"; validateURL = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/userinfo";
clientID = clientId; clientID = clientId;
email.domains = ["*"]; email.domains = ["*"];
extraConfig = { extraConfig = {
oidc-issuer-url = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}"; oidc-issuer-url = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
provider-display-name = "Kanidm"; provider-display-name = "Kanidm";
#skip-provider-button = true; #skip-provider-button = true;
}; };

7
hosts/sire/default.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
inputs, inputs,
lib, lib,
nodes, nodes,
@ -32,11 +33,11 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; networking.hosts.${nodes.sentinel.config.wireguard.proxy-sentinel.ipv4} = [globals.services.influxdb.domain];
meta.telegraf = { meta.telegraf = {
enable = true; enable = true;
influxdb2 = { influxdb2 = {
domain = nodes.sentinel.config.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";
@ -96,7 +97,7 @@
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
}; };
extraSpecialArgs = { extraSpecialArgs = {
inherit (inputs.self) nodes; inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib; inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal; inherit inputs minimal;
}; };

5
hosts/sire/guests/common.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
... ...
@ -17,13 +18,13 @@ in {
if config.wireguard ? proxy-home if config.wireguard ? proxy-home
then wardWebProxyCfg.wireguard.proxy-home.ipv4 then wardWebProxyCfg.wireguard.proxy-home.ipv4
else sentinelCfg.wireguard.proxy-sentinel.ipv4 else sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [sentinelCfg.networking.providedDomains.influxdb]; } = [globals.services.influxdb.domain];
meta.telegraf = lib.mkIf (!config.boot.isContainer) { meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;
influxdb2 = { influxdb2 = {
domain = sentinelCfg.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";

20
hosts/sire/guests/grafana.nix
View file

@ -1,9 +1,9 @@
{ {
config, config,
globals,
nodes, nodes,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config;
wardWebProxyCfg = nodes.ward-web-proxy.config; wardWebProxyCfg = nodes.ward-web-proxy.config;
grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}"; grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
in { in {
@ -83,8 +83,6 @@ in {
config.age.secrets.grafana-loki-basic-auth-password config.age.secrets.grafana-loki-basic-auth-password
]; ];
networking.providedDomains.grafana = grafanaDomain;
services.nginx = { services.nginx = {
upstreams.grafana = { upstreams.grafana = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
@ -140,8 +138,8 @@ in {
]; ];
networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [ networking.hosts.${wardWebProxyCfg.wireguard.proxy-home.ipv4} = [
sentinelCfg.networking.providedDomains.influxdb # technically a duplicate (see ./common.nix)... globals.services.influxdb.domain # technically a duplicate (see ./common.nix)...
sentinelCfg.networking.providedDomains.loki globals.services.loki.domain
]; ];
services.grafana = { services.grafana = {
@ -178,9 +176,9 @@ in {
client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}"; client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
scopes = "openid email profile"; scopes = "openid email profile";
login_attribute_path = "preferred_username"; login_attribute_path = "preferred_username";
auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2"; auth_url = "https://${globals.services.kanidm.domain}/ui/oauth2";
token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token"; token_url = "https://${globals.services.kanidm.domain}/oauth2/token";
api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo"; api_url = "https://${globals.services.kanidm.domain}/oauth2/openid/grafana/userinfo";
use_pkce = true; use_pkce = true;
# Allow mapping oauth2 roles to server admin # Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true; allow_assign_grafana_admin = true;
@ -195,7 +193,7 @@ in {
name = "InfluxDB (machines)"; name = "InfluxDB (machines)";
type = "influxdb"; type = "influxdb";
access = "proxy"; access = "proxy";
url = "https://${sentinelCfg.networking.providedDomains.influxdb}"; url = "https://${globals.services.influxdb.domain}";
orgId = 1; orgId = 1;
secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-machines.path}}"; secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-machines.path}}";
jsonData.version = "Flux"; jsonData.version = "Flux";
@ -206,7 +204,7 @@ in {
name = "InfluxDB (home_assistant)"; name = "InfluxDB (home_assistant)";
type = "influxdb"; type = "influxdb";
access = "proxy"; access = "proxy";
url = "https://${sentinelCfg.networking.providedDomains.influxdb}"; url = "https://${globals.services.influxdb.domain}";
orgId = 1; orgId = 1;
secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-home.path}}"; secureJsonData.token = "$__file{${config.age.secrets.grafana-influxdb-token-home.path}}";
jsonData.version = "Flux"; jsonData.version = "Flux";
@ -217,7 +215,7 @@ in {
name = "Loki"; name = "Loki";
type = "loki"; type = "loki";
access = "proxy"; access = "proxy";
url = "https://${sentinelCfg.networking.providedDomains.loki}"; url = "https://${globals.services.loki.domain}";
orgId = 1; orgId = 1;
basicAuth = true; basicAuth = true;
basicAuthUser = "${config.node.name}+grafana-loki-basic-auth-password"; basicAuthUser = "${config.node.name}+grafana-loki-basic-auth-password";

8
hosts/sire/guests/immich.nix
View file

@ -1,7 +1,8 @@
{ {
pkgs,
config, config,
globals,
nodes, nodes,
pkgs,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -86,7 +87,7 @@
clientId = "immich"; clientId = "immich";
# clientSecret will be dynamically added in activation script # clientSecret will be dynamically added in activation script
issuerUrl = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}"; issuerUrl = "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}";
scope = "openid email profile"; scope = "openid email profile";
storageLabelClaim = "preferred_username"; storageLabelClaim = "preferred_username";
}; };
@ -183,9 +184,8 @@ in {
]; ];
}; };
globals.services.immich.domain = immichDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.immich = immichDomain;
services.nginx = { services.nginx = {
upstreams.immich = { upstreams.immich = {
servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:2283" = {};

2
hosts/sire/guests/influxdb.nix
View file

@ -89,8 +89,6 @@ in {
globals.services.influxdb.domain = influxdbDomain; globals.services.influxdb.domain = influxdbDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.influxdb = influxdbDomain;
services.nginx = { services.nginx = {
upstreams.influxdb = { upstreams.influxdb = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};

3
hosts/sire/guests/loki.nix
View file

@ -17,9 +17,8 @@ in {
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
}; };
globals.services.loki.domain = lokiDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.loki = lokiDomain;
age.secrets.loki-basic-auth-hashes = { age.secrets.loki-basic-auth-hashes = {
generator.script = "basic-auth"; generator.script = "basic-auth";
mode = "440"; mode = "440";

3
hosts/sire/guests/minecraft.nix
View file

@ -359,6 +359,7 @@ in {
} }
]; ];
globals.services.minecraft.domain = minecraftDomain;
nodes.sentinel = { nodes.sentinel = {
# Rewrite destination addr with dnat on incoming connections # Rewrite destination addr with dnat on incoming connections
# and masquerade responses to make them look like they originate from this host. # and masquerade responses to make them look like they originate from this host.
@ -384,8 +385,6 @@ in {
}; };
}; };
networking.providedDomains.minecraft = minecraftDomain;
services.nginx = { services.nginx = {
upstreams.minecraft = { upstreams.minecraft = {
servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:80" = {};

6
hosts/sire/guests/paperless.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
pkgs, pkgs,
@ -23,9 +24,8 @@ in {
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port]; firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [config.services.paperless.port];
}; };
globals.services.paperless.domain = paperlessDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.paperless = paperlessDomain;
services.nginx = { services.nginx = {
upstreams.paperless = { upstreams.paperless = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
@ -126,7 +126,7 @@ in {
client_id = "paperless"; client_id = "paperless";
# secret will be added dynamically # secret will be added dynamically
#secret = ""; #secret = "";
settings.server_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${client_id}/.well-known/openid-configuration"; settings.server_url = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
} }
]; ];
}; };

9
hosts/ward/default.nix
View file

@ -1,9 +1,10 @@
{ {
config, config,
globals,
inputs, inputs,
lib, lib,
nodes,
minimal, minimal,
nodes,
... ...
}: { }: {
imports = [ imports = [
@ -34,11 +35,11 @@
}; };
# Connect safely via wireguard to skip authentication # Connect safely via wireguard to skip authentication
networking.hosts.${config.wireguard.proxy-home.ipv4} = [nodes.sentinel.config.networking.providedDomains.influxdb]; networking.hosts.${config.wireguard.proxy-home.ipv4} = [globals.services.influxdb.domain];
meta.telegraf = { meta.telegraf = {
enable = true; enable = true;
influxdb2 = { influxdb2 = {
domain = nodes.sentinel.config.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";
@ -83,7 +84,7 @@
baseMac = config.repo.secrets.local.networking.interfaces.lan.mac; baseMac = config.repo.secrets.local.networking.interfaces.lan.mac;
}; };
extraSpecialArgs = { extraSpecialArgs = {
inherit (inputs.self) nodes; inherit (inputs.self) nodes globals;
inherit (inputs.self.pkgs.x86_64-linux) lib; inherit (inputs.self.pkgs.x86_64-linux) lib;
inherit inputs minimal; inherit inputs minimal;
}; };

18
hosts/ward/guests/adguardhome.nix
View file

@ -1,7 +1,7 @@
{ {
config, config,
globals,
lib, lib,
nodes,
pkgs, pkgs,
... ...
}: let }: let
@ -12,9 +12,8 @@ in {
firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port]; firewallRuleForNode.sentinel.allowedTCPPorts = [config.services.adguardhome.port];
}; };
globals.services.adguardhome.domain = adguardhomeDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.adguard = adguardhomeDomain;
services.nginx = { services.nginx = {
upstreams.adguardhome = { upstreams.adguardhome = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.port}" = {};
@ -78,7 +77,7 @@ in {
# Undo the /etc/hosts entry so we don't answer with the internal # Undo the /etc/hosts entry so we don't answer with the internal
# wireguard address for influxdb # wireguard address for influxdb
{ {
domain = nodes.sentinel.config.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
answer = config.repo.secrets.global.domains.me; answer = config.repo.secrets.global.domains.me;
} }
] ]
@ -87,11 +86,12 @@ in {
inherit domain; inherit domain;
answer = "192.168.1.4"; answer = "192.168.1.4";
}) [ }) [
nodes.sentinel.config.networking.providedDomains.grafana # FIXME: dont hardcode, filter global service domains by internal state
nodes.sentinel.config.networking.providedDomains.immich globals.services.grafana.domain
nodes.sentinel.config.networking.providedDomains.influxdb globals.services.immich.domain
nodes.sentinel.config.networking.providedDomains.loki globals.services.influxdb.domain
nodes.sentinel.config.networking.providedDomains.paperless globals.services.loki.domain
globals.services.paperless.domain
"home.${config.repo.secrets.global.domains.me}" "home.${config.repo.secrets.global.domains.me}"
"fritzbox.${config.repo.secrets.global.domains.me}" "fritzbox.${config.repo.secrets.global.domains.me}"
]; ];

5
hosts/ward/guests/common.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
... ...
@ -17,13 +18,13 @@ in {
if config.wireguard ? proxy-home if config.wireguard ? proxy-home
then wardWebProxyCfg.wireguard.proxy-home.ipv4 then wardWebProxyCfg.wireguard.proxy-home.ipv4
else sentinelCfg.wireguard.proxy-sentinel.ipv4 else sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [sentinelCfg.networking.providedDomains.influxdb]; } = [globals.services.influxdb.domain];
meta.telegraf = lib.mkIf (!config.boot.isContainer) { meta.telegraf = lib.mkIf (!config.boot.isContainer) {
enable = true; enable = true;
scrapeSensors = false; scrapeSensors = false;
influxdb2 = { influxdb2 = {
domain = sentinelCfg.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";

7
hosts/ward/guests/forgejo.nix
View file

@ -1,11 +1,11 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
pkgs, pkgs,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config;
forgejoDomain = "git.${config.repo.secrets.global.domains.me}"; forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
in { in {
wireguard.proxy-sentinel = { wireguard.proxy-sentinel = {
@ -26,9 +26,8 @@ in {
inherit (config.services.forgejo) group; inherit (config.services.forgejo) group;
}; };
globals.services.forgejo.domain = forgejoDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.forgejo = forgejoDomain;
# Rewrite destination addr with dnat on incoming connections # Rewrite destination addr with dnat on incoming connections
# and masquerade responses to make them look like they originate from this host. # and masquerade responses to make them look like they originate from this host.
# - 9922 (wan) -> 22 (proxy-sentinel) # - 9922 (wan) -> 22 (proxy-sentinel)
@ -190,7 +189,7 @@ in {
["--name" providerName] ["--name" providerName]
["--provider" "openidConnect"] ["--provider" "openidConnect"]
["--key" clientId] ["--key" clientId]
["--auto-discover-url" "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/.well-known/openid-configuration"] ["--auto-discover-url" "https://${globals.services.kanidm.domain}/oauth2/openid/${clientId}/.well-known/openid-configuration"]
["--scopes" "email"] ["--scopes" "email"]
["--scopes" "profile"] ["--scopes" "profile"]
["--group-claim-name" "groups"] ["--group-claim-name" "groups"]

4
hosts/ward/guests/home-gateway.nix
View file

@ -1,4 +1,4 @@
{nodes, ...}: { {globals, ...}: {
# Forwarding required to masquerade netbird network # Forwarding required to masquerade netbird network
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
@ -25,7 +25,7 @@
openFirewall = true; openFirewall = true;
config.ServerSSHAllowed = false; config.ServerSSHAllowed = false;
environment = rec { environment = rec {
NB_MANAGEMENT_URL = "https://${nodes.sentinel.config.networking.providedDomains.netbird}"; NB_MANAGEMENT_URL = "https://${globals.services.netbird.domain}";
NB_ADMIN_URL = NB_MANAGEMENT_URL; NB_ADMIN_URL = NB_MANAGEMENT_URL;
NB_HOSTNAME = "home-gateway"; NB_HOSTNAME = "home-gateway";
}; };

16
hosts/ward/guests/kanidm.nix
View file

@ -1,10 +1,9 @@
{ {
config, config,
nodes, globals,
... ...
}: let }: let
inherit (config.repo.secrets.global) domains; inherit (config.repo.secrets.global) domains;
sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${domains.me}"; kanidmDomain = "auth.${domains.me}";
kanidmPort = 8300; kanidmPort = 8300;
@ -40,9 +39,8 @@ in {
age.secrets.kanidm-oauth2-paperless = mkRandomSecret; age.secrets.kanidm-oauth2-paperless = mkRandomSecret;
age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret; age.secrets.kanidm-oauth2-web-sentinel = mkRandomSecret;
globals.services.kanidm.domain = kanidmDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.kanidm = kanidmDomain;
services.nginx = { services.nginx = {
upstreams.kanidm = { upstreams.kanidm = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
@ -102,7 +100,7 @@ in {
groups."immich.access" = {}; groups."immich.access" = {};
systems.oauth2.immich = { systems.oauth2.immich = {
displayName = "Immich"; displayName = "Immich";
originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/"; originUrl = "https://${globals.services.immich.domain}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path; basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
preferShortUsername = true; preferShortUsername = true;
# XXX: PKCE is currently not supported by immich # XXX: PKCE is currently not supported by immich
@ -117,7 +115,7 @@ in {
systems.oauth2.netbird = { systems.oauth2.netbird = {
public = true; public = true;
displayName = "Netbird"; displayName = "Netbird";
originUrl = "https://${sentinelCfg.networking.providedDomains.netbird}/"; originUrl = "https://${globals.services.netbird.domain}/";
preferShortUsername = true; preferShortUsername = true;
enableLocalhostRedirects = true; enableLocalhostRedirects = true;
enableLegacyCrypto = true; enableLegacyCrypto = true;
@ -128,7 +126,7 @@ in {
groups."paperless.access" = {}; groups."paperless.access" = {};
systems.oauth2.paperless = { systems.oauth2.paperless = {
displayName = "Paperless"; displayName = "Paperless";
originUrl = "https://${sentinelCfg.networking.providedDomains.paperless}/"; originUrl = "https://${globals.services.paperless.domain}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-paperless.path; basicSecretFile = config.age.secrets.kanidm-oauth2-paperless.path;
preferShortUsername = true; preferShortUsername = true;
scopeMaps."paperless.access" = ["openid" "email" "profile"]; scopeMaps."paperless.access" = ["openid" "email" "profile"];
@ -141,7 +139,7 @@ in {
groups."grafana.server-admins" = {}; groups."grafana.server-admins" = {};
systems.oauth2.grafana = { systems.oauth2.grafana = {
displayName = "Grafana"; displayName = "Grafana";
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/"; originUrl = "https://${globals.services.grafana.domain}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path; basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
preferShortUsername = true; preferShortUsername = true;
scopeMaps."grafana.access" = ["openid" "email" "profile"]; scopeMaps."grafana.access" = ["openid" "email" "profile"];
@ -160,7 +158,7 @@ in {
groups."forgejo.admins" = {}; groups."forgejo.admins" = {};
systems.oauth2.forgejo = { systems.oauth2.forgejo = {
displayName = "Forgejo"; displayName = "Forgejo";
originUrl = "https://${sentinelCfg.networking.providedDomains.forgejo}/"; originUrl = "https://${globals.services.forgejo.domain}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path; basicSecretFile = config.age.secrets.kanidm-oauth2-forgejo.path;
scopeMaps."forgejo.access" = ["openid" "email" "profile"]; scopeMaps."forgejo.access" = ["openid" "email" "profile"];
# XXX: PKCE is currently not supported by gitea/forgejo, # XXX: PKCE is currently not supported by gitea/forgejo,

10
hosts/ward/guests/netbird.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
... ...
@ -44,14 +45,14 @@ in {
enable = true; enable = true;
domain = netbirdDomain; domain = netbirdDomain;
dashboard.settings.AUTH_AUTHORITY = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird"; dashboard.settings.AUTH_AUTHORITY = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird";
management = { management = {
singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}"; singleAccountModeDomain = "internal.${config.repo.secrets.global.domains.me}";
dnsDomain = "internal.${config.repo.secrets.global.domains.me}"; dnsDomain = "internal.${config.repo.secrets.global.domains.me}";
disableAnonymousMetrics = true; disableAnonymousMetrics = true;
oidcConfigEndpoint = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/netbird/.well-known/openid-configuration"; oidcConfigEndpoint = "https://${globals.services.kanidm.domain}/oauth2/openid/netbird/.well-known/openid-configuration";
turnDomain = sentinelCfg.networking.providedDomains.coturn; turnDomain = globals.services.coturn.domain;
turnPort = sentinelCfg.services.coturn.tls-listening-port; turnPort = sentinelCfg.services.coturn.tls-listening-port;
settings = { settings = {
HttpConfig = { HttpConfig = {
@ -76,9 +77,8 @@ in {
}; };
}; };
globals.services.netbird.domain = netbirdDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.netbird = netbirdDomain;
services.nginx = { services.nginx = {
upstreams.netbird-mgmt = { upstreams.netbird-mgmt = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.management.port}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${builtins.toString config.services.netbird.server.management.port}" = {};

3
hosts/ward/guests/radicale.nix
View file

@ -6,9 +6,8 @@ in {
firewallRuleForNode.sentinel.allowedTCPPorts = [8000]; firewallRuleForNode.sentinel.allowedTCPPorts = [8000];
}; };
globals.services.radicale.domain = radicaleDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.radicale = radicaleDomain;
services.nginx = { services.nginx = {
upstreams.radicale = { upstreams.radicale = {
servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:8000" = {};

3
hosts/ward/guests/vaultwarden.nix
View file

@ -25,9 +25,8 @@ in {
} }
]; ];
globals.services.vaultwarden.domain = vaultwardenDomain;
nodes.sentinel = { nodes.sentinel = {
networking.providedDomains.vaultwarden = vaultwardenDomain;
services.nginx = { services.nginx = {
upstreams.vaultwarden = { upstreams.vaultwarden = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {}; servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};

5
hosts/zackbiene/default.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
... ...
@ -41,12 +42,12 @@ in {
if config.wireguard ? proxy-home if config.wireguard ? proxy-home
then wardWebProxyCfg.wireguard.proxy-home.ipv4 then wardWebProxyCfg.wireguard.proxy-home.ipv4
else sentinelCfg.wireguard.proxy-sentinel.ipv4 else sentinelCfg.wireguard.proxy-sentinel.ipv4
} = [sentinelCfg.networking.providedDomains.influxdb]; } = [globals.services.influxdb.domain];
meta.telegraf = { meta.telegraf = {
enable = true; enable = true;
influxdb2 = { influxdb2 = {
domain = sentinelCfg.networking.providedDomains.influxdb; inherit (globals.services.influxdb) domain;
organization = "machines"; organization = "machines";
bucket = "telegraf"; bucket = "telegraf";
node = "sire-influxdb"; node = "sire-influxdb";

3
hosts/zackbiene/home-assistant.nix
View file

@ -1,5 +1,6 @@
{ {
config, config,
globals,
lib, lib,
nodes, nodes,
pkgs, pkgs,
@ -88,7 +89,7 @@ in {
influxdb = { influxdb = {
api_version = 2; api_version = 2;
host = nodes.sentinel.config.networking.providedDomains.influxdb; host = globals.services.influxdb.domain;
port = "443"; port = "443";
max_retries = 10; max_retries = 10;
ssl = true; ssl = true;

1
modules/default.nix
View file

@ -15,7 +15,6 @@
./netbird-client.nix ./netbird-client.nix
./oauth2-proxy.nix ./oauth2-proxy.nix
./promtail.nix ./promtail.nix
./provided-domains.nix
./secrets.nix ./secrets.nix
./telegraf.nix ./telegraf.nix
]; ];

1
modules/distributed-config.nix
View file

@ -40,7 +40,6 @@
forwardedOptions = [ forwardedOptions = [
["age" "secrets"] ["age" "secrets"]
["networking" "providedDomains"]
["networking" "nftables" "chains"] ["networking" "nftables" "chains"]
["services" "nginx" "upstreams"] ["services" "nginx" "upstreams"]
["services" "nginx" "virtualHosts"] ["services" "nginx" "virtualHosts"]

3
modules/promtail.nix
View file

@ -3,6 +3,7 @@
lib, lib,
minimal, minimal,
nodes, nodes,
globals,
... ...
}: let }: let
inherit inherit
@ -48,7 +49,7 @@ in {
{ {
basic_auth.username = "${config.node.name}+promtail-loki-basic-auth-password"; basic_auth.username = "${config.node.name}+promtail-loki-basic-auth-password";
basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path; basic_auth.password_file = config.age.secrets.promtail-loki-basic-auth-password.path;
url = "https://${nodes.${cfg.proxy}.config.networking.providedDomains.loki}/loki/api/v1/push"; url = "https://${globals.services.loki.domain}/loki/api/v1/push";
} }
]; ];

7
modules/provided-domains.nix
View file

@ -1,7 +0,0 @@
{lib, ...}: {
options.networking.providedDomains = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {};
description = "Registry of domains that this host 'provides' (that refer to this host with some functionality). For easy cross-node referencing.";
};
}

7
nix/globals.nix
View file

@ -20,7 +20,10 @@
}) })
]; ];
}; };
in in {
globalsSystem.config.globals; # Make sure the keys of this attrset are trivially evaluatable to avoid infinite recursion,
# therefore we inherit relevant attributes from the config.
inherit (globalsSystem.config.globals) services;
};
}; };
} }

10
nix/hosts.nix
View file

@ -28,6 +28,16 @@
}; };
modules = [ modules = [
{ {
nixpkgs.config.allowUnfree = true;
nixpkgs.overlays =
import ../pkgs/default.nix
++ [
inputs.nix-topology.overlays.default
inputs.nixos-extra-modules.overlays.default
inputs.nixvim.overlays.default
inputs.wired-notify.overlays.default
];
node.name = name; node.name = name;
node.secretsDir = ../hosts/${name}/secrets; node.secretsDir = ../hosts/${name}/secrets;
} }