chore: bind kanidm to proxy

This commit is contained in:
oddlama 2023-05-31 18:07:07 +02:00
parent ef03fd0594
commit 6cedaa53e6
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
2 changed files with 7 additions and 11 deletions


@ -25,13 +25,6 @@ in {
boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"]; boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" "r8169"];
extra.wireguard.proxy-sentinel.server = {
host = "TODO REMOVE";
port = 51443;
reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];
openFirewallRules = ["untrusted-to-local"];
};
extra.microvms.vms = let extra.microvms.vms = let
defineVm = id: { defineVm = id: {
inherit id; inherit id;
@ -73,7 +66,6 @@ in {
microvm.vms.nginx.config = { microvm.vms.nginx.config = {
lib, lib,
config, config,
parentNodeName,
... ...
}: { }: {
rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq"; rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
@ -113,11 +105,9 @@ in {
serverSettings = { serverSettings = {
domain = authDomain; domain = authDomain;
origin = "https://${config.services.kanidm.serverSettings.domain}"; origin = "https://${config.services.kanidm.serverSettings.domain}";
#tls_chain = "/run/credentials/kanidm.service/fullchain.pem";
#tls_key = "/run/credentials/kanidm.service/key.pem";
tls_chain = config.rekey.secrets."kanidm-self-signed.crt".path; tls_chain = config.rekey.secrets."kanidm-self-signed.crt".path;
tls_key = config.rekey.secrets."kanidm-self-signed.key".path; tls_key = config.rekey.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:8300"; bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
trust_x_forward_for = true; trust_x_forward_for = true;
}; };
}; };
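Review bot: With `bindaddress` now on the proxy-sentinel WireGuard address, `trust_x_forward_for = true` makes kanidm accept a forwarded client IP from any peer that can reach port 8300 on that interface, not only the reverse proxy; unless the VM's firewall limits 8300 to the sentinel peer, another peer could spoof the source address that kanidm records in its audit log and uses for rate limiting. A comment stating that assumption next to the setting would help, e.g. `# Only the proxy-sentinel peer may reach this port; otherwise X-Forwarded-For is spoofable.` The `tls_chain`/`tls_key` still point at the self-signed pair, so whichever proxy now fronts this service needs to verify (or pin) that specific certificate instead of disabling upstream verification, which is not visible in this diff. The enclosing kanidm/microvm definition begins above the hunk, and since the host-side `extra.wireguard.proxy-sentinel.server` block is removed earlier in this file, the `config.extra.wireguard.proxy-sentinel.ipv4` the VM reads must be defined elsewhere — worth confirming it still evaluates.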


@ -84,6 +84,12 @@ in {
}; };
linkConfig.RequiredForOnline = "routable"; linkConfig.RequiredForOnline = "routable";
}; };
# Remaining macvtap interfaces should not be touched.
"90-macvtap-ignore" = {
matchConfig.Kind = "macvtap";
linkConfig.ActivationPolicy = "manual";
linkConfig.Unmanaged = "yes";
};
}; };
# TODO mkForce nftables # TODO mkForce nftables