refactor: major refactor into proper reusable modules. No logical changes.

This commit is contained in:
oddlama 2023-06-29 00:27:54 +02:00
parent 04872f6ec5
commit 84ac34cb6c
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
80 changed files with 761 additions and 776 deletions


@ -17,5 +17,5 @@ in {
reloadServices = ["nginx"];
};
};
extra.acme.wildcardDomains = acme.domains;
security.acme.wildcardDomains = acme.domains;
}
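Review bot: `security.acme.wildcardDomains` on the new line puts a repo-local option inside the upstream NixOS `security.acme` namespace, beside `security.acme.certs` and `security.acme.defaults`, so a reader of this host file cannot tell it is not an upstream setting, and a future upstream option of the same name would make evaluation fail with a duplicate-declaration error. A one-line comment would make the ownership explicit, e.g. `# repo-local option declared in ../../modules, not an upstream security.acme setting`, or the option could stay under a clearly repo-owned prefix. The enclosing attribute set starts before the hunk.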


@ -4,32 +4,32 @@
...
}: {
imports = [
../common/core
../common/hardware/hetzner-cloud.nix
../common/bios-boot.nix
../common/initrd-ssh.nix
../common/zfs.nix
../../modules/optional/hardware/hetzner-cloud.nix
./fs.nix
./net.nix
../../modules
../../modules/optional/boot-bios.nix
../../modules/optional/initrd-ssh.nix
../../modules/optional/zfs.nix
./acme.nix
./fs.nix
./net.nix
./oauth2.nix
];
users.groups.acme.members = ["nginx"];
services.nginx.enable = true;
extra.promtail = {
meta.promtail = {
enable = true;
proxy = "sentinel";
};
# Connect safely via wireguard to skip authentication
networking.hosts.${config.extra.wireguard.proxy-sentinel.ipv4} = [config.providedDomains.influxdb];
extra.telegraf = {
networking.hosts.${config.meta.wireguard.proxy-sentinel.ipv4} = [config.networking.providedDomains.influxdb];
meta.telegraf = {
enable = true;
influxdb2.domain = config.providedDomains.influxdb;
influxdb2.domain = config.networking.providedDomains.influxdb;
influxdb2.organization = "servers";
influxdb2.bucket = "telegraf";
};
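Review bot: The renamed `meta.promtail`, `meta.telegraf` and `meta.wireguard.proxy-sentinel` options now sit under `meta`, a prefix the NixOS module system already uses for module metadata (`meta.maintainers`, `meta.doc`), so the name no longer signals "repo-local" and any later upstream addition under that prefix would collide with these declarations. The `networking.hosts` pin on the new line is the only thing steering telegraf's influxdb traffic into the tunnel, and the comment above it ("skip authentication") implies the endpoint trusts WireGuard-sourced connections; that trust presumably lives in sentinel's configuration, so it is worth stating here which side enforces it, e.g. extending the comment to `# Resolve the influxdb domain to sentinel's wireguard address so telegraf only reaches it through the tunnel; access control for that path is enforced on sentinel` (confirm against sentinel's influxdb/nginx config). The enclosing attribute set continues past the hunk.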


@ -52,7 +52,7 @@
};
};
extra.wireguard.proxy-sentinel.server = {
meta.wireguard.proxy-sentinel.server = {
host = config.networking.fqdn;
port = 51443;
reservedAddresses = ["10.43.0.0/24" "fd00:43::/120"];


@ -4,7 +4,7 @@
pkgs,
...
}: {
extra.oauth2_proxy = {
meta.oauth2_proxy = {
enable = true;
cookieDomain = config.repo.secrets.local.personalDomain;
portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}";
@ -22,15 +22,15 @@
in {
provider = "oidc";
scope = "openid email";
loginURL = "https://${config.providedDomains.kanidm}/ui/oauth2";
redeemURL = "https://${config.providedDomains.kanidm}/oauth2/token";
validateURL = "https://${config.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
loginURL = "https://${config.networking.providedDomains.kanidm}/ui/oauth2";
redeemURL = "https://${config.networking.providedDomains.kanidm}/oauth2/token";
validateURL = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}/userinfo";
clientID = clientId;
keyFile = config.age.secrets.oauth2-proxy-secret.path;
email.domains = ["*"];
extraConfig = {
oidc-issuer-url = "https://${config.providedDomains.kanidm}/oauth2/openid/${clientId}";
oidc-issuer-url = "https://${config.networking.providedDomains.kanidm}/oauth2/openid/${clientId}";
provider-display-name = "Kanidm";
#skip-provider-button = true;
};