forked from mirrors_public/oddlama_nix-config
feat: finish migration to new globals system for wireguard
This commit is contained in:
oddlama
parent
b885d1062b
commit
a1623fb97c
29 changed files with 204 additions and 214 deletions
|
|
@ -10,10 +10,10 @@ in
|
|||
microvm.mem = 1024 * 16;
|
||||
microvm.vcpu = 20;
|
||||
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.open-webui.port ];
|
||||
};
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[
|
||||
config.services.open-webui.port
|
||||
];
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ config.services.ollama.port ];
|
||||
|
||||
|
|
|
|||
|
|
@ -80,21 +80,17 @@ let
|
|||
};
|
||||
in
|
||||
{
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[
|
||||
8080
|
||||
9000
|
||||
];
|
||||
};
|
||||
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
|
||||
[
|
||||
8080
|
||||
9000
|
||||
];
|
||||
};
|
||||
|
||||
globals.services.ente.domain = entePhotosDomain;
|
||||
# FIXME: also monitor from internal network
|
||||
|
|
|
|||
|
|
@ -9,19 +9,15 @@ let
|
|||
grafanaDomain = "grafana.${globals.domains.me}";
|
||||
in
|
||||
{
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[
|
||||
config.services.grafana.settings.server.http_port
|
||||
];
|
||||
};
|
||||
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
|
||||
[
|
||||
config.services.grafana.settings.server.http_port
|
||||
];
|
||||
};
|
||||
|
||||
age.secrets.grafana-secret-key = {
|
||||
rekeyFile = config.node.secretsDir + "/grafana-secret-key.age";
|
||||
|
|
|
|||
|
|
@ -19,14 +19,10 @@ in
|
|||
group = "immich";
|
||||
};
|
||||
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [ 2283 ];
|
||||
};
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ 2283 ];
|
||||
};
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[ 2283 ];
|
||||
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
|
||||
[ 2283 ];
|
||||
|
||||
globals.services.immich.domain = immichDomain;
|
||||
globals.monitoring.http.immich = {
|
||||
|
|
|
|||
|
|
@ -10,15 +10,10 @@ let
|
|||
influxdbPort = 8086;
|
||||
in
|
||||
{
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [ influxdbPort ];
|
||||
};
|
||||
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ influxdbPort ];
|
||||
};
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[ influxdbPort ];
|
||||
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
|
||||
[ influxdbPort ];
|
||||
|
||||
age.secrets.github-access-token = {
|
||||
rekeyFile = config.node.secretsDir + "/github-access-token.age";
|
||||
|
|
|
|||
|
|
@ -10,19 +10,15 @@ let
|
|||
lokiDomain = "loki.${globals.domains.me}";
|
||||
in
|
||||
{
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[
|
||||
config.services.loki.configuration.server.http_listen_port
|
||||
];
|
||||
};
|
||||
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
|
||||
[
|
||||
config.services.loki.configuration.server.http_listen_port
|
||||
];
|
||||
};
|
||||
|
||||
globals.services.loki.domain = lokiDomain;
|
||||
|
||||
|
|
|
|||
|
|
@ -350,14 +350,12 @@ in
|
|||
microvm.mem = 1024 * 24;
|
||||
microvm.vcpu = 16;
|
||||
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[
|
||||
80
|
||||
25565
|
||||
25566
|
||||
];
|
||||
};
|
||||
|
||||
users.groups.minecraft.members = [ "nginx" ];
|
||||
users.users.minecraft = {
|
||||
|
|
|
|||
|
|
@ -14,15 +14,15 @@ in
|
|||
microvm.mem = 1024 * 9;
|
||||
microvm.vcpu = 8;
|
||||
|
||||
wireguard.proxy-sentinel = {
|
||||
client.via = "sentinel";
|
||||
firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.paperless.port ];
|
||||
};
|
||||
globals.wireguard.proxy-sentinel.hosts.${config.node.name}.firewallRuleForNode.sentinel.allowedTCPPorts =
|
||||
[
|
||||
config.services.paperless.port
|
||||
];
|
||||
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.paperless.port ];
|
||||
};
|
||||
globals.wireguard.proxy-home.hosts.${config.node.name}.firewallRuleForNode.ward-web-proxy.allowedTCPPorts =
|
||||
[
|
||||
config.services.paperless.port
|
||||
];
|
||||
|
||||
globals.services.paperless.domain = paperlessDomain;
|
||||
# FIXME: also monitor from internal network
|
||||
|
|
|
|||
|
|
@ -27,7 +27,8 @@ let
|
|||
"create mask" = "0740";
|
||||
"directory mask" = "0750";
|
||||
"acl allow execute always" = "yes";
|
||||
} // cfg;
|
||||
}
|
||||
// cfg;
|
||||
};
|
||||
|
||||
mkGroupShares =
|
||||
|
|
@ -77,9 +78,6 @@ let
|
|||
);
|
||||
in
|
||||
{
|
||||
# For influxdb communication channel
|
||||
wireguard.proxy-home.client.via = "ward";
|
||||
|
||||
age.secrets."samba-passdb.tdb" = {
|
||||
rekeyFile = config.node.secretsDir + "/samba-passdb.tdb.age";
|
||||
mode = "600";
|
||||
|
|
@ -383,7 +381,8 @@ in
|
|||
|
||||
users.groups = {
|
||||
paperless.gid = config.ids.gids.paperless;
|
||||
} // lib.mapAttrs (_: cfg: { gid = cfg.id; }) (smbUsers // smbGroups);
|
||||
}
|
||||
// lib.mapAttrs (_: cfg: { gid = cfg.id; }) (smbUsers // smbGroups);
|
||||
|
||||
backups.storageBoxes.dusk = {
|
||||
subuser = "samba";
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue