feat: move some services to other domain

oddlama 2024-03-12 19:40:09 +01:00
parent fcc159ed12
commit dfe0345888
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
15 changed files with 31 additions and 38 deletions


@ -5,8 +5,7 @@
pkgs,
...
}: let
sentinelCfg = nodes.sentinel.config;
adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
@ -81,8 +80,8 @@ in {
# wireguard address for influxdb
rewrites = [
{
domain = sentinelCfg.networking.providedDomains.influxdb;
answer = sentinelCfg.repo.secrets.local.personalDomain;
domain = nodes.sentinel.config.networking.providedDomains.influxdb;
answer = config.repo.secrets.global.domains.me;
}
];
filters = [
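Review bot: The changed rewrite line `domain = nodes.sentinel.config.networking.providedDomains.influxdb;` spells out `nodes.sentinel.config` while the first hunk still shows the `sentinelCfg = nodes.sentinel.config;` binding without a visible marker; if that binding survives the commit the new line should reuse it (`domain = sentinelCfg.networking.providedDomains.influxdb;`), and if it was dropped, the first hunk's counts (8 old, 7 new) suggest one removed line is not rendered here, so the page alone cannot settle which. Separately, the pre-existing `# wireguard address for influxdb` comment now sits over an entry whose `answer` is the `domains.me` domain name rather than an address, so it is worth re-checking that comment while touching this block. The enclosing attribute set continues past the hunk.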


@ -6,8 +6,7 @@
...
}: let
sentinelCfg = nodes.sentinel.config;
# XXX: other domain on other proxy?
forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.forgejo.settings.server.HTTP_PORT
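Review bot: The `# XXX: other domain on other proxy?` comment directly above the changed `forgejoDomain` line is now only half-answered: the domain has moved to `domains.me`, but the service is still proxied through sentinel (`meta.wireguard-proxy.sentinel.allowedTCPPorts` two lines below). Either resolve the question in this commit or reword the comment so it matches the new state, e.g. `# XXX: domain moved to domains.me; still proxied via sentinel — revisit whether a different proxy is wanted`. The `let` body and the attribute set continue outside the hunk.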


@ -3,9 +3,9 @@
nodes,
...
}: let
inherit (sentinelCfg.repo.secrets.local) personalDomain;
inherit (config.repo.secrets.global) domains;
sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${personalDomain}";
kanidmDomain = "auth.${domains.me}";
kanidmPort = 8300;
in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@ -122,24 +122,29 @@ in {
displayName = "Immich";
originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
preferShortUsername = true;
# XXX: PKCE is currently not supported by immich
allowInsecureClientDisablePkce = true;
scopeMaps."immich.access" = ["openid" "email" "profile"];
};
# Grafana
groups."grafana.access" = {};
groups."grafana.admins" = {};
groups."grafana.editors" = {};
groups."grafana.admins" = {};
groups."grafana.server-admins" = {};
systems.oauth2.grafana = {
displayName = "Grafana";
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
scopeMaps."grafana.access" = ["openid" "email" "profile"];
# FIXME: use new group claims k thx
supplementaryScopeMaps = {
"grafana.admins" = ["admin"];
"grafana.editors" = ["editor"];
"grafana.server-admins" = ["server_admin"];
claimMaps.groups = {
joinType = "array";
valuesByGroup = {
"grafana.editors" = ["editor"];
"grafana.admins" = ["admin"];
"grafana.server-admins" = ["server_admin"];
};
};
};
@ -167,7 +172,7 @@ in {
groups."web-sentinel.influxdb" = {};
systems.oauth2.web-sentinel = {
displayName = "Web Sentinel";
originUrl = "https://oauth2.${personalDomain}/";
originUrl = "https://oauth2.${domains.me}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
scopeMaps."web-sentinel.access" = ["openid" "email"];
claimMaps.groups = {
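Review bot: Replacing `supplementaryScopeMaps` with `claimMaps.groups` in the Grafana block changes how roles reach Grafana — they now arrive as values inside a `groups` claim instead of as the `admin`/`editor`/`server_admin` scopes — and nothing in this hunk shows the Grafana side being updated to read that claim. Unless Grafana's `role_attribute_path` (ideally with `role_attribute_strict = true`) is adjusted in the same commit to map the `groups` claim, members of `grafana.admins` silently receive whatever default role Grafana is configured with, so it is worth confirming the corresponding change exists outside this file. The `groups."grafana.admins" = {};` line appears twice in the rendered hunk, which reads as a reorder rather than a duplicate, but the resulting file should be checked to contain it once. The `originUrl` change to `https://oauth2.${domains.me}/` in the last hunk is the value Kanidm validates redirect targets against, so the proxy's callback URL has to move at the same time; the `web-sentinel` block continues past the hunk.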


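--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -1,10 +1,5 @@
-{
-config,
-nodes,
-...
-}: let
-sentinelCfg = nodes.sentinel.config;
-radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+{config, ...}: let
+radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 8000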
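Review bot: Nothing in this file records why radicale binds to `domains.personal` while the adguardhome, forgejo and kanidm files in the same commit switch to `domains.me`; a one-line comment above `radicaleDomain` such as `# intentionally on domains.personal rather than domains.me (see sibling services)` would keep the split from looking accidental to the next reader. The attribute set continues past this hunk.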


@ -1,11 +1,9 @@
{
config,
lib,
nodes,
...
}: let
sentinelCfg = nodes.sentinel.config;
vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.vaultwarden.config.rocketPort