sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: move some services to other domain

Browse source
This commit is contained in:
oddlama 2024-03-12 19:40:09 +01:00
parent fcc159ed12
commit dfe0345888
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
15 changed files with 31 additions and 38 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/sentinel/net.nix
View file

@ -1,6 +1,6 @@
{config, ...}: { {config, ...}: {
networking.hostId = config.repo.secrets.local.networking.hostId; networking.hostId = config.repo.secrets.local.networking.hostId;
networking.domain = config.repo.secrets.local.personalDomain; networking.domain = config.repo.secrets.global.domains.me;
# Forwarding required for forgejo 9922->22 # Forwarding required for forgejo 9922->22
boot.kernel.sysctl."net.ipv4.ip_forward" = 1; boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

4
hosts/sentinel/oauth2.nix
View file

@ -5,8 +5,8 @@
}: { }: {
meta.oauth2_proxy = { meta.oauth2_proxy = {
enable = true; enable = true;
cookieDomain = config.repo.secrets.local.personalDomain; cookieDomain = config.repo.secrets.global.domains.me;
portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}"; portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
# TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services") # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
}; };

BIN
hosts/sentinel/secrets/local.nix.age
View file

Binary file not shown.

4
hosts/sire/guests/grafana.nix
View file

@ -4,7 +4,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}"; grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port]; meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
@ -124,7 +124,7 @@ in {
use_pkce = true; use_pkce = true;
# Allow mapping oauth2 roles to server admin # Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true; allow_assign_grafana_admin = true;
role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'"; role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
}; };
}; };

5
hosts/sire/guests/immich.nix
View file

@ -5,7 +5,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
immichDomain = "immich.${sentinelCfg.repo.secrets.local.personalDomain}"; immichDomain = "immich.${config.repo.secrets.global.domains.me}";
ipImmichMachineLearning = "10.89.0.10"; ipImmichMachineLearning = "10.89.0.10";
ipImmichMicroservices = "10.89.0.11"; ipImmichMicroservices = "10.89.0.11";
@ -74,9 +74,6 @@
lightStyle = ""; lightStyle = "";
}; };
newVersionCheck.enabled = true; newVersionCheck.enabled = true;
# XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
# kanidm system oauth2 warning-insecure-client-disable-pkce immich
# kanidm system oauth2 warning-enable-legacy-crypto immich
oauth = rec { oauth = rec {
enabled = true; enabled = true;
autoLaunch = false; autoLaunch = false;

2
hosts/sire/guests/influxdb.nix
View file

@ -6,7 +6,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}"; influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
influxdbPort = 8086; influxdbPort = 8086;
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort]; meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort];

2
hosts/sire/guests/loki.nix
View file

@ -4,7 +4,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}"; lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port]; meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];

2
hosts/sire/guests/paperless.nix
View file

@ -5,7 +5,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}"; paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}";
paperlessBackupDir = "/var/cache/paperless-backup"; paperlessBackupDir = "/var/cache/paperless-backup";
in { in {
microvm.mem = 1024 * 9; microvm.mem = 1024 * 9;

7
hosts/ward/guests/adguardhome.nix
View file

@ -5,8 +5,7 @@
pkgs, pkgs,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port]; meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
@ -81,8 +80,8 @@ in {
# wireguard address for influxdb # wireguard address for influxdb
rewrites = [ rewrites = [
{ {
domain = sentinelCfg.networking.providedDomains.influxdb; domain = nodes.sentinel.config.networking.providedDomains.influxdb;
answer = sentinelCfg.repo.secrets.local.personalDomain; answer = config.repo.secrets.global.domains.me;
} }
]; ];
filters = [ filters = [

3
hosts/ward/guests/forgejo.nix
View file

@ -6,8 +6,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
# XXX: other domain on other proxy? forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.forgejo.settings.server.HTTP_PORT config.services.forgejo.settings.server.HTTP_PORT

19
hosts/ward/guests/kanidm.nix
View file

@ -3,9 +3,9 @@
nodes, nodes,
... ...
}: let }: let
inherit (sentinelCfg.repo.secrets.local) personalDomain; inherit (config.repo.secrets.global) domains;
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${personalDomain}"; kanidmDomain = "auth.${domains.me}";
kanidmPort = 8300; kanidmPort = 8300;
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort]; meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@ -122,26 +122,31 @@ in {
displayName = "Immich"; displayName = "Immich";
originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/"; originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path; basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
preferShortUsername = true;
# XXX: PKCE is currently not supported by immich
allowInsecureClientDisablePkce = true;
scopeMaps."immich.access" = ["openid" "email" "profile"]; scopeMaps."immich.access" = ["openid" "email" "profile"];
}; };
# Grafana # Grafana
groups."grafana.access" = {}; groups."grafana.access" = {};
groups."grafana.admins" = {};
groups."grafana.editors" = {}; groups."grafana.editors" = {};
groups."grafana.admins" = {};
groups."grafana.server-admins" = {}; groups."grafana.server-admins" = {};
systems.oauth2.grafana = { systems.oauth2.grafana = {
displayName = "Grafana"; displayName = "Grafana";
originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/"; originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path; basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
scopeMaps."grafana.access" = ["openid" "email" "profile"]; scopeMaps."grafana.access" = ["openid" "email" "profile"];
# FIXME: use new group claims k thx claimMaps.groups = {
supplementaryScopeMaps = { joinType = "array";
"grafana.admins" = ["admin"]; valuesByGroup = {
"grafana.editors" = ["editor"]; "grafana.editors" = ["editor"];
"grafana.admins" = ["admin"];
"grafana.server-admins" = ["server_admin"]; "grafana.server-admins" = ["server_admin"];
}; };
}; };
};
# Forgejo # Forgejo
groups."forgejo.access" = {}; groups."forgejo.access" = {};
@ -167,7 +172,7 @@ in {
groups."web-sentinel.influxdb" = {}; groups."web-sentinel.influxdb" = {};
systems.oauth2.web-sentinel = { systems.oauth2.web-sentinel = {
displayName = "Web Sentinel"; displayName = "Web Sentinel";
originUrl = "https://oauth2.${personalDomain}/"; originUrl = "https://oauth2.${domains.me}/";
basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path; basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
scopeMaps."web-sentinel.access" = ["openid" "email"]; scopeMaps."web-sentinel.access" = ["openid" "email"];
claimMaps.groups = { claimMaps.groups = {

9
hosts/ward/guests/radicale.nix
View file

@ -1,10 +1,5 @@
{ {config, ...}: let
config, radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
nodes,
...
}: let
sentinelCfg = nodes.sentinel.config;
radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
8000 8000

4
hosts/ward/guests/vaultwarden.nix
View file

@ -1,11 +1,9 @@
{ {
config, config,
lib, lib,
nodes,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [ meta.wireguard-proxy.sentinel.allowedTCPPorts = [
config.services.vaultwarden.config.rocketPort config.services.vaultwarden.config.rocketPort

2
hosts/zackbiene/home-assistant.nix
View file

@ -5,7 +5,7 @@
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}"; homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}";
in { in {
meta.wireguard-proxy.sentinel.allowedTCPPorts = [80]; meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];

BIN
secrets/global.nix.age
View file

Binary file not shown.