refactor: ward microvms are now own folders

This commit is contained in:
oddlama 2023-06-12 00:23:07 +02:00
parent 3f19475eda
commit dfe1abdfde
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
4 changed files with 258 additions and 291 deletions


@ -36,8 +36,8 @@
}; };
in { in {
kanidm = defaults; kanidm = defaults;
grafana = defaultsa; grafana = defaults;
loki = defaults loki = defaults;
}; };
#ddclient = defineVm; #ddclient = defineVm;


@ -1,125 +1,114 @@
{ {
extra.microvms.vms.grafana = { config,
system = "x86_64-linux"; lib,
autostart = true; nodeName,
zfs = { nodes,
enable = true; utils,
pool = "rpool"; ...
}: {
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
networking.nftables.firewall = {
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [3001];
};
}; };
}; };
microvm.vms.grafana.config = { age.secrets.grafana-secret-key = {
config, rekeyFile = ./secrets/grafana-secret-key.age;
lib, mode = "440";
nodeName, group = "grafana";
nodes,
utils,
...
}: {
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
networking.nftables.firewall = {
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [3001];
};
};
};
age.secrets.grafana-secret-key = {
rekeyFile = ./secrets/grafana-secret-key.age;
mode = "440";
group = "grafana";
};
age.secrets.loki-basic-auth-password = {
rekeyFile = ./secrets/loki-basic-auth-password.age;
generator = "alnum";
mode = "440";
group = "grafana";
};
services.grafana = {
enable = true;
settings = {
analytics.reporting_enabled = false;
users.allow_sign_up = false;
server = {
domain = nodes.sentinel.config.proxiedDomains.grafana;
root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
enforce_domain = true;
enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
http_port = 3001;
};
security = {
disable_initial_admin_creation = true;
secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
cookie_secure = true;
disable_gravatar = true;
hide_version = true;
};
auth.disable_login_form = true;
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
icon = "signin";
allow_sign_up = true;
auto_login = true;
client_id = "grafana";
#client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
scopes = "openid email profile";
login_attribute_path = "prefered_username";
auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
use_pkce = true;
# Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true;
role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
};
};
provision = {
enable = true;
datasources.settings.datasources = [
#{
# name = "Prometheus";
# type = "prometheus";
# url = "http://127.0.0.1:9090";
# orgId = 1;
#}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
orgId = 1;
basicAuth = true;
basicAuthUser = nodeName;
secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
}
];
};
};
systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
}; };
age.secrets.loki-basic-auth-password = {
rekeyFile = ./secrets/loki-basic-auth-password.age;
generator = "alnum";
mode = "440";
group = "grafana";
};
services.grafana = {
enable = true;
settings = {
analytics.reporting_enabled = false;
users.allow_sign_up = false;
server = {
domain = nodes.sentinel.config.proxiedDomains.grafana;
root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
enforce_domain = true;
enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
http_port = 3001;
};
security = {
disable_initial_admin_creation = true;
secret_key = "$__file{${config.age.secrets.grafana-secret-key.path}}";
cookie_secure = true;
disable_gravatar = true;
hide_version = true;
};
auth.disable_login_form = true;
"auth.generic_oauth" = {
enabled = true;
name = "Kanidm";
icon = "signin";
allow_sign_up = true;
auto_login = true;
client_id = "grafana";
#client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
scopes = "openid email profile";
login_attribute_path = "prefered_username";
auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
use_pkce = true;
# Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true;
role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
};
};
provision = {
enable = true;
datasources.settings.datasources = [
#{
# name = "Prometheus";
# type = "prometheus";
# url = "http://127.0.0.1:9090";
# orgId = 1;
#}
{
name = "Loki";
type = "loki";
access = "proxy";
url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
orgId = 1;
basicAuth = true;
basicAuthUser = nodeName;
secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
}
];
};
};
systemd.services.grafana.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
} }
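Review bot: The OAuth client secret on the new side is still a plaintext literal (`client_secret = "r6Yk5PP…"`, marked `# TODO temporary test`) while the age-managed form directly above it stays commented out; even a throwaway value is now in git history and, since Grafana settings are rendered into a store path, most likely readable on disk, so it should go back to `client_secret = "$__file{${config.age.secrets.grafana-oauth-client-secret.path}}";` with a matching `age.secrets.grafana-oauth-client-secret` entry (mode `"440"`, group `"grafana"` like the two existing secrets) and the client secret rotated in Kanidm. Separately, `login_attribute_path = "prefered_username"` looks like a misspelling of the standard OIDC claim `preferred_username`; if Kanidm emits the standard spelling, Grafana will silently fall back to another identifier for the login name, which is worth confirming against a userinfo response before relying on the role mapping. The zone/rule block at the top is repeated verbatim in the kanidm and loki VM files with only the port differing, so the `# TODO this as includable module?` remark from kanidm.nix applies here as well.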


@ -1,81 +1,70 @@
{ {
extra.microvms.vms.kanidm = { config,
system = "x86_64-linux"; lib,
autostart = true; nodes,
zfs = { pkgs,
enable = true; utils,
pool = "rpool"; ...
}: {
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
# TODO this as includable module?
networking.nftables.firewall = {
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [8300];
};
}; };
}; };
microvm.vms.kanidm.config = { age.secrets."kanidm-self-signed.crt" = {
config, rekeyFile = ./secrets/kanidm-self-signed.crt.age;
lib, mode = "440";
nodes, group = "kanidm";
pkgs,
utils,
...
}: {
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
# TODO this as includable module?
networking.nftables.firewall = {
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [8300];
};
};
};
age.secrets."kanidm-self-signed.crt" = {
rekeyFile = ./secrets/kanidm-self-signed.crt.age;
mode = "440";
group = "kanidm";
};
age.secrets."kanidm-self-signed.key" = {
rekeyFile = ./secrets/kanidm-self-signed.key.age;
mode = "440";
group = "kanidm";
};
services.kanidm = {
enableServer = true;
# enablePAM = true;
serverSettings = {
domain = nodes.sentinel.config.proxiedDomains.kanidm;
origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
trust_x_forward_for = true;
};
};
environment.systemPackages = [pkgs.kanidm];
services.kanidm = {
enableClient = true;
clientSettings = {
uri = config.services.kanidm.serverSettings.origin;
verify_ca = true;
verify_hostnames = true;
};
};
systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
}; };
age.secrets."kanidm-self-signed.key" = {
rekeyFile = ./secrets/kanidm-self-signed.key.age;
mode = "440";
group = "kanidm";
};
services.kanidm = {
enableServer = true;
# enablePAM = true;
serverSettings = {
domain = nodes.sentinel.config.proxiedDomains.kanidm;
origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
trust_x_forward_for = true;
};
};
environment.systemPackages = [pkgs.kanidm];
services.kanidm = {
enableClient = true;
clientSettings = {
uri = config.services.kanidm.serverSettings.origin;
verify_ca = true;
verify_hostnames = true;
};
};
systemd.services.kanidm.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
} }
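Review bot: `trust_x_forward_for = true` in `serverSettings` makes Kanidm take the client address from a proxy header, which is only safe because the `sentinel-to-local` rule above restricts TCP 8300 to the sentinel zone; that dependency is implicit and deserves a comment next to the setting, e.g. `# Only safe because the nftables rules above admit port 8300 solely from sentinel; any other peer could spoof X-Forwarded-For and defeat anything keyed on the client address.` The `# TODO this as includable module?` remark is still open: the zones and rules are duplicated byte-for-byte in the grafana and loki VMs with only the port changing, and a shared module taking the port as an argument would keep the three firewalls from drifting apart. Also, the self-signed `tls_chain`/`tls_key` pair covers only the sentinel-to-kanidm hop, while `clientSettings` points `uri` at the public `origin` with `verify_ca = true`, so this presumes sentinel terminates TLS with a certificate the VM trusts — worth confirming.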


@ -1,113 +1,102 @@
{ {
extra.microvms.vms.loki = { config,
system = "x86_64-linux"; lib,
autostart = true; nodes,
zfs = { utils,
enable = true; ...
pool = "rpool"; }: {
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
extra.wireguard.proxy-sentinel.client.via = "sentinel";
networking.nftables.firewall = {
zones = lib.mkForce {
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
};
rules = lib.mkForce {
sentinel-to-local = {
from = ["sentinel"];
to = ["local"];
allowedTCPPorts = [3100];
};
}; };
}; };
microvm.vms.loki.config = { services.loki = let
config, lokiDir = "/var/lib/loki";
lib, in {
nodes, enable = true;
utils, configuration = {
... analytics.reporting_enabled = false;
}: { auth_enabled = false;
age.rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
extra.wireguard.proxy-sentinel.client.via = "sentinel"; server = {
http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
networking.nftables.firewall = { http_listen_port = 3100;
zones = lib.mkForce { log_level = "warn";
proxy-sentinel.interfaces = ["proxy-sentinel"];
sentinel = {
parent = "proxy-sentinel";
ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
};
}; };
rules = lib.mkForce { ingester = {
sentinel-to-local = { lifecycler = {
from = ["sentinel"]; interface_names = ["proxy-sentinel"];
to = ["local"]; ring = {
allowedTCPPorts = [3100]; kvstore.store = "inmemory";
replication_factor = 1;
};
final_sleep = "0s";
}; };
chunk_idle_period = "5m";
chunk_retain_period = "30s";
}; };
};
services.loki = let schema_config.configs = [
lokiDir = "/var/lib/loki"; {
in { from = "2023-06-01";
enable = true; store = "tsdb";
configuration = { object_store = "filesystem";
analytics.reporting_enabled = false; schema = "v12";
auth_enabled = false; index = {
prefix = "index_";
server = { period = "24h";
http_listen_address = config.extra.wireguard.proxy-sentinel.ipv4;
http_listen_port = 3100;
log_level = "warn";
};
ingester = {
lifecycler = {
interface_names = ["proxy-sentinel"];
ring = {
kvstore.store = "inmemory";
replication_factor = 1;
};
final_sleep = "0s";
}; };
chunk_idle_period = "5m"; }
chunk_retain_period = "30s"; ];
};
schema_config.configs = [ storage_config = {
{ tsdb_shipper = {
from = "2023-06-01"; active_index_directory = "${lokiDir}/tsdb-index";
store = "tsdb"; cache_location = "${lokiDir}/tsdb-cache";
object_store = "filesystem"; cache_ttl = "24h";
schema = "v12";
index = {
prefix = "index_";
period = "24h";
};
}
];
storage_config = {
tsdb_shipper = {
active_index_directory = "${lokiDir}/tsdb-index";
cache_location = "${lokiDir}/tsdb-cache";
cache_ttl = "24h";
shared_store = "filesystem";
};
filesystem.directory = "${lokiDir}/chunks";
};
# Do not accept new logs that are ingressed when they are actually already old.
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
# Do not delete old logs automatically
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = lokiDir;
shared_store = "filesystem"; shared_store = "filesystem";
compactor_ring.kvstore.store = "inmemory";
}; };
filesystem.directory = "${lokiDir}/chunks";
};
# Do not accept new logs that are ingressed when they are actually already old.
limits_config = {
reject_old_samples = true;
reject_old_samples_max_age = "168h";
};
# Do not delete old logs automatically
table_manager = {
retention_deletes_enabled = false;
retention_period = "0s";
};
compactor = {
working_directory = lokiDir;
shared_store = "filesystem";
compactor_ring.kvstore.store = "inmemory";
}; };
}; };
systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
}; };
systemd.services.loki.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
} }
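Review bot: `auth_enabled = false` leaves Loki's push and query endpoints on the `proxy-sentinel` address at port 3100 without any authentication of their own; the only thing standing in for it is the `sentinel-to-local` nftables rule plus whatever basic auth sentinel enforces in front of `proxiedDomains.loki` (the grafana VM sends `basicAuthUser = nodeName` for exactly that), and none of this is stated here. Add a comment on that line such as `# No Loki-side auth: port 3100 is reachable only from sentinel (see the firewall rules above), which enforces basic auth for the public hostname.` so a later edit to the firewall does not quietly expose an unauthenticated log sink. Minor: `compactor.working_directory = lokiDir` points at the same root that holds `chunks/` and `tsdb-index/`; a dedicated subdirectory such as `"${lokiDir}/compactor"` is the usual choice to keep the compactor's scratch files apart from the stores.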