sokai/mynixos-config
1
1
Fork 0
forked from mirrors_public/oddlama_nix-config
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: define registry for proxied domains

Browse source
This commit is contained in:
oddlama 2023-06-12 00:20:45 +02:00
parent 2c81b11696
commit e4199be809
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
3 changed files with 41 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

39
hosts/sentinel/caddy.nix
View file

@ -2,11 +2,10 @@
config, config,
lib, lib,
nodes, nodes,
nodeName,
pkgs, pkgs,
... ...
}: let }: {
inherit (config.repo.secrets.local) acme personalDomain;
in {
users.groups.acme.members = ["caddy"]; users.groups.acme.members = ["caddy"];
# TODO assertions = lib.flip lib.mapAttrsToList config.users.users # TODO assertions = lib.flip lib.mapAttrsToList config.users.users
@ -18,11 +17,8 @@ in {
age.secrets.loki-basic-auth-hashes = { age.secrets.loki-basic-auth-hashes = {
rekeyFile = ./secrets/loki-basic-auth-hashes.age; rekeyFile = ./secrets/loki-basic-auth-hashes.age;
generator = { generator = {
dependencies = [ # Dependencies are added by the nodes that define passwords using
# TODO allow defining these from other nodes like nodes.sentinel.age.secrets....dependenices = []; # distributed-config.
nodes.ward.config.age.secrets.loki-basic-auth-password
nodes.ward-grafana.config.age.secrets.loki-basic-auth-password
];
script = { script = {
pkgs, pkgs,
lib, lib,
@ -46,14 +42,7 @@ in {
group = "caddy"; group = "caddy";
}; };
services.caddy = let services.caddy = {
authDomain = nodes.ward-kanidm.config.services.kanidm.serverSettings.domain;
authPort = lib.last (lib.splitString ":" nodes.ward-kanidm.config.services.kanidm.serverSettings.bindaddress);
grafanaDomain = nodes.ward-grafana.config.services.grafana.settings.server.domain;
grafanaPort = toString nodes.ward-grafana.config.services.grafana.settings.server.http_port;
lokiDomain = "loki.${personalDomain}";
lokiPort = toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port;
in {
enable = true; enable = true;
package = pkgs.caddy.withPackages { package = pkgs.caddy.withPackages {
plugins = [ plugins = [
@ -122,12 +111,12 @@ in {
# -> have something like merged config nodes.<name>.... # -> have something like merged config nodes.<name>....
# -> needs to be in a way that doesn't trigger infinite recursion # -> needs to be in a way that doesn't trigger infinite recursion
virtualHosts.${authDomain} = { virtualHosts.${config.proxyDomains.kanidm} = {
useACMEHost = config.lib.extra.matchingWildcardCert authDomain; useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.kanidm;
extraConfig = '' extraConfig = ''
encode zstd gzip encode zstd gzip
reverse_proxy { reverse_proxy {
to https://${nodes.ward-kanidm.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort} to https://${nodes.ward-kanidm.config.extra.wireguard.proxy-sentinel.ipv4}:${lib.last (lib.splitString ":" nodes.ward-kanidm.config.services.kanidm.serverSettings.bindaddress)}
transport http { transport http {
tls_insecure_skip_verify tls_insecure_skip_verify
} }
@ -135,18 +124,18 @@ in {
''; '';
}; };
virtualHosts.${grafanaDomain} = { virtualHosts.${config.proxyDomains.grafana} = {
useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain; useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.grafana;
extraConfig = '' extraConfig = ''
encode zstd gzip encode zstd gzip
reverse_proxy { reverse_proxy {
to http://${nodes.ward-grafana.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort} to http://${nodes.ward-grafana.config.extra.wireguard.proxy-sentinel.ipv4}:${toString nodes.ward-grafana.config.services.grafana.settings.server.http_port}
} }
''; '';
}; };
virtualHosts.${lokiDomain} = { virtualHosts.${config.proxyDomains.loki} = {
useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain; useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.loki;
extraConfig = '' extraConfig = ''
encode zstd gzip encode zstd gzip
skip_log skip_log
@ -154,7 +143,7 @@ in {
import ${config.age.secrets.loki-basic-auth-hashes.path} import ${config.age.secrets.loki-basic-auth-hashes.path}
} }
reverse_proxy { reverse_proxy {
to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort} to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port}
} }
''; '';
}; };

2
hosts/sentinel/default.nix
View file

@ -12,6 +12,8 @@
./fs.nix ./fs.nix
./net.nix ./net.nix
./proxied-domains.nix
./acme.nix ./acme.nix
./caddy.nix ./caddy.nix
]; ];

25
hosts/sentinel/proxied-domains.nix Normal file
View file

@ -0,0 +1,25 @@
{
config,
lib,
...
}: let
inherit
(lib)
mkOption
types
;
inherit (config.repo.secrets.local) personalDomain;
in {
options.proxiedDomains = mkOption {
type = types.attrsOf types.str;
default = {};
description = "Registry of relevant proxied domains";
};
config.proxiedDomains = {
grafana = "grafana.${personalDomain}";
kanidm = "auth.${personalDomain}";
loki = "loki.${personalDomain}";
};
}