From f29318a5ac842c2eb96c47eea0cf45b194cb23d3 Mon Sep 17 00:00:00 2001 From: oddlama Date: Thu, 17 Aug 2023 17:10:14 +0200 Subject: [PATCH] feat: preferably bind to 0.0.0.0 in vms to remove issues with wireguard coming up late; also increase default vm memory to 2G --- hosts/ward/microvms/adguardhome.nix | 6 ++---- hosts/ward/microvms/forgejo.nix | 4 +--- hosts/ward/microvms/grafana.nix | 10 +++------- hosts/ward/microvms/influxdb.nix | 8 +++----- hosts/ward/microvms/kanidm.nix | 12 +++--------- hosts/ward/microvms/loki.nix | 10 +++------- hosts/ward/microvms/paperless.nix | 13 +++++-------- hosts/ward/microvms/vaultwarden.nix | 16 +++++++--------- modules/meta/microvms.nix | 3 +++ 9 files changed, 30 insertions(+), 52 deletions(-) diff --git a/hosts/ward/microvms/adguardhome.nix b/hosts/ward/microvms/adguardhome.nix index 48a6452..36e8647 100644 --- a/hosts/ward/microvms/adguardhome.nix +++ b/hosts/ward/microvms/adguardhome.nix @@ -3,7 +3,6 @@ lib, nodes, pkgs, - utils, ... }: let sentinelCfg = nodes.sentinel.config; @@ -16,7 +15,7 @@ in { services.nginx = { upstreams.adguardhome = { - servers."${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {}; extraConfig = '' zone adguardhome 64k; keepalive 2; @@ -46,7 +45,7 @@ in { # simpler sed dns.host_addr logic. mutableSettings = false; settings = { - bind_host = config.meta.wireguard.proxy-sentinel.ipv4; + bind_host = "0.0.0.0"; bind_port = 3000; dns = { bind_hosts = [ @@ -76,7 +75,6 @@ in { }; systemd.services.adguardhome = { - after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"]; preStart = lib.mkAfter '' INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+") sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml" 
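Review bot: `bind_host = "0.0.0.0"` makes the AdGuard Home admin UI on port 3000 listen on every interface of the VM, including the MACVTAP bridge to the host's network that modules/meta/microvms.nix attaches, whereas before it was reachable only on the proxy-sentinel WireGuard address. Unless the VM firewall (not visible in this patch) already closes 3000 on the other interfaces, LAN clients can reach the plaintext UI directly and bypass whatever nginx enforces in front of it. If the wildcard bind is the way to avoid ordering on WireGuard, pair it with a per-interface allow and keep the port closed elsewhere, e.g. `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];`. The `settings` attrset continues past the end of this hunk.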
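Review bot: Dropping the `after = [ ...wan.device ]` ordering is not covered by the commit's WireGuard rationale: the `preStart` just below reads the IPv4 address of `wan`, not of the WireGuard interface, so adguardhome may now start before `wan` has an address. In that case `INTERFACE_ADDR` is empty and the `sed` rewrites the `123.123.123.123` placeholder to an empty `bind_hosts` entry, which AdGuard Home will presumably refuse or misinterpret. Either keep the `wan` device dependency (which needs `utils` back in the module arguments) or make the preStart fail fast so systemd's restart loop retries: `[[ -n "$INTERFACE_ADDR" ]] || { echo "wan has no IPv4 address yet" >&2; exit 1; }`. The `systemd.services.adguardhome` block continues outside the hunk.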
diff --git a/hosts/ward/microvms/forgejo.nix b/hosts/ward/microvms/forgejo.nix index 14755ee..285e48d 100644 --- a/hosts/ward/microvms/forgejo.nix +++ b/hosts/ward/microvms/forgejo.nix @@ -3,7 +3,6 @@ lib, nodes, pkgs, - utils, ... }: let sentinelCfg = nodes.sentinel.config; @@ -101,7 +100,7 @@ in { ENABLE_PUSH_CREATE_ORG = true; }; server = { - HTTP_ADDR = config.meta.wireguard.proxy-sentinel.ipv4; + HTTP_ADDR = "0.0.0.0"; HTTP_PORT = 3000; DOMAIN = forgejoDomain; ROOT_URL = "https://${forgejoDomain}/"; @@ -126,7 +125,6 @@ in { }; systemd.services.gitea = { - after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; serviceConfig.RestartSec = "600"; # Retry every 10 minutes #preStart = let # exe = lib.getExe config.services.gitea.package; diff --git a/hosts/ward/microvms/grafana.nix b/hosts/ward/microvms/grafana.nix index 1b3af52..b017682 100644 --- a/hosts/ward/microvms/grafana.nix +++ b/hosts/ward/microvms/grafana.nix @@ -2,7 +2,6 @@ config, lib, nodes, - utils, ... }: let sentinelCfg = nodes.sentinel.config; @@ -58,7 +57,7 @@ in { services.nginx = { upstreams.grafana = { - servers."${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {}; extraConfig = '' zone grafana 64k; keepalive 2; @@ -86,7 +85,7 @@ in { root_url = "https://${grafanaDomain}"; enforce_domain = true; enable_gzip = true; - http_addr = config.meta.wireguard.proxy-sentinel.ipv4; + http_addr = "0.0.0.0"; http_port = 3001; }; @@ -149,8 +148,5 @@ in { }; }; - systemd.services.grafana = { - after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; - serviceConfig.RestartSec = "600"; # Retry every 10 minutes - }; + systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes } 
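Review bot: `HTTP_ADDR = "0.0.0.0"` exposes Forgejo's HTTP listener on port 3000 on every VM interface, including the MACVTAP bridge onto the host's network declared in modules/meta/microvms.nix, not just the proxy-sentinel WireGuard address nginx still uses as upstream. Direct access skips TLS termination and any access control done in nginx. If the firewall (not shown here) does not already pin 3000 to the WireGuard interface, add `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [3000];` (or reference the `HTTP_PORT` option) and leave the port closed on other interfaces. The `server` attrset continues beyond this hunk.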
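Review bot: `http_addr = "0.0.0.0"` puts Grafana's port 3001 on all VM interfaces, and the `enforce_domain = true` two lines above is not a substitute for restricting reachability — it only rejects or redirects requests whose Host header does not match `grafanaDomain`, so a LAN-side client on the MACVTAP bridge can still talk to the listener directly. If the firewall does not already limit 3001 to the WireGuard link, add `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];` alongside this change. The `settings.server` attrset closes inside the hunk, so the change is otherwise self-contained.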
diff --git a/hosts/ward/microvms/influxdb.nix b/hosts/ward/microvms/influxdb.nix index d347330..e6b2689 100644 --- a/hosts/ward/microvms/influxdb.nix +++ b/hosts/ward/microvms/influxdb.nix @@ -2,7 +2,6 @@ config, lib, nodes, - utils, pkgs, ... }: let @@ -18,7 +17,7 @@ in { services.nginx = { upstreams.influxdb = { - servers."${config.services.influxdb2.settings.http-bind-address}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {}; extraConfig = '' zone influxdb 64k; keepalive 2; @@ -74,7 +73,7 @@ in { enable = true; settings = { reporting-disabled = true; - http-bind-address = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}"; + http-bind-address = "0.0.0.0:${toString influxdbPort}"; }; provision = { enable = true; @@ -100,6 +99,5 @@ in { environment.systemPackages = [pkgs.influxdb2-cli]; - # Do NOT configure RestartSec here, this must be left short to allow token manipulation - systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; + systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes } diff --git a/hosts/ward/microvms/kanidm.nix b/hosts/ward/microvms/kanidm.nix index 08416e7..00c9473 100644 --- a/hosts/ward/microvms/kanidm.nix +++ b/hosts/ward/microvms/kanidm.nix @@ -3,7 +3,6 @@ lib, nodes, pkgs, - utils, ... }: let sentinelCfg = nodes.sentinel.config; @@ -29,7 +28,7 @@ in { services.nginx = { upstreams.kanidm = { - servers."${config.services.kanidm.serverSettings.bindaddress}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {}; extraConfig = '' zone kanidm 64k; keepalive 2; 
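Review bot: The new line `systemd.services.grafana.serviceConfig.RestartSec = "600";` in influxdb.nix targets a `grafana` unit this file does not define, while the removed comment warned that RestartSec must NOT be lengthened for influxdb2 because token manipulation relies on quick restarts. This looks like a copy/paste of the grafana.nix line; it is harmless as written but misleading, and "fixing" it to `influxdb2` would reintroduce the problem the comment guarded against. Suggest dropping the line and restoring the comment: `# Do NOT configure RestartSec here, this must be left short to allow token manipulation`. Separately, `http-bind-address = "0.0.0.0:..."` now exposes the token-authenticated InfluxDB API on the MACVTAP bridge as well; restrict it with `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [influxdbPort];` unless the firewall already does so.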
@@ -56,7 +55,7 @@ in { origin = "https://${kanidmDomain}"; tls_chain = config.age.secrets."kanidm-self-signed.crt".path; tls_key = config.age.secrets."kanidm-self-signed.key".path; - bindaddress = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}"; + bindaddress = "0.0.0.0:${toString kanidmPort}"; trust_x_forward_for = true; }; }; @@ -72,10 +71,5 @@ in { }; }; - systemd.services.kanidm = { - # TODO this doesn't suffice, percieved 1 in 50 this fails because kanidm starts too soon, - # a requiredforonline might be necessary - after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; - serviceConfig.RestartSec = "60"; # Retry every minute - }; + systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute } diff --git a/hosts/ward/microvms/loki.nix b/hosts/ward/microvms/loki.nix index 8ab86ab..d7c6a88 100644 --- a/hosts/ward/microvms/loki.nix +++ b/hosts/ward/microvms/loki.nix @@ -2,7 +2,6 @@ config, lib, nodes, - utils, ... }: let sentinelCfg = nodes.sentinel.config; @@ -21,7 +20,7 @@ in { services.nginx = { upstreams.loki = { - servers."${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {}; extraConfig = '' zone loki 64k; keepalive 2; @@ -63,7 +62,7 @@ in { auth_enabled = false; server = { - http_listen_address = config.meta.wireguard.proxy-sentinel.ipv4; + http_listen_address = "0.0.0.0"; http_listen_port = 3100; log_level = "warn"; }; @@ -124,8 +123,5 @@ in { }; }; - systemd.services.loki = { - after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; - serviceConfig.RestartSec = "600"; # Retry every 10 minutes - }; + systemd.services.loki.serviceConfig.RestartSec = "600"; # Retry every 10 minutes } 
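Review bot: Combining `bindaddress = "0.0.0.0:${toString kanidmPort}"` with the `trust_x_forward_for = true` on the next line means kanidm now honours X-Forwarded-For from any client that can reach the port directly, not only from nginx over the WireGuard link; a client on the MACVTAP bridge to the host's network can spoof its source address for kanidm's audit logs and any IP-based throttling. Previously the WireGuard-only bind made that trust reasonable. Unless the firewall already restricts the port, pin it to the proxy interface with `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [kanidmPort];`, or drop `trust_x_forward_for` if direct access is intended. The `serverSettings` attrset closes within the hunk.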
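Review bot: The replacement line `systemd.services.grafana.serviceConfig.RestartSec = "60";` targets grafana, which kanidm.nix does not define; the block it replaces configured `systemd.services.kanidm`, so kanidm silently loses its 60 s restart delay and a phantom grafana override is created instead. This looks like a copy/paste slip: `systemd.services.kanidm.serviceConfig.RestartSec = "60"; # Retry every minute`. The removed TODO about kanidm starting too soon is plausibly resolved by the wildcard bind, but that is worth stating in the commit message rather than deleting without comment.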
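Review bot: `http_listen_address = "0.0.0.0"` exposes Loki's push and query API on port 3100 on every VM interface, and with `auth_enabled = false` a few lines above (context) Loki performs no authentication of its own, so anyone on the MACVTAP segment to the host's network can inject or read logs. Before this change only peers on the proxy-sentinel WireGuard link could reach it, which is presumably where the real access control lived. If the firewall does not already limit 3100 to that interface, add `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];`. The `server` attrset closes inside the hunk.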
diff --git a/hosts/ward/microvms/paperless.nix b/hosts/ward/microvms/paperless.nix index 4d33984..69c1b3e 100644 --- a/hosts/ward/microvms/paperless.nix +++ b/hosts/ward/microvms/paperless.nix @@ -2,7 +2,6 @@ config, lib, nodes, - utils, ... }: let sentinelCfg = nodes.sentinel.config; @@ -28,7 +27,7 @@ in { services.nginx = { upstreams.paperless = { - servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {}; extraConfig = '' zone paperless 64k; keepalive 2; @@ -51,11 +50,13 @@ in { services.paperless = { enable = true; - address = config.meta.wireguard.proxy-sentinel.ipv4; + address = "0.0.0.0"; passwordFile = config.age.secrets.paperless-admin-password.path; extraConfig = { PAPERLESS_URL = "https://${paperlessDomain}"; + PAPERLESS_CONSUMER_ENABLE_BARCODES = true; PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true; + PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING"; PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}"; #PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates; PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4; @@ -65,9 +66,5 @@ in { }; }; - #systemd.services.paperless = { - # after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; - # serviceConfig.StateDirectory = lib.mkForce "paperless"; - # serviceConfig.RestartSec = "600"; # Retry every 10 minutes - #}; + systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes } diff --git a/hosts/ward/microvms/vaultwarden.nix b/hosts/ward/microvms/vaultwarden.nix index b76f87e..6f1230e 100644 --- a/hosts/ward/microvms/vaultwarden.nix +++ b/hosts/ward/microvms/vaultwarden.nix @@ -2,7 +2,6 @@ config, lib, nodes, - utils, ... }: let sentinelCfg = nodes.sentinel.config; 
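Review bot: The hunk at `@@ -51,11 +50,13 @@` bundles two unrelated feature changes — `PAPERLESS_CONSUMER_ENABLE_BARCODES = true;` and `PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";` — into a commit whose subject is only about bind addresses and VM memory, which makes the change harder to bisect and review. Either split them out or mention them in the commit message. On the bind itself, `address = "0.0.0.0"` exposes Paperless (and the documents behind it) on the MACVTAP bridge to the host's network as well as the WireGuard link nginx uses; unless the firewall already restricts it, add `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [config.services.paperless.port];`. The `extraConfig` attrset continues past the hunk.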
@@ -24,14 +23,14 @@ in { services.nginx = { upstreams.vaultwarden = { - servers."${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {}; extraConfig = '' zone vaultwarden 64k; keepalive 2; ''; }; upstreams.vaultwarden-websocket = { - servers."${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}" = {}; + servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.websocketPort}" = {}; extraConfig = '' zone vaultwarden-websocket 64k; keepalive 2; @@ -66,9 +65,9 @@ in { webVaultEnabled = true; websocketEnabled = true; - websocketAddress = config.meta.wireguard.proxy-sentinel.ipv4; + websocketAddress = "0.0.0.0"; websocketPort = 3012; - rocketAddress = config.meta.wireguard.proxy-sentinel.ipv4; + rocketAddress = "0.0.0.0"; rocketPort = 8012; signupsAllowed = false; @@ -87,9 +86,8 @@ in { # Replace uses of old name systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden"; - systemd.services.vaultwarden = { - after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; - serviceConfig.StateDirectory = lib.mkForce "vaultwarden"; - serviceConfig.RestartSec = "600"; # Retry every 10 minutes + systemd.services.vaultwarden.serviceConfig = { + StateDirectory = lib.mkForce "vaultwarden"; + RestartSec = "600"; # Retry every 10 minutes }; } diff --git a/modules/meta/microvms.nix b/modules/meta/microvms.nix index b6aeec1..297cff9 100644 --- a/modules/meta/microvms.nix +++ b/modules/meta/microvms.nix @@ -112,6 +112,9 @@ microvm = { hypervisor = mkDefault "qemu"; + # Give them some juice by default + mem = mkDefault (2 * 1024); + # MACVTAP bridge to the host's network interfaces = [ {
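Review bot: `rocketAddress`/`websocketAddress = "0.0.0.0"` make the Vaultwarden API (8012) and websocket (3012) listen on every VM interface, including the MACVTAP bridge to the host's network, and no TLS configuration for Rocket is visible here, so this appears to be a plaintext password-manager backend reachable from the LAN segment without passing through the nginx front end. `signupsAllowed = false` limits account creation but does nothing against login attempts or credential stuffing on existing accounts over that path. Unless the firewall already pins these ports to the WireGuard interface, add `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [config.services.vaultwarden.config.rocketPort config.services.vaultwarden.config.websocketPort];` in the same commit. The `config` attrset continues outside the hunk.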