feat: preferably bind to 0.0.0.0 in vms to remove issues with wireguard

coming up late; also increase the default VM memory to 2G
oddlama 2023-08-17 17:10:14 +02:00
parent af066925b4
commit f29318a5ac
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
9 changed files with 30 additions and 52 deletions


@ -3,7 +3,6 @@
lib, lib,
nodes, nodes,
pkgs, pkgs,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -16,7 +15,7 @@ in {
services.nginx = { services.nginx = {
upstreams.adguardhome = { upstreams.adguardhome = {
servers."${config.services.adguardhome.settings.bind_host}:${toString config.services.adguardhome.settings.bind_port}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.adguardhome.settings.bind_port}" = {};
extraConfig = '' extraConfig = ''
zone adguardhome 64k; zone adguardhome 64k;
keepalive 2; keepalive 2;
@ -46,7 +45,7 @@ in {
# simpler sed dns.host_addr logic. # simpler sed dns.host_addr logic.
mutableSettings = false; mutableSettings = false;
settings = { settings = {
bind_host = config.meta.wireguard.proxy-sentinel.ipv4; bind_host = "0.0.0.0";
bind_port = 3000; bind_port = 3000;
dns = { dns = {
bind_hosts = [ bind_hosts = [
@ -76,7 +75,6 @@ in {
}; };
systemd.services.adguardhome = { systemd.services.adguardhome = {
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "wan"}.device"];
preStart = lib.mkAfter '' preStart = lib.mkAfter ''
INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+") INTERFACE_ADDR=$(${pkgs.iproute2}/bin/ip -family inet -brief addr show wan | grep -o "[0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+")
sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml" sed -i -e "s/123.123.123.123/$INTERFACE_ADDR/" "$STATE_DIRECTORY/AdGuardHome.yaml"
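Review bot: `bind_host = "0.0.0.0"` makes the AdGuard Home admin UI on port 3000 listen on every interface of the VM, including the `wan` interface whose address this same file reads in preStart, whereas the old `config.meta.wireguard.proxy-sentinel.ipv4` binding was reachable only over the WireGuard link from the sentinel proxy. The same widening applies to the forgejo, grafana, influxdb, kanidm, loki, paperless and vaultwarden sections below, where every service now binds to 0.0.0.0 while the sentinel nginx upstreams keep talking to the WireGuard address. Assuming the NixOS firewall is enabled in these VMs, I would pin each port to the WireGuard interface, e.g. `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [3000];`, so the wildcard bind does not turn into LAN exposure through the host bridge. A short comment next to each bind line saying that 0.0.0.0 is a workaround for the WireGuard interface coming up late, and which firewall rule compensates, would keep the intent from being lost.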


@ -3,7 +3,6 @@
lib, lib,
nodes, nodes,
pkgs, pkgs,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -101,7 +100,7 @@ in {
ENABLE_PUSH_CREATE_ORG = true; ENABLE_PUSH_CREATE_ORG = true;
}; };
server = { server = {
HTTP_ADDR = config.meta.wireguard.proxy-sentinel.ipv4; HTTP_ADDR = "0.0.0.0";
HTTP_PORT = 3000; HTTP_PORT = 3000;
DOMAIN = forgejoDomain; DOMAIN = forgejoDomain;
ROOT_URL = "https://${forgejoDomain}/"; ROOT_URL = "https://${forgejoDomain}/";
@ -126,7 +125,6 @@ in {
}; };
systemd.services.gitea = { systemd.services.gitea = {
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
serviceConfig.RestartSec = "600"; # Retry every 10 minutes serviceConfig.RestartSec = "600"; # Retry every 10 minutes
#preStart = let #preStart = let
# exe = lib.getExe config.services.gitea.package; # exe = lib.getExe config.services.gitea.package;


@ -2,7 +2,6 @@
config, config,
lib, lib,
nodes, nodes,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -58,7 +57,7 @@ in {
services.nginx = { services.nginx = {
upstreams.grafana = { upstreams.grafana = {
servers."${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.grafana.settings.server.http_port}" = {};
extraConfig = '' extraConfig = ''
zone grafana 64k; zone grafana 64k;
keepalive 2; keepalive 2;
@ -86,7 +85,7 @@ in {
root_url = "https://${grafanaDomain}"; root_url = "https://${grafanaDomain}";
enforce_domain = true; enforce_domain = true;
enable_gzip = true; enable_gzip = true;
http_addr = config.meta.wireguard.proxy-sentinel.ipv4; http_addr = "0.0.0.0";
http_port = 3001; http_port = 3001;
}; };
@ -149,8 +148,5 @@ in {
}; };
}; };
systemd.services.grafana = { systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
};
} }


@ -2,7 +2,6 @@
config, config,
lib, lib,
nodes, nodes,
utils,
pkgs, pkgs,
... ...
}: let }: let
@ -18,7 +17,7 @@ in {
services.nginx = { services.nginx = {
upstreams.influxdb = { upstreams.influxdb = {
servers."${config.services.influxdb2.settings.http-bind-address}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}" = {};
extraConfig = '' extraConfig = ''
zone influxdb 64k; zone influxdb 64k;
keepalive 2; keepalive 2;
@ -74,7 +73,7 @@ in {
enable = true; enable = true;
settings = { settings = {
reporting-disabled = true; reporting-disabled = true;
http-bind-address = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString influxdbPort}"; http-bind-address = "0.0.0.0:${toString influxdbPort}";
}; };
provision = { provision = {
enable = true; enable = true;
@ -100,6 +99,5 @@ in {
environment.systemPackages = [pkgs.influxdb2-cli]; environment.systemPackages = [pkgs.influxdb2-cli];
# Do NOT configure RestartSec here, this must be left short to allow token manipulation systemd.services.grafana.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
systemd.services.influxdb2.after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
} }
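Review bot: The new `systemd.services.grafana.serviceConfig.RestartSec = "600";` at the end of this influxdb module targets the grafana unit rather than influxdb2, which looks like a copy-paste from the grafana module, and it replaces a comment that explicitly said RestartSec must stay short here to allow token manipulation. The kanidm section has the same slip: `systemd.services.grafana.serviceConfig.RestartSec = "60";` stands where the kanidm unit used to get its RestartSec, so kanidm now has no retry interval set at all. Either drop this line and restore the comment, or, if influxdb2 really should retry slowly now, write `systemd.services.influxdb2.serviceConfig.RestartSec = "600";` and say in a comment why the earlier constraint no longer holds.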


@ -3,7 +3,6 @@
lib, lib,
nodes, nodes,
pkgs, pkgs,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -29,7 +28,7 @@ in {
services.nginx = { services.nginx = {
upstreams.kanidm = { upstreams.kanidm = {
servers."${config.services.kanidm.serverSettings.bindaddress}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}" = {};
extraConfig = '' extraConfig = ''
zone kanidm 64k; zone kanidm 64k;
keepalive 2; keepalive 2;
@ -56,7 +55,7 @@ in {
origin = "https://${kanidmDomain}"; origin = "https://${kanidmDomain}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path; tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path; tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.meta.wireguard.proxy-sentinel.ipv4}:${toString kanidmPort}"; bindaddress = "0.0.0.0:${toString kanidmPort}";
trust_x_forward_for = true; trust_x_forward_for = true;
}; };
}; };
@ -72,10 +71,5 @@ in {
}; };
}; };
systemd.services.kanidm = { systemd.services.grafana.serviceConfig.RestartSec = "60"; # Retry every minute
# TODO this doesn't suffice, percieved 1 in 50 this fails because kanidm starts too soon,
# a requiredforonline might be necessary
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
serviceConfig.RestartSec = "60"; # Retry every minute
};
} }
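Review bot: With `bindaddress = "0.0.0.0:${toString kanidmPort}"` next to `trust_x_forward_for = true`, kanidm now trusts the X-Forwarded-For header from any client that can reach the port directly on any VM interface, whereas before only the sentinel nginx could reach it over the WireGuard address; trusting forwarded headers is only sound while the listener is reachable solely from the proxy. If the wildcard bind stays, restrict the port to the WireGuard interface, e.g. `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [kanidmPort];`, assuming the NixOS firewall is active in this VM. The deleted TODO about kanidm starting too soon was tied to the removed `after =` ordering; if binding to 0.0.0.0 is what makes that ordering unnecessary, a one-line comment saying so would explain why the note went away rather than leaving it as a silent deletion.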


@ -2,7 +2,6 @@
config, config,
lib, lib,
nodes, nodes,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -21,7 +20,7 @@ in {
services.nginx = { services.nginx = {
upstreams.loki = { upstreams.loki = {
servers."${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.loki.configuration.server.http_listen_port}" = {};
extraConfig = '' extraConfig = ''
zone loki 64k; zone loki 64k;
keepalive 2; keepalive 2;
@ -63,7 +62,7 @@ in {
auth_enabled = false; auth_enabled = false;
server = { server = {
http_listen_address = config.meta.wireguard.proxy-sentinel.ipv4; http_listen_address = "0.0.0.0";
http_listen_port = 3100; http_listen_port = 3100;
log_level = "warn"; log_level = "warn";
}; };
@ -124,8 +123,5 @@ in {
}; };
}; };
systemd.services.loki = { systemd.services.loki.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
};
} }
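Review bot: `http_listen_address = "0.0.0.0"` sits under `auth_enabled = false` in the same settings block, so Loki's push and query API now accepts unauthenticated requests from anything that can reach port 3100 on any VM interface, not only from the sentinel proxy over WireGuard as before. If the wildcard bind is kept, the port should be limited to the WireGuard interface, e.g. `networking.firewall.interfaces.proxy-sentinel.allowedTCPPorts = [3100];` (assuming the VM firewall is enabled), or the listener should stay on the WireGuard address with the ordering dependency instead of dropping it. A comment on the bind line noting that auth is off and the firewall is what keeps this private would help the next reader.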


@ -2,7 +2,6 @@
config, config,
lib, lib,
nodes, nodes,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -28,7 +27,7 @@ in {
services.nginx = { services.nginx = {
upstreams.paperless = { upstreams.paperless = {
servers."${config.services.paperless.address}:${toString config.services.paperless.port}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.paperless.port}" = {};
extraConfig = '' extraConfig = ''
zone paperless 64k; zone paperless 64k;
keepalive 2; keepalive 2;
@ -51,11 +50,13 @@ in {
services.paperless = { services.paperless = {
enable = true; enable = true;
address = config.meta.wireguard.proxy-sentinel.ipv4; address = "0.0.0.0";
passwordFile = config.age.secrets.paperless-admin-password.path; passwordFile = config.age.secrets.paperless-admin-password.path;
extraConfig = { extraConfig = {
PAPERLESS_URL = "https://${paperlessDomain}"; PAPERLESS_URL = "https://${paperlessDomain}";
PAPERLESS_CONSUMER_ENABLE_BARCODES = true;
PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true; PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE = true;
PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";
PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}"; PAPERLESS_FILENAME_FORMAT = "{created_year}-{created_month}-{created_day}_{asn}_{title}";
#PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates; #PAPERLESS_IGNORE_DATES = concatStringsSep "," ignoreDates;
PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4; PAPERLESS_NUMBER_OF_SUGGESTED_DATES = 4;
@ -65,9 +66,5 @@ in {
}; };
}; };
#systemd.services.paperless = { systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
# after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"];
# serviceConfig.StateDirectory = lib.mkForce "paperless";
# serviceConfig.RestartSec = "600"; # Retry every 10 minutes
#};
} }
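Review bot: `PAPERLESS_CONSUMER_ENABLE_BARCODES = true;` and `PAPERLESS_CONSUMER_BARCODE_SCANNER = "ZXING";` are unrelated to the bind-address and memory changes this commit is about and are not mentioned in its message. They would be easier to trace later as their own commit, or at least with a short comment above them stating why barcode consumption and the ZXing scanner are being enabled here.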


@ -2,7 +2,6 @@
config, config,
lib, lib,
nodes, nodes,
utils,
... ...
}: let }: let
sentinelCfg = nodes.sentinel.config; sentinelCfg = nodes.sentinel.config;
@ -24,14 +23,14 @@ in {
services.nginx = { services.nginx = {
upstreams.vaultwarden = { upstreams.vaultwarden = {
servers."${config.services.vaultwarden.config.rocketAddress}:${toString config.services.vaultwarden.config.rocketPort}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.rocketPort}" = {};
extraConfig = '' extraConfig = ''
zone vaultwarden 64k; zone vaultwarden 64k;
keepalive 2; keepalive 2;
''; '';
}; };
upstreams.vaultwarden-websocket = { upstreams.vaultwarden-websocket = {
servers."${config.services.vaultwarden.config.websocketAddress}:${toString config.services.vaultwarden.config.websocketPort}" = {}; servers."${config.meta.wireguard.proxy-sentinel.ipv4}:${toString config.services.vaultwarden.config.websocketPort}" = {};
extraConfig = '' extraConfig = ''
zone vaultwarden-websocket 64k; zone vaultwarden-websocket 64k;
keepalive 2; keepalive 2;
@ -66,9 +65,9 @@ in {
webVaultEnabled = true; webVaultEnabled = true;
websocketEnabled = true; websocketEnabled = true;
websocketAddress = config.meta.wireguard.proxy-sentinel.ipv4; websocketAddress = "0.0.0.0";
websocketPort = 3012; websocketPort = 3012;
rocketAddress = config.meta.wireguard.proxy-sentinel.ipv4; rocketAddress = "0.0.0.0";
rocketPort = 8012; rocketPort = 8012;
signupsAllowed = false; signupsAllowed = false;
@ -87,9 +86,8 @@ in {
# Replace uses of old name # Replace uses of old name
systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden"; systemd.services.backup-vaultwarden.environment.DATA_FOLDER = lib.mkForce "/var/lib/vaultwarden";
systemd.services.vaultwarden = { systemd.services.vaultwarden.serviceConfig = {
after = ["sys-subsystem-net-devices-${utils.escapeSystemdPath "proxy-sentinel"}.device"]; StateDirectory = lib.mkForce "vaultwarden";
serviceConfig.StateDirectory = lib.mkForce "vaultwarden"; RestartSec = "600"; # Retry every 10 minutes
serviceConfig.RestartSec = "600"; # Retry every 10 minutes
}; };
} }


@ -112,6 +112,9 @@
microvm = { microvm = {
hypervisor = mkDefault "qemu"; hypervisor = mkDefault "qemu";
# Give them some juice by default
mem = mkDefault (2 * 1024);
# MACVTAP bridge to the host's network # MACVTAP bridge to the host's network
interfaces = [ interfaces = [
{ {