feat(exports): service access
This commit is contained in:
parent
91918b8061
commit
871b1c5b2d
69 changed files with 1317 additions and 509 deletions
|
|
@ -7,5 +7,9 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
access.tailscale.enable = true;
|
||||
exports = {
|
||||
services = {
|
||||
tailscale.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,6 +12,7 @@
|
|||
];
|
||||
specialArgs = {
|
||||
inherit name inputs std meta;
|
||||
inherit (inputs.self.lib) gensokyo-zone;
|
||||
};
|
||||
})
|
||||
(set.map (_: c: c) meta.systems);
|
||||
|
|
|
|||
|
|
@ -30,4 +30,11 @@ _: {
|
|||
mode = "0600";
|
||||
};
|
||||
};
|
||||
exports = {
|
||||
services = {
|
||||
freeipa.enable = true;
|
||||
ldap.enable = true;
|
||||
kerberos.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,4 +14,9 @@ _: {
|
|||
};
|
||||
};
|
||||
};
|
||||
exports = {
|
||||
services = {
|
||||
freepbx.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,19 @@ _: {
|
|||
};
|
||||
};
|
||||
access = {
|
||||
tailscale.enable = true;
|
||||
global.enable = true;
|
||||
};
|
||||
exports = {
|
||||
services = {
|
||||
tailscale.enable = true;
|
||||
samba.enable = true;
|
||||
vouch-proxy = {
|
||||
enable = true;
|
||||
id = "login.local";
|
||||
};
|
||||
};
|
||||
exports = {
|
||||
plex.enable = true;
|
||||
};
|
||||
};
|
||||
}
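Review bot: The inner `exports = { plex.enable = true; };` sits inside the outer `exports` attrset in this hunk, next to `exports.services`; the rendered page does not show which side each line is on, so if both `exports = {` lines are on the new side this declares `exports.exports.plex`, which reads like a leftover of the previous layout rather than the `exports.services.plex.enable = true;` form the mediabox system uses in this same commit. Worth confirming by evaluating this system; if the nesting is intentional, a one-line comment on what the nested `exports` attribute means would stop the next reader from "fixing" it. The enclosing attrset begins outside the hunk.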
|
||||
|
|
|
|||
|
|
@ -3,16 +3,11 @@
|
|||
meta,
|
||||
lib,
|
||||
access,
|
||||
gensokyo-zone,
|
||||
...
|
||||
}: let
|
||||
inherit (gensokyo-zone.lib) mkAddress6;
|
||||
inherit (lib.modules) mkIf mkMerge;
|
||||
keycloak = access.nixosFor "keycloak";
|
||||
mediabox = access.nixosFor "mediabox";
|
||||
tei = access.nixosFor "tei";
|
||||
utsuho = access.nixosFor "utsuho";
|
||||
inherit (mediabox.services) plex;
|
||||
inherit (tei.services) home-assistant zigbee2mqtt;
|
||||
inherit (utsuho.services) unifi mosquitto;
|
||||
inherit (config.services) nginx;
|
||||
inherit (nginx) virtualHosts;
|
||||
in {
|
||||
|
|
@ -218,29 +213,8 @@ in {
|
|||
};
|
||||
};
|
||||
|
||||
services.nginx = let
|
||||
inherit (nginx) access;
|
||||
#inherit (config.lib.access) getHostnameFor;
|
||||
getHostnameFor = config.lib.access.getAddress4For;
|
||||
in {
|
||||
services.nginx = {
|
||||
vouch.enableLocal = false;
|
||||
access.mosquitto = assert mosquitto.enable; {
|
||||
host = getHostnameFor "utsuho" "lan";
|
||||
};
|
||||
access.plex = assert plex.enable; {
|
||||
url = "http://${getHostnameFor "mediabox" "lan"}:${toString plex.port}";
|
||||
externalPort = 41324;
|
||||
};
|
||||
access.unifi = assert unifi.enable; {
|
||||
host = getHostnameFor "utsuho" "lan";
|
||||
};
|
||||
access.freeipa = {
|
||||
host = getHostnameFor "freeipa" "lan";
|
||||
kerberos.ports.kpasswd = 464;
|
||||
};
|
||||
access.kitchencam = {
|
||||
streamPort = 41081;
|
||||
};
|
||||
stream.servers = {
|
||||
mosquitto.ssl.cert.name = "mosquitto";
|
||||
};
|
||||
|
|
@ -254,18 +228,11 @@ in {
|
|||
# we're not the real sso record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.enable = true;
|
||||
locations."/".proxyPass = "https://${getHostnameFor "keycloak" "lan"}:8443";
|
||||
};
|
||||
vouch = let
|
||||
inherit (keycloak.services) vouch-proxy;
|
||||
in assert vouch-proxy.enable; {
|
||||
vouch = {
|
||||
ssl.cert.enable = true;
|
||||
locations."/".proxyPass = "http://${getHostnameFor "keycloak" "lan"}:${toString vouch-proxy.settings.vouch.port}";
|
||||
};
|
||||
vouch'local = let
|
||||
vouch-proxy = config.services.vouch-proxy;
|
||||
in assert vouch-proxy.enable; {
|
||||
locations."/".proxyPass = "http://localhost:${toString vouch-proxy.settings.vouch.port}";
|
||||
vouch'local = {
|
||||
# we're not running another for tailscale sorry...
|
||||
name.includeTailscale = true;
|
||||
};
|
||||
|
|
@ -274,29 +241,27 @@ in {
|
|||
local.denyGlobal = true;
|
||||
ssl.cert.enable = true;
|
||||
};
|
||||
home-assistant = assert home-assistant.enable; {
|
||||
home-assistant = {
|
||||
# not the real hass record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.enable = true;
|
||||
locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}:${toString home-assistant.config.http.server_port}";
|
||||
};
|
||||
zigbee2mqtt = assert zigbee2mqtt.enable; {
|
||||
zigbee2mqtt = {
|
||||
# not the real z2m record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.enable = true;
|
||||
locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}:${toString zigbee2mqtt.settings.frontend.port}";
|
||||
};
|
||||
grocy = {
|
||||
# not the real grocy record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.enable = true;
|
||||
locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}";
|
||||
locations."/".proxyPass = "http://${mkAddress6 (access.getAddressFor "tei" "lan")}";
|
||||
};
|
||||
barcodebuddy = {
|
||||
# not the real bbuddy record-holder, so don't respond globally..
|
||||
local.denyGlobal = true;
|
||||
ssl.cert.enable = true;
|
||||
locations."/".proxyPass = "http://${getHostnameFor "tei" "lan"}";
|
||||
locations."/".proxyPass = "http://${mkAddress6 (access.getAddressFor "tei" "lan")}";
|
||||
};
|
||||
freepbx = {
|
||||
ssl.cert.enable = true;
|
||||
|
|
@ -305,14 +270,17 @@ in {
|
|||
proxied.enable = "cloudflared";
|
||||
ssl.cert.enable = true;
|
||||
};
|
||||
plex.ssl.cert.enable = true;
|
||||
plex = {
|
||||
ssl.cert.enable = true;
|
||||
listen'.external = {
|
||||
enable = true;
|
||||
port = 41324;
|
||||
};
|
||||
};
|
||||
kitchencam.ssl.cert.enable = true;
|
||||
invidious = {
|
||||
ssl.cert.enable = true;
|
||||
};
|
||||
invidious'int = {
|
||||
locations."/".proxyPass = "http://${getHostnameFor "mediabox" "lan"}:${toString mediabox.services.invidious.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
services.samba.tls = {
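Review bot: The `let` that bound `getHostnameFor` is removed in the `@ -218,29 +213,8 @@` hunk (`services.nginx = let … in {` becomes `services.nginx = {`), so any `locations."/".proxyPass` that still calls `getHostnameFor` on the new side is an unbound variable at evaluation; the rendered page does not show which side the sso, vouch, home-assistant, zigbee2mqtt and invidious'int proxyPass lines land on, so this is worth confirming with a build of the system before merging. In the `@ -274,29 +241,27 @@` hunk grocy and barcodebuddy keep a hand-written upstream, `mkAddress6 (access.getAddressFor "tei" "lan")`, while the home-assistant and zigbee2mqtt hosts beside them appear to lose theirs, presumably because the export layer now derives them; a comment such as `# tei does not export grocy/barcodebuddy, so the upstream is spelled out here` (if that is the reason) would make the asymmetry deliberate rather than accidental. The `virtualHosts` attrset these entries belong to opens outside the hunks.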
|
||||
|
|
|
|||
|
|
@ -7,5 +7,10 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
access.tailscale.enable = true;
|
||||
exports = {
|
||||
services = {
|
||||
keycloak.enable = true;
|
||||
vouch-proxy.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{meta, config, ...}: {
|
||||
{meta, config, access, ...}: {
|
||||
imports = let
|
||||
inherit (meta) nixos;
|
||||
in [
|
||||
|
|
@ -13,21 +13,25 @@
|
|||
|
||||
services.cloudflared = let
|
||||
tunnelId = "c9a4b8c9-42d9-4566-8cff-eb63ca26809d";
|
||||
inherit (config.services) keycloak vouch-proxy;
|
||||
in {
|
||||
tunnels.${tunnelId} = {
|
||||
default = "http_status:404";
|
||||
credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
|
||||
ingress = let
|
||||
keycloakHost = if keycloak.settings.hostname != null then keycloak.settings.hostname else "sso.${config.networking.domain}";
|
||||
keyCloakScheme = if keycloak.sslCertificate != null then "https" else "http";
|
||||
keycloakPort = keycloak.settings."${keyCloakScheme}-port";
|
||||
keycloak'system = access.systemForService "keycloak";
|
||||
inherit (keycloak'system.exports.services) keycloak;
|
||||
vouch'system = access.systemForServiceId "login";
|
||||
inherit (vouch'system.exports.services) vouch-proxy;
|
||||
in {
|
||||
${keycloakHost} = assert keycloak.enable; {
|
||||
service = "${keyCloakScheme}://localhost:${toString keycloakPort}";
|
||||
originRequest.${if keyCloakScheme == "https" then "noTLSVerify" else null} = true;
|
||||
"${keycloak.id}.${config.networking.domain}" = let
|
||||
portName = if keycloak.ports.https.enable then "https" else "http";
|
||||
in {
|
||||
service = access.proxyUrlFor { system = keycloak'system; service = keycloak; inherit portName; };
|
||||
originRequest.${if keycloak.ports.${portName}.protocol == "https" then "noTLSVerify" else null} = true;
|
||||
};
|
||||
"${vouch-proxy.id}.${config.networking.domain}" = {
|
||||
service = access.proxyUrlFor { system = vouch'system; service = vouch-proxy; };
|
||||
};
|
||||
${vouch-proxy.domain}.service = assert vouch-proxy.enable; "http://localhost:${toString vouch-proxy.settings.vouch.port}";
|
||||
};
|
||||
};
|
||||
};
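Review bot: `originRequest.noTLSVerify = true` is still set whenever the exported keycloak port speaks https (the `originRequest.${if keycloak.ports.${portName}.protocol == "https" …}` line), so cloudflared accepts any certificate from that origin; if the origin presents a certificate from the infrastructure's own CA, `originRequest.caPool` pointing at that CA, with `originServerName` when the hostname differs, keeps the hop authenticated instead of disabling verification. The inner `let` also rebinds `keycloak` and `vouch-proxy` to the `exports.services` records, shadowing the `config.services` bindings inherited a few lines above if those survive the change, so `keycloak.enable` and `keycloak.id` mean different things depending on scope; a comment like `# keycloak/vouch-proxy below are the export records, not config.services` would help. The enclosing `services.cloudflared = let … in {` block starts outside the hunk.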
|
||||
|
|
|
|||
|
|
@ -15,4 +15,13 @@ _: {
|
|||
address6 = "fd0a::ba27:ebff:fea8:f4ff";
|
||||
};
|
||||
};
|
||||
exports = {
|
||||
services = {
|
||||
motion = {
|
||||
id = "kitchen";
|
||||
enable = true;
|
||||
ports.stream.port = 41081;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,5 +7,9 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
access.tailscale.enable = true;
|
||||
exports = {
|
||||
services = {
|
||||
tailscale.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,4 +7,10 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
exports = {
|
||||
services = {
|
||||
plex.enable = true;
|
||||
invidious.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,5 +7,10 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
access.tailscale.enable = true;
|
||||
exports = {
|
||||
services = {
|
||||
tailscale.enable = true;
|
||||
nfs.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,4 +10,9 @@ _: {
|
|||
address6 = "fd0c::2";
|
||||
};
|
||||
};
|
||||
exports = {
|
||||
services = {
|
||||
proxmox.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,46 +1,14 @@
|
|||
{
|
||||
access,
|
||||
config,
|
||||
lib,
|
||||
access,
|
||||
...
|
||||
}: let
|
||||
inherit (lib.modules) mkIf;
|
||||
inherit (lib.attrsets) listToAttrs nameValuePair;
|
||||
inherit (access) nixosFor;
|
||||
inherit (config.networking) hostName;
|
||||
inherit (config.services) nginx;
|
||||
inherit (config.services) home-assistant nginx;
|
||||
cfg = config.services.cloudflared;
|
||||
apartment = "5e85d878-c6b2-4b15-b803-9aeb63d63543";
|
||||
accessHostFor = {
|
||||
hostName,
|
||||
system ? nixosFor hostName,
|
||||
network ? "lan",
|
||||
...
|
||||
}: let
|
||||
host = access.getHostnameFor hostName network;
|
||||
in
|
||||
if hostName == config.networking.hostName
|
||||
then "localhost"
|
||||
else host;
|
||||
ingressForNginx = {
|
||||
host ? system.networking.fqdn,
|
||||
port ? 80,
|
||||
hostName,
|
||||
system ? nixosFor hostName,
|
||||
} @ args:
|
||||
nameValuePair host {
|
||||
service = "http://${accessHostFor args}:${toString port}";
|
||||
};
|
||||
ingressForHass = {
|
||||
host ? system.services.home-assistant.domain,
|
||||
port ? system.services.home-assistant.config.http.server_port,
|
||||
hostName,
|
||||
system ? nixosFor hostName,
|
||||
...
|
||||
} @ args:
|
||||
nameValuePair host {
|
||||
service = "http://${accessHostFor args}:${toString port}";
|
||||
};
|
||||
localNginx = "http://localhost:${toString nginx.defaultHTTPListenPort}";
|
||||
in {
|
||||
sops.secrets.cloudflared-tunnel-apartment.owner = cfg.user;
|
||||
services.cloudflared = {
|
||||
|
|
@ -48,21 +16,20 @@ in {
|
|||
${apartment} = {
|
||||
credentialsFile = config.sops.secrets.cloudflared-tunnel-apartment.path;
|
||||
default = "http_status:404";
|
||||
ingress = listToAttrs [
|
||||
(ingressForNginx {
|
||||
host = nginx.virtualHosts.zigbee2mqtt.serverName;
|
||||
inherit hostName;
|
||||
})
|
||||
(ingressForNginx {
|
||||
host = nginx.virtualHosts.grocy.serverName;
|
||||
inherit hostName;
|
||||
})
|
||||
(ingressForNginx {
|
||||
host = nginx.virtualHosts.barcodebuddy.serverName;
|
||||
inherit hostName;
|
||||
})
|
||||
(ingressForHass {inherit hostName;})
|
||||
];
|
||||
ingress = {
|
||||
${nginx.virtualHosts.zigbee2mqtt.serverName} = {
|
||||
service = localNginx;
|
||||
};
|
||||
${nginx.virtualHosts.grocy.serverName} = {
|
||||
service = localNginx;
|
||||
};
|
||||
${nginx.virtualHosts.barcodebuddy.serverName} = {
|
||||
service = localNginx;
|
||||
};
|
||||
${home-assistant.domain} = assert home-assistant.enable; {
|
||||
service = access.proxyUrlFor { serviceName = "home-assistant"; };
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
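Review bot: `access.proxyUrlFor { serviceName = "home-assistant"; }` on the home-assistant ingress passes a `serviceName` argument, while the keycloak tunnel in this same commit calls the helper as `access.proxyUrlFor { system = …; service = …; inherit portName; }`; the helper is not visible here, so if it accepts only one of these shapes the apartment tunnel fails at evaluation, and if it accepts both a comment naming the canonical form would keep callers consistent. With the `accessHostFor`/`ingressForNginx`/`ingressForHass` helpers gone, `inherit (config.networking) hostName;` in the first hunk looks unused on the new side if it is context rather than a removed line, which is worth checking. The `services.cloudflared` attrset begins in the first hunk and its `tunnels` body continues past the second.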
|
||||
|
|
|
|||
|
|
@ -7,5 +7,12 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
access.tailscale.enable = true;
|
||||
exports = {
|
||||
services = {
|
||||
tailscale.enable = true;
|
||||
home-assistant.enable = true;
|
||||
zigbee2mqtt.enable = true;
|
||||
postgresql.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -7,4 +7,11 @@ _: {
|
|||
modules = [
|
||||
./nixos.nix
|
||||
];
|
||||
exports = {
|
||||
services = {
|
||||
unifi.enable = true;
|
||||
mosquitto.enable = true;
|
||||
dnsmasq.enable = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -18,7 +18,6 @@ in {
|
|||
];
|
||||
|
||||
services.cloudflared = let
|
||||
inherit (config.services) unifi;
|
||||
inherit (nginx) virtualHosts defaultHTTPListenPort;
|
||||
tunnelId = "28bcd3fc-3467-4997-806b-546ba9995028";
|
||||
localNginx = "http://localhost:${toString defaultHTTPListenPort}";
|
||||
|
|
@ -27,7 +26,7 @@ in {
|
|||
default = "http_status:404";
|
||||
credentialsFile = config.sops.secrets.cloudflared-tunnel-utsuho.path;
|
||||
ingress = {
|
||||
${virtualHosts.unifi.serverName} = assert unifi.enable; {
|
||||
${virtualHosts.unifi.serverName} = {
|
||||
service = localNginx;
|
||||
};
|
||||
};
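Review bot: The `assert unifi.enable;` guard on the unifi ingress is dropped in the second hunk (`${virtualHosts.unifi.serverName} = {`) together with `inherit (config.services) unifi;` in the first, so the tunnel now publishes that hostname unconditionally, whereas the apartment tunnel in this same commit keeps `assert home-assistant.enable;` on its home-assistant ingress; the two files now disagree on whether ingress entries are gated on the service being enabled. If the export layer is meant to take over that gating, a comment saying so would help; otherwise `${virtualHosts.unifi.serverName} = assert config.services.unifi.enable; {` restores the check. Both hunks sit inside a `services.cloudflared = let … in {` block whose end is outside the view.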
|
||||
|
|
|
|||