gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(utsuho): post-apply setup

Browse source
This commit is contained in:
arcnmx 2024-03-21 08:19:43 -07:00
parent 64354376c7
commit a6fced79d5
10 changed files with 371 additions and 206 deletions
Download patch file Download diff file Expand all files Collapse all files

16
systems/hakurei/nixos.nix
View file

@ -109,13 +109,12 @@ in {
(mkIf tailscale.enable virtualHosts.vouch'tail.allServerNames)
];
};
${access.unifi.domain} = {
unifi = {
inherit (nginx) group;
domain = virtualHosts.unifi.serverName;
extraDomainNames = mkMerge [
[access.unifi.localDomain]
(mkIf tailscale.enable [
access.unifi.tailDomain
])
virtualHosts.unifi.serverAliases
virtualHosts.unifi'local.allServerNames
];
};
${access.freeipa.domain} = {
@ -195,7 +194,6 @@ in {
};
access.unifi = {
host = tei.lib.access.hostnameForNetwork.local;
useACMEHost = access.unifi.domain;
};
access.freeipa = {
useACMEHost = access.freeipa.domain;
@ -224,6 +222,12 @@ in {
vouch'tail = mkIf tailscale.enable {
ssl.cert.name = "vouch";
};
unifi = {
# we're not the real unifi record-holder, so don't respond globally..
local.denyGlobal = true;
ssl.cert.name = "unifi";
};
unifi'local.ssl.cert.name = "unifi";
home-assistant = assert home-assistant.enable; {
# not the real hass record-holder, so don't respond globally..
local.denyGlobal = true;

4
systems/tei/cloudflared.nix
View file

@ -53,10 +53,6 @@ in {
host = nginx.virtualHosts.zigbee2mqtt.serverName;
inherit hostName;
})
(ingressForNginx {
host = nginx.access.unifi.domain;
inherit hostName;
})
(ingressForNginx {
host = nginx.virtualHosts.grocy.serverName;
inherit hostName;

38
systems/utsuho/nixos.nix
View file

@ -1,11 +1,47 @@
{meta, config, ...}: {
{meta, config, access, ...}: let
inherit (config.services.nginx) virtualHosts;
tei = access.nixosFor "tei";
in {
imports = let
inherit (meta) nixos;
in [
nixos.sops
nixos.base
nixos.reisen-ct
nixos.cloudflared
nixos.nginx
nixos.access.unifi
];
services.cloudflared = let
tunnelId = "28bcd3fc-3467-4997-806b-546ba9995028";
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-utsuho.path;
ingress = {
${virtualHosts.unifi.serverName} = {
service = "http://localhost";
};
};
};
};
services.nginx = {
access.unifi = {
host = tei.lib.access.hostnameForNetwork.local;
};
virtualHosts = {
unifi.proxied.enable = "cloudflared";
};
};
sops.secrets.cloudflared-tunnel-utsuho = {
owner = config.services.cloudflared.user;
};
sops.defaultSopsFile = ./secrets.yaml;
systemd.network.networks.eth0 = {
name = "eth0";
matchConfig = {

57
systems/utsuho/secrets.yaml Normal file
View file

@ -0,0 +1,57 @@
cloudflared-tunnel-utsuho: ENC[AES256_GCM,data:GqhrwmOjfmj4VhecMS8765MPBq0URQlW64Hs7ljLVKFZdUKOz4trT+GusDEmTnHTSo+Tl24Bd6Z6TdyFKgacVOUFaPhO3EBkMrZ0rjFWVib4LsH3IH3/hctLiGJDbXLpu3WGnY/lYopPWr5870gzRfJCvbQecrFibsD9osksScttKOUVziTKSmYeOWHiTzI/ZrMUa3HMH3+O6rfajY2qq+v3O31/PS1cHEl+A2zfdmKVMbF/ugyVn/8cveYQGz5fsIDm11i5J9BrbWvaTH8=,iv:d9bW/dYRgk6QzWzUXu6IXUuwQo+Ghm1OPqU/lQLlss0=,tag:NNAOb/QUM41x/1Qhp2MWqw==,type:str]
sops:
shamir_threshold: 1
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age15hmlkd9p5rladsjzpmvrh6u34xvggu9mzdsdxdj3ms43tltxeuhq4g7g9k
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKK2ZGOWJvbXNRTlVJNkNR
STlHNjg3SXlWcFJGQ2ZSVDJ0UytRUFYycVFrCnFaTjJ5T2dQNnNTak8yZ2VFZ2U1
U3lpVHhlcUl6cGNTSVRpT1VTczJBOGMKLS0tIGVlQW91bmZoclNpRkVWRk8xR29n
aGMvcU4xQVNuczB5NGhZMnFlWnlkSGsKm8Z3rSM/uNN1522p0inM5vQ8+OY83FDI
I69BH9qL2ekRG2e2Qw+bjeHOUm9Qe9QSRsQPW3Z3XDdxEVxRgE9Avw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-21T17:43:11Z"
mac: ENC[AES256_GCM,data:g/e7TsFAbKZZpbbJyKZxbyjJ0fIDoPA+hrh7NbuJKJw8sSVBnhxbDBVzMELpekRg/HuXlYB9vf/2tVgIrDdSN8oF+JP6E5O5i7pebDSibpQ2aAsUadWBQfuzaCAu/jfbKbe7lAfU631nnkVP0K9wdj2aRRjElr68sbdfeSFIeBs=,iv:5Zr5dWk63ebyxNwXBOTjjmBg9UBJqB7BOQKtrJUafYM=,tag:D3gz/tEyZY6IIHhT19x/cw==,type:str]
pgp:
- created_at: "2024-03-21T17:32:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA82M54yws73UAQ//TULZQkT0H8Wit0cjltcimg4JPaeiWHKoe7CdjwWJ94u2
G7IqyYFg/BdZG45C2BFno5gH/xl4JIfuCHrqWqmpAUy5h+wTC9jWZE717YxYXv+Z
yoIo713u5+1zJ4U/LuXzxxgTdL6niuOMii6u3PCP3AuyvEg5zbCoTJ317y9TE67Y
o5OXjo02JP/UVbU66HGMOXhj5dSqss34QSdIen7atUWoLLa9hmtKvCBUKj49niaN
FRK/UTEi2D/C0Hm6qmpNWdT9XxXSPpYSKm9YSl0qatsIhxKxyg69Zb9WRQwc/MS2
D4ioH3uViOBOGMfJNqUSQoB5f0OpN2iDPWnmXymgCbDvnhZ3jOGhK+xOI7RotUj+
lTQ+iMzsOh5pVgdINLk8sak/ZUaURy5Wro+mbr0HErgqR9TX1BgmmLHgSY5NqjVL
z6YLmvZbyrio1033ulaqOhRnBfO2yILobjaRweA+fDqtRD8MhljuYzz4VN6Su1L4
7oFEqSeTDKb9x2ZU7NQcOPIg4LwXhkdQvTP5k33BtwA9oZbk3iSQ8eSsbRlrRXos
YWVlyM5JWLFoNrE+sXFPYSHx4WbZ3QmSvPLjTOLSfMYLXQi+ZnYX09bzOTU3tqPG
JH2dIMWdHLaN3BpnG6SZol2kh2Yv9Kh3UUDbzjRzisSwW7jdrY4G/dz0UG2lyljS
XgGbjRzz9LmzX7g5Jse74MLcJyyRO8CiRb3J6niKyQ5sCK8Cd+hoosIeGYvIYkjE
JtGkN54B7BZcqOx03LyLQcSr7trfOD8dmmHpjUdfxyy33T2iTkH3qaHX8IGLL/Y=
=gsOE
-----END PGP MESSAGE-----
fp: CD8CE78CB0B3BDD4
- created_at: "2024-03-21T17:32:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMA2W9MER3HLb7AQf+OxaKJJ2PbrHc+gnstVKXXk5PrUBxxPE5a2SmVxAS25IH
5pRpRBsXMsdeIbX5N0FPxE+6ry1+hSbzfQaFfaOBdrWcvPAj7S2LbckhR3QKEydI
tHxjhsNVDGL9zUe5cHc8+1lXylB0rZeYNXrttv9tk6k17FgxBOs2nGqVBE4qMcHK
oubUZ2JAvz4iMcbTCM/2gotf5dC2j5tyPserLJzZvgjOP7c2PWlIeauulIa+zmw0
xLqUR2mk3T/IuIAsmKMeG6MBCkcEuK3bSJwvuf8MId+nJMG75hQ0O8LiafVEsROa
QGv6MGdSsN4fPAD7KEkf3CvWYjdhmx1eLDu7VLSzXdJeAV64z11mXomX2R4D5zb2
9u+U5FhLt7atr6YmTz7E3x3hytcKp8jXc2q4WMibw34bs6wFuOtey/2CAJWzp9Ba
19oU8CuAoFGxHo9SGqweuqU7qrF2bjmFyGJzPiNJYA==
=AWUc
-----END PGP MESSAGE-----
fp: 65BD3044771CB6FB
unencrypted_suffix: _unencrypted
version: 3.8.1