refactor: move kanidm to tei
This commit is contained in:
parent
b9e1f544f7
commit
b892e420ab
7 changed files with 80 additions and 28 deletions
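--- /dev/null
+++ b/modules/nixos/access.nix
@@ -0,0 +1,24 @@
+{
+config,
+lib,
+...
+}: let
+inherit (lib.modules) mkIf;
+inherit (lib.options) mkOption;
+inherit (config.networking) hostName;
+in {
+options.networking.access = with lib.types; {
+hostnameForNetwork = mkOption {
+type = attrsOf str;
+default = { };
+};
+};
+
+config.networking.access = {
+hostnameForNetwork = {
+local = mkIf config.services.avahi.enable "${hostName}.local";
+tail = mkIf config.services.tailscale.enable "${hostName}.tail.cutie.moe";
+global = mkIf config.networking.enableIPv6 "${hostName}.cutie.moe";
+};
+};
+}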
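Review bot: The new `hostnameForNetwork` option carries no `description`, and because its three entries are each `mkIf`-gated on the host's avahi, tailscale and IPv6 settings, a consumer can find any key absent depending on which host it reads; that contract is stated nowhere. Suggest adding `description = "Hostnames by which this host is reachable from a given network (local, tail, global); a key is absent when that network is not enabled on the host.";` to the option. The `global` entry is additionally gated on `config.networking.enableIPv6` alone, which presumably stands in for "has a public address" and will advertise `${hostName}.cutie.moe` on any host with IPv6 enabled whether or not that name resolves to it — confirm this is intended, or gate it on an explicit option.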
|
@ -4,19 +4,41 @@
|
|||
...
|
||||
}:
|
||||
let
|
||||
inherit (lib.modules) mkDefault;
|
||||
inherit (lib.options) mkOption;
|
||||
inherit (lib.modules) mkIf mkDefault mkOptionDefault;
|
||||
cfg = config.services.zigbee2mqtt;
|
||||
access = config.services.nginx.access.zigbee2mqtt;
|
||||
in {
|
||||
services.nginx.virtualHosts.${cfg.domain} = {
|
||||
vouch.enable = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = mkDefault "http://127.0.0.1:${toString cfg.settings.frontend.port}";
|
||||
extraConfig = ''
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_http_version 1.1;
|
||||
'';
|
||||
options.services.nginx.access.zigbee2mqtt = with lib.types; {
|
||||
host = mkOption {
|
||||
type = str;
|
||||
};
|
||||
domain = mkOption {
|
||||
type = str;
|
||||
};
|
||||
port = mkOption {
|
||||
type = port;
|
||||
};
|
||||
};
|
||||
config.services.nginx = {
|
||||
access.zigbee2mqtt = mkIf cfg.enable {
|
||||
domain = mkOptionDefault cfg.domain;
|
||||
host = mkOptionDefault "localhost";
|
||||
port = mkIf (cfg.settings ? frontend.port) (
|
||||
mkOptionDefault cfg.settings.frontend.port
|
||||
);
|
||||
};
|
||||
virtualHosts.${access.domain} = {
|
||||
vouch.enable = true;
|
||||
locations = {
|
||||
"/" = {
|
||||
proxyPass = mkDefault "http://${access.host}:${toString access.port}";
|
||||
extraConfig = ''
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_http_version 1.1;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
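Review bot: Once `access.host` can name a remote machine (the new `proxyPass = mkDefault "http://${access.host}:${toString access.port}"`), the `vouch.enable = true` gate on the vhost protects only the path through this nginx; the zigbee2mqtt frontend on the remote host has to be reachable on that port, so anything that can reach `access.host` directly gets to the frontend without passing vouch. The `host` option should say so, e.g. `description = "Host serving the zigbee2mqtt frontend; when not localhost, restrict the frontend port on that host to this proxy's source address.";`, and `domain` and `port` also lack descriptions. Separately, `host = mkOptionDefault "localhost"` replaces the old literal `127.0.0.1`, so the upstream now goes through name resolution and may yield `::1` as well; keep `"127.0.0.1"` if the frontend only binds IPv4 — the hunk does not show how it binds. The module's argument list and closing brace lie outside the hunk.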
|||
|
|
@ -12,11 +12,8 @@
|
|||
systemFor = hostName: if hostName == config.networking.hostName
|
||||
then config
|
||||
else meta.network.nodes.${hostName};
|
||||
accessHostFor = { hostName, access ? "local", ... }: let
|
||||
host = {
|
||||
local = "${hostName}.local";
|
||||
tail = "${hostName}.tail.cutie.moe";
|
||||
}.${access} or (throw "unsupported access ${access}");
|
||||
accessHostFor = { hostName, system ? systemFor hostName, access ? "local", ... }: let
|
||||
host = system.networking.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
|
||||
in if hostName == config.networking.hostName then "localhost" else host;
|
||||
ingressForNginx = { host ? system.networking.fqdn, port ? 80, hostName, system ? systemFor hostName }@args: nameValuePair host {
|
||||
service = "http://${accessHostFor args}:${toString port}";
|
||||
|
|
@ -44,10 +41,10 @@ in {
|
|||
default = "http_status:404";
|
||||
ingress = listToAttrs [
|
||||
(ingressForNginx { host = config.networking.domain; inherit hostName; })
|
||||
(ingressForNginx rec { host = (systemFor hostName).services.zigbee2mqtt.domain; hostName = "tewi"; })
|
||||
(ingressForNginx { host = (systemFor "tewi").services.zigbee2mqtt.domain; inherit hostName; })
|
||||
(ingressForHass { hostName = "tewi"; })
|
||||
(ingressForVouch { hostName = "tewi"; })
|
||||
(ingressForKanidm { hostName = "tewi"; })
|
||||
(ingressForVouch { inherit hostName; })
|
||||
(ingressForKanidm { inherit hostName; })
|
||||
];
|
||||
extraTunnel.ingress = mkMerge [
|
||||
(listToAttrs [
|
||||
|
|
|
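Review bot: In `accessHostFor`, `throw "unsupported access ${access}"` now also fires when the target host merely has no entry for that network, since `hostnameForNetwork` keys are `mkIf`-gated on the target host's avahi/tailscale/IPv6 configuration in the new access.nix; the message will mislead whoever hits it. Suggest `host = system.networking.access.hostnameForNetwork.${access} or (throw "${hostName}: no hostname for network ${access}");`. In the second hunk, `(systemFor "tewi")` hardcodes the same hostname that the tei host section of this commit spells out via `inherit (meta.network.nodes) tewi`; a single binding such as `z2mHost = "tewi";` would keep the two in step. `ingressForNginx` continues past the end of the first hunk.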
|||
|
|
@ -11,10 +11,22 @@
|
|||
nixos.postgres
|
||||
nixos.nginx
|
||||
nixos.access.gensokyo
|
||||
nixos.access.zigbee2mqtt
|
||||
nixos.vouch
|
||||
nixos.kanidm
|
||||
./cloudflared.nix
|
||||
];
|
||||
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
|
||||
services.nginx.access.zigbee2mqtt = let
|
||||
inherit (meta.network.nodes) tewi;
|
||||
z2m = tewi.services.zigbee2mqtt;
|
||||
in {
|
||||
inherit (z2m) domain;
|
||||
inherit (z2m.settings.frontend) port;
|
||||
host = tewi.networking.access.hostnameForNetwork.tail;
|
||||
};
|
||||
|
||||
system.stateVersion = "23.11";
|
||||
}
|
||||
|
|
|
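Review bot: `host = tewi.networking.access.hostnameForNetwork.tail;` dereferences the `tail` key directly, but in the new access.nix that key is `mkIf config.services.tailscale.enable`, so evaluating against a tewi without tailscale fails with a bare missing-attribute error rather than something actionable; `inherit (z2m.settings.frontend) port;` has the same shape, whereas the nginx access module guards that value with `cfg.settings ? frontend.port`. Suggest `host = tewi.networking.access.hostnameForNetwork.tail or (throw "tewi has no tailscale hostname");`, matching the `or (throw ...)` style `accessHostFor` uses in cloudflared.nix. Choosing `tail` also pins the proxy-to-frontend traffic to the tailnet rather than the `.local` name; a one-line comment above the `let` stating that intent would help, since nothing on the page says why `tail` was chosen.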
|||
|
|
@ -1,4 +1,6 @@
|
|||
tailscale-key: ENC[AES256_GCM,data:0ify9ntv5wgr8S8wUdV72mbjt3h/jjceFnocMEIndeEJ1VYTINKlyoPL8VxVJpsi0QxtH7T7pvw=,iv:iapyEmjAT2gGBj+fTfSRtGX1/cvBmqbyI9h1flPprPM=,tag:UZDyojQcVwkquDPiRtfGKQ==,type:str]
|
||||
vouch-client-secret: ENC[AES256_GCM,data:NSWRuvWo0uI1F4VP3NcMGwzlt1ctiaKG1g8XX91t2OU9UvdkuLYZYEzWfG7UEk2d,iv:HP3Q3kABV2tdHITPJlYQmv/iA4cu/ldC0BwPxKGFJU8=,tag:zCNF6POLbB5+Yzq+LeK5WQ==,type:str]
|
||||
vouch-jwt: ENC[AES256_GCM,data:Oh6iNnyx6LnlBAW+Hs94qdVOxPJ/fiKDxCN+FRTp+yp8xReC8Ky0tC+NlO18hwuAiFoR++sQ4cUlWJbGZqmtRA==,iv:TNDcvq8LeWYENc+oY+JIgM6pdbkEj/PFhBjpO2UIPCg=,tag:zt5kivDX4WTLwcWmR4vmpQ==,type:str]
|
||||
postgresql-init: ENC[AES256_GCM,data:AJY1PhgQ/vPYAugA+oqlm2CUjI+RZ3zVOd2zdMMtFt+uLmcxoAyap/zxvVDzCzzNY/jqAJnUaAr1aYw9Nd2icSMurR4=,iv:S4d4+1ncVlEzy50eU1lyPi3gPC+yvVZe6kGZa+oK2KU=,tag:U98pYwYf3sJRmB7Ac8g9Fw==,type:str]
|
||||
cloudflared-tunnel-apartment: ENC[AES256_GCM,data:ysak+T+01jwznciOLY8xq6vkL+7ELiby7EBoEU2fdJSblsnd6EX736vkNZQV8QznDy5hdJtMLddFGSxUHgWujkFIK7Ra8dbK+QoYLdEmgkaZqyHy95fWwkjUc4d8OyxPA4YVRfGYh2NOBhE++YXy7zeZbvlau55CydQT9EyiCh1QkJwCURfG65iCJ7Ml36X+GeB4F4i1JZsvqsz4mXhP9WgqgzwuWA==,iv:PHRsxe+0P20TwT/a14AeiLjh5RFbY1zm9HKaIiunTw8=,tag:/z4dsGKjKz5l6ISL0lX0KQ==,type:str]
|
||||
cloudflared-tunnel-apartment-deluge: ENC[AES256_GCM,data:Itq8yrIwCsvc3E2KOijK8TJqdw==,iv:+MMas0vLUb5p0kvXduMFa0D/nxkIZ6rOG9EpTjnCL0U=,tag:rD0NPDfP+wemrEsFbN/ZXA==,type:str]
|
||||
|
|
@ -18,8 +20,8 @@ sops:
|
|||
bGU0VHd0aFhHRC91WHh0Z0Y4TTE5QzgKpHehWfoJT4F1TtMHJ0tZkoJAPFAihQ7T
|
||||
aunsQeLHJkHv1eWKpraTmo+04GVZofwId/1TtOContveBynfxcuG7Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-01-13T20:45:42Z"
|
||||
mac: ENC[AES256_GCM,data:SVaQKEzVgl50f73vQHmAyy/Wq7fiiB5a5tZgToQ/Nc6yaC40ktApvhjVwlsNTJS6lfuLZ6krM+Ka0XzO3GRnj8MsrlIinhZaK7kP7+wPODZrSBVxgqT8Dpp/0JnB6/pplR1aVooC3GfP66Q3RPowkS+3CI/Oeor7D3hdDyX4b+0=,iv:+vp9BUG6N/lPeYFjtxM41JqpXKvX3oRqF6lSgZnN92Q=,tag:uPYI+XE218bjmacO9LWkIw==,type:str]
|
||||
lastmodified: "2024-01-14T17:09:19Z"
|
||||
mac: ENC[AES256_GCM,data:EiWpfwx/hiad44XeqmIYUvrvM5h/qzMScfwmbPBal+Za8edTGZ4tD+pD0+HDj/V7AQj4d7sSMtg9Y4UZnmyYK1qUD1Yx0BF2+9XjtGNAtayZc1rkoD7aBsb5IlTymp8GIJrEgUhBZAOPbrgMgqHHgZQXN9ym4bDRjPIwY/u0aUs=,iv:WhWGzQk4anrdIaf7EbVeReKiMw6z1w1wdrdpAGjJqIs=,tag:k8G5rvOgdjBaVVRmVyL9hg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-01-07T21:18:21Z"
|
||||
enc: |-
|
||||
|
|
|
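Review bot: `vouch-client-secret`, `vouch-jwt` and `postgresql-init` are introduced in this secrets file while the tewi secrets file in the same commit drops its `vouch-client-secret` and `vouch-jwt` entries. If the plaintexts were copied across rather than regenerated, the tewi host key can still decrypt the earlier ciphertext from git history, so rotating the vouch client secret in kanidm and the JWT secret after the move closes that window; the ciphertext on the page cannot show which case applies. A line in the commit message stating whether the secrets were rotated would make this auditable later.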
|||
|
|
@ -44,9 +44,6 @@ in {
|
|||
nixos.sops
|
||||
nixos.tailscale
|
||||
nixos.nginx
|
||||
nixos.access.zigbee2mqtt
|
||||
nixos.vouch
|
||||
nixos.kanidm
|
||||
nixos.mosquitto
|
||||
nixos.zigbee2mqtt
|
||||
nixos.deluge
|
||||
|
|
|
|||
|
|
@ -3,8 +3,6 @@ hass-pass: ENC[AES256_GCM,data:LvoI4sQ77HpYdmNoPLQ=,iv:oAQGTqBh1sf4fbuWGs9AqCE1y
|
|||
systemd-pass: ENC[AES256_GCM,data:3bEqqWsnBHOgzD95YqwDvg==,iv:ack6EGhE2GzxwRi3gwj1A19Tzi2PJ9iiisMrKozPV/M=,tag:uCR51yn9dAG2x9DCfo1mGQ==,type:str]
|
||||
z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHwm4IGwUu+67O4gPYZmd1h4=,tag:iceTSLsRuADiOgZ5cnlnjw==,type:str]
|
||||
tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
|
||||
vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
|
||||
vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
|
||||
openiscsi-config: ENC[AES256_GCM,data:xyZVJRzR4vK+UAtq3+/QcszLIlcHXYifHnFKm5tVbFUj3c7PjxYGLkvXZfFvERStewdNIQ==,iv:BcbEupXiLECXwfETaVOqfHQ+vkBbrGxkQn54WBYug54=,tag:e0cddYTQAfzSk2AhvzJFvA==,type:str]
|
||||
openiscsi-env: ENC[AES256_GCM,data:uAlnrtk64UQukKBWHYrH5J4Ys+GIpu5zDg==,iv:7ahUk9nocs4cSgtr/A4G0Xhlp7pZj/bUlUDLMMYEAMk=,tag:rE2mdBGT3kZqyoDIaKUY3w==,type:str]
|
||||
systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
|
||||
|
|
@ -39,8 +37,8 @@ sops:
|
|||
VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
|
||||
7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-01-13T20:45:28Z"
|
||||
mac: ENC[AES256_GCM,data:733JRbccdRsiar7P00Dbg91w6qyORH7D0dC+11xhx50SAI5PHr9yAjQyP5lFqf629imNMUBmZ3Fh/eC+BlZSoCuUWheQvQVXUmPsI1RftOgRFzOHqIn/ColrG2PkaOzNHrpWMzRa3mpe0q4bQLco10/rcUPYZtbRNGZbSBta/M4=,iv:1z+h3ZLi+f8qQfN8amejoX8akN6j4+mdW+/02mEh6Pk=,tag:KsTaK+EIYLI9BHNsaPODwA==,type:str]
|
||||
lastmodified: "2024-01-14T17:09:08Z"
|
||||
mac: ENC[AES256_GCM,data:8c0s0CS48jjcnrT45el5qWWI9MAIF4zP3vhR7B0I1QDSBk6id52t9x0N+/yF/VwfDOpZ5rj72GxI46yleMQqgutzuqZve3Bwhk46uVoPQ+21lgVAzHd+DJ3pBddczSjzFKrKWi4HJz1jhf3bsNxIMqDhxj0TPcgnRnsn98M6rqc=,iv:sQEttA+NTQqLptxyCquOgjc6pyLRei8500DQHB3fAnU=,tag:Z5dL7mRIy+1wsrrIR1oMEA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-03-10T17:06:53Z"
|
||||
enc: |
|
||||
|
|
|
|||