From b892e420aba0fa286e2186bde4826f0814694076 Mon Sep 17 00:00:00 2001
From: arcnmx
Date: Sun, 14 Jan 2024 09:40:34 -0800
Subject: [PATCH] refactor: move kanidm to tei

---
 modules/nixos/access.nix     | 24 ++++++++++++++++++++
 nixos/access/zigbee2mqtt.nix | 44 +++++++++++++++++++++++++++---------
 systems/tei/cloudflared.nix  | 13 ++++-------
 systems/tei/nixos.nix        | 12 ++++++++++
 systems/tei/secrets.yaml     |  6 +++--
 systems/tewi/nixos.nix       |  3 ---
 systems/tewi/secrets.yaml    |  6 ++---
 7 files changed, 80 insertions(+), 28 deletions(-)
 create mode 100644 modules/nixos/access.nix

diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix
new file mode 100644
index 00000000..00452943
--- /dev/null
+++ b/modules/nixos/access.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf;
+  inherit (lib.options) mkOption;
+  inherit (config.networking) hostName;
+in {
+  options.networking.access = with lib.types; {
+    hostnameForNetwork = mkOption {
+      type = attrsOf str;
+      default = { };
+    };
+  };
+
+  config.networking.access = {
+    hostnameForNetwork = {
+      local = mkIf config.services.avahi.enable "${hostName}.local";
+      tail = mkIf config.services.tailscale.enable "${hostName}.tail.cutie.moe";
+      global = mkIf config.networking.enableIPv6 "${hostName}.cutie.moe";
+    };
+  };
+}
diff --git a/nixos/access/zigbee2mqtt.nix b/nixos/access/zigbee2mqtt.nix
index a719fcf8..e8226090 100644
--- a/nixos/access/zigbee2mqtt.nix
+++ b/nixos/access/zigbee2mqtt.nix
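Review bot: The new `hostnameForNetwork` option and its three keys carry no `description`, and the keys are not equivalent from a security standpoint: `local` is an mDNS `.local` name that is resolved on the LAN without any authentication, `tail` is resolved inside the tailnet, and `global` is public DNS. Since the consumer in this same patch splices these names into cleartext `http://` service URLs (systems/tei/cloudflared.nix), that distinction belongs on the option itself, e.g. `description = "Names by which this host is reachable, keyed by network: local (mDNS, unauthenticated), tail (tailnet), global (public DNS). Consumers proxying plain HTTP should prefer tail.";`. The `global` entry is gated on `networking.enableIPv6`, which presumably mirrors how the cutie.moe records are published; a one-line comment stating that would save the next reader guessing.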
@@ -4,19 +4,41 @@
   ...
 }: let
-  inherit (lib.modules) mkDefault;
+  inherit (lib.options) mkOption;
+  inherit (lib.modules) mkIf mkDefault mkOptionDefault;
   cfg = config.services.zigbee2mqtt;
+  access = config.services.nginx.access.zigbee2mqtt;
 in {
-  services.nginx.virtualHosts.${cfg.domain} = {
-    vouch.enable = true;
-    locations = {
-      "/" = {
-        proxyPass = mkDefault "http://127.0.0.1:${toString cfg.settings.frontend.port}";
-        extraConfig = ''
-          proxy_set_header Upgrade $http_upgrade;
-          proxy_set_header Connection "upgrade";
-          proxy_http_version 1.1;
-        '';
+  options.services.nginx.access.zigbee2mqtt = with lib.types; {
+    host = mkOption {
+      type = str;
+    };
+    domain = mkOption {
+      type = str;
+    };
+    port = mkOption {
+      type = port;
+    };
+  };
+  config.services.nginx = {
+    access.zigbee2mqtt = mkIf cfg.enable {
+      domain = mkOptionDefault cfg.domain;
+      host = mkOptionDefault "localhost";
+      port = mkIf (cfg.settings ? frontend.port) (
+        mkOptionDefault cfg.settings.frontend.port
+      );
+    };
+    virtualHosts.${access.domain} = {
+      vouch.enable = true;
+      locations = {
+        "/" = {
+          proxyPass = mkDefault "http://${access.host}:${toString access.port}";
+          extraConfig = ''
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_http_version 1.1;
+          '';
+        };
       };
     };
   };
diff --git a/systems/tei/cloudflared.nix b/systems/tei/cloudflared.nix
index a80c193d..ebdd9d1c 100644
--- a/systems/tei/cloudflared.nix
+++ b/systems/tei/cloudflared.nix
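Review bot: The three new `services.nginx.access.zigbee2mqtt` options have no `description`, and `host` is the one that needs it: `proxyPass` in this hunk is plain `http://${access.host}:…`, so whenever `host` is not `localhost` the proxied traffic, including the requests that have already passed the vouch check, crosses the network in cleartext. I would state that expectation on the option, e.g. `description = "Upstream host nginx proxies to over plain HTTP; when it is not localhost it should be a name on a trusted network, such as networking.access.hostnameForNetwork.tail of the zigbee2mqtt host.";`, and give `domain` and `port` one-line descriptions as well. `vouch.enable = true` on the vhost is retained, so authentication at the edge is unchanged by this refactor.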
@@ -12,11 +12,8 @@
   systemFor = hostName: if hostName == config.networking.hostName then config else meta.network.nodes.${hostName};
-  accessHostFor = { hostName, access ? "local", ... }: let
-    host = {
-      local = "${hostName}.local";
-      tail = "${hostName}.tail.cutie.moe";
-    }.${access} or (throw "unsupported access ${access}");
+  accessHostFor = { hostName, system ? systemFor hostName, access ? "local", ... }: let
+    host = system.networking.access.hostnameForNetwork.${access} or (throw "unsupported access ${access}");
   in if hostName == config.networking.hostName then "localhost" else host;
   ingressForNginx = { host ? system.networking.fqdn, port ? 80, hostName, system ? systemFor hostName }@args: nameValuePair host {
     service = "http://${accessHostFor args}:${toString port}";
@@ -44,10 +41,10 @@ in {
     default = "http_status:404";
     ingress = listToAttrs [
       (ingressForNginx { host = config.networking.domain; inherit hostName; })
-      (ingressForNginx rec { host = (systemFor hostName).services.zigbee2mqtt.domain; hostName = "tewi"; })
+      (ingressForNginx { host = (systemFor "tewi").services.zigbee2mqtt.domain; inherit hostName; })
       (ingressForHass { hostName = "tewi"; })
-      (ingressForVouch { hostName = "tewi"; })
-      (ingressForKanidm { hostName = "tewi"; })
+      (ingressForVouch { inherit hostName; })
+      (ingressForKanidm { inherit hostName; })
     ];
     extraTunnel.ingress = mkMerge [
       (listToAttrs [
diff --git a/systems/tei/nixos.nix b/systems/tei/nixos.nix
index 369c0f77..ddca09a2 100644
--- a/systems/tei/nixos.nix
+++ b/systems/tei/nixos.nix
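Review bot: `accessHostFor` still defaults to `access ? "local"`, and after this change that selects `hostnameForNetwork.local`, an mDNS `.local` name that is resolved on the LAN without authentication, while the value is spliced into a cleartext `service = "http://…"` URL; any caller that does not pass `access` explicitly therefore sends tunnel traffic to whichever LAN host answers for `tewi.local`. Now that the lookup is done on the target system, the default can prefer the tailnet name when the target defines one: `access ? (if system.networking.access.hostnameForNetwork ? tail then "tail" else "local")`. The `or (throw …)` fallback is the right direction, since a network the target does not define aborts evaluation instead of silently proxying somewhere else. The `ingressFor*` helpers that decide which callers pass `access` are only partly visible in this hunk.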
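Review bot: `(ingressForHass { hostName = "tewi"; })` keeps Home Assistant served from tewi's nginx, but this same patch removes `nixos.vouch` and `nixos.kanidm` from tewi (systems/tewi/nixos.nix); if the hass vhost on tewi relies on `vouch.enable` the way the zigbee2mqtt vhost did, that ingress now either fails to evaluate or is published through the tunnel without the auth proxy in front of it. The hass access module is not in the diff, so I cannot tell which; it is worth confirming that hass is still vouch-gated after deploy, or fronting it from tei's nginx the way zigbee2mqtt was moved in this hunk. The `rec` removal on the zigbee2mqtt entry is correct, since `hostName` is now the tunnel host rather than "tewi".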
@@ -11,10 +11,22 @@
     nixos.postgres
     nixos.nginx
     nixos.access.gensokyo
+    nixos.access.zigbee2mqtt
+    nixos.vouch
+    nixos.kanidm
     ./cloudflared.nix
   ];

   sops.defaultSopsFile = ./secrets.yaml;

+  services.nginx.access.zigbee2mqtt = let
+    inherit (meta.network.nodes) tewi;
+    z2m = tewi.services.zigbee2mqtt;
+  in {
+    inherit (z2m) domain;
+    inherit (z2m.settings.frontend) port;
+    host = tewi.networking.access.hostnameForNetwork.tail;
+  };
+
   system.stateVersion = "23.11";
 }
diff --git a/systems/tei/secrets.yaml b/systems/tei/secrets.yaml
index 19d17739..580a8c85 100644
--- a/systems/tei/secrets.yaml
+++ b/systems/tei/secrets.yaml
@@ -1,4 +1,6 @@
 tailscale-key: ENC[AES256_GCM,data:0ify9ntv5wgr8S8wUdV72mbjt3h/jjceFnocMEIndeEJ1VYTINKlyoPL8VxVJpsi0QxtH7T7pvw=,iv:iapyEmjAT2gGBj+fTfSRtGX1/cvBmqbyI9h1flPprPM=,tag:UZDyojQcVwkquDPiRtfGKQ==,type:str]
+vouch-client-secret: ENC[AES256_GCM,data:NSWRuvWo0uI1F4VP3NcMGwzlt1ctiaKG1g8XX91t2OU9UvdkuLYZYEzWfG7UEk2d,iv:HP3Q3kABV2tdHITPJlYQmv/iA4cu/ldC0BwPxKGFJU8=,tag:zCNF6POLbB5+Yzq+LeK5WQ==,type:str]
+vouch-jwt: ENC[AES256_GCM,data:Oh6iNnyx6LnlBAW+Hs94qdVOxPJ/fiKDxCN+FRTp+yp8xReC8Ky0tC+NlO18hwuAiFoR++sQ4cUlWJbGZqmtRA==,iv:TNDcvq8LeWYENc+oY+JIgM6pdbkEj/PFhBjpO2UIPCg=,tag:zt5kivDX4WTLwcWmR4vmpQ==,type:str]
 postgresql-init: ENC[AES256_GCM,data:AJY1PhgQ/vPYAugA+oqlm2CUjI+RZ3zVOd2zdMMtFt+uLmcxoAyap/zxvVDzCzzNY/jqAJnUaAr1aYw9Nd2icSMurR4=,iv:S4d4+1ncVlEzy50eU1lyPi3gPC+yvVZe6kGZa+oK2KU=,tag:U98pYwYf3sJRmB7Ac8g9Fw==,type:str]
 cloudflared-tunnel-apartment: ENC[AES256_GCM,data:ysak+T+01jwznciOLY8xq6vkL+7ELiby7EBoEU2fdJSblsnd6EX736vkNZQV8QznDy5hdJtMLddFGSxUHgWujkFIK7Ra8dbK+QoYLdEmgkaZqyHy95fWwkjUc4d8OyxPA4YVRfGYh2NOBhE++YXy7zeZbvlau55CydQT9EyiCh1QkJwCURfG65iCJ7Ml36X+GeB4F4i1JZsvqsz4mXhP9WgqgzwuWA==,iv:PHRsxe+0P20TwT/a14AeiLjh5RFbY1zm9HKaIiunTw8=,tag:/z4dsGKjKz5l6ISL0lX0KQ==,type:str]
 cloudflared-tunnel-apartment-deluge: ENC[AES256_GCM,data:Itq8yrIwCsvc3E2KOijK8TJqdw==,iv:+MMas0vLUb5p0kvXduMFa0D/nxkIZ6rOG9EpTjnCL0U=,tag:rD0NPDfP+wemrEsFbN/ZXA==,type:str]
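Review bot: `host = tewi.networking.access.hostnameForNetwork.tail;` is the right choice for a cleartext upstream, but nothing in the file says why, and the same decision is made independently by `accessHostFor` in ./cloudflared.nix; I would add `# proxy to tewi over the tailnet: the upstream is plain HTTP, so never use the mDNS .local name here` above it so the next edit does not "simplify" it to `local`. `inherit (z2m.settings.frontend) port;` also bypasses the `cfg.settings ? frontend.port` guard that the zigbee2mqtt access module uses, so tei's evaluation now hard-fails if tewi ever drops the frontend port; that is fail-closed and acceptable, but a comment noting that tei's config depends on tewi's is worth having. If tewi has tailscale disabled the `.tail` attribute is absent and evaluation aborts, which is also the safe direction.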
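Review bot: `vouch-client-secret` and `vouch-jwt` are being re-encrypted for tei after having lived on tewi, and the diff cannot show whether the plaintext was rotated; if the same JWT signing key is reused, session cookies minted by the old vouch instance on tewi remain valid against the one on tei, and the OAuth client secret stays known to a host that no longer needs it. I would rotate both as part of the move and, if the kanidm client still lists tewi's redirect URI for vouch, remove it. Dropping the two keys from systems/tewi/secrets.yaml in this same patch is the right other half of that cleanup.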
@@ -18,8 +20,8 @@ sops:
             bGU0VHd0aFhHRC91WHh0Z0Y4TTE5QzgKpHehWfoJT4F1TtMHJ0tZkoJAPFAihQ7T
             aunsQeLHJkHv1eWKpraTmo+04GVZofwId/1TtOContveBynfxcuG7Q==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-13T20:45:42Z"
-    mac: ENC[AES256_GCM,data:SVaQKEzVgl50f73vQHmAyy/Wq7fiiB5a5tZgToQ/Nc6yaC40ktApvhjVwlsNTJS6lfuLZ6krM+Ka0XzO3GRnj8MsrlIinhZaK7kP7+wPODZrSBVxgqT8Dpp/0JnB6/pplR1aVooC3GfP66Q3RPowkS+3CI/Oeor7D3hdDyX4b+0=,iv:+vp9BUG6N/lPeYFjtxM41JqpXKvX3oRqF6lSgZnN92Q=,tag:uPYI+XE218bjmacO9LWkIw==,type:str]
+    lastmodified: "2024-01-14T17:09:19Z"
+    mac: ENC[AES256_GCM,data:EiWpfwx/hiad44XeqmIYUvrvM5h/qzMScfwmbPBal+Za8edTGZ4tD+pD0+HDj/V7AQj4d7sSMtg9Y4UZnmyYK1qUD1Yx0BF2+9XjtGNAtayZc1rkoD7aBsb5IlTymp8GIJrEgUhBZAOPbrgMgqHHgZQXN9ym4bDRjPIwY/u0aUs=,iv:WhWGzQk4anrdIaf7EbVeReKiMw6z1w1wdrdpAGjJqIs=,tag:k8G5rvOgdjBaVVRmVyL9hg==,type:str]
     pgp:
         - created_at: "2024-01-07T21:18:21Z"
           enc: |-
diff --git a/systems/tewi/nixos.nix b/systems/tewi/nixos.nix
index 5706b36c..69409330 100644
--- a/systems/tewi/nixos.nix
+++ b/systems/tewi/nixos.nix
@@ -44,9 +44,6 @@ in {
     nixos.sops
     nixos.tailscale
     nixos.nginx
-    nixos.access.zigbee2mqtt
-    nixos.vouch
-    nixos.kanidm
     nixos.mosquitto
     nixos.zigbee2mqtt
     nixos.deluge
diff --git a/systems/tewi/secrets.yaml b/systems/tewi/secrets.yaml
index 760a944a..f927802a 100644
--- a/systems/tewi/secrets.yaml
+++ b/systems/tewi/secrets.yaml
@@ -3,8 +3,6 @@ hass-pass: ENC[AES256_GCM,data:LvoI4sQ77HpYdmNoPLQ=,iv:oAQGTqBh1sf4fbuWGs9AqCE1y
 systemd-pass: ENC[AES256_GCM,data:3bEqqWsnBHOgzD95YqwDvg==,iv:ack6EGhE2GzxwRi3gwj1A19Tzi2PJ9iiisMrKozPV/M=,tag:uCR51yn9dAG2x9DCfo1mGQ==,type:str]
 z2m-pass: ENC[AES256_GCM,data:1bqOab8EQbniAMeL9XRmDg==,iv:uUU3kbuCRIGaueTPE54EHwm4IGwUu+67O4gPYZmd1h4=,tag:iceTSLsRuADiOgZ5cnlnjw==,type:str]
 tailscale-key: ENC[AES256_GCM,data:dGqnKoCFSF6ZmeptOP7bGy4HYDdUCC1oTdXpiUURDgXl/FltOKExby0=,iv:c8yN1XLk3ZAAzkBozzHJ9BWerWdiNQG/p8e46j8cZyo=,tag:E5Ey5R+t372yLE6XegoOrA==,type:str]
-vouch-client-secret: ENC[AES256_GCM,data:4MZL99JM4AeUcUfZ8a335utxgqvdH5PCc1R3KAvuOGpaWFGmU7CaD3vV5eLJ62gJ,iv:n1xbPBHi2TcZ12lm7LqItv2aOo7dkgzRh10uxFsy3yM=,tag:+fmJzYMhbiUae/kSyWbT5Q==,type:str]
-vouch-jwt: ENC[AES256_GCM,data:XDalZtedsBNnDYApmWpdYR9yHBvNXA2DlMmKyCPmcMlqTlbAIVL702/HzTaWLvwpgVXpn3pgG8hNXm9rUE764Q==,iv:qyvGCsildhYgzQiYQ4M0H6eFYrKp8aTkwEeZywpQqHM=,tag:ogtAgvpYE43VPhLhD4NuNA==,type:str]
 openiscsi-config: ENC[AES256_GCM,data:xyZVJRzR4vK+UAtq3+/QcszLIlcHXYifHnFKm5tVbFUj3c7PjxYGLkvXZfFvERStewdNIQ==,iv:BcbEupXiLECXwfETaVOqfHQ+vkBbrGxkQn54WBYug54=,tag:e0cddYTQAfzSk2AhvzJFvA==,type:str]
 openiscsi-env: ENC[AES256_GCM,data:uAlnrtk64UQukKBWHYrH5J4Ys+GIpu5zDg==,iv:7ahUk9nocs4cSgtr/A4G0Xhlp7pZj/bUlUDLMMYEAMk=,tag:rE2mdBGT3kZqyoDIaKUY3w==,type:str]
 systemd2mqtt-env: ENC[AES256_GCM,data:Zo3+acCcMWgai2ERKbmOlI0hvdkOlNviBqeLb1ALuA==,iv:NxXBDCEevBRqMDY9/3z/Uq2+vENswkYTgTa82wKc32U=,tag:01WUphYRJrwmHv9HE4ac8w==,type:str]
@@ -39,8 +37,8 @@ sops:
             VndVTG0zQWhsUHcwTkFjK2ZPdzRPUUEKJ3flgZ6/s+TjlFgzsANYaOFiEPQuE4zR
             7npNUDFLe26Q32G3j/lLSBzZZfKoOC5SOSp9TB8eWMYSxfNnXEIu0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-13T20:45:28Z"
-    mac: ENC[AES256_GCM,data:733JRbccdRsiar7P00Dbg91w6qyORH7D0dC+11xhx50SAI5PHr9yAjQyP5lFqf629imNMUBmZ3Fh/eC+BlZSoCuUWheQvQVXUmPsI1RftOgRFzOHqIn/ColrG2PkaOzNHrpWMzRa3mpe0q4bQLco10/rcUPYZtbRNGZbSBta/M4=,iv:1z+h3ZLi+f8qQfN8amejoX8akN6j4+mdW+/02mEh6Pk=,tag:KsTaK+EIYLI9BHNsaPODwA==,type:str]
+    lastmodified: "2024-01-14T17:09:08Z"
+    mac: ENC[AES256_GCM,data:8c0s0CS48jjcnrT45el5qWWI9MAIF4zP3vhR7B0I1QDSBk6id52t9x0N+/yF/VwfDOpZ5rj72GxI46yleMQqgutzuqZve3Bwhk46uVoPQ+21lgVAzHd+DJ3pBddczSjzFKrKWi4HJz1jhf3bsNxIMqDhxj0TPcgnRnsn98M6rqc=,iv:sQEttA+NTQqLptxyCquOgjc6pyLRei8500DQHB3fAnU=,tag:Z5dL7mRIy+1wsrrIR1oMEA==,type:str]
     pgp:
         - created_at: "2023-03-10T17:06:53Z"
           enc: |