treewide: implement port-magic v2

Max Headroom 2022-06-18 02:44:51 +02:00
parent 76b5dddf81
commit 59d5f9d884
18 changed files with 122 additions and 92 deletions


@ -2,19 +2,19 @@
let let
inherit (tools.meta) domain; inherit (tools.meta) domain;
apiAddr = "api.${domain}"; apiAddr = "api.${domain}";
proxyTarget = "http://127.0.0.1:${config.portsStr.api}"; proxyTarget = config.links.api.url;
proxy = tools.nginx.vhosts.proxy proxyTarget; proxy = tools.nginx.vhosts.proxy proxyTarget;
in in
{ {
# n8n uses "Sustainable Use License" # n8n uses "Sustainable Use License"
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
reservePortsFor = [ "api" ]; links.api.protocol = "http";
services.n8n = { services.n8n = {
enable = true; enable = true;
settings = { settings = {
port = config.ports.api; inherit (config.links.api) port;
}; };
}; };


@ -1,17 +1,17 @@
{ config, lib, tools, ... }: { config, lib, tools, ... }:
with tools.nginx; with tools.nginx;
{ {
reservePortsFor = [ "bitwarden" ]; links.bitwarden.protocol = "http";
services.nginx.virtualHosts = mappers.mapSubdomains { services.nginx.virtualHosts = mappers.mapSubdomains {
keychain = vhosts.proxy "http://127.0.0.1:${config.portsStr.bitwarden}"; keychain = vhosts.proxy config.links.bitwarden.url;
}; };
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
backupDir = "/srv/storage/private/bitwarden/backups"; backupDir = "/srv/storage/private/bitwarden/backups";
config = { config = {
dataFolder = "/srv/storage/private/bitwarden/data"; dataFolder = "/srv/storage/private/bitwarden/data";
rocketPort = config.ports.bitwarden; rocketPort = config.links.bitwarden.port;
}; };
#environmentFile = ""; # TODO: agenix #environmentFile = ""; # TODO: agenix
}; };


@ -17,8 +17,6 @@ let
(mapPaths config) (mapPaths config)
); );
port = config.portsStr.ghost;
contentPath = "/srv/storage/private/ghost"; contentPath = "/srv/storage/private/ghost";
in in
@ -29,7 +27,7 @@ in
mode = "0400"; mode = "0400";
}; };
reservePortsFor = [ "ghost" ]; links.ghost.protocol = "http";
users.users.ghost = { users.users.ghost = {
isSystemUser = true; isSystemUser = true;
@ -99,7 +97,7 @@ in
}; };
server = { server = {
host = "127.0.0.1"; host = "127.0.0.1";
inherit port; inherit (config.links.ghost) port;
}; };
privacy.useTinfoil = true; privacy.useTinfoil = true;
@ -110,6 +108,6 @@ in
}; };
}; };
services.nginx.virtualHosts."blog.${domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${port}"; services.nginx.virtualHosts."blog.${domain}" = tools.nginx.vhosts.proxy config.links.ghost.url;
} }
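Review bot: `host = "127.0.0.1";` in the ghost `server` block stays a literal while `port` now comes from `config.links.ghost`, so the bind address and the proxy target `config.links.ghost.url` can drift apart if that link's address is ever changed. `host = config.links.ghost.ipv4;` keeps both derived from the same link, the way this commit already reads `.ipv4` from links in other files. The enclosing attribute set continues outside the hunk.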


@ -1,7 +1,21 @@
{ config, lib, tools, ... }: { config, lib, tools, ... }:
with tools.nginx; with tools.nginx;
{ {
reservePortsFor = [ "ombi" ]; links = {
ombi.protocol = "http";
radarr = {
protocol = "http";
port = 7878;
};
sonarr = {
protocol = "http";
port = 8989;
};
prowlarr = {
protocol = "http";
port = 9696;
};
};
services = { services = {
radarr = { radarr = {
@ -15,14 +29,14 @@ with tools.nginx;
}; };
ombi = { ombi = {
enable = true; enable = true;
port = config.ports.ombi; inherit (config.links.ombi) port;
}; };
nginx.virtualHosts = mappers.mapSubdomains { nginx.virtualHosts = with config.links; mappers.mapSubdomains {
radarr = vhosts.proxy "http://127.0.0.1:7878"; radarr = vhosts.proxy radarr.url;
sonarr = vhosts.proxy "http://127.0.0.1:8989"; sonarr = vhosts.proxy sonarr.url;
fbi-index = vhosts.proxy "http://127.0.0.1:9696"; fbi-index = vhosts.proxy prowlarr.url;
fbi-requests = vhosts.proxy "http://127.0.0.1:${config.portsStr.ombi}"; fbi-requests = vhosts.proxy ombi.url;
}; };
}; };
systemd.services.radarr.serviceConfig.Slice = "mediamanagement.slice"; systemd.services.radarr.serviceConfig.Slice = "mediamanagement.slice";
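Review bot: The new `links` block pins radarr, sonarr and prowlarr to 7878, 8989 and 9696, but nothing in the visible hunks feeds those ports back into the service definitions (the `services.radarr` body lies between the two hunks), so these entries appear to mirror ports configured inside the applications themselves rather than control them. A comment on that block, `# radarr/sonarr/prowlarr bind the ports set in their own config; these must match`, would keep the next reader from expecting the link to set the listener. The `services` attribute set continues outside the hunk.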


@ -31,15 +31,15 @@ in
) )
); );
reservePortsFor = [ "hydra" ]; links.hydra.protocol = "http";
services.nginx.appendHttpConfig = '' services.nginx.appendHttpConfig = ''
limit_req_zone $binary_remote_addr zone=hydra_api_push_limiter:10m rate=1r/m; limit_req_zone $binary_remote_addr zone=hydra_api_push_limiter:10m rate=1r/m;
''; '';
services.nginx.virtualHosts."hydra.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.hydra}") { services.nginx.virtualHosts."hydra.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy config.links.hydra.url) {
locations."/api/push" = { locations."/api/push" = {
proxyPass = "http://127.0.0.1:${config.portsStr.hydra}"; proxyPass = config.links.hydra.url;
extraConfig = '' extraConfig = ''
auth_request off; auth_request off;
proxy_method PUT; proxy_method PUT;
@ -54,7 +54,7 @@ in
services.hydra = { services.hydra = {
enable = true; enable = true;
hydraURL = "https://hydra.${domain}"; hydraURL = "https://hydra.${domain}";
port = config.ports.hydra; inherit (config.links.hydra) port;
notificationSender = "hydra@${domain}"; notificationSender = "hydra@${domain}";
buildMachinesFiles = [ "/etc/nix/hydra-machines" ]; buildMachinesFiles = [ "/etc/nix/hydra-machines" ];
useSubstitutes = true; useSubstitutes = true;


@ -3,7 +3,7 @@ with tools.nginx;
let let
inherit (tools.meta) domain; inherit (tools.meta) domain;
cfg = config.services.ipfs; cfg = config.services.ipfs;
gwPort = config.portsStr.ipfsGateway; gw = config.links.ipfsGateway;
in in
{ {
imports = [ imports = [
@ -31,7 +31,7 @@ in
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"top-level.${domain}".locations = { "top-level.${domain}".locations = {
"~ ^/ip[fn]s" = { "~ ^/ip[fn]s" = {
proxyPass = "http://127.0.0.1:${gwPort}"; proxyPass = gw.url;
extraConfig = '' extraConfig = ''
add_header X-Content-Type-Options ""; add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
@ -43,7 +43,7 @@ in
locations = { locations = {
"= /".return = "404"; "= /".return = "404";
"~ ^/ip[fn]s" = { "~ ^/ip[fn]s" = {
proxyPass = "http://127.0.0.1:${gwPort}"; proxyPass = gw.url;
extraConfig = '' extraConfig = ''
add_header X-Content-Type-Options ""; add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;
@ -54,7 +54,7 @@ in
}; };
"ipfs.admin.${domain}" = vhosts.basic // { "ipfs.admin.${domain}" = vhosts.basic // {
locations."/api".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; locations."/api".proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:";
locations."/ipns/webui.ipfs.${domain}".proxyPass = "http://127.0.0.1:${gwPort}/ipns/webui.ipfs.${domain}"; locations."/ipns/webui.ipfs.${domain}".proxyPass = "${gw.url}/ipns/webui.ipfs.${domain}";
locations."= /".return = "302 /ipns/webui.ipfs.${domain}"; locations."= /".return = "302 /ipns/webui.ipfs.${domain}";
locations."/debug/metrics/prometheus" = { locations."/debug/metrics/prometheus" = {
proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:"; proxyPass = "http://unix:/run/ipfs/ipfs-api.sock:";
@ -85,7 +85,7 @@ in
useACMEHost = "ipfs.${domain}"; useACMEHost = "ipfs.${domain}";
locations = { locations = {
"/" = { "/" = {
proxyPass = "http://127.0.0.1:${gwPort}"; proxyPass = gw.url;
extraConfig = '' extraConfig = ''
add_header X-Content-Type-Options ""; add_header X-Content-Type-Options "";
add_header Access-Control-Allow-Origin *; add_header Access-Control-Allow-Origin *;


@ -1,6 +1,6 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ {
reservePortsFor = [ "mc-num" ]; links.mc-num = {};
services.modded-minecraft-servers.instances.num = { services.modded-minecraft-servers.instances.num = {
enable = true; enable = true;
rsyncSSHKeys = [ rsyncSSHKeys = [
@ -10,7 +10,7 @@
jvmInitialAllocation = "2G"; jvmInitialAllocation = "2G";
jvmMaxAllocation = "8G"; jvmMaxAllocation = "8G";
serverConfig = { serverConfig = {
server-port = config.ports.mc-num; server-port = config.links.mc-num.port;
motd = "Welcome to num's minecraft server"; motd = "Welcome to num's minecraft server";
}; };
}; };
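Review bot: `links.mc-num = {};` declares the link with neither protocol nor address, and the only attribute read from it is `.port` at `server-port`; the visible `serverConfig` sets no `server-ip`, so the link's `ipv4`/`url` would not describe where this server actually listens. A short comment on the link, `# port reservation only; the bind address is not derived from this link`, would make that explicit before someone proxies to `config.links.mc-num.url`.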


@ -2,7 +2,7 @@
let let
inherit (tools.meta) domain; inherit (tools.meta) domain;
inherit (config) ports portsStr; inherit (config) links;
cfg = { inherit (config.services) loki; }; cfg = { inherit (config.services) loki; };
@ -34,10 +34,21 @@ in
file = ../../../../secrets/grafana-secrets.age; file = ../../../../secrets/grafana-secrets.age;
}; };
reservePortsFor = [ "grafana" "prometheus" "loki" "loki-grpc" ]; links = {
grafana.protocol = "http";
prometheus.protocol = "http";
loki = {
protocol = "http";
ipv4 = myNode.hypr.addr;
};
loki-grpc = {
protocol = "grpc";
ipv4 = myNode.hypr.addr;
};
};
services.grafana = { services.grafana = {
enable = true; enable = true;
port = ports.grafana; inherit (links.grafana) port;
rootUrl = "https://monitoring.${domain}/"; rootUrl = "https://monitoring.${domain}/";
dataDir = "/srv/storage/private/grafana"; dataDir = "/srv/storage/private/grafana";
analytics.reporting.enable = false; analytics.reporting.enable = false;
@ -63,13 +74,13 @@ in
datasources = [ datasources = [
{ {
name = "Prometheus"; name = "Prometheus";
url = "http://127.0.0.1:${portsStr.prometheus}"; inherit (links.prometheus) url;
type = "prometheus"; type = "prometheus";
isDefault = true; isDefault = true;
} }
{ {
name = "Loki"; name = "Loki";
url = "http://${myNode.hypr.addr}:${portsStr.loki}"; inherit (links.loki) url;
type = "loki"; type = "loki";
} }
]; ];
@ -80,14 +91,14 @@ in
EnvironmentFile = config.age.secrets.grafana-secrets.path; EnvironmentFile = config.age.secrets.grafana-secrets.path;
}; };
services.nginx.virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://127.0.0.1:${portsStr.grafana}") { services.nginx.virtualHosts."monitoring.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy links.grafana.url) {
locations."/".proxyWebsockets = true; locations."/".proxyWebsockets = true;
}; };
services.prometheus = { services.prometheus = {
enable = true; enable = true;
listenAddress = "127.0.0.1"; listenAddress = links.prometheus.ipv4;
port = ports.prometheus; inherit (links.prometheus) port;
globalConfig = { globalConfig = {
scrape_interval = "60s"; scrape_interval = "60s";
}; };
@ -129,12 +140,12 @@ in
auth_enabled = false; auth_enabled = false;
server = { server = {
log_level = "warn"; log_level = "warn";
http_listen_address = myNode.hypr.addr; http_listen_address = links.loki.ipv4;
http_listen_port = ports.loki; http_listen_port = links.loki.port;
grpc_listen_address = "127.0.0.1"; grpc_listen_address = links.loki-grpc.ipv4;
grpc_listen_port = ports.loki-grpc; grpc_listen_port = links.loki-grpc.port;
}; };
frontend_worker.frontend_address = "127.0.0.1:${portsStr.loki-grpc}"; frontend_worker.frontend_address = links.loki-grpc.tuple;
ingester = { ingester = {
lifecycler = { lifecycler = {
address = "127.0.0.1"; address = "127.0.0.1";
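Review bot: In the loki `server` block, `grpc_listen_address` moves from the literal `"127.0.0.1"` to `links.loki-grpc.ipv4`, and the new `links.loki-grpc` entry sets `ipv4 = myNode.hypr.addr`, so the gRPC listener (with `auth_enabled = false` a few lines above) now binds the hypr address instead of loopback; `frontend_worker.frontend_address` follows it. If the local query frontend is the only gRPC client, dropping `ipv4 = myNode.hypr.addr;` from the `loki-grpc` link restores the loopback bind, assuming the link module defaults `ipv4` to loopback, which is not visible here. If remote gRPC access is intended, the firewall rule permitting it should land with this change. `services.prometheus.listenAddress` likewise now depends on that same default rather than the former literal.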


@ -10,8 +10,8 @@ in
{ {
services.nginx.upstreams.nar-serve.extraConfig = '' services.nginx.upstreams.nar-serve.extraConfig = ''
random; random;
server 127.0.0.1:${config.portsStr.nar-serve-self} fail_timeout=0; server ${config.links.nar-serve-self.tuple} fail_timeout=0;
server 127.0.0.1:${config.portsStr.nar-serve-nixos-org} fail_timeout=0; server ${config.links.nar-serve-nixos-org.tuple} fail_timeout=0;
''; '';
services.nginx.appendHttpConfig = '' services.nginx.appendHttpConfig = ''
proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off; proxy_cache_path /var/cache/nginx/nixstore levels=1:2 keys_zone=nixstore:10m max_size=10g inactive=24h use_temp_path=off;


@ -12,11 +12,11 @@
}; };
in in
{ {
reservePortsFor = [ links = {
"nar-serve-self" nar-serve-self.protocol = "http";
"nar-serve-nixos-org" nar-serve-nixos-org.protocol = "http";
]; };
systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.portsStr.nar-serve-self; systemd.services.nar-serve-self = mkNarServe "https://cache.${tools.meta.domain}" config.links.nar-serve-self.portStr;
systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.portsStr.nar-serve-nixos-org; systemd.services.nar-serve-nixos-org = mkNarServe "https://cache.nixos.org" config.links.nar-serve-nixos-org.portStr;
} }


@ -1,8 +1,7 @@
{ config, inputs, lib, pkgs, tools, ... }: { config, inputs, lib, pkgs, tools, ... }:
with tools.nginx; with tools.nginx;
let let
minioPort = config.portsStr.minio; inherit (config) links;
consolePort = config.portsStr.minioConsole;
mapPaths = lib.mapAttrsRecursive ( mapPaths = lib.mapAttrsRecursive (
path: value: lib.nameValuePair path: value: lib.nameValuePair
@ -17,7 +16,10 @@ let
); );
in in
{ {
reservePortsFor = [ "minio" "minioConsole" ]; links = {
minio.protocol = "http";
minioConsole.protocol = "http";
};
age.secrets.minio-root-credentials = { age.secrets.minio-root-credentials = {
file = ../../../../secrets/minio-root-credentials.age; file = ../../../../secrets/minio-root-credentials.age;
@ -30,8 +32,8 @@ in
rootCredentialsFile = config.age.secrets.minio-root-credentials.path; rootCredentialsFile = config.age.secrets.minio-root-credentials.path;
dataDir = [ "/srv/storage/objects" ]; dataDir = [ "/srv/storage/objects" ];
browser = true; browser = true;
listenAddress = "127.0.0.1:${minioPort}"; listenAddress = links.minio.tuple;
consoleAddress = "127.0.0.1:${consolePort}"; consoleAddress = links.minioConsole.tuple;
}; };
systemd.services.minio.serviceConfig = { systemd.services.minio.serviceConfig = {
Slice = "remotefshost.slice"; Slice = "remotefshost.slice";
@ -40,17 +42,17 @@ in
# TODO: vhosts.proxy? # TODO: vhosts.proxy?
"object-storage" = vhosts.basic // { "object-storage" = vhosts.basic // {
locations = { locations = {
"/".proxyPass = "http://127.0.0.1:${minioPort}"; "/".proxyPass = links.minio.url;
"= /dashboard".proxyPass = "http://127.0.0.1:${minioPort}"; "= /dashboard".proxyPass = links.minio.url;
}; };
extraConfig = "client_max_body_size 4G;"; extraConfig = "client_max_body_size 4G;";
}; };
"console.object-storage" = vhosts.basic // { "console.object-storage" = vhosts.basic // {
locations = { locations = {
"/".proxyPass = "http://127.0.0.1:${consolePort}"; "/".proxyPass = links.minioConsole.url;
}; };
}; };
"cdn" = lib.recursiveUpdate (vhosts.proxy "http://127.0.0.1:${minioPort}/content-delivery$request_uri") { "cdn" = lib.recursiveUpdate (vhosts.proxy "${links.minio.url}/content-delivery$request_uri") {
locations."= /".return = "302 /index.html"; locations."= /".return = "302 /index.html";
}; };
}; };


@ -1,9 +1,9 @@
{ config, inputs, lib, pkgs, tools, ... }: { config, inputs, lib, pkgs, tools, ... }:
let let
port = config.portsStr.searxng; inherit (config) links;
in in
{ {
reservePortsFor = [ "searxng" ]; links.searxng.protocol = "http";
age.secrets.searxng-secrets.file = ../../../../secrets/searxng-secrets.age; age.secrets.searxng-secrets.file = ../../../../secrets/searxng-secrets.age;
services.searx = { services.searx = {
@ -45,14 +45,14 @@ in
}; };
}; };
uwsgiConfig = { uwsgiConfig = {
http = "127.0.0.1:${port}"; http = links.searxng.tuple;
cache2 = "name=searxcache,items=2000,blocks=2000,blocksize=65536,bitmap=1"; cache2 = "name=searxcache,items=2000,blocks=2000,blocksize=65536,bitmap=1";
buffer-size = 65536; buffer-size = 65536;
env = ["SEARXNG_SETTINGS_PATH=/run/searx/settings.yml"]; env = ["SEARXNG_SETTINGS_PATH=/run/searx/settings.yml"];
disable-logging = true; disable-logging = true;
}; };
}; };
services.nginx.virtualHosts."search.${tools.meta.domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://127.0.0.1:${port}") { services.nginx.virtualHosts."search.${tools.meta.domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy links.searxng.url) {
extraConfig = "access_log off;"; extraConfig = "access_log off;";
}; };
systemd.services.uwsgi.after = [ "wireguard-wgmv-es7.service" "network-addresses-wgmv-es7.service" ]; systemd.services.uwsgi.after = [ "wireguard-wgmv-es7.service" "network-addresses-wgmv-es7.service" ];


@ -3,6 +3,7 @@ let
host = tools.identity.autoDomain "sips"; host = tools.identity.autoDomain "sips";
inherit (inputs.self.packages.${pkgs.system}) sips; inherit (inputs.self.packages.${pkgs.system}) sips;
inherit (config) links;
connStringNet = "host=127.0.0.1 sslmode=disable dbname=sips user=sips"; connStringNet = "host=127.0.0.1 sslmode=disable dbname=sips user=sips";
connString = "host=/var/run/postgresql dbname=sips user=sips"; connString = "host=/var/run/postgresql dbname=sips user=sips";
@ -23,14 +24,18 @@ in
mode = "0400"; mode = "0400";
}; };
reservePortsFor = [ "sips" "sipsInternal" "sipsIpfsApiProxy" ]; links = {
sips.protocol = "http";
sipsInternal.protocol = "http";
sipsIpfsApiProxy.protocol = "http";
};
systemd.services.sips = { systemd.services.sips = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" "postgresql.service" ]; after = [ "network.target" "postgresql.service" ];
requires = [ "sips-ipfs-api-proxy.service" ]; requires = [ "sips-ipfs-api-proxy.service" ];
serviceConfig = { serviceConfig = {
ExecStart = "${sips}/bin/sips --dbdriver postgres --db \"${connString}\" --addr 127.0.0.1:${config.portsStr.sipsInternal} --api http://127.0.0.1:${config.portsStr.sipsIpfsApiProxy} --apitimeout 604800s"; ExecStart = "${sips}/bin/sips --dbdriver postgres --db \"${connString}\" --addr ${links.sipsInternal.tuple} --api ${links.sipsIpfsApiProxy.url} --apitimeout 604800s";
PrivateNetwork = true; PrivateNetwork = true;
DynamicUser = true; DynamicUser = true;
}; };
@ -41,7 +46,7 @@ in
after = [ "network.target" "sips.service" ]; after = [ "network.target" "sips.service" ];
bindsTo = [ "sips.service" ]; bindsTo = [ "sips.service" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.socat}/bin/socat tcp4-listen:${config.portsStr.sipsIpfsApiProxy},fork,reuseaddr,bind=127.0.0.1 unix-connect:/run/ipfs/ipfs-api.sock"; ExecStart = "${pkgs.socat}/bin/socat tcp4-listen:${links.sipsIpfsApiProxy.portStr},fork,reuseaddr,bind=${links.sipsIpfsApiProxy.ipv4} unix-connect:/run/ipfs/ipfs-api.sock";
PrivateNetwork = true; PrivateNetwork = true;
DynamicUser = true; DynamicUser = true;
SupplementaryGroups = "ipfs"; SupplementaryGroups = "ipfs";
@ -54,7 +59,7 @@ in
bindsTo = [ "sips.service" ]; bindsTo = [ "sips.service" ];
requires = [ "sips-proxy.socket" ]; requires = [ "sips-proxy.socket" ];
serviceConfig = { serviceConfig = {
ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd 127.0.0.1:${config.portsStr.sipsInternal}"; ExecStart = "${config.systemd.package}/lib/systemd/systemd-socket-proxyd ${links.sipsInternal.tuple}";
PrivateNetwork = true; PrivateNetwork = true;
DynamicUser = true; DynamicUser = true;
SupplementaryGroups = "ipfs"; SupplementaryGroups = "ipfs";
@ -66,11 +71,11 @@ in
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
socketConfig = { socketConfig = {
ListenStream = "127.0.0.1:${config.portsStr.sips}"; ListenStream = "${links.sips.tuple}";
}; };
}; };
environment.systemPackages = [ sipsctl ]; environment.systemPackages = [ sipsctl ];
services.nginx.virtualHosts.${host} = tools.nginx.vhosts.proxy "http://127.0.0.1:${config.portsStr.sips}"; services.nginx.virtualHosts.${host} = tools.nginx.vhosts.proxy links.sips.url;
} }
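Review bot: `ListenStream = "${links.sips.tuple}";` interpolates a value that is already a string; `ListenStream = links.sips.tuple;` matches how the `ExecStart` lines in this section use the links. Separately, the socat proxy in `sips-ipfs-api-proxy` now takes its `bind=` address from `links.sipsIpfsApiProxy.ipv4` instead of the former literal `127.0.0.1`; since that listener forwards straight to the IPFS API socket, it is worth confirming that the link module's default address is loopback (not visible here) or pinning `ipv4 = "127.0.0.1";` on that link so a later default change cannot widen it.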


@ -3,10 +3,11 @@ with tools.nginx;
let let
login = "login.${tools.meta.domain}"; login = "login.${tools.meta.domain}";
cfg = config.services.keycloak; cfg = config.services.keycloak;
kc = config.links.keycloak;
in in
{ {
tested.requiredChecks = [ "keycloak" ]; tested.requiredChecks = [ "keycloak" ];
reservePortsFor = [ "keycloak" ]; links.keycloak.protocol = "http";
imports = [ imports = [
./identity-management.nix ./identity-management.nix
@ -18,7 +19,7 @@ in
mode = "0400"; mode = "0400";
}; };
services.nginx.virtualHosts = { services.nginx.virtualHosts = {
"${login}" = lib.recursiveUpdate (vhosts.proxy "http://${cfg.settings.http-host}:${config.portsStr.keycloak}") { "${login}" = lib.recursiveUpdate (vhosts.proxy kc.url) {
locations."= /".return = "302 /auth/realms/master/account/"; locations."= /".return = "302 /auth/realms/master/account/";
}; };
"account.${domain}" = vhosts.redirect "https://${login}/auth/realms/master/account/"; "account.${domain}" = vhosts.redirect "https://${login}/auth/realms/master/account/";
@ -31,8 +32,8 @@ in
passwordFile = config.age.secrets.keycloak-dbpass.path; passwordFile = config.age.secrets.keycloak-dbpass.path;
}; };
settings = { settings = {
http-host = "127.0.0.1"; http-host = kc.ipv4;
http-port = config.ports.keycloak; http-port = kc.port;
hostname = login; hostname = login;
proxy = "edge"; proxy = "edge";
# for backcompat, TODO: remove # for backcompat, TODO: remove


@ -5,13 +5,13 @@ let
flakePkgs = inputs.self.packages.${pkgs.system}; flakePkgs = inputs.self.packages.${pkgs.system};
port = config.portsStr.uptime-kuma; link = config.links.uptime-kuma;
dataDir = "/srv/storage/private/uptime-kuma"; dataDir = "/srv/storage/private/uptime-kuma";
in in
{ {
reservePortsFor = [ "uptime-kuma" ]; links.uptime-kuma.protocol = "http";
users.users.uptime-kuma = { users.users.uptime-kuma = {
isSystemUser = true; isSystemUser = true;
@ -62,8 +62,8 @@ in
environment = { environment = {
NODE_ENV = "production"; NODE_ENV = "production";
DATA_DIR = dataDir; DATA_DIR = dataDir;
UPTIME_KUMA_HOST = "127.0.0.1"; UPTIME_KUMA_HOST = link.ipv4;
UPTIME_KUMA_PORT = port; UPTIME_KUMA_PORT = link.portStr;
UPTIME_KUMA_HIDE_LOG = lib.concatStringsSep "," [ UPTIME_KUMA_HIDE_LOG = lib.concatStringsSep "," [
"debug_monitor" "debug_monitor"
"info_monitor" "info_monitor"
@ -71,7 +71,7 @@ in
}; };
}; };
services.nginx.virtualHosts."status.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy "http://127.0.0.1:${port}") { services.nginx.virtualHosts."status.${domain}" = lib.recursiveUpdate (tools.nginx.vhosts.proxy link.url) {
locations = { locations = {
"/".proxyWebsockets = true; "/".proxyWebsockets = true;
"=/".return = "302 /status/${builtins.replaceStrings ["."] ["-"] domain}"; "=/".return = "302 /status/${builtins.replaceStrings ["."] ["-"] domain}";


@ -1,9 +1,7 @@
{ config, inputs, pkgs, tools, ... }: { config, inputs, pkgs, tools, ... }:
let {
port = config.portsStr.nixIpfs; links.nixIpfs.protocol = "http";
in {
reservePortsFor = [ "nixIpfs" ];
systemd.services.nix-ipfs-cache = { systemd.services.nix-ipfs-cache = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -14,7 +12,7 @@ in {
CacheDirectory = "nix-ipfs-cache"; CacheDirectory = "nix-ipfs-cache";
}; };
environment = { environment = {
REFLEX_PORT = port; REFLEX_PORT = config.links.nixIpfs.portStr;
IPFS_API = config.services.ipfs.apiAddress; IPFS_API = config.services.ipfs.apiAddress;
NIX_CACHES = toString [ NIX_CACHES = toString [
"https://cache.nixos.org" "https://cache.nixos.org"
@ -24,5 +22,5 @@ in {
}; };
}; };
services.nginx.virtualHosts."reflex.${tools.meta.domain}" = tools.nginx.vhosts.proxy "http://127.0.0.1:${port}"; services.nginx.virtualHosts."reflex.${tools.meta.domain}" = tools.nginx.vhosts.proxy config.links.nixIpfs.url;
} }


@ -4,7 +4,7 @@ let
cfg = config.services.ipfs; cfg = config.services.ipfs;
apiAddress = "/unix/run/ipfs/ipfs-api.sock"; apiAddress = "/unix/run/ipfs/ipfs-api.sock";
ipfsApi = pkgs.writeTextDir "api" apiAddress; ipfsApi = pkgs.writeTextDir "api" apiAddress;
gwPort = config.portsStr.ipfsGateway; gw = config.links.ipfsGateway;
in in
{ {
age.secrets.ipfs-swarm-key = { age.secrets.ipfs-swarm-key = {
@ -14,7 +14,7 @@ in
inherit (cfg) group; inherit (cfg) group;
}; };
reservePortsFor = [ "ipfsGateway" ]; links.ipfsGateway.protocol = "http";
networking.firewall = { networking.firewall = {
allowedTCPPorts = [ 4001 ]; allowedTCPPorts = [ 4001 ];
@ -28,7 +28,7 @@ in
autoMigrate = false; autoMigrate = false;
inherit apiAddress; inherit apiAddress;
gatewayAddress = "/ip4/127.0.0.1/tcp/${gwPort}"; gatewayAddress = "/ip4/${gw.ipv4}/tcp/${gw.portStr}";
dataDir = "/srv/storage/ipfs/repo"; dataDir = "/srv/storage/ipfs/repo";
localDiscovery = false; localDiscovery = false;


@ -4,16 +4,17 @@ let
writeJSON = filename: data: pkgs.writeText filename (builtins.toJSON data); writeJSON = filename: data: pkgs.writeText filename (builtins.toJSON data);
inherit (config) ports portsStr;
relabel = from: to: { relabel = from: to: {
source_labels = [ from ]; source_labels = [ from ];
target_label = to; target_label = to;
}; };
in in
{ {
# same as remote loki port # remote loki
reservePortsFor = [ "loki" ]; links.loki = {
protocol = "http";
ipv4 = hosts.VEGAS.hypr.addr;
};
services.journald.extraConfig = "Storage=volatile"; services.journald.extraConfig = "Storage=volatile";
@ -41,7 +42,7 @@ in
server.disable = true; server.disable = true;
positions.filename = "\${STATE_DIRECTORY:/tmp}/promtail-positions.yaml"; positions.filename = "\${STATE_DIRECTORY:/tmp}/promtail-positions.yaml";
clients = [ clients = [
{ url = "http://${hosts.VEGAS.hypr.addr}:${portsStr.loki}/loki/api/v1/push"; } { url = "${config.links.loki.url}/loki/api/v1/push"; }
]; ];
scrape_configs = [ scrape_configs = [
{ {