This commit is contained in:
xyno (Philipp Hochkamp) 2023-06-30 01:16:49 +02:00
parent 94d60b5a4e
commit 061293e537
35 changed files with 319 additions and 276 deletions


@ -39,6 +39,7 @@
networking.defaultGateway6 = { address = "2a00:6800:3::1"; interface = "ens3"; };
networking.defaultGateway = { address = "195.90.208.1"; interface = "ens3"; };
networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
networking.useDHCP = false;
# networking.interfaces.eno1.useDHCP = true;
networking.hostId = "7c28236a";
@ -54,9 +55,28 @@
root_url = "https://beliskner.kangaroo-galaxy.ts.net/";
};
};
services.grafana.settings = {
analytics.reporting_enabled = false;
users = {
allow_sign_up = false;
};
#auth.proxy = ''
# enabled = true
# header_name = "X-Webauth-User"
# header_property = "username"
# auto_sign_up = true
# allow_sign_up = true
# whitelist = "127.0.0.1, ::1"
#'';
};
ragon.agenix.secrets."prometheusBlackboxConfig" = { owner = config.services.prometheus.exporters.blackbox.user; };
users.groups.${config.services.prometheus.exporters.blackbox.user} = { };
users.users.${config.services.prometheus.exporters.blackbox.user} = {
isSystemUser = true;
group = config.services.prometheus.exporters.blackbox.user;
};
services.prometheus.exporters.blackbox = {
enable = true;
configFile = config.age.secrets.prometheusBlackboxConfig.path;
@ -69,54 +89,50 @@
virtualHosts = {
"beliskner.kangaroo-galaxy.ts.net" = {
extraConfig = ''
reverse_proxy :${toString config.services.grafana.settings.server.http_port}
forward_auth unix//run/tailscale.nginx-auth.sock {
uri /auth
header_up Remote-Addr {remote_host}
header_up Remote-Port {remote_port}
header_up Original-URI {uri}
copy_headers {
Tailscale-User>X-Webauth-User
Tailscale-Name>X-Webauth-Name
Tailscale-Login>X-Webauth-Login
Tailscale-Tailnet>X-Webauth-Tailnet
Tailscale-Profile-Picture>X-Webauth-Profile-Picture
}
}
#forward_auth unix//run/tailscale/tailscaled.sock {
# uri /auth
# header_up Remote-Addr {remote_host}
# header_up Remote-Port {remote_port}
# header_up Original-URI {uri}
# copy_headers {
# Tailscale-User>X-Webauth-User
# Tailscale-Name>X-Webauth-Name
# Tailscale-Login>X-Webauth-Login
# Tailscale-Tailnet>X-Webauth-Tailnet
# Tailscale-Profile-Picture>X-Webauth-Profile-Picture
# }
#}
reverse_proxy {
to http://localhost:${toString config.services.grafana.settings.server.http_port}
flush_interval -1
transport http {
keepalive 310s
compression off
}
}
'';
};
};
};
networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ];
services.grafana.settings = {
analytics.reporting_enabled = false;
users = {
allow_sign_up = false;
};
auth.proxy = ''
enabled = true
header_name = "X-Webauth-User"
header_property = "username"
auto_sign_up = true
allow_sign_up = true
whitelist = "127.0.0.1, ::1"
'';
};
services.tailscale = {
enable = true;
permitCertUid = "caddy";
};
age.identityPaths = lib.mkForce [ "/nix/persistent/etc/ssh/ssh_host_ed25519_key" ];
ragon = {
cli.enable = false;
user.enable = false;
persist.enable = true;
persist.baseDir = "/nix/persistent";
persist.extraDirectories = [
"/var/lib/tailscale"
"/var/lib/caddy"
"/var/log"
];
services = {
ssh.enable = true;
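Review bot: The `forward_auth` block in the virtualHost's `extraConfig` makes Caddy the only component that asserts `X-Webauth-User`, but nothing in this section pins Grafana to loopback, and `networking.firewall.trustedInterfaces = [ "lo" "tailscale0" ]` opens every port to tailnet peers, so a peer that reaches Grafana's `http_port` directly could supply its own `X-Webauth-User` and skip Caddy entirely. Setting `services.grafana.settings.server.http_addr = "127.0.0.1";` next to the existing `http_port`, and keeping the `auth.proxy` `whitelist = "127.0.0.1, ::1"` line active whenever proxy auth is enabled, limits that to the reverse proxy; if the commented-out `#auth.proxy` copy in the first `services.grafana.settings` block is the new side, the copied headers are no longer consumed at all and that should be stated in a comment, e.g. `# auth.proxy disabled: Caddy forward_auth headers are currently ignored by Grafana`. The two `forward_auth` variants also point at different sockets (`/run/tailscale.nginx-auth.sock` vs `/run/tailscale/tailscaled.sock`); the commented-out one reads as a leftover and can be dropped so the trusted identity path is unambiguous. The enclosing `services.caddy` attribute set and the `ragon.services` set both begin or end outside this hunk.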