nix-config/hosts/elisabeth/guests.nix

{
  config,
  stateVersion,
  inputs,
  lib,
  minimal,
  nodes,
  ...
}: let
  domainOf = hostName: let
    domains = {
      adguardhome = "adguardhome";
      forgejo = "git";
      immich = "immich";
      nextcloud = "nc";
      ollama = "ollama";
      paperless = "ppl";
      ttrss = "rss";
      vaultwarden = "pw";
      yourspotify = "sptfy";
      apispotify = "apisptfy";
      kanidm = "auth";
      oauth2-proxy = "oauth2";
    };
  in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";
  # TODO hard coded elisabeth nicht so schön
  ipOf = hostName: nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;
in {
  services.nginx = let
    blockOf = hostName: {
      virtualHostExtraConfig ? "",
      maxBodySize ? "500M",
      port ? 3000,
      upstream ? hostName,
      protocol ? "http",
    }: {
      upstreams.${hostName} = {
        servers."${ipOf upstream}:${toString port}" = {};
        extraConfig = ''
          zone ${hostName} 64k ;
          keepalive 5 ;
        '';
      };
      virtualHosts.${domainOf hostName} = {
        forceSSL = true;
        useACMEHost = "web";
        locations."/" = {
          proxyPass = "${protocol}://${hostName}";
          proxyWebsockets = true;
          X-Frame-Options = "SAMEORIGIN";
        };
        extraConfig =
          ''
            client_max_body_size ${maxBodySize} ;
          ''
          + virtualHostExtraConfig;
      };
    };
  in
    lib.mkMerge [
      {
        enable = true;
        recommendedSetup = true;
      }
      (blockOf "vaultwarden" {maxBodySize = "1G";})
      (blockOf "forgejo" {maxBodySize = "1G";})
      (blockOf "immich" {maxBodySize = "5G";})
      (lib.mkMerge
        [
          (
            blockOf "adguardhome"
            {
            }
          )
          {
            virtualHosts.${domainOf "adguardhome"} = {
              locations."/".extraConfig = ''
                auth_request /oauth2/auth;
                error_page 401 = /oauth2/sign_in;

                # pass information via X-User and X-Email headers to backend,
                # requires running with --set-xauthrequest flag
                auth_request_set $user   $upstream_http_x_auth_request_user;
                auth_request_set $email  $upstream_http_x_auth_request_email;
                proxy_set_header X-User  $user;
                proxy_set_header X-Email $email;

                # if you enabled --cookie-refresh, this is needed for it to work with auth_request
                auth_request_set $auth_cookie $upstream_http_set_cookie;
                add_header Set-Cookie $auth_cookie;
              '';
              locations."/oauth2/" = {
                proxyPass = "http://oauth2-proxy";
                extraConfig = ''
                  proxy_set_header X-Scheme                $scheme;
                  proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
                '';
              };

              locations."= /oauth2/auth" = {
                proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
                extraConfig = ''
                  internal;

                  proxy_set_header X-Scheme         $scheme;
                  # nginx auth_request includes headers but not body
                  proxy_set_header Content-Length   "";
                  proxy_pass_request_body           off;
                '';
              };
            };
          }
        ])
      (lib.mkMerge [
        (blockOf "oauth2-proxy" {})
        {
          virtualHosts.${domainOf "oauth2-proxy"} = {
            locations."/".extraConfig = ''
              auth_request /oauth2/auth;
              error_page 401 = /oauth2/sign_in;

              # pass information via X-User and X-Email headers to backend,
              # requires running with --set-xauthrequest flag
              auth_request_set $user   $upstream_http_x_auth_request_user;
              auth_request_set $email  $upstream_http_x_auth_request_email;
              proxy_set_header X-User  $user;
              proxy_set_header X-Email $email;

              # if you enabled --cookie-refresh, this is needed for it to work with auth_request
              auth_request_set $auth_cookie $upstream_http_set_cookie;
              add_header Set-Cookie $auth_cookie;
            '';

            locations."/oauth2/" = {
              proxyPass = "http://oauth2-proxy";
              extraConfig = ''
                proxy_set_header X-Scheme                $scheme;
                proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
              '';
            };

            locations."= /oauth2/auth" = {
              proxyPass = "http://oauth2-proxy/oauth2/auth";
              extraConfig = ''
                internal;

                proxy_set_header X-Scheme         $scheme;
                # nginx auth_request includes headers but not body
                proxy_set_header Content-Length   "";
                proxy_pass_request_body           off;
              '';
            };
          };
        }
      ])
      (blockOf "paperless" {maxBodySize = "5G";})
      (blockOf "ttrss" {port = 80;})
      (blockOf "yourspotify" {port = 80;})
      (blockOf "apispotify" {
        port = 80;
        upstream = "yourspotify";
      })
      (blockOf "nextcloud" {
        maxBodySize = "5G";
        port = 80;
      })
      (blockOf "kanidm"
        {
          protocol = "https";
          virtualHostExtraConfig = ''
            proxy_ssl_verify off ;
          '';
        })
    ];

  guests = let
    mkGuest = guestName: {
      enablePanzer ? false,
      enableRenaultFT ? false,
      enableBunker ? false,
      enableSharedPaperless ? false,
      ...
    }: {
      autostart = true;
      zfs."/state" = {
        pool = "rpool";
        dataset = "local/guests/${guestName}";
      };
      zfs."/persist" = {
        pool = "rpool";
        dataset = "safe/guests/${guestName}";
      };
      zfs."/panzer" = lib.mkIf enablePanzer {
        pool = "panzer";
        dataset = "safe/guests/${guestName}";
      };
      zfs."/renaultft" = lib.mkIf enableRenaultFT {
        pool = "renaultft";
        dataset = "safe/guests/${guestName}";
      };
      # kinda not necesarry should be removed on next reimaging
      zfs."/bunker" = lib.mkIf enableBunker {
        pool = "panzer";
        dataset = "bunker/guests/${guestName}";
      };
      zfs."/paperless" = lib.mkIf enableSharedPaperless {
        pool = "panzer";
        dataset = "bunker/shared/paperless";
      };
      modules = [
        ../../modules/config
        ../../modules/services/${guestName}.nix
        {
          node.secretsDir = config.node.secretsDir + "/${guestName}";
          networking.nftables.firewall.zones.untrusted.interfaces = [config.guests.${guestName}.networking.mainLinkName];
          systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
            DHCP = lib.mkForce "no";
            address = [
              (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4)
              (lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv6)
            ];
            gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];
          };
        }
      ];
    };

    #deadnix: skip
    mkMicrovm = guestName: cfg: {
      ${guestName} =
        mkGuest guestName cfg
        // {
          backend = "microvm";
          microvm = {
            system = "x86_64-linux";
            macvtap = "lan";
            baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;
          };
          extraSpecialArgs = {
            inherit (inputs.self) nodes;
            inherit (inputs.self.pkgs.x86_64-linux) lib;
            inherit inputs minimal stateVersion;
          };
        };
    };

    mkContainer = guestName: cfg: {
      ${guestName} =
        mkGuest guestName cfg
        // {
          backend = "container";
          container.macvlan = "lan";
          extraSpecialArgs = {
            inherit lib nodes inputs minimal stateVersion;
          };
        };
    };
  in
    {}
    // mkContainer "adguardhome" {}
    // mkContainer "oauth2-proxy" {}
    // mkContainer "vaultwarden" {}
    // mkContainer "ddclient" {}
    // mkContainer "ollama" {}
    // mkContainer "ttrss" {}
    // mkContainer "yourspotify" {}
    // mkContainer "kanidm" {}
    // mkContainer "nextcloud" {
      enablePanzer = true;
    }
    // mkContainer "paperless" {
      enableSharedPaperless = true;
    }
    // mkContainer "forgejo" {
      enablePanzer = true;
    }
    // mkMicrovm "immich" {
      enablePanzer = true;
    }
    // mkContainer "samba" {
      enablePanzer = true;
      enableRenaultFT = true;
      enableBunker = true;
      enableSharedPaperless = true;
    };
}
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`{`
			`config,`
			`stateVersion,`
			`inputs,`
			`lib,`
			`minimal,`
			`nodes,`
			`...`
			`}: let`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`domainOf = hostName: let`
			`domains = {`
			`adguardhome = "adguardhome";`
			`forgejo = "git";`
			`immich = "immich";`
			`nextcloud = "nc";`
			`ollama = "ollama";`
			`paperless = "ppl";`
			`ttrss = "rss";`
			`vaultwarden = "pw";`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`yourspotify = "sptfy";`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`apispotify = "apisptfy";`
			`kanidm = "auth";`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`oauth2-proxy = "oauth2";`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`};`
			`in "${domains.${hostName}}.${config.secrets.secrets.global.domains.web}";`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`# TODO hard coded elisabeth nicht so schön`
			`ipOf = hostName: nodes."elisabeth-${hostName}".config.wireguard.elisabeth.ipv4;`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`in {`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`services.nginx = let`
			`blockOf = hostName: {`
			`virtualHostExtraConfig ? "",`
			`maxBodySize ? "500M",`
			`port ? 3000,`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`upstream ? hostName,`
			`protocol ? "http",`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`}: {`
			`upstreams.${hostName} = {`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`servers."${ipOf upstream}:${toString port}" = {};`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`extraConfig = ''`
			`zone ${hostName} 64k ;`
			`keepalive 5 ;`
			`'';`
feat: gitea config 2024-01-12 15:47:43 +01:00			`};`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`virtualHosts.${domainOf hostName} = {`
			`forceSSL = true;`
			`useACMEHost = "web";`
			`locations."/" = {`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`proxyPass = "${protocol}://${hostName}";`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`proxyWebsockets = true;`
			`X-Frame-Options = "SAMEORIGIN";`
			`};`
			`extraConfig =`
			`''`
			`client_max_body_size ${maxBodySize} ;`
			`''`
			`+ virtualHostExtraConfig;`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`};`
			`};`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`in`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`lib.mkMerge [`
			`{`
			`enable = true;`
			`recommendedSetup = true;`
			`}`
			`(blockOf "vaultwarden" {maxBodySize = "1G";})`
			`(blockOf "forgejo" {maxBodySize = "1G";})`
			`(blockOf "immich" {maxBodySize = "5G";})`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`(lib.mkMerge`
			`[`
			`(`
			`blockOf "adguardhome"`
			`{`
			`}`
			`)`
			`{`
			`virtualHosts.${domainOf "adguardhome"} = {`
			`locations."/".extraConfig = ''`
			`auth_request /oauth2/auth;`
			`error_page 401 = /oauth2/sign_in;`

			`# pass information via X-User and X-Email headers to backend,`
			`# requires running with --set-xauthrequest flag`
			`auth_request_set $user $upstream_http_x_auth_request_user;`
			`auth_request_set $email $upstream_http_x_auth_request_email;`
			`proxy_set_header X-User $user;`
			`proxy_set_header X-Email $email;`

			`# if you enabled --cookie-refresh, this is needed for it to work with auth_request`
			`auth_request_set $auth_cookie $upstream_http_set_cookie;`
			`add_header Set-Cookie $auth_cookie;`
			`'';`
			`locations."/oauth2/" = {`
			`proxyPass = "http://oauth2-proxy";`
			`extraConfig = ''`
			`proxy_set_header X-Scheme $scheme;`
			`proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;`
			`'';`
			`};`

			`locations."= /oauth2/auth" = {`
			`proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";`
			`extraConfig = ''`
			`internal;`

			`proxy_set_header X-Scheme $scheme;`
			`# nginx auth_request includes headers but not body`
			`proxy_set_header Content-Length "";`
			`proxy_pass_request_body off;`
			`'';`
			`};`
			`};`
			`}`
			`])`
			`(lib.mkMerge [`
			`(blockOf "oauth2-proxy" {})`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`{`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`virtualHosts.${domainOf "oauth2-proxy"} = {`
			`locations."/".extraConfig = ''`
			`auth_request /oauth2/auth;`
			`error_page 401 = /oauth2/sign_in;`

			`# pass information via X-User and X-Email headers to backend,`
			`# requires running with --set-xauthrequest flag`
			`auth_request_set $user $upstream_http_x_auth_request_user;`
			`auth_request_set $email $upstream_http_x_auth_request_email;`
			`proxy_set_header X-User $user;`
			`proxy_set_header X-Email $email;`

			`# if you enabled --cookie-refresh, this is needed for it to work with auth_request`
			`auth_request_set $auth_cookie $upstream_http_set_cookie;`
			`add_header Set-Cookie $auth_cookie;`
			`'';`

			`locations."/oauth2/" = {`
			`proxyPass = "http://oauth2-proxy";`
			`extraConfig = ''`
			`proxy_set_header X-Scheme $scheme;`
			`proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;`
			`'';`
			`};`

			`locations."= /oauth2/auth" = {`
			`proxyPass = "http://oauth2-proxy/oauth2/auth";`
			`extraConfig = ''`
			`internal;`

			`proxy_set_header X-Scheme $scheme;`
			`# nginx auth_request includes headers but not body`
			`proxy_set_header Content-Length "";`
			`proxy_pass_request_body off;`
			`'';`
			`};`
			`};`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`}`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`])`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`(blockOf "paperless" {maxBodySize = "5G";})`
			`(blockOf "ttrss" {port = 80;})`
			`(blockOf "yourspotify" {port = 80;})`
			`(blockOf "apispotify" {`
			`port = 80;`
			`upstream = "yourspotify";`
			`})`
			`(blockOf "nextcloud" {`
			`maxBodySize = "5G";`
			`port = 80;`
			`})`
			`(blockOf "kanidm"`
			`{`
			`protocol = "https";`
			`virtualHostExtraConfig = ''`
			`proxy_ssl_verify off ;`
			`'';`
			`})`
			`];`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`guests = let`
			`mkGuest = guestName: {`
			`enablePanzer ? false,`
			`enableRenaultFT ? false,`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`enableBunker ? false,`
feat: paperless 2024-01-18 00:39:25 +01:00			`enableSharedPaperless ? false,`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`...`
			`}: {`
			`autostart = true;`
			`zfs."/state" = {`
			`pool = "rpool";`
			`dataset = "local/guests/${guestName}";`
			`};`
			`zfs."/persist" = {`
			`pool = "rpool";`
			`dataset = "safe/guests/${guestName}";`
			`};`
			`zfs."/panzer" = lib.mkIf enablePanzer {`
			`pool = "panzer";`
			`dataset = "safe/guests/${guestName}";`
			`};`
			`zfs."/renaultft" = lib.mkIf enableRenaultFT {`
			`pool = "renaultft";`
			`dataset = "safe/guests/${guestName}";`
			`};`
chore: simplified nginx setup 2024-03-14 20:07:10 +01:00			`# kinda not necesarry should be removed on next reimaging`
feat: added remote backups 2024-01-15 02:13:46 +01:00			`zfs."/bunker" = lib.mkIf enableBunker {`
			`pool = "panzer";`
			`dataset = "bunker/guests/${guestName}";`
			`};`
feat: paperless 2024-01-18 00:39:25 +01:00			`zfs."/paperless" = lib.mkIf enableSharedPaperless {`
			`pool = "panzer";`
			`dataset = "bunker/shared/paperless";`
			`};`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`modules = [`
			`../../modules/config`
			`../../modules/services/${guestName}.nix`
			`{`
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`node.secretsDir = config.node.secretsDir + "/${guestName}";`
feat: added local wireguard routing 2024-03-14 23:08:42 +01:00			`networking.nftables.firewall.zones.untrusted.interfaces = [config.guests.${guestName}.networking.mainLinkName];`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {`
			`DHCP = lib.mkForce "no";`
feat: setup elisabeth 2024-01-13 16:07:55 +01:00			`address = [`
feat: added local IPv6 2024-02-10 17:53:16 +01:00			`(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4)`
			`(lib.net.cidr.hostCidr config.secrets.secrets.global.net.ips."${config.guests.${guestName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv6)`
feat: setup elisabeth 2024-01-13 16:07:55 +01:00			`];`
feat: added local IPv6 2024-02-10 17:53:16 +01:00			`gateway = [(lib.net.cidr.host 1 config.secrets.secrets.global.net.privateSubnetv4)];`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`};`
			`}`
			`];`
			`};`

			`#deadnix: skip`
			`mkMicrovm = guestName: cfg: {`
			`${guestName} =`
			`mkGuest guestName cfg`
			`// {`
			`backend = "microvm";`
			`microvm = {`
			`system = "x86_64-linux";`
			`macvtap = "lan";`
feat: immich working 2024-01-21 00:43:50 +01:00			`baseMac = config.secrets.secrets.local.networking.interfaces.lan01.mac;`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`};`
			`extraSpecialArgs = {`
			`inherit (inputs.self) nodes;`
			`inherit (inputs.self.pkgs.x86_64-linux) lib;`
			`inherit inputs minimal stateVersion;`
			`};`
			`};`
			`};`

			`mkContainer = guestName: cfg: {`
			`${guestName} =`
			`mkGuest guestName cfg`
			`// {`
			`backend = "container";`
			`container.macvlan = "lan";`
			`extraSpecialArgs = {`
			`inherit lib nodes inputs minimal stateVersion;`
			`};`
			`};`
			`};`
			`in`
			`{}`
			`// mkContainer "adguardhome" {}`
feat: oauth2-proxy 2024-03-19 00:46:35 +01:00			`// mkContainer "oauth2-proxy" {}`
feat: vaultwarden config 2024-01-12 17:16:37 +01:00			`// mkContainer "vaultwarden" {}`
feat: ddclient container 2024-01-13 19:23:51 +01:00			`// mkContainer "ddclient" {}`
chore: flake update feat: ollama server 2024-01-26 01:04:08 +01:00			`// mkContainer "ollama" {}`
feat: ttrss 2024-02-13 18:07:45 +01:00			`// mkContainer "ttrss" {}`
feat: more authelia config 2024-03-02 22:26:12 +01:00			`// mkContainer "yourspotify" {}`
feat: switch to kanidm instead 2024-03-05 00:34:50 +01:00			`// mkContainer "kanidm" {}`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`// mkContainer "nextcloud" {`
			`enablePanzer = true;`
			`}`
feat: paperless 2024-01-18 00:39:25 +01:00			`// mkContainer "paperless" {`
			`enableSharedPaperless = true;`
			`}`
feat: kanidm provision feat: move gitea to forgejo feat: fix streamdeck 2024-03-12 18:19:52 +01:00			`// mkContainer "forgejo" {`
feat: gitea config 2024-01-12 15:47:43 +01:00			`enablePanzer = true;`
			`}`
feat: immich working 2024-01-21 00:43:50 +01:00			`// mkMicrovm "immich" {`
feat: started immich impl 2024-01-20 21:07:00 +01:00			`enablePanzer = true;`
			`}`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`// mkContainer "samba" {`
			`enablePanzer = true;`
			`enableRenaultFT = true;`
feat: paperless 2024-01-18 00:39:25 +01:00			`enableBunker = true;`
			`enableSharedPaperless = true;`
feat: adguard home feat: implement extra module containers feat: final smb confi feat: final nextcloud confi feat: rework networks ip feat: move acme and ddclient to server 2024-01-11 22:42:03 +01:00			`};`
			`}`