chore: test basic auth with influx, but seems to conflict with internal auth

2025-10-11 07:10:39 +02:00 · 2023-06-25 14:37:25 +02:00 · 2023-06-25 14:37:25 +02:00 · 10a52642ad
commit 10a52642ad
parent 6e15d49cbc
5 changed files with 43 additions and 3 deletions
--- a/hosts/ward/microvms/influxdb/default.nix
+++ b/hosts/ward/microvms/influxdb/default.nix
@ -36,6 +36,26 @@ in {
  nodes.sentinel = {
    providedDomains.influxdb = influxdbDomain;
    # Not actually used on the system, but to allow us to provision tokens
    # when generating secrets.
    age.secrets.admin-influxdb-basic-auth-password = {
      rekeyFile = ./secrets/admin-influxdb-basic-auth-password.age;
      generator = "alnum";
      mode = "000";
    };
    age.secrets.influxdb-basic-auth-hashes = {
      rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
      # Copy only the script so the dependencies can be added by the nodes
      # that define passwords (using distributed-config).
      generator = {
        inherit (config.age.generators.basic-auth) script;
        dependencies = [sentinelCfg.age.secrets.admin-influxdb-basic-auth-password];
      };
      mode = "440";
      group = "nginx";
    };
    services.nginx = {
      upstreams.influxdb = {
        servers."${config.services.influxdb2.settings.http-bind-address}" = {};
@ -54,6 +74,8 @@ in {
          proxyWebsockets = true;
          extraConfig = ''
            satisfy any;
            auth_basic "Authentication required";
            auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
            ${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.extra.wireguard.proxy-sentinel.server.reservedAddresses}
            deny all;
          '';
--- a/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
+++ b/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> X25519 eDC4hGeQD8dKvjQGBSflv/kqswkwegtt7mpGTatDjlk
 vMVjoIZ4/7293gMJBY+6oIuE3SVulm8Qz5d2TQCy8YA
 -> piv-p256 xqSe8Q Av1JmXT6ELHJypYLCvvpa5HLphPJcQhBTLHrQWUu3BXU
 K/KNd1uhA/fyYmnPKJexC8W/5W4ZhtzDQEci8sswqP8
 -> 6huK-grease iyY \}FcJ
 k8F8LboYhZJtd2PyQQpRJUoSpBVGm3ocsIiYV9tEihOLahdqcyQawHU2mL7zMTo+
 j6FqPxOXBQ
 --- gzu/0Qvwe1DU/wXCkzaZgFQks4Hq/OAudbkfPiQMHR4
 ¿¯/P'Ü|L%äo�>³GôpHžþKÉ™ö¹•Ï3•)z�ùÏJD01xüsè¨â‹Þ-Æd|õ€d¦…'ò¼‹/Ík\6B}‚xË
--- a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
+++ b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
--- a/modules/telegraf.nix
+++ b/modules/telegraf.nix
@ -43,6 +43,16 @@ in {
  config = mkIf cfg.enable {
    age.secrets.telegraf-influxdb-token = {
      rekeyFile = nodePath + "/secrets/telegraf-influxdb-token.age";
      # TODO generator.script = { pkgs, lib, decrypt, deps, ... }: let
      # TODO   adminBasicAuth = (builtins.head deps).file;
      # TODO   adminToken = (builtins.head deps).file; # TODO ..... filter by name?
      # TODO in ''
      # TODO   echo " -> Provisioning influxdb token for [34mtelegraf[m on [32m${nodeName}[m at [33mhttps://${cfg.influxdb2.domain}[m" >&2
      # TODO   ${decrypt} ${lib.escapeShellArg aba.file} \
      # TODO   INFLUX_HOST=https://${aba.host}+${aba.name}:${PW}@${URL}
      # TODO     | ${pkgs.influxdb2-cli}/bin/influx -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
      # TODO     || die "Failure"
      # TODO '');
      mode = "440";
      group = "telegraf";
    };
--- a/nix/lib.nix
+++ b/nix/lib.nix
@ -73,9 +73,7 @@ in rec {
  # Counts how often each element occurrs in xs
  countOccurrences = let
    addOrUpdate = acc: x:
-      if builtins.hasAttr x acc
+      acc // {${x} = (acc.${x} or 0) + 1;};
      then acc // {${x} = acc.${x} + 1;}
      else acc // {${x} = 1;};
  in
    foldl' addOrUpdate {};