From 135528e082ecfa47c8e255fb33128bc375cbd8f9 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Fri, 2 Jun 2023 01:28:35 +0200
Subject: [PATCH] feat: add grafana test setup with oauth2
---
 hosts/common/core/impermanence.nix | 16 +++-
 hosts/sentinel/nginx.nix | 21 ++++-
 hosts/ward/default.nix | 89 ++++++++++++++++++-
 hosts/ward/secrets/grafana-secret-key.age | 10 +++
 .../proxy-sentinel/keys/ward-test.age | 9 ++
 .../proxy-sentinel/keys/ward-test.pub | 1 +
 .../psks/sentinel+ward-test.age | 9 ++
 7 files changed, 146 insertions(+), 9 deletions(-)
 create mode 100644 hosts/ward/secrets/grafana-secret-key.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-test.age
 create mode 100644 secrets/wireguard/proxy-sentinel/keys/ward-test.pub
 create mode 100644 secrets/wireguard/proxy-sentinel/psks/sentinel+ward-test.age
diff --git a/hosts/common/core/impermanence.nix b/hosts/common/core/impermanence.nix
index 7d1f60b..dd33465 100644
--- a/hosts/common/core/impermanence.nix
+++ b/hosts/common/core/impermanence.nix
@@ -79,7 +79,7 @@
 directory = "/var/lib/cups";
 user = "root";
 group = "root";
- mode = "0755";
+ mode = "0700";
 }
 ]
 ++ lib.optionals config.services.fail2ban.enable [
@@ -95,7 +95,7 @@
 directory = "/var/lib/postgresql";
 user = "postgres";
 group = "postgres";
- mode = "0755";
+ mode = "0700";
 }
 ]
 ++ lib.optionals config.services.gitea.enable [
@@ -103,7 +103,15 @@
 directory = "/var/lib/gitea";
 user = "gitea";
 group = "gitea";
- mode = "0755";
+ mode = "0700";
+ }
+ ]
+ ++ lib.optionals config.services.grafana.enable [
+ {
+ directory = config.services.grafana.dataDir;
+ user = "grafana";
+ group = "grafana";
+ mode = "0700";
 }
 ]
 ++ lib.optionals config.services.kanidm.enableServer [
@@ -111,7 +119,7 @@
 directory = "/var/lib/kanidm";
 user = "kanidm";
 group = "kanidm";
- mode = "0755";
+ mode = "0700";
 }
 ];
 };
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
index 2af30c8..89ce6c5 100644
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
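Review bot: The new grafana entry in the third impermanence hunk reads `directory` from `config.services.grafana.dataDir` but hard-codes `user = "grafana"; group = "grafana";`, while the neighbouring cups/postgresql/gitea/kanidm entries hard-code both path and owner; where a module exposes its state directory or owner as an option, reading it from `config` keeps this list from silently diverging from the module when a default changes. The 0755 to 0700 tightening on all four existing entries removes traversal for every account other than the owner, which is the right default for private service state, but it deserves a one-line comment such as `# 0700: persisted service state is private to the owning account` and a check that no second service account needs to read inside those directories. The list expression these hunks edit opens and closes outside the hunks.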
@@ -1,5 +1,6 @@
 {
 config,
+ lib,
 nodes,
 ...
 }: let
@@ -34,10 +35,13 @@ in {
 services.nginx = let
 authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
+ authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
+ grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
+ grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
 in {
 enable = true;
- upstreams."kanidm" = {
- servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:8300" = {};
+ upstreams.kanidm = {
+ servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}" = {};
 extraConfig = ''
 zone kanidm 64k;
 keepalive 2;
@@ -54,5 +58,18 @@ in {
 proxy_ssl_verify off;
 '';
 };
+
+ upstreams.grafana = {
+ servers."${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}" = {};
+ extraConfig = ''
+ zone grafana 64k;
+ keepalive 2;
+ '';
+ };
+ virtualHosts.${grafanaDomain} = {
+ forceSSL = true;
+ useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+ locations."/".proxyPass = "http://grafana";
+ };
 };
 }
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 7b3e6eb..9adb133 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -7,6 +7,7 @@
 }: let
 inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
 authDomain = "auth.${personalDomain}";
+ grafanaDomain = "grafana.${personalDomain}";
 in {
 imports = [
 nixos-hardware.common-cpu-intel
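Review bot: `locations."/".proxyPass = "http://grafana";` in the third nginx hunk proxies with nginx's default upstream `Host` header (the upstream name `grafana`), while the grafana side added to `hosts/ward/default.nix` in this same patch sets `enforce_domain = true` and an https `root_url`; unless `services.nginx.recommendedProxySettings = true;` (which forwards `Host`, `X-Forwarded-Proto` and related headers) is already enabled in the part of this file outside the hunk, grafana is likely to see the wrong host and scheme and the domain check and OAuth redirects will misbehave. If it is not set, add `services.nginx.recommendedProxySettings = true;` next to `enable = true;`, and consider `locations."/" = { proxyPass = "http://grafana"; proxyWebsockets = true; };` so that grafana's websocket endpoints also work through the proxy. The `authPort` derivation in the second hunk takes the last `:`-separated field of `bindaddress`, which works for `host:port` and `[v6]:port` forms but yields the whole string when no port is present; a comment stating that assumption would help the next reader. The `services.nginx` attribute set these hunks edit opens before the first of them.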
@@ -60,7 +61,91 @@ in {
 };
 microvm.vms.test.config = {
+ lib,
+ config,
+ ...
+ }: {
 rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBXXjI6uB26xOF0DPy/QyLladoGIKfAtofyqPgIkCH/g";
+
+ extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
+ networking.nftables.firewall = {
+ zones = lib.mkForce {
+ #local-vms.interfaces = ["local-vms"];
+ proxy-sentinel.interfaces = ["proxy-sentinel"];
+ sentinel = {
+ parent = "proxy-sentinel";
+ ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
+ ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
+ };
+ };
+
+ rules = lib.mkForce {
+ sentinel-to-local = {
+ from = ["sentinel"];
+ to = ["local"];
+ allowedTCPPorts = [3001];
+ };
+ };
+ };
+
+ rekey.secrets.grafana-secret-key = {
+ file = ./secrets/grafana-secret-key.age;
+ mode = "440";
+ group = "grafana";
+ };
+
+ services.grafana = {
+ enable = true;
+ settings = {
+ analytics.reporting_enabled = false;
+ users.allow_sign_up = false;
+
+ server = {
+ domain = grafanaDomain;
+ root_url = "https://${config.services.grafana.settings.server.domain}";
+ enforce_domain = true;
+ enable_gzip = true;
+ http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
+ http_port = 3001;
+ # cert_key = /etc/grafana/grafana.key;
+ # cert_file = /etc/grafana/grafana.crt;
+ # protocol = "https"
+ };
+
+ security = {
+ disable_initial_admin_creation = true;
+ secret_key = "$__file{${config.rekey.secrets.grafana-secret-key.path}}";
+ cookie_secure = true;
+ disable_gravatar = true;
+ hide_version = true;
+ };
+
+ auth = {
+ signout_redirect_url = "https://sso.nycode.dev/if/session-end/grafana/";
+ disable_login_form = true;
+ };
+
+ "auth.generic_oauth" = {
+ enabled = true;
+ name = "Kanidm";
+ icon = "signin";
+ allow_sign_up = true;
+ auto_login = false;
+ client_id = "grafana";
+ client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
+ scopes = "openid profile email";
+ login_attribute_path = 
"prefered_username"; + auth_url = "https://${authDomain}/ui/oauth2"; + token_url = "https://${authDomain}/oauth2/token"; + api_url = "https://${authDomain}/oauth2/openid/grafana/userinfo"; + use_pkce = true; + allow_assign_grafana_admin = true; + }; + + # TODO provision + }; + }; }; microvm.vms.nginx.config = { @@ -70,9 +155,7 @@ in { }: { rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2TxWynLb8V9SP45kFqsoCWhe/dG8N1xWNuJG5VQndq"; - extra.wireguard.proxy-sentinel = { - client.via = "sentinel"; - }; + extra.wireguard.proxy-sentinel.client.via = "sentinel"; networking.nftables.firewall = { zones = lib.mkForce { diff --git a/hosts/ward/secrets/grafana-secret-key.age b/hosts/ward/secrets/grafana-secret-key.age new file mode 100644 index 0000000..2c96032 --- /dev/null +++ b/hosts/ward/secrets/grafana-secret-key.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 S365Ptmx5jGBBvN7q/nxHZWLT4wsHYey5TSIvqfKqXs +MODSBeb8Kt0CfFdTgPskMFVaen28O5N5ql7aqxJ+YaQ +-> piv-p256 xqSe8Q A8G1Ljc2V/ay90ZiITuXGDxRaH5R/QqDsSpXbsYQFFjx +nE6ODZqg4QAujfWOeTRD/S0m/8bRadTqSCQa5sVIJ3w +-> <*^9;-grease X4qEn "qK,G4} 5Gp'jn!Q +bU3aA07kpeHbqAoFMrp4mWj3/iPH67VZpE+mW2Z9huxze+Jn1js0p/hV2fj2jlWm +/DZP +--- vSYl/yA0H1WBqkDI+lu8o1+/l7pOt5wFwb2cLuCDWFQ +YB';HIt%?{e8VBQF̻e>m(G̸9ͺȘ"L2zA~OFjs" \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-test.age b/secrets/wireguard/proxy-sentinel/keys/ward-test.age new file mode 100644 index 0000000..c32c7a8 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-test.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 cMMC99p0MIklijuoRd8tQCQrqo4UlVPmsOyKc5qt4X0 +T1PF6GADXZQV9d9m834dmnIwD877qjjNklA/LlSlI8E +-> piv-p256 xqSe8Q A1lRTx9nYJzX/aLJ/0ed7cql4nTE6XXhhtjNTMmZQFvM +uo9MbHeHqcEXsxxYx5h/28n5nwPXl7O7W8PRXNUBv+w +-> Vqg!O%^-grease +TxEpmFfkMMptulXHKQ +--- bd0u4VALhJtT/XO47mLjTrPnzvX5qcmZyx4I1Kr3ymU +q7յ5p= h$UEI|o~Ixr 3|*;wJMń@*usOU:0!8{ \ No newline at end of file 
diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-test.pub b/secrets/wireguard/proxy-sentinel/keys/ward-test.pub new file mode 100644 index 0000000..329b759 --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-test.pub @@ -0,0 +1 @@ +PTlU+qtfddz0ZfcHcfZmSxZ4Abe8UCpWV2FBJQswzBk= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-test.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-test.age new file mode 100644 index 0000000..a7dd4ee --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-test.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 3bQe5/vCstk47dFWcHw+b/VPNNcWdQc/h7LJY3gaMzk +20CR1ih9fzd6aCq4oKLvOIOoBO8WIKKkEk4+SMr+qus +-> piv-p256 xqSe8Q A5Is7U9nNFHhQWs+3ef7va56kGP77CuM61Tlq2KtNve9 +UP3HX8ickxbaNanHaBN+5azuHvrLgJI7Jdc9rjO5NlY +-> *b-grease K[ ot SG~=$]V~ Klp +nGbF +--- 6ySzDV9GHLj+UkO3AdCz1qNeHLsHnna4Ss5O/VfzwX0 +ݙZg* Tjպ剺Rg];}}MmЇܫ:2`G*䫈@u= \ No newline at end of file