diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
index 1098d7d..81aec1f 100644
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@@ -34,6 +34,9 @@ in {
 }
 '';
+ # TODO move subconfigs to the relevant hosts instead.
+ # -> have something like merged config nodes.....
+
 virtualHosts.${authDomain} = {
 useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
 extraConfig = ''
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
deleted file mode 100644
index a16edbc..0000000
--- a/hosts/sentinel/nginx.nix
+++ /dev/null
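Review bot: The TODO added before `virtualHosts.${authDomain}` records the plan to move sub-configs, but the same commit deletes nginx.nix and oauth2-proxy.nix, which carried the `auth_request /oauth2/auth` gate applied to every nginx vhost and the `proxy_ssl_verify off` exception on the kanidm upstream, and nothing in this hunk says what replaced them. If the grafana and loki vhosts are now served by Caddy elsewhere in this file, it would be worth confirming they sit behind an equivalent `forward_auth` before the nginx config is gone, since the hunk only shows the auth vhost itself. I would extend the comment so the follow-up is explicit: `# NOTE: the oauth2-proxy auth_request gating lived in nginx.nix (removed); any vhost proxied here needs equivalent forward_auth.` The enclosing attribute set starts and ends outside the hunk.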
@@ -1,89 +0,0 @@
-{
- config,
- lib,
- nodes,
- ...
-}: let
- inherit (config.repo.secrets.local) acme personalDomain;
-in {
- users.groups.acme.members = ["nginx"];
-
- rekey.secrets."dhparams.pem" = {
- file = ./secrets/dhparams.pem.age;
- mode = "440";
- group = "nginx";
- };
-
- services.nginx = let
- authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
- authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
- grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
- grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
- lokiDomain = "loki.${personalDomain}";
- lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
- in {
- enable = true;
-
- # TODO move subconfigs to the relevant hosts instead.
- # -> have something like merged config nodes.....
-
- upstreams.kanidm = {
- servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}" = {};
- extraConfig = ''
- zone kanidm 64k;
- keepalive 2;
- '';
- };
- virtualHosts.${authDomain} = {
- forceSSL = true;
- useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
- locations."/".proxyPass = "https://kanidm";
- # Allow using self-signed certs to satisfy kanidm's requirement
- # for TLS connections. (This is over wireguard anyway)
- # TODO can we get rid of this?
- extraConfig = ''
- proxy_ssl_verify off;
- '';
- };
-
- upstreams.grafana = {
- servers."${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}" = {};
- extraConfig = ''
- zone grafana 64k;
- keepalive 2;
- '';
- };
- virtualHosts.${grafanaDomain} = {
- forceSSL = true;
- useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
- locations."/".proxyPass = "http://grafana";
- };
-
- upstreams.loki = {
- servers."${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}" = {};
- extraConfig = ''
- zone loki 64k;
- keepalive 2;
- '';
- };
- virtualHosts.${lokiDomain} = {
- forceSSL = true;
- useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
- locations."/" = {
- proxyPass = "http://loki";
- proxyWebsockets = true;
- extraConfig = ''
- access_log off;
- '';
- };
- locations."/ready" = {
- proxyPass = "http://loki";
- proxyWebsockets = true;
- extraConfig = ''
- auth_request off;
- access_log off;
- '';
- };
- };
- };
-}
diff --git a/hosts/sentinel/oauth2-proxy.nix b/hosts/sentinel/oauth2-proxy.nix
deleted file mode 100644
index 9abc334..0000000
--- a/hosts/sentinel/oauth2-proxy.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- config,
- lib,
- nodes,
- ...
-}: let
- inherit (config.repo.secrets.local) acme personalDomain;
- authDomain = "auth.${personalDomain}";
-in {
- networking.domain = personalDomain;
-
- # Contains OAUTH2_PROXY_CLIENT_SECRET=...
- #rekey.secrets.grafana-secret-key = {
- # file = ./secrets/oauth2-proxy-client-secret.age;
- # mode = "440";
- # group = "oauth2_proxy";
- #};
-
- services.oauth2_proxy = {
- enable = true;
- cookie.secure = true;
- cookie.httpOnly = false;
- email.domains = ["*"];
- provider = "oidc";
- scope = "openid email";
- loginURL = "https://${authDomain}/ui/oauth2";
- redeemURL = "https://${authDomain}/oauth2/token";
- validateURL = "https://${authDomain}/oauth2/openid/grafana/userinfo";
- clientID = "oauth2-proxy";
- clientSecret = "";
- #keyFile = config.rekey.secrets.oauth2-proxy-client-secret.path;
- reverseProxy = true;
- extraConfig.skip-provider-button = true;
- setXauthrequest = true;
- };
-
- # Apply oauth by default to all locations
- services.nginx.virtualHosts = lib.genAttrs config.services.oauth2_proxy.nginx.virtualHosts (_: {
- extraConfig = ''
- auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
-
- # pass information via X-User and X-Email headers to backend,
- # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
- proxy_set_header X-User $user;
- proxy_set_header X-Email $email;
-
- # if you enabled --cookie-refresh, this is needed for it to work with auth_request
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
- '';
- locations."/oauth2/".extraConfig = "auth_request off;";
- locations."/oauth2/auth".extraConfig = "auth_request off;";
- });
-}