feat: generate secrets

2025-10-11 07:10:39 +02:00 · 2023-06-12 01:03:44 +02:00 · 2023-06-12 01:03:44 +02:00 · 69bd2a71ce
commit 69bd2a71ce
parent f33fa54b65
24 changed files with 154 additions and 65 deletions
--- a/hosts/sentinel/secrets/loki-basic-auth-hashes.age
+++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
@ -1,9 +1,10 @@
 age-encryption.org/v1
-> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0
-zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU
-> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm
-Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo
-> ={9x3$iL-grease 7(o } u,|S!;51 "
-g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk
--- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40
-UWh;oDń�n&.ĄPš	ži�—ł¶ČĂíşBâĚ'ĘÉr¸nâŘgŽúa@UOL_Ćfă…¨ö)ńRhŞvüžc2Ă[ięEÜJ$fZľLgÉĘÎU>\7Ú>NbĚßr{LW?ďÎ
’Ë4ëxđ•ăĹĎŃ
‹Ý‹§7=ăŹ~qü•ŹÖO6uŁöőQÁřÍ�îÄJŚ	S¶šz	ČÔMŔ0ď'`ě
+-> X25519 lB23D7AmIF0aexiFK8El0nE88SFMsTdqI2AFwCkoAkw
+n1eyViq9JQCe7QTuKi3k8DNdnjR6c2lLaBoT8f4IHQg
+-> piv-p256 xqSe8Q Ar0Mqg1pFoTei1CfCUp4SZsXNSxkJw9CVV7KuiZWqVkB
+Vx7hdeRcSiS/IiXWkMm0Sy2c5zWGGFUtLd03WKKTpYs
+-> -.-grease C?E+>{j _of5
+u02vRewJinMZScNTqe7+7Ee8b98EY3+T0oYs1yOhEJ2KdFPsrUcoMWivMun2KwwM
+rPkxdA
+--- zMYSBhkaD2xsuyTKqN8hG8NaJuAXeinDrXQtddfR0Gs
+sŒÈ†eýpÀ®_u³¸÷”hÓ·ª¶Û¶B UÿóÖìUÚp¿›[[cøË7ÿêÿ+…O�´EeÁ�ü½lˆ`j(¿`Æªv#��_Ž¡î‰Æ.¸GP:ò?ê"’ß;_'>Ú 4Ç
--- a/hosts/sentinel/secrets/loki-basic-auth.age
+++ b/hosts/sentinel/secrets/loki-basic-auth.age
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -6,25 +6,12 @@
  utils,
  ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];

-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [3001];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [3001];
  };

  age.secrets.grafana-secret-key = {
@ -40,7 +27,10 @@
    group = "grafana";
  };

-  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
+  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
+  aaa not wokring
+    config.age.secrets.grafana-loki-basic-auth-password
+  ];

  services.grafana = {
    enable = true;
@ -104,7 +94,7 @@
          orgId = 1;
          basicAuth = true;
          basicAuthUser = nodeName;
-          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
+          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
        }
      ];
    };
--- a/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 S8bAt5Bt8ci+w8+jC/II3dMSUUEneGKpJULB+FYN6ns
+DpKs7bP2Ft4fgbntM6guSFlUuCHiysmALR6jAK6bR/A
+-> piv-p256 xqSe8Q A7ZD865VJVg/Lx4d2Ly4dvaIzKmmA1X5f/EOdwdH3dfb
+jEqpzb0kdVzYddrmVXIi8672/YLH5+luvUJeb4/ibzA
+-> gu'-grease
+uGbk/7/cRAmN2VWdXgKuVrvRAfnupb/WTK0r5ow5ud/sp2iEVAM8NZ9f
+--- QtjcCefxUDq0yYOou3EbBBZbGu1FfzmXo3cXhiKe44E
+0ß¾.D¨$Ê¼C G‰KŽ	Bˆ¿FËméXêŸ]¢,'0›áæo!‘ß¸#‹¬]%öðŽ=—Óž~QÜèß€ÐÌƒ›Gæ¶Òœr—
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -6,26 +6,12 @@
  utils,
  ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];

-  # TODO this as includable module?
-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [8300];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [8300];
  };

  age.secrets."kanidm-self-signed.crt" = {
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -5,25 +5,12 @@
  utils,
  ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];

-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [3100];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [3100];
  };

  services.loki = let
--- a/hosts/ward/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/promtail-loki-basic-auth-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 WO6NVr8uGQ9GGngru17rGIcyZ7Jk0V47Me3ee4h0wTQ
+2wi5L99XZMN4Aytb8aYH4H6iR9MeuXNXh6hOCap/75A
+-> piv-p256 xqSe8Q Aoh7VxZSYtAdc4h0B9toepYGmB9Ad6lib7ovoK7P9jTp
+21bQ859o1wlRZxyw84hCEZFWcCQ58uQ0sxzSMlVYvwE
+-> DJt-grease ipE| /Qlv %,8pl
+6Pg7ViLxJIt1CrQFYVZvTPGz
+--- DNpm5163v+rHN5tTVzNbIt3mQRvkLs7Envc7HulIU0g
+Í\©¬ü®ÆÄ[Ñbr©WÝ%úÿ‘ÜZ‚ÇÑ:Ù¦ý¿O_Ô6YpÔ½pÁÒƒ —"ó)Z
¼G/B§–H¶&©}3ª‘]u�	æ½õEÏóÌ‚§