feat: generate secrets

2025-10-11 07:10:39 +02:00 · 2023-06-12 01:03:44 +02:00 · 2023-06-12 01:03:44 +02:00 · 69bd2a71ce
commit 69bd2a71ce
parent f33fa54b65
24 changed files with 154 additions and 65 deletions
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -6,25 +6,12 @@
  utils,
  ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];

-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [3001];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [3001];
  };

  age.secrets.grafana-secret-key = {
@ -40,7 +27,10 @@
    group = "grafana";
  };

-  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
+  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
+  aaa not wokring
+    config.age.secrets.grafana-loki-basic-auth-password
+  ];

  services.grafana = {
    enable = true;
@ -104,7 +94,7 @@
          orgId = 1;
          basicAuth = true;
          basicAuthUser = nodeName;
-          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
+          secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
        }
      ];
    };
--- a/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
+++ b/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 S8bAt5Bt8ci+w8+jC/II3dMSUUEneGKpJULB+FYN6ns
+DpKs7bP2Ft4fgbntM6guSFlUuCHiysmALR6jAK6bR/A
+-> piv-p256 xqSe8Q A7ZD865VJVg/Lx4d2Ly4dvaIzKmmA1X5f/EOdwdH3dfb
+jEqpzb0kdVzYddrmVXIi8672/YLH5+luvUJeb4/ibzA
+-> gu'-grease
+uGbk/7/cRAmN2VWdXgKuVrvRAfnupb/WTK0r5ow5ud/sp2iEVAM8NZ9f
+--- QtjcCefxUDq0yYOou3EbBBZbGu1FfzmXo3cXhiKe44E
+0ß¾.D¨$Ê¼C G‰KŽ	Bˆ¿FËméXêŸ]¢,'0›áæo!‘ß¸#‹¬]%öðŽ=—Óž~QÜèß€ÐÌƒ›Gæ¶Òœr—
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -6,26 +6,12 @@
  utils,
  ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];

-  # TODO this as includable module?
-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [8300];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [8300];
  };

  age.secrets."kanidm-self-signed.crt" = {
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -5,25 +5,12 @@
  utils,
  ...
 }: {
-  extra.wireguard.proxy-sentinel.client.via = "sentinel";
+  imports = [
+    ../../../../modules/proxy-via-sentinel.nix
+  ];

-  networking.nftables.firewall = {
-    zones = lib.mkForce {
-      proxy-sentinel.interfaces = ["proxy-sentinel"];
-      sentinel = {
-        parent = "proxy-sentinel";
-        ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
-        ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
-      };
-    };
-
-    rules = lib.mkForce {
-      sentinel-to-local = {
-        from = ["sentinel"];
-        to = ["local"];
-        allowedTCPPorts = [3100];
-      };
-    };
+  networking.nftables.firewall.rules = lib.mkForce {
+    sentinel-to-local.allowedTCPPorts = [3100];
  };

  services.loki = let
--- a/hosts/ward/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/ward/secrets/promtail-loki-basic-auth-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 WO6NVr8uGQ9GGngru17rGIcyZ7Jk0V47Me3ee4h0wTQ
+2wi5L99XZMN4Aytb8aYH4H6iR9MeuXNXh6hOCap/75A
+-> piv-p256 xqSe8Q Aoh7VxZSYtAdc4h0B9toepYGmB9Ad6lib7ovoK7P9jTp
+21bQ859o1wlRZxyw84hCEZFWcCQ58uQ0sxzSMlVYvwE
+-> DJt-grease ipE| /Qlv %,8pl
+6Pg7ViLxJIt1CrQFYVZvTPGz
+--- DNpm5163v+rHN5tTVzNbIt3mQRvkLs7Envc7HulIU0g
+Í\©¬ü®ÆÄ[Ñbr©WÝ%úÿ‘ÜZ‚ÇÑ:Ù¦ý¿O_Ô6YpÔ½pÁÒƒ —"ó)Z
¼G/B§–H¶&©}3ª‘]u�	æ½õEÏóÌ‚§