feat: prepare sentinel for webapp oauth2 authentication

2025-10-11 07:10:39 +02:00 · 2023-06-21 01:36:44 +02:00 · 2023-06-21 01:36:44 +02:00 · 6b81ecd961
commit 6b81ecd961
parent 19acca7cba
9 changed files with 145 additions and 68 deletions
--- a/hosts/common/core/system.nix
+++ b/hosts/common/core/system.nix
@ -362,6 +362,25 @@
      lib.mkIf (pubkeyPath != null && lib.pathExists pubkeyPath) pubkeyPath;
  };

+  age.generators.basic-auth.script = {
+    pkgs,
+    lib,
+    decrypt,
+    deps,
+    ...
+  }:
+    lib.flip lib.concatMapStrings deps ({
+      name,
+      host,
+      file,
+    }: ''
+      echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
+      echo -n ${lib.escapeShellArg host}"+"${lib.escapeShellArg name}" "
+      ${decrypt} ${lib.escapeShellArg file} \
+        | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
+        || die "Failure while aggregating caddy basic auth hashes"
+    '');
+
  boot = {
    initrd.systemd = {
      enable = true;
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -1,14 +1,19 @@
 {
  config,
-  lib,
-  nodes,
-  nodeName,
  pkgs,
  ...
 }: {
  users.groups.acme.members = ["caddy"];

-  services.caddy = {
+  age.secrets.caddy-env = {
+    rekeyFile = ./secrets/caddy-env.age;
+    mode = "440";
+    group = "caddy";
+  };
+
+  services.caddy = let
+    proxyAuthDomain = "sentinel.${config.repo.secrets.local.personalDomain}";
+  in {
    enable = true;
    package = pkgs.caddy.withPackages {
      plugins = [
@ -19,5 +24,52 @@
      ];
      vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
    };
+
+    virtualHosts.${proxyAuthDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert proxyAuthDomain;
+      extraConfig = ''
+        import common
+        authenticate with myportal
+      '';
+    };
+
+    globalConfig = ''
+      order authenticate before respond
+      order authorize before basicauth
+
+      security {
+        oauth identity provider kanidm {
+          realm kanidm
+          driver generic
+          client_id web-sentinel
+          client_secret {env.KANIDM_CLIENT_SECRET}
+          scopes openid email profile
+          base_auth_url https://${config.proxiedDomains.kanidm}/ui/oauth2
+          metadata_url https://${config.proxiedDomains.kanidm}/oauth2/openid/sentinel/.well-known/openid-configuration
+        }
+
+        authentication portal myportal {
+          enable identity provider kanidm
+          cookie domain ${config.repo.secrets.local.personalDomain}
+          ui {
+            links {
+              "My Identity" "/whoami" icon "las la-user"
+            }
+          }
+
+          transform user {
+            match realm kanidm
+            action add role authp/user
+          }
+
+          #transform user {
+          #  match realm kanidm
+          #  match scope read:access_aguardhome
+          #  action add role authp/admin
+          #}
+        }
+    '';
  };
+
+  systemd.services.caddy.serviceConfig.environmentFile = config.age.secrets.caddy-env.path;
 }
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -16,4 +16,9 @@
    ./acme.nix
    ./caddy.nix
  ];
+
+  extra.promtail = {
+    enable = true;
+    proxy = "sentinel";
+  };
 }
--- a/hosts/sentinel/secrets/caddy-env.age
+++ b/hosts/sentinel/secrets/caddy-env.age
--- a/hosts/sentinel/secrets/promtail-loki-basic-auth-password.age
+++ b/hosts/sentinel/secrets/promtail-loki-basic-auth-password.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 5yDq2pctzyK8uUxKxekOz9tHbmUq4JKCzEbBCYQ79w0
+lFsTmuUufwYoZ1fAbs7BCmaU3h6Mck8w98TmUdahWP8
+-> piv-p256 xqSe8Q Aul+3eIiUD0DWAiRPR7Ms4l9ohF+62P98EYqngOFOwU9
+TdW4WUaIeT7rC9eeGjEM1jPEp/LE1q2V3/fQFLyjbtk
+-> yYnni-grease 2a
+SV/4RAhtPi8LsDwcXpwT8AZQCwwJ1tu0R3aN8r7J5cs2RCNGKvNYhU3WRZ6XUi84
+S1SGmd886W3twPhMYSjm9j8IqqJ5iaWq0IXPpxLZIpv1viS4jDoLgMcKxFbKI97z
+5OCc
+--- 30SxKU9DX+vU3e/fd4upxOLcv4DSujy06P+Ja2yHPjM
+¾?ÙGu>ir7åyÛ¦mé–`Ç‘·"AêM7´^…ì�÷‘ÏM*ÿO%BÜÁÂRµQ©Â“§^Hxï_ÑÎ;e‚ü—ÃdW�3†q0\ª4:Ü
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -26,27 +26,9 @@ in {

    age.secrets.loki-basic-auth-hashes = {
      rekeyFile = ./secrets/loki-basic-auth-hashes.age;
-      generator = {
-        # Dependencies are added by the nodes that define passwords (using distributed-config).
-        script = {
-          pkgs,
-          lib,
-          decrypt,
-          deps,
-          ...
-        }:
-          lib.flip lib.concatMapStrings deps ({
-            name,
-            host,
-            file,
-          }: ''
-            echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
-            echo -n ${lib.escapeShellArg host}"+"${lib.escapeShellArg name}" "
-            ${decrypt} ${lib.escapeShellArg file} \
-              | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
-              || die "Failure while aggregating caddy basic auth hashes"
-          '');
-      };
+      # Copy only the script so the dependencies can be added by the nodes
+      # that define passwords (using distributed-config).
+      generator.script = config.age.generators.basic-auth.script;
      mode = "440";
      group = "caddy";
    };
@ -55,6 +37,7 @@ in {
      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
      extraConfig = ''
        import common
+        skip_log
        basicauth {
          import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
        }
--- a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
+++ b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age