diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix index 81aec1f..faf7307 100644 --- a/hosts/sentinel/caddy.nix +++ b/hosts/sentinel/caddy.nix @@ -9,6 +9,18 @@ in { users.groups.acme.members = ["caddy"]; + # TODO assertions = lib.flip lib.mapAttrsToList config.users.users + # TODO (name: user: { + # TODO assertion = user.uid != null; + # TODO message = "non-deterministic uid detected for: ${name}"; + # TODO }); + + rekey.secrets.loki-basic-auth = { + file = ./secrets/loki-basic-auth.age; + mode = "440"; + group = "caddy"; + }; + services.caddy = let authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain; authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress); 
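Review bot: The new `rekey.secrets.loki-basic-auth` declaration does not say what the decrypted file must contain, yet Caddy's `basicauth` directive, which imports this path later in the same file, only accepts hashed credentials, so a plaintext `user password` line would make every request to the loki vhost fail with 401 and the mistake is invisible in an encrypted blob. A comment above the block such as `# Caddyfile basicauth snippet: one "<user> <bcrypt-hash>" line per user; the plaintext counterpart is hosts/ward/secrets/loki-basic-auth-password-grafana.age` would document the contract and tie the two secrets together. The five `# TODO assertions …` lines are commented-out code with no note on why they are disabled; either drop them or state in one line what blocks enabling the uid assertion. The enclosing attribute set starts before the hunk.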
@@ -28,11 +40,58 @@ in { vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k"; }; - globalConfig = '' - servers { - metrics - } - ''; + # globalConfig = '' + # # servers { + # # metrics + # # } + + # order authenticate before respond + # order authorize before basicauth + + # security { + # oauth identity provider generic { + # realm generic + # driver generic + # client_id {env.GENERIC_CLIENT_ID} + # client_secret {env.GENERIC_CLIENT_SECRET} + # scopes openid email profile + # base_auth_url https://${authDomain}/ui/oauth2 + # metadata_url https://${authDomain}/oauth2/openid/{env.GENERIC_CLIENT_ID}/.well-known/openid-configuration + # } + + # authentication portal myportal { + # crypto default token lifetime 3600 + # crypto key sign-verify {env.JWT_SHARED_KEY} + # enable identity provider generic + # cookie domain myfiosgateway.com + # ui { + # links { + # "My Identity" "/whoami" icon "las la-user" + # } + # } + + # transform user { + # match realm generic + # action add role authp/user + # ui link "File Server" https://assetq.myfiosgateway.com:8443/ icon "las la-star" + # } + + # transform user { + # match realm generic + # match email greenpau@contoso.com + # action add role authp/admin + # } + # } + + # authorization policy mypolicy { + # set auth url https://auth.myfiosgateway.com:8443/oauth2/generic + # crypto key verify {env.JWT_SHARED_KEY} + # allow roles authp/admin authp/user + # validate bearer header + # inject headers with claims + # } + # } + # ''; # TODO move subconfigs to the relevant hosts instead. # -> have something like merged config nodes..... @@ -41,7 +100,7 @@ in { useACMEHost = config.lib.extra.matchingWildcardCert authDomain; extraConfig = '' encode zstd gzip - reverse_proxy * { + reverse_proxy { to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort} transport http { tls_insecure_skip_verify 
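Review bot: Commenting out `globalConfig` also removes the `servers { metrics }` block, so this caddy instance stops exposing its Prometheus metrics; if sentinel's caddy is scraped anywhere that is a silent regression the hunk does not mention, and the metrics block could be kept live independently of the portal experiment. The roughly fifty commented-out `security { … }` lines are the upstream caddy-security example shipped verbatim, still carrying its placeholder values (`myfiosgateway.com`, `greenpau@contoso.com`, `authp/admin` granted by e-mail match); if this is meant as a starting point, a one-line `# TODO: caddy-security portal, see <upstream example URL>` is clearer than a block that looks like real configuration, and none of the placeholder values may survive into the live config. The `# TODO move subconfigs …` comment that follows is context and unaffected.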
@@ -54,7 +113,7 @@ in { useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain; extraConfig = '' encode zstd gzip - reverse_proxy * { + reverse_proxy { to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort} } ''; @@ -62,14 +121,14 @@ in { virtualHosts.${lokiDomain} = { useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain; - # TODO disable access log - # TODO auth - # TODO no auth for /ready extraConfig = '' encode zstd gzip - reverse_proxy * { + skip_log + basicauth { + import ${config.rekey.secrets.loki-basic-auth.path} + } + reverse_proxy { to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort} - websocket } ''; }; diff --git a/hosts/sentinel/secrets/loki-basic-auth.age b/hosts/sentinel/secrets/loki-basic-auth.age new file mode 100644 index 0000000..16d2be2 --- /dev/null +++ b/hosts/sentinel/secrets/loki-basic-auth.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 xm5cDvIASu2sheBB0ZSLDRRTjxKOQFFOuPAl0pvhrUA +7HQHJLJX/8+BCWkmFbxU68xvD6ZnXICcWm+689E4VlU +-> piv-p256 xqSe8Q AsK1jgDlC3PHkA2jXuf1zrFF+LV49f/XOA3aS/IgWbpv +iJJlFFNZ3CZ78BiO93EfraQggVRRM338wuaN0g776IA +-> =iE-grease +vUaawORH9nI/5ixF7WN5U3c +--- sM7mi2FbffVC2G3ClnFzHbMnCBfROVM+/PHNeD4qebI +€Ö3)/õ.Dß²…f(|®/ÓÏÀ%S¤˜£kµõ«ÝvÎC•º5¹~C\h§)§M¬iD€ž‰êÔÓ3/mOZqãKjiŠÍæÌôÅY ‘_ƒ¼? à3‚5I÷ßþ>‰|d˜—É \ No newline at end of file diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index 2117ca6..3b2e16d 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -8,6 +8,7 @@ inherit (nodes.sentinel.config.repo.secrets.local) personalDomain; authDomain = "auth.${personalDomain}"; grafanaDomain = "grafana.${personalDomain}"; + lokiDomain = "loki.${personalDomain}"; lokiDir = "/var/lib/loki"; in { imports = [ 
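Review bot: In the `virtualHosts.${lokiDomain}` hunk, `skip_log` disables the access log for the whole vhost at the same moment `basicauth` is put in front of it, so rejected logins against the newly exposed endpoint leave no trace on sentinel. `skip_log` accepts a matcher, so the high-volume paths Grafana polls can be excluded while every other request, including those that never reach `reverse_proxy`, stays in the log. The removed `# TODO no auth for /ready` is not implemented by this hunk: Loki's `/ready` is now behind basicauth too, which is acceptable if nothing unauthenticated probes it, but the decision should be stated in a comment rather than disappear with the TODO. Dropping the `websocket` line is correct for Caddy v2, where `reverse_proxy` handles protocol upgrades itself.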
@@ -96,6 +97,12 @@ in { group = "grafana"; }; + rekey.secrets.loki-basic-auth-password-grafana = { + file = ./secrets/loki-basic-auth-password-grafana.age; + mode = "440"; + group = "grafana"; + }; + services.grafana = { enable = true; settings = { @@ -132,7 +139,7 @@ in { client_id = "grafana"; #client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}"; client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret - scopes = "openid profile email"; + scopes = "openid email profile"; login_attribute_path = "prefered_username"; auth_url = "https://${authDomain}/ui/oauth2"; token_url = "https://${authDomain}/oauth2/token"; @@ -157,9 +164,11 @@ in { name = "Loki"; type = "loki"; access = "proxy"; - # TODO use public endpoint, and enable oauth token passing - url = "http://${nodes."${parentNodeName}-loki".config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:3100"; + url = "https://${lokiDomain}"; orgId = 1; + basicAuth = true; + basicAuthUser = "grafana"; + secureJsonData.basicAuthPassword = "$__file{${config.rekey.secrets.loki-basic-auth-password-grafana.path}}"; } ]; }; diff --git a/hosts/ward/secrets/loki-basic-auth-password-grafana.age b/hosts/ward/secrets/loki-basic-auth-password-grafana.age new file mode 100644 index 0000000..9eb7907 --- /dev/null +++ b/hosts/ward/secrets/loki-basic-auth-password-grafana.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 WrGssql6ABmtiNPFxIuKmjEjNWp8yQ9CbIdaPkE1BmU +lX/mIQPjjBp62RZyZV3WZrzzM/RAVEVMslOvQiO3ztw +-> piv-p256 xqSe8Q A+/jWovwGhsvkNHNvfnhEOSKu6qkfQGCKnVYRJo1IWFM +oWybJl7iZ6pkBAGmv3SmE9q1eEpkDtnIxR+3MCKi6bo +-> a6-grease O~| \B n <1fV!LUr +y0AAIziu +--- 0K+cIttoHGYTWwzdoYJn1rIdtDqiBGz/jLOvPnns2CM +Bu ¶;{þº:qJ6„¼’]rL(@ۨףC8Áñ¸ì*ü¾–]ªù¡¾£=j1îãØ €kk¯â<4"[Üj©bLÅ;U2wc-4 \ No newline at end of file
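Review bot: In the Loki datasource hunk the password Grafana sends must match the bcrypt hash Caddy imports on sentinel, and the datasource now leaves the wireguard link for the public `https://${lokiDomain}` vhost, but nothing in either the `rekey.secrets.loki-basic-auth-password-grafana` declaration or the `secureJsonData.basicAuthPassword` line records that coupling. A comment such as `# plaintext of the "grafana" entry hashed in hosts/sentinel/secrets/loki-basic-auth.age; rotate both together` on the datasource entry would make a rotation of one secret without the other visible. Whether `$__file{}` strips a trailing newline from the decrypted file is worth confirming before relying on it, since an editor-appended newline becomes part of the password and the failure only surfaces as 401s on a vhost whose access log this change also disables. The `datasources` list continues outside the hunk.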