1
1
Fork 1
mirror of https://github.com/oddlama/nix-config.git synced 2025-10-10 23:00:39 +02:00

refactor: move all proxy related configuration to the nodes that define them

This commit is contained in:
oddlama 2023-06-13 02:58:14 +02:00
parent ead3c1696f
commit 998d6d5348
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
12 changed files with 122 additions and 176 deletions

6
flake.lock generated
View file

@ -31,11 +31,11 @@
]
},
"locked": {
"lastModified": 1686610839,
"narHash": "sha256-rK3m7hth4Nc7Xmi83Mf4j53s1Ym9mJr312g7ct4i5Ck=",
"lastModified": 1686617801,
"narHash": "sha256-fXNOCYjuFL4427jRW9C5xdc7KSJKhoFxXbBrxE3kibU=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "cd77cb3bd43ece5b5fb1517d4b32338ac3cc5798",
"rev": "787efa41f1611403320517bbd41cd7cb7ebdf93d",
"type": "github"
},
"original": {

View file

@ -17,6 +17,7 @@
../../../modules/interface-naming.nix
../../../modules/microvms.nix
../../../modules/promtail.nix
../../../modules/proxied-domains.nix
../../../modules/repo.nix
../../../modules/wireguard.nix
];

View file

@ -14,34 +14,6 @@
# TODO message = "non-deterministic uid detected for: ${name}";
# TODO });
age.secrets.loki-basic-auth-hashes = {
rekeyFile = ./secrets/loki-basic-auth-hashes.age;
generator = {
# Dependencies are added by the nodes that define passwords using
# distributed-config.
script = {
pkgs,
lib,
decrypt,
deps,
...
}:
lib.flip lib.concatMapStrings deps ({
name,
host,
file,
}: ''
echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
echo -n ${lib.escapeShellArg host}" "
${decrypt} ${lib.escapeShellArg file} \
| ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
|| die "Failure while aggregating caddy basic auth hashes"
'');
};
mode = "440";
group = "caddy";
};
services.caddy = {
enable = true;
package = pkgs.caddy.withPackages {
@ -53,99 +25,5 @@
];
vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
};
# globalConfig = ''
# # servers {
# # metrics
# # }
# order authenticate before respond
# order authorize before basicauth
# security {
# oauth identity provider generic {
# realm generic
# driver generic
# client_id {env.GENERIC_CLIENT_ID}
# client_secret {env.GENERIC_CLIENT_SECRET}
# scopes openid email profile
# base_auth_url https://${authDomain}/ui/oauth2
# metadata_url https://${authDomain}/oauth2/openid/{env.GENERIC_CLIENT_ID}/.well-known/openid-configuration
# }
# authentication portal myportal {
# crypto default token lifetime 3600
# crypto key sign-verify {env.JWT_SHARED_KEY}
# enable identity provider generic
# cookie domain myfiosgateway.com
# ui {
# links {
# "My Identity" "/whoami" icon "las la-user"
# }
# }
# transform user {
# match realm generic
# action add role authp/user
# ui link "File Server" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
# }
# transform user {
# match realm generic
# match email greenpau@contoso.com
# action add role authp/admin
# }
# }
# authorization policy mypolicy {
# set auth url https://auth.myfiosgateway.com:8443/oauth2/generic
# crypto key verify {env.JWT_SHARED_KEY}
# allow roles authp/admin authp/user
# validate bearer header
# inject headers with claims
# }
# }
# '';
# TODO move subconfigs to the relevant hosts instead.
# -> have something like merged config nodes.<name>....
# -> needs to be in a way that doesn't trigger infinite recursion
virtualHosts.${config.proxyDomains.kanidm} = {
useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.kanidm;
extraConfig = ''
encode zstd gzip
reverse_proxy {
to https://${nodes.ward-kanidm.config.extra.wireguard.proxy-sentinel.ipv4}:${lib.last (lib.splitString ":" nodes.ward-kanidm.config.services.kanidm.serverSettings.bindaddress)}
transport http {
tls_insecure_skip_verify
}
}
'';
};
virtualHosts.${config.proxyDomains.grafana} = {
useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.grafana;
extraConfig = ''
encode zstd gzip
reverse_proxy {
to http://${nodes.ward-grafana.config.extra.wireguard.proxy-sentinel.ipv4}:${toString nodes.ward-grafana.config.services.grafana.settings.server.http_port}
}
'';
};
virtualHosts.${config.proxyDomains.loki} = {
useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.loki;
extraConfig = ''
encode zstd gzip
skip_log
basicauth {
import ${config.age.secrets.loki-basic-auth-hashes.path}
}
reverse_proxy {
to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port}
}
'';
};
};
}

View file

@ -12,7 +12,6 @@
./fs.nix
./net.nix
./proxied-domains.nix
./acme.nix
./caddy.nix

View file

@ -1,25 +0,0 @@
{
config,
lib,
...
}: let
inherit
(lib)
mkOption
types
;
inherit (config.repo.secrets.local) personalDomain;
in {
options.proxiedDomains = mkOption {
type = types.attrsOf types.str;
default = {};
description = "Registry of relevant proxied domains";
};
config.proxiedDomains = {
grafana = "grafana.${personalDomain}";
kanidm = "auth.${personalDomain}";
loki = "loki.${personalDomain}";
};
}

View file

@ -1,10 +0,0 @@
age-encryption.org/v1
-> X25519 vqJImcuJU5nQkpNVBkRvU5gEjhiIT6GJIlKIa7Yv1T4
e30hk35HKlgSfI++1rC/CSJBjD0NInyUWv5suU2aDxU
-> piv-p256 xqSe8Q Agg6on210aOduBZKkxcooDEb5INXxTn0py0lufQz3ymG
TT2/sfJlvVIPaCNoqHVpAkYcrpQJ2K0OTclpuNCd2Gw
-> _cB-grease
--- 31UQg77E61iYmWHRniBdikMqVz7L8C6WYpWKrNvVi2k
U MËÍ@ÿâ!¢ìŠ{ÚÝ�XQzŽ!yöžÑ 6X\³è]…UÁi®‰Œ4Ìð•—¼ByX‚´‘Ùøu\Þ^’ÃB¸.ò�h›%`”‹¸ÚM¸+
qd$c¨-R;ȆÖV …#êŽ[¼{örqq¦èµÎÃV¨ql6«°î‹ÀÂEf©(RX¥2ÇiÖßKž�ï¬gÑì°ßWÐp‡ 9Óì5°D}z

View file

@ -5,7 +5,10 @@
nodes,
utils,
...
}: {
}: let
sentinelCfg = nodes.sentinel.config;
grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
@ -27,9 +30,23 @@
group = "grafana";
};
nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
config.age.secrets.grafana-loki-basic-auth-password
];
nodes.sentinel = {
age.secrets.loki-basic-auth-hashes.generator.dependencies = [
config.age.secrets.grafana-loki-basic-auth-password
];
proxiedDomains.grafana = grafanaDomain;
services.caddy.virtualHosts.${grafanaDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
extraConfig = ''
encode zstd gzip
reverse_proxy {
to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
}
'';
};
};
services.grafana = {
enable = true;
@ -38,8 +55,8 @@
users.allow_sign_up = false;
server = {
domain = nodes.sentinel.config.proxiedDomains.grafana;
root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
domain = grafanaDomain;
root_url = "https://${grafanaDomain}";
enforce_domain = true;
enable_gzip = true;
http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
@ -66,9 +83,9 @@
client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
scopes = "openid email profile";
login_attribute_path = "prefered_username";
auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
auth_url = "https://${sentinelCfg.proxiedDomains.kanidm}/ui/oauth2";
token_url = "https://${sentinelCfg.proxiedDomains.kanidm}/oauth2/token";
api_url = "https://${sentinelCfg.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
use_pkce = true;
# Allow mapping oauth2 roles to server admin
allow_assign_grafana_admin = true;
@ -89,7 +106,7 @@
name = "Loki";
type = "loki";
access = "proxy";
url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
url = "https://${sentinelCfg.proxiedDomains.loki}";
orgId = 1;
basicAuth = true;
basicAuthUser = nodeName;

View file

@ -5,7 +5,10 @@
pkgs,
utils,
...
}: {
}: let
sentinelCfg = nodes.sentinel.config;
kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
@ -26,12 +29,29 @@
group = "kanidm";
};
nodes.sentinel = {
proxiedDomains.kanidm = kanidmDomain;
services.caddy.virtualHosts.${kanidmDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
extraConfig = ''
encode zstd gzip
reverse_proxy {
to https://${config.services.kanidm.serverSettings.bindaddress}
transport http {
tls_insecure_skip_verify
}
}
'';
};
};
services.kanidm = {
enableServer = true;
# enablePAM = true;
serverSettings = {
domain = nodes.sentinel.config.proxiedDomains.kanidm;
origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
domain = kanidmDomain;
origin = "https://${kanidmDomain}";
tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
tls_key = config.age.secrets."kanidm-self-signed.key".path;
bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";

View file

@ -4,7 +4,10 @@
nodes,
utils,
...
}: {
}: let
sentinelCfg = nodes.sentinel.config;
lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}";
in {
imports = [
../../../../modules/proxy-via-sentinel.nix
];
@ -13,6 +16,52 @@
sentinel-to-local.allowedTCPPorts = [3100];
};
nodes.sentinel = {
proxiedDomains.loki = lokiDomain;
age.secrets.loki-basic-auth-hashes = {
rekeyFile = ./secrets/loki-basic-auth-hashes.age;
generator = {
# Dependencies are added by the nodes that define passwords using
# distributed-config.
script = {
pkgs,
lib,
decrypt,
deps,
...
}:
lib.flip lib.concatMapStrings deps ({
name,
host,
file,
}: ''
echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
echo -n ${lib.escapeShellArg host}" "
${decrypt} ${lib.escapeShellArg file} \
| ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
|| die "Failure while aggregating caddy basic auth hashes"
'');
};
mode = "440";
group = "caddy";
};
services.caddy.virtualHosts.${lokiDomain} = {
useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
extraConfig = ''
encode zstd gzip
skip_log
basicauth {
import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
}
reverse_proxy {
to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
}
'';
};
};
services.loki = let
lokiDir = "/var/lib/loki";
in {

View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> X25519 oTqcGYrzcjVyYkWQndidK7lfyMfQUFaLukLu9ru7ygc
0viOW4o/PQEhZfZFOx4UxbRBCGUXCYcvDv6r8hi6aiQ
-> piv-p256 xqSe8Q Akl/Ab1PwdLsyhJv3KzPxdALttqJdNk1wNj+pNnrFs9v
FbVps0hL4XpaPxrIBFmBi+a4YKIjTYsqBjN9JwzpkP8
-> ^/?z7Md-grease QDfMgTO
b+w4gj1Yxs6ocBCJN6AgLDad1/+EZ+HZ0zvMvGJaztxeIhNLSsiqoBn2GpwX6IcY
YWpLnO3Fw1xaU9Jqn9HJIqyYGFX1O5dBlvgu1rqgxytwiEEcDZaXOA1ZIupE
--- 0jXcY3KP8+JMsQ6+uhLE2bS1vGau/hr2b5ZD2SIUkbE
ąŠô>@2([žsÎ&ꆴd»KŽş’<w‰kÖqପZ$VĘ[Äf_Ć‘d-u´š‰ëß˝ź|^ß×ƶ–Q7�cIÇl*ćŕÚŮłź Ľ€łś”ź•�™´2úńzgcUâza5>1}ĂiĆ_ ~�ÎÍžÁ™­ü�«˛ŮQây�ĐÜW°P:qQ}"Óôň]+Pŕ:´Ŕqg|3köŃ&6˙őÉŘ`hG

View file

@ -37,7 +37,7 @@ in {
isColmenaNode = elem nodeName (attrNames colmenaNodes);
otherNodes = filter (n: n != nodeName) (attrNames colmenaNodes);
foreignConfigs = concatMap (n: colmenaNodes.${n}.config.nodes.${nodeName} or []) otherNodes;
toplevelAttrs = ["age" "networking" "systemd" "services"];
toplevelAttrs = ["age" "proxiedDomains" "networking" "systemd" "services"];
in
optionalAttrs isColmenaNode (mergeToplevelConfigs toplevelAttrs (
foreignConfigs

View file

@ -0,0 +1,7 @@
{lib, ...}: {
options.proxiedDomains = lib.mkOption {
type = lib.types.attrsOf lib.types.str;
default = {};
description = "Registry of proxied domains for easy cross-node referencing.";
};
}