refactor: move all proxy related configuration to the nodes that define them

hosts/sentinel/caddy.nix

@@ -14,34 +14,6 @@
   # TODO     message = "non-deterministic uid detected for: ${name}";
   # TODO   });
 
-  age.secrets.loki-basic-auth-hashes = {
-    rekeyFile = ./secrets/loki-basic-auth-hashes.age;
-    generator = {
-      # Dependencies are added by the nodes that define passwords using
-      # distributed-config.
-      script = {
-        pkgs,
-        lib,
-        decrypt,
-        deps,
-        ...
-      }:
-        lib.flip lib.concatMapStrings deps ({
-          name,
-          host,
-          file,
-        }: ''
-          echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
-          echo -n ${lib.escapeShellArg host}" "
-          ${decrypt} ${lib.escapeShellArg file} \
-            | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
-            || die "Failure while aggregating caddy basic auth hashes"
-        '');
-    };
-    mode = "440";
-    group = "caddy";
-  };
-
   services.caddy = {
     enable = true;
     package = pkgs.caddy.withPackages {
@@ -53,99 +25,5 @@
       ];
       vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
     };
-
-    # globalConfig = ''
-    #   # servers {
-    #   #   metrics
-    #   # }
-
-    #   order authenticate before respond
-    #   order authorize before basicauth
-
-    #   security {
-    #     oauth identity provider generic {
-    #       realm generic
-    #       driver generic
-    #       client_id {env.GENERIC_CLIENT_ID}
-    #       client_secret {env.GENERIC_CLIENT_SECRET}
-    #       scopes openid email profile
-    #       base_auth_url https://${authDomain}/ui/oauth2
-    #       metadata_url https://${authDomain}/oauth2/openid/{env.GENERIC_CLIENT_ID}/.well-known/openid-configuration
-    #     }
-
-    #     authentication portal myportal {
-    #       crypto default token lifetime 3600
-    #       crypto key sign-verify {env.JWT_SHARED_KEY}
-    #       enable identity provider generic
-    #       cookie domain myfiosgateway.com
-    #       ui {
-    #         links {
-    #           "My Identity" "/whoami" icon "las la-user"
-    #         }
-    #       }
-
-    #       transform user {
-    #         match realm generic
-    #         action add role authp/user
-    #         ui link "File Server" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
-    #       }
-
-    #       transform user {
-    #         match realm generic
-    #         match email greenpau@contoso.com
-    #         action add role authp/admin
-    #       }
-    #     }
-
-    #     authorization policy mypolicy {
-    #       set auth url https://auth.myfiosgateway.com:8443/oauth2/generic
-    #       crypto key verify {env.JWT_SHARED_KEY}
-    #       allow roles authp/admin authp/user
-    #       validate bearer header
-    #       inject headers with claims
-    #     }
-    #   }
-    # '';
-
-    # TODO move subconfigs to the relevant hosts instead.
-    # -> have something like merged config nodes.<name>....
-    # -> needs to be in a way that doesn't trigger infinite recursion
-
-    virtualHosts.${config.proxyDomains.kanidm} = {
-      useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.kanidm;
-      extraConfig = ''
-        encode zstd gzip
-        reverse_proxy {
-          to https://${nodes.ward-kanidm.config.extra.wireguard.proxy-sentinel.ipv4}:${lib.last (lib.splitString ":" nodes.ward-kanidm.config.services.kanidm.serverSettings.bindaddress)}
-          transport http {
-            tls_insecure_skip_verify
-          }
-        }
-      '';
-    };
-
-    virtualHosts.${config.proxyDomains.grafana} = {
-      useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.grafana;
-      extraConfig = ''
-        encode zstd gzip
-        reverse_proxy {
-          to http://${nodes.ward-grafana.config.extra.wireguard.proxy-sentinel.ipv4}:${toString nodes.ward-grafana.config.services.grafana.settings.server.http_port}
-        }
-      '';
-    };
-
-    virtualHosts.${config.proxyDomains.loki} = {
-      useACMEHost = config.lib.extra.matchingWildcardCert config.proxyDomains.loki;
-      extraConfig = ''
-        encode zstd gzip
-        skip_log
-        basicauth {
-          import ${config.age.secrets.loki-basic-auth-hashes.path}
-        }
-        reverse_proxy {
-          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port}
-        }
-      '';
-    };
   };
 }

hosts/sentinel/default.nix

@@ -12,7 +12,6 @@
 
     ./fs.nix
     ./net.nix
-    ./proxied-domains.nix
 
     ./acme.nix
     ./caddy.nix

hosts/sentinel/proxied-domains.nix

@@ -1,25 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  inherit
-    (lib)
-    mkOption
-    types
-    ;
-
-  inherit (config.repo.secrets.local) personalDomain;
-in {
-  options.proxiedDomains = mkOption {
-    type = types.attrsOf types.str;
-    default = {};
-    description = "Registry of relevant proxied domains";
-  };
-
-  config.proxiedDomains = {
-    grafana = "grafana.${personalDomain}";
-    kanidm = "auth.${personalDomain}";
-    loki = "loki.${personalDomain}";
-  };
-}

hosts/sentinel/secrets/loki-basic-auth-hashes.age

@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> X25519 vqJImcuJU5nQkpNVBkRvU5gEjhiIT6GJIlKIa7Yv1T4
-e30hk35HKlgSfI++1rC/CSJBjD0NInyUWv5suU2aDxU
--> piv-p256 xqSe8Q Agg6on210aOduBZKkxcooDEb5INXxTn0py0lufQz3ymG
-TT2/sfJlvVIPaCNoqHVpAkYcrpQJ2K0OTclpuNCd2Gw
--> _cB-grease
-
---- 31UQg77E61iYmWHRniBdikMqVz7L8C6WYpWKrNvVi2k
-UMËÍ@ÿâ!¢ìŠ{ÚÝ�XQzŽ!yöžÑ	6X\³è]…UÁi®‰Œ4Ìð•—¼ByX‚´‘Ùøu\Þ^’ÃB¸.ò�h›%`”‹¸ÚM¸+
-qd$c¨-R;ȆÖV…#êŽ[¼{örqq¦èµÎÃV¨ql6«°î‹ÀÂEf©(RX¥2ÇiÖßKž�ï¬gÑì°ßWÐp‡	9Óì5°D}z