refactor: move all proxy related configuration to the nodes that define them

hosts/ward/microvms/kanidm/default.nix

@@ -5,7 +5,10 @@
   pkgs,
   utils,
   ...
-}: {
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
   imports = [
     ../../../../modules/proxy-via-sentinel.nix
   ];
@@ -26,12 +29,29 @@
     group = "kanidm";
   };
 
+  nodes.sentinel = {
+    proxiedDomains.kanidm = kanidmDomain;
+
+    services.caddy.virtualHosts.${kanidmDomain} = {
+      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy {
+          to https://${config.services.kanidm.serverSettings.bindaddress}
+          transport http {
+            tls_insecure_skip_verify
+          }
+        }
+      '';
+    };
+  };
+
   services.kanidm = {
     enableServer = true;
     # enablePAM = true;
     serverSettings = {
-      domain = nodes.sentinel.config.proxiedDomains.kanidm;
-      origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
+      domain = kanidmDomain;
+      origin = "https://${kanidmDomain}";
       tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
       tls_key = config.age.secrets."kanidm-self-signed.key".path;
       bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";