feat: convert sentinel to caddy

2025-10-10 23:00:39 +02:00 · 2023-06-05 01:53:38 +02:00 · 2023-06-05 01:53:38 +02:00 · 9e4f8dcf0d
commit 9e4f8dcf0d
parent 6f84594c87
5 changed files with 51 additions and 25 deletions
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -9,19 +9,13 @@
 in {
  users.groups.acme.members = ["caddy"];

-  rekey.secrets."dhparams.pem" = {
-    file = ./secrets/dhparams.pem.age;
-    mode = "440";
-    group = "nginx";
-  };
-
  services.caddy = let
    authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
    authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
    grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
    grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
    lokiDomain = "loki.${personalDomain}";
-    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
+    lokiPort = toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port;
  in {
    enable = true;
    package = pkgs.caddy.withPackages {
@ -33,5 +27,48 @@ in {
      ];
      vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
    };
+
+    globalConfig = ''
+      servers {
+        metrics
+      }
+    '';
+
+    virtualHosts.${authDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}
+          transport http {
+            tls_insecure_skip_verify
+          }
+        }
+      '';
+    };
+
+    virtualHosts.${grafanaDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}
+        }
+      '';
+    };
+
+    virtualHosts.${lokiDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
+      # TODO disable access log
+      # TODO auth
+      # TODO no auth for /ready
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
+          websocket
+        }
+      '';
+    };
  };
 }
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@ -6,23 +6,6 @@
 }: let
  inherit (config.repo.secrets.local) acme personalDomain;
 in {
-  rekey.secrets.acme-credentials = {
-    file = ./secrets/acme-credentials.age;
-    mode = "440";
-    group = "acme";
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      inherit (acme) email;
-      credentialsFile = config.rekey.secrets.acme-credentials.path;
-      dnsProvider = "cloudflare";
-      dnsPropagationCheck = true;
-      reloadServices = ["nginx"];
-    };
-  };
-  extra.acme.wildcardDomains = acme.domains;
  users.groups.acme.members = ["nginx"];

  rekey.secrets."dhparams.pem" = {
--- a/hosts/sentinel/secrets/dhparams.pem.age
+++ b/hosts/sentinel/secrets/dhparams.pem.age
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -157,6 +157,7 @@ in {
            name = "Loki";
            type = "loki";
            access = "proxy";
+            # TODO use public endpoint, and enable oauth token passing
            url = "http://${nodes."${parentNodeName}-loki".config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:3100";
            orgId = 1;
          }
@ -239,6 +240,8 @@ in {
  }: {
    rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";

+    extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
    networking.nftables.firewall = {
      zones = lib.mkForce {
        #local-vms.interfaces = ["local-vms"];
--- a/modules/extra.nix
+++ b/modules/extra.nix
@ -66,6 +66,9 @@ in {
      '';
    };

-    networking.firewall.allowedTCPPorts = optionals config.services.nginx.enable [80 443];
+    networking.firewall.allowedTCPPorts =
+      optionals
+      (config.services.caddy.enable || config.services.nginx.enable)
+      [80 443];
  };
 }