feat: convert sentinel to caddy

2025-10-11 07:10:39 +02:00 · 2023-06-05 01:53:38 +02:00 · 2023-06-05 01:53:38 +02:00 · 9e4f8dcf0d
commit 9e4f8dcf0d
parent 6f84594c87
5 changed files with 51 additions and 25 deletions
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -9,19 +9,13 @@
 in {
  users.groups.acme.members = ["caddy"];

-  rekey.secrets."dhparams.pem" = {
-    file = ./secrets/dhparams.pem.age;
-    mode = "440";
-    group = "nginx";
-  };
-
  services.caddy = let
    authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
    authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
    grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
    grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
    lokiDomain = "loki.${personalDomain}";
-    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
+    lokiPort = toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port;
  in {
    enable = true;
    package = pkgs.caddy.withPackages {
@ -33,5 +27,48 @@ in {
      ];
      vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
    };
+
+    globalConfig = ''
+      servers {
+        metrics
+      }
+    '';
+
+    virtualHosts.${authDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}
+          transport http {
+            tls_insecure_skip_verify
+          }
+        }
+      '';
+    };
+
+    virtualHosts.${grafanaDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}
+        }
+      '';
+    };
+
+    virtualHosts.${lokiDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
+      # TODO disable access log
+      # TODO auth
+      # TODO no auth for /ready
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
+          websocket
+        }
+      '';
+    };
  };
 }
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@ -6,23 +6,6 @@
 }: let
  inherit (config.repo.secrets.local) acme personalDomain;
 in {
-  rekey.secrets.acme-credentials = {
-    file = ./secrets/acme-credentials.age;
-    mode = "440";
-    group = "acme";
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      inherit (acme) email;
-      credentialsFile = config.rekey.secrets.acme-credentials.path;
-      dnsProvider = "cloudflare";
-      dnsPropagationCheck = true;
-      reloadServices = ["nginx"];
-    };
-  };
-  extra.acme.wildcardDomains = acme.domains;
  users.groups.acme.members = ["nginx"];

  rekey.secrets."dhparams.pem" = {
--- a/hosts/sentinel/secrets/dhparams.pem.age
+++ b/hosts/sentinel/secrets/dhparams.pem.age