feat: convert sentinel to caddy

hosts/sentinel/caddy.nix

@@ -9,19 +9,13 @@
 in {
   users.groups.acme.members = ["caddy"];
 
-  rekey.secrets."dhparams.pem" = {
-    file = ./secrets/dhparams.pem.age;
-    mode = "440";
-    group = "nginx";
-  };
-
   services.caddy = let
     authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
     authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
     grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
     grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
     lokiDomain = "loki.${personalDomain}";
-    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
+    lokiPort = toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port;
   in {
     enable = true;
     package = pkgs.caddy.withPackages {
@@ -33,5 +27,48 @@ in {
       ];
       vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
     };
+
+    globalConfig = ''
+      servers {
+        metrics
+      }
+    '';
+
+    virtualHosts.${authDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}
+          transport http {
+            tls_insecure_skip_verify
+          }
+        }
+      '';
+    };
+
+    virtualHosts.${grafanaDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}
+        }
+      '';
+    };
+
+    virtualHosts.${lokiDomain} = {
+      useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
+      # TODO disable access log
+      # TODO auth
+      # TODO no auth for /ready
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy * {
+          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
+          websocket
+        }
+      '';
+    };
   };
 }

hosts/sentinel/nginx.nix

@@ -6,23 +6,6 @@
 }: let
   inherit (config.repo.secrets.local) acme personalDomain;
 in {
-  rekey.secrets.acme-credentials = {
-    file = ./secrets/acme-credentials.age;
-    mode = "440";
-    group = "acme";
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      inherit (acme) email;
-      credentialsFile = config.rekey.secrets.acme-credentials.path;
-      dnsProvider = "cloudflare";
-      dnsPropagationCheck = true;
-      reloadServices = ["nginx"];
-    };
-  };
-  extra.acme.wildcardDomains = acme.domains;
   users.groups.acme.members = ["nginx"];
 
   rekey.secrets."dhparams.pem" = {

hosts/ward/default.nix

@@ -157,6 +157,7 @@ in {
             name = "Loki";
             type = "loki";
             access = "proxy";
+            # TODO use public endpoint, and enable oauth token passing
             url = "http://${nodes."${parentNodeName}-loki".config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:3100";
             orgId = 1;
           }
@@ -239,6 +240,8 @@ in {
   }: {
     rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
 
+    extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
     networking.nftables.firewall = {
       zones = lib.mkForce {
         #local-vms.interfaces = ["local-vms"];

modules/extra.nix

@@ -66,6 +66,9 @@ in {
       '';
     };
 
-    networking.firewall.allowedTCPPorts = optionals config.services.nginx.enable [80 443];
+    networking.firewall.allowedTCPPorts =
+      optionals
+      (config.services.caddy.enable || config.services.nginx.enable)
+      [80 443];
   };
 }