feat(ward): open kanidm port only for sentinel

hosts/sentinel/default.nix

@@ -14,6 +14,4 @@
     ./net.nix
     ./nginx.nix
   ];
-
-  boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
 }

hosts/sentinel/fs.nix

@@ -39,6 +39,7 @@
     };
   };
 
+  boot.loader.grub.devices = ["/dev/disk/by-id/${config.repo.secrets.local.disk.main}"];
   boot.initrd.luks.devices.enc-rpool.allowDiscards = true;
   fileSystems."/persist".neededForBoot = true;
 

hosts/sentinel/nginx.nix

@@ -49,6 +49,7 @@ in {
       locations."/".proxyPass = "https://kanidm";
       # Allow using self-signed certs to satisfy kanidm's requirement
       # for TLS connections. (This is over wireguard anyway)
+      # TODO can we get rid of this?
       extraConfig = ''
         proxy_ssl_verify off;
       '';