feat: generate caddy basic auth passwords using agenix-rekey

2025-10-11 07:10:39 +02:00 · 2023-06-10 00:52:17 +02:00 · 2023-06-10 00:52:17 +02:00 · e61c82ebfc
commit e61c82ebfc
parent cfb7c88862
4 changed files with 42 additions and 10 deletions
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -15,8 +15,33 @@ in {
  # TODO     message = "non-deterministic uid detected for: ${name}";
  # TODO   });

-  age.secrets.loki-basic-auth = {
-    rekeyFile = ./secrets/loki-basic-auth.age;
+  age.secrets.loki-basic-auth-hashes = {
+    rekeyFile = ./secrets/loki-basic-auth-hashes.age;
+    generator = {
+      dependencies = [
+        # TODO allow defining these from other nodes like nodes.sentinel.age.secrets....dependenices = [];
+        nodes.ward.config.age.secrets.loki-basic-auth-password
+        nodes.ward-test.config.age.secrets.loki-basic-auth-password
+      ];
+      script = {
+        pkgs,
+        lib,
+        decrypt,
+        deps,
+        ...
+      }:
+        lib.flip lib.concatMapStrings deps ({
+          name,
+          host,
+          file,
+        }: ''
+          echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
+          echo -n ${lib.escapeShellArg host}" "
+          ${decrypt} ${lib.escapeShellArg file} \
+            | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
+            || die "Failure while aggregating caddy basic auth hashes"
+        '');
+    };
    mode = "440";
    group = "caddy";
  };
@ -125,7 +150,7 @@ in {
        encode zstd gzip
        skip_log
        basicauth {
-          import ${config.age.secrets.loki-basic-auth.path}
+          import ${config.age.secrets.loki-basic-auth-hashes.path}
        }
        reverse_proxy {
          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
--- a/hosts/sentinel/secrets/loki-basic-auth-hashes.age
+++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0
+zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU
+-> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm
+Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo
+-> ={9x3$iL-grease 7(o } u,|S!;51 "
+g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk
+--- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40
+UWh;oDñ�n&.¥Pš	žiˆ—³¶ÈÃíºBâÌ'ÊÉr¸nâØgŽúa@UOL_Æfã…¨ö)ñRhªvüžc2Ã[iêEÜJ$fZ¾LgÉÊÎU>\7Ú>NbÌßr{LW?ïÎ
’Ë4ëxð•ãÅÏÑ
‹Ý‹§7=ã�~qü•�ÖO6u£öõQÁøÍ�îÄJŒ	S¶šz	ÈÔMÀ0ï'`ì