feat: generate caddy basic auth passwords using agenix-rekey

2025-10-11 07:10:39 +02:00 · 2023-06-10 00:52:17 +02:00 · 2023-06-10 00:52:17 +02:00 · e61c82ebfc
commit e61c82ebfc
parent cfb7c88862
4 changed files with 42 additions and 10 deletions
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -15,8 +15,33 @@ in {
  # TODO     message = "non-deterministic uid detected for: ${name}";
  # TODO   });
-  age.secrets.loki-basic-auth = {
+  age.secrets.loki-basic-auth-hashes = {
-    rekeyFile = ./secrets/loki-basic-auth.age;
+    rekeyFile = ./secrets/loki-basic-auth-hashes.age;
    generator = {
      dependencies = [
        # TODO allow defining these from other nodes like nodes.sentinel.age.secrets....dependenices = [];
        nodes.ward.config.age.secrets.loki-basic-auth-password
        nodes.ward-test.config.age.secrets.loki-basic-auth-password
      ];
      script = {
        pkgs,
        lib,
        decrypt,
        deps,
        ...
      }:
        lib.flip lib.concatMapStrings deps ({
          name,
          host,
          file,
        }: ''
          echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
          echo -n ${lib.escapeShellArg host}" "
          ${decrypt} ${lib.escapeShellArg file} \
            | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
            || die "Failure while aggregating caddy basic auth hashes"
        '');
    };
    mode = "440";
    group = "caddy";
  };
@ -125,7 +150,7 @@ in {
        encode zstd gzip
        skip_log
        basicauth {
-          import ${config.age.secrets.loki-basic-auth.path}
+          import ${config.age.secrets.loki-basic-auth-hashes.path}
        }
        reverse_proxy {
          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
--- a/hosts/sentinel/secrets/loki-basic-auth-hashes.age
+++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0
 zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU
 -> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm
 Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo
 -> ={9x3$iL-grease 7(o } u,|S!;51 "
 g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk
 --- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40
 UWh;oDñ�n&.¥Pš	žiˆ—³¶ÈÃíºBâÌ'ÊÉr¸nâØgŽúa@UOL_Æfã…¨ö)ñRhªvüžc2Ã[iêEÜJ$fZ¾LgÉÊÎU>\7Ú>NbÌßr{LW?ïÎ
’Ë4ëxð•ãÅÏÑ
‹Ý‹§7=ã�~qü•�ÖO6u£öõQÁøÍ�îÄJŒ	S¶šz	ÈÔMÀ0ï'`ì
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -2,6 +2,7 @@
  config,
  nodes,
  nixos-hardware,
  nodeName,
  pkgs,
  ...
 }: let
@ -100,6 +101,7 @@ in {
    age.secrets.loki-basic-auth-password = {
      rekeyFile = ./secrets/loki-basic-auth-password.age;
      generator = "alnum";
      mode = "440";
      group = "grafana";
    };
@ -165,7 +167,7 @@ in {
            url = "https://${lokiDomain}";
            orgId = 1;
            basicAuth = true;
-            basicAuthUser = "iB6UEjt4so4xWqei";
+            basicAuthUser = nodeName;
            secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
          }
        ];
--- a/hosts/ward/promtail.nix
+++ b/hosts/ward/promtail.nix
@ -11,9 +11,7 @@
 in {
  age.secrets.loki-basic-auth-password = {
    rekeyFile = ./secrets/loki-basic-auth-password.age;
-    file = ./aaa;
+    generator = "alnum";
    #file = ./aaa;
    #generate = "alnum48";
    mode = "440";
    group = "promtail";
  };
@ -35,9 +33,7 @@ in {
      clients = [
        {
-          #basic_auth.username = nodeName;
+          basicAuthUser = nodeName;
          #basic_auth.password_file = config.age.random-secrets.loki-basic-auth-password.path;
          basic_auth.username = "iB6UEjt4so4xWqei";
          basic_auth.password_file = config.age.secrets.loki-basic-auth-password.path;
          url = "https://${lokiDomain}/loki/api/v1/push";
        }