From 10a52642ad029484676783df417a16177c17ba8f Mon Sep 17 00:00:00 2001
From: oddlama
Date: Sun, 25 Jun 2023 14:37:25 +0200
Subject: [PATCH] chore: test basic auth with influx, but seems to conflict with internal auth
---
 hosts/ward/microvms/influxdb/default.nix | 22 ++++++++++++++++++
 .../admin-influxdb-basic-auth-password.age | 10 ++++++++
 .../secrets/influxdb-basic-auth-hashes.age | Bin 560 -> 494 bytes
 modules/telegraf.nix | 10 ++++++++
 nix/lib.nix | 4 +---
 5 files changed, 43 insertions(+), 3 deletions(-)
 create mode 100644 hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
diff --git a/hosts/ward/microvms/influxdb/default.nix b/hosts/ward/microvms/influxdb/default.nix
index 6c804c1..85a027d 100644
--- a/hosts/ward/microvms/influxdb/default.nix
+++ b/hosts/ward/microvms/influxdb/default.nix
@@ -36,6 +36,26 @@ in {
 nodes.sentinel = {
 providedDomains.influxdb = influxdbDomain;
 
+ # Not actually used on the system, but to allow us to provision tokens
+ # when generating secrets.
+ age.secrets.admin-influxdb-basic-auth-password = {
+ rekeyFile = ./secrets/admin-influxdb-basic-auth-password.age;
+ generator = "alnum";
+ mode = "000";
+ };
+
+ age.secrets.influxdb-basic-auth-hashes = {
+ rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
+ # Copy only the script so the dependencies can be added by the nodes
+ # that define passwords (using distributed-config).
+ generator = {
+ inherit (config.age.generators.basic-auth) script;
+ dependencies = [sentinelCfg.age.secrets.admin-influxdb-basic-auth-password];
+ };
+ mode = "440";
+ group = "nginx";
+ };
+
 services.nginx = {
 upstreams.influxdb = {
 servers."${config.services.influxdb2.settings.http-bind-address}" = {};
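Review bot: The `admin-influxdb-basic-auth-password` secret is declared as an `age.secrets` entry on `nodes.sentinel` with `mode = "000"`, so despite the comment "Not actually used on the system" it will presumably still be decrypted onto the proxy host at activation, where only root can read it. If the secrets tooling has a generate-only path that does not deploy the file, that would keep the admin credential off sentinel entirely; otherwise the comment should state the trade-off, e.g. `# Still decrypted on sentinel (unreadable, mode 000); it exists only so the basic-auth hash generator has a dependency to read.`. Note also that `dependencies` for `influxdb-basic-auth-hashes` currently lists only this admin password, so until other nodes contribute theirs via distributed-config the generated htpasswd file contains exactly one credential, and that credential unlocks the whole proxied influxdb location below.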
@@ -54,6 +74,8 @@ in {
 proxyWebsockets = true;
 extraConfig = ''
 satisfy any;
+ auth_basic "Authentication required";
+ auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
 ${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.extra.wireguard.proxy-sentinel.server.reservedAddresses}
 deny all;
 '';
diff --git a/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age b/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
new file mode 100644
index 0000000..49cc1b6
--- /dev/null
+++ b/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 eDC4hGeQD8dKvjQGBSflv/kqswkwegtt7mpGTatDjlk
+vMVjoIZ4/7293gMJBY+6oIuE3SVulm8Qz5d2TQCy8YA
+-> piv-p256 xqSe8Q Av1JmXT6ELHJypYLCvvpa5HLphPJcQhBTLHrQWUu3BXU
+K/KNd1uhA/fyYmnPKJexC8W/5W4ZhtzDQEci8sswqP8
+-> 6huK-grease iyY \}FcJ
+k8F8LboYhZJtd2PyQQpRJUoSpBVGm3ocsIiYV9tEihOLahdqcyQawHU2mL7zMTo+
+j6FqPxOXBQ
+--- gzu/0Qvwe1DU/wXCkzaZgFQks4Hq/OAudbkfPiQMHR4
+/P'|L%o>GpHKə3)zJD01xs-d|d'/k\6B}x
\ No newline at end of file
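Review bot: The added `auth_basic` directive and InfluxDB's own token authentication both consume the `Authorization` header, so a client that sends `Authorization: Token …` from an address outside the WireGuard `reservedAddresses` allow-list gets a 401 from nginx before influxdb2 ever sees the token; this is most likely the "conflict with internal auth" the commit title mentions. With `satisfy any;` only the allow-listed addresses bypass basic auth, and every other caller must present a Basic credential, which token-based clients such as telegraf cannot add alongside their token. If this stays, record the restriction next to the directive, e.g. `# NOTE: basic auth consumes the Authorization header; token-authenticated API clients must come from an allowed address.`; otherwise scope the basic-auth gate to a separate location or vhost meant for browser access and leave the API paths to influx tokens. The enclosing location block starts and ends outside the hunk.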
diff --git a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
index f08d7273a549e50575cfda020314208e514fda51..4ff7adfb24f34205e65a599a39349315340e360c 100644
GIT binary patch
delta 472
zcmV;}0Vn>j1nvWnAb)LdIYVkQWJpeNHBwSdWp7Y$Q)@U@Z&OQhdP{RkR#;X_Mr2lK zXLM~dYYI0^FKB2`FLp{wb$K^ePewv#WMx@QaZpTXc12oIcVTZJ|Ht|EoX9NVRL05GErl1Mn_NzH*PCxc~(YpR#7lFa8xvBS4wAfYGp@nT3BRN zN-=F^LNjq`Pk&7^I4g2?RB~r{Y*1%bM{`zgL1|%G3N0-yAWcD7SZXUcM`l_?OLk>i zN_S~58!W+Ne^;n3b-=LKRC zh`<>}vRb`rqCqM)Z(FaN(D)C2h#yGS9(soHL_}3~VShDdT31PEP-awNHfC9O zNKsg8O?GomF-{6_Pclq6b7D3tOIKN1V>UNAa!^z`QgLNXa7S-JGImdSV|saUWl?N% zPf-djJ|JRQBrRuhWnpt=AbV&tIWQo2QDHbV5@_bVEZ*D{eXMnXb&T7NTUFbcQ4chF~0KQrLxx2TI@ ztJNO!&qT9xnYByX=)JxV6>p{6k6(yv_%vMqg#r0xuaiw|z)@12#ASo!Z^8kBKRm_f z#t@?OzcY`IV=(R6@ijh#eMxeU5$cX<2g(+m5np$g}f52YTPEEE5Ofdvl7CR df^?~@{uF-3q)!d?RsnrejQ+Bw;hgsQ2-*E2%d7wZ
diff --git a/modules/telegraf.nix b/modules/telegraf.nix
index 80f9e39..daf54e7 100644
--- a/modules/telegraf.nix
+++ b/modules/telegraf.nix
@@ -43,6 +43,16 @@ in {
 config = mkIf cfg.enable {
 age.secrets.telegraf-influxdb-token = {
 rekeyFile = nodePath + "/secrets/telegraf-influxdb-token.age";
+ # TODO generator.script = { pkgs, lib, decrypt, deps, ... }: let
+ # TODO adminBasicAuth = (builtins.head deps).file;
+ # TODO adminToken = (builtins.head deps).file; # TODO ..... filter by name?
+ # TODO in ''
+ # TODO echo " -> Provisioning influxdb token for telegraf on ${nodeName} at https://${cfg.influxdb2.domain}" >&2
+ # TODO ${decrypt} ${lib.escapeShellArg aba.file} \
+ # TODO INFLUX_HOST=https://${aba.host}+${aba.name}:${PW}@${URL}
+ # TODO | ${pkgs.influxdb2-cli}/bin/influx -niBC 12 ${lib.escapeShellArg host}"+"${lib.escapeShellArg name} \
+ # TODO || die "Failure"
+ # TODO '');
 mode = "440";
 group = "telegraf";
 };
diff --git a/nix/lib.nix b/nix/lib.nix
index 5607331..dfdbe99 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
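Review bot: The commented-out generator sketch in the telegraf.nix hunk builds the admin credential into a URL (`INFLUX_HOST=https://${aba.host}+${aba.name}:${PW}@${URL}`), and credentials embedded in URLs tend to surface in shell tracing, client logs and error output once such a script runs; when this is implemented, the password should be read from the decrypted dependency file and handed to the CLI via a file or environment variable, never the URL. The two `builtins.head deps` lines also both select the first dependency, so `adminBasicAuth` and `adminToken` would alias the same file — the inline "filter by name?" TODO needs resolving before anything is uncommented. Since the hunk adds only TODO comments, a single line such as `# TODO(security): keep the password out of the URL; read it from the decrypted dependency file` would make that constraint visible to whoever picks this up. The enclosing `config = mkIf cfg.enable {` block ends outside the hunk.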
@@ -73,9 +73,7 @@ in rec {
 # Counts how often each element occurrs in xs
 countOccurrences = let
 addOrUpdate = acc: x:
- if builtins.hasAttr x acc
- then acc // {${x} = acc.${x} + 1;}
- else acc // {${x} = 1;};
+ acc // {${x} = (acc.${x} or 0) + 1;};
 in foldl' addOrUpdate {};