chore: test basic auth with influx, but seems to conflict with internal auth

2023-06-25 14:37:25 +02:00 · 2023-06-25 14:37:25 +02:00 · 10a52642ad
commit 10a52642ad
parent 6e15d49cbc
5 changed files with 43 additions and 3 deletions
--- a/hosts/ward/microvms/influxdb/default.nix
+++ b/hosts/ward/microvms/influxdb/default.nix
@ -36,6 +36,26 @@ in {
  nodes.sentinel = {
    providedDomains.influxdb = influxdbDomain;

+    # Not actually used on the system, but to allow us to provision tokens
+    # when generating secrets.
+    age.secrets.admin-influxdb-basic-auth-password = {
+      rekeyFile = ./secrets/admin-influxdb-basic-auth-password.age;
+      generator = "alnum";
+      mode = "000";
+    };
+
+    age.secrets.influxdb-basic-auth-hashes = {
+      rekeyFile = ./secrets/influxdb-basic-auth-hashes.age;
+      # Copy only the script so the dependencies can be added by the nodes
+      # that define passwords (using distributed-config).
+      generator = {
+        inherit (config.age.generators.basic-auth) script;
+        dependencies = [sentinelCfg.age.secrets.admin-influxdb-basic-auth-password];
+      };
+      mode = "440";
+      group = "nginx";
+    };
+
    services.nginx = {
      upstreams.influxdb = {
        servers."${config.services.influxdb2.settings.http-bind-address}" = {};
@ -54,6 +74,8 @@ in {
          proxyWebsockets = true;
          extraConfig = ''
            satisfy any;
+            auth_basic "Authentication required";
+            auth_basic_user_file ${sentinelCfg.age.secrets.influxdb-basic-auth-hashes.path};
            ${lib.concatMapStrings (ip: "allow ${ip};\n") sentinelCfg.extra.wireguard.proxy-sentinel.server.reservedAddresses}
            deny all;
          '';
--- a/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
+++ b/hosts/ward/microvms/influxdb/secrets/admin-influxdb-basic-auth-password.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 eDC4hGeQD8dKvjQGBSflv/kqswkwegtt7mpGTatDjlk
+vMVjoIZ4/7293gMJBY+6oIuE3SVulm8Qz5d2TQCy8YA
+-> piv-p256 xqSe8Q Av1JmXT6ELHJypYLCvvpa5HLphPJcQhBTLHrQWUu3BXU
+K/KNd1uhA/fyYmnPKJexC8W/5W4ZhtzDQEci8sswqP8
+-> 6huK-grease iyY \}FcJ
+k8F8LboYhZJtd2PyQQpRJUoSpBVGm3ocsIiYV9tEihOLahdqcyQawHU2mL7zMTo+
+j6FqPxOXBQ
+--- gzu/0Qvwe1DU/wXCkzaZgFQks4Hq/OAudbkfPiQMHR4
+¿¯/P'Ü|L%äo�>³GôpHžþKÉ™ö¹•Ï3•)z�ùÏJD01xüsè¨â‹Þ-Æd|õ€d¦…'ò¼‹/Ík\6B}‚xË
--- a/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age
+++ b/hosts/ward/microvms/influxdb/secrets/influxdb-basic-auth-hashes.age