chore: remove old nginx and oauth2-proxy config for sentinel

hosts/sentinel/caddy.nix

@@ -34,6 +34,9 @@ in {
       }
     '';
 
+    # TODO move subconfigs to the relevant hosts instead.
+    # -> have something like merged config nodes.<name>....
+
     virtualHosts.${authDomain} = {
       useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
       extraConfig = ''

hosts/sentinel/nginx.nix

@@ -1,89 +0,0 @@
-{
-  config,
-  lib,
-  nodes,
-  ...
-}: let
-  inherit (config.repo.secrets.local) acme personalDomain;
-in {
-  users.groups.acme.members = ["nginx"];
-
-  rekey.secrets."dhparams.pem" = {
-    file = ./secrets/dhparams.pem.age;
-    mode = "440";
-    group = "nginx";
-  };
-
-  services.nginx = let
-    authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
-    authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
-    grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
-    grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
-    lokiDomain = "loki.${personalDomain}";
-    lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
-  in {
-    enable = true;
-
-    # TODO move subconfigs to the relevant hosts instead.
-    # -> have something like merged config nodes.<name>....
-
-    upstreams.kanidm = {
-      servers."${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}" = {};
-      extraConfig = ''
-        zone kanidm 64k;
-        keepalive 2;
-      '';
-    };
-    virtualHosts.${authDomain} = {
-      forceSSL = true;
-      useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
-      locations."/".proxyPass = "https://kanidm";
-      # Allow using self-signed certs to satisfy kanidm's requirement
-      # for TLS connections. (This is over wireguard anyway)
-      # TODO can we get rid of this?
-      extraConfig = ''
-        proxy_ssl_verify off;
-      '';
-    };
-
-    upstreams.grafana = {
-      servers."${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}" = {};
-      extraConfig = ''
-        zone grafana 64k;
-        keepalive 2;
-      '';
-    };
-    virtualHosts.${grafanaDomain} = {
-      forceSSL = true;
-      useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
-      locations."/".proxyPass = "http://grafana";
-    };
-
-    upstreams.loki = {
-      servers."${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}" = {};
-      extraConfig = ''
-        zone loki 64k;
-        keepalive 2;
-      '';
-    };
-    virtualHosts.${lokiDomain} = {
-      forceSSL = true;
-      useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
-      locations."/" = {
-        proxyPass = "http://loki";
-        proxyWebsockets = true;
-        extraConfig = ''
-          access_log off;
-        '';
-      };
-      locations."/ready" = {
-        proxyPass = "http://loki";
-        proxyWebsockets = true;
-        extraConfig = ''
-          auth_request off;
-          access_log off;
-        '';
-      };
-    };
-  };
-}

hosts/sentinel/oauth2-proxy.nix

@@ -1,57 +0,0 @@
-{
-  config,
-  lib,
-  nodes,
-  ...
-}: let
-  inherit (config.repo.secrets.local) acme personalDomain;
-  authDomain = "auth.${personalDomain}";
-in {
-  networking.domain = personalDomain;
-
-  # Contains OAUTH2_PROXY_CLIENT_SECRET=...
-  #rekey.secrets.grafana-secret-key = {
-  #  file = ./secrets/oauth2-proxy-client-secret.age;
-  #  mode = "440";
-  #  group = "oauth2_proxy";
-  #};
-
-  services.oauth2_proxy = {
-    enable = true;
-    cookie.secure = true;
-    cookie.httpOnly = false;
-    email.domains = ["*"];
-    provider = "oidc";
-    scope = "openid email";
-    loginURL = "https://${authDomain}/ui/oauth2";
-    redeemURL = "https://${authDomain}/oauth2/token";
-    validateURL = "https://${authDomain}/oauth2/openid/grafana/userinfo";
-    clientID = "oauth2-proxy";
-    clientSecret = "";
-    #keyFile = config.rekey.secrets.oauth2-proxy-client-secret.path;
-    reverseProxy = true;
-    extraConfig.skip-provider-button = true;
-    setXauthrequest = true;
-  };
-
-  # Apply oauth by default to all locations
-  services.nginx.virtualHosts = lib.genAttrs config.services.oauth2_proxy.nginx.virtualHosts (_: {
-    extraConfig = ''
-      auth_request /oauth2/auth;
-      error_page 401 = /oauth2/sign_in;
-
-      # pass information via X-User and X-Email headers to backend,
-      # requires running with --set-xauthrequest flag
-      auth_request_set $user   $upstream_http_x_auth_request_user;
-      auth_request_set $email  $upstream_http_x_auth_request_email;
-      proxy_set_header X-User  $user;
-      proxy_set_header X-Email $email;
-
-      # if you enabled --cookie-refresh, this is needed for it to work with auth_request
-      auth_request_set $auth_cookie $upstream_http_set_cookie;
-      add_header Set-Cookie $auth_cookie;
-    '';
-    locations."/oauth2/".extraConfig = "auth_request off;";
-    locations."/oauth2/auth".extraConfig = "auth_request off;";
-  });
-}