diff --git a/hosts/sentinel/secrets/loki-basic-auth-hashes.age b/hosts/sentinel/secrets/loki-basic-auth-hashes.age index 1bd7187..c47f312 100644 --- a/hosts/sentinel/secrets/loki-basic-auth-hashes.age +++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age @@ -1,9 +1,10 @@ age-encryption.org/v1 --> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0 -zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU --> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm -Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo --> ={9x3$iL-grease 7(o } u,|S!;51 " -g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk ---- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40 -UWh;oDn&.P iB'rnga@UOL_fㅨ)Rhvc2[iEJ$fZLgU>\7>Nbr{LW? 4x ݋7=~qO6uQ́J Sz M0'` \ No newline at end of file +-> X25519 lB23D7AmIF0aexiFK8El0nE88SFMsTdqI2AFwCkoAkw +n1eyViq9JQCe7QTuKi3k8DNdnjR6c2lLaBoT8f4IHQg +-> piv-p256 xqSe8Q Ar0Mqg1pFoTei1CfCUp4SZsXNSxkJw9CVV7KuiZWqVkB +Vx7hdeRcSiS/IiXWkMm0Sy2c5zWGGFUtLd03WKKTpYs +-> -.-grease C?E+>{j _of5 +u02vRewJinMZScNTqe7+7Ee8b98EY3+T0oYs1yOhEJ2KdFPsrUcoMWivMun2KwwM +rPkxdA +--- zMYSBhkaD2xsuyTKqN8hG8NaJuAXeinDrXQtddfR0Gs +sȆep_uhӷ۶B UUp[[c7+OE el`j(`ƪv#_.GP:?";_'> 4 \ No newline at end of file diff --git a/hosts/sentinel/secrets/loki-basic-auth.age b/hosts/sentinel/secrets/loki-basic-auth.age deleted file mode 100644 index 50f1046..0000000 Binary files a/hosts/sentinel/secrets/loki-basic-auth.age and /dev/null differ diff --git a/hosts/ward/microvms/grafana/default.nix b/hosts/ward/microvms/grafana/default.nix index 3f4285f..73a9059 100644 --- a/hosts/ward/microvms/grafana/default.nix +++ b/hosts/ward/microvms/grafana/default.nix 
@@ -6,25 +6,12 @@
 utils,
 ...
 }: {
- extra.wireguard.proxy-sentinel.client.via = "sentinel";
+ imports = [
+ ../../../../modules/proxy-via-sentinel.nix
+ ];
- networking.nftables.firewall = {
- zones = lib.mkForce {
- proxy-sentinel.interfaces = ["proxy-sentinel"];
- sentinel = {
- parent = "proxy-sentinel";
- ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4];
- ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6];
- };
- };
-
- rules = lib.mkForce {
- sentinel-to-local = {
- from = ["sentinel"];
- to = ["local"];
- allowedTCPPorts = [3001];
- };
- };
+ networking.nftables.firewall.rules = lib.mkForce {
+ sentinel-to-local.allowedTCPPorts = [3001];
 };
 age.secrets.grafana-secret-key = {
@@ -40,7 +27,10 @@
 group = "grafana";
 };
- nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [config.age.secrets.grafana-loki-basic-auth-password];
+ nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
+ aaa not wokring
+ config.age.secrets.grafana-loki-basic-auth-password
+ ];
 services.grafana = {
 enable = true;
@@ -104,7 +94,7 @@
 orgId = 1;
 basicAuth = true;
 basicAuthUser = nodeName;
- secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
+ secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}";
 }
 ];
 };
diff --git a/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age b/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
new file mode 100644
index 0000000..83c4eaf
--- /dev/null
+++ b/hosts/ward/microvms/grafana/secrets/grafana-loki-basic-auth-password.age
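Review bot: The `lib.mkForce` kept on `networking.nftables.firewall.rules` in the new lines is now load-bearing in a non-obvious way: modules/proxy-via-sentinel.nix in this same commit also defines `rules` with `lib.mkForce`, so both definitions sit at the same override priority and are merged, `sentinel-to-local` taking `from`/`to` from the module and `allowedTCPPorts` from here (assuming the rules option is an attribute-set type that merges, which the previous inline version suggests). If either side later drops its `mkForce`, the lower-priority definition is discarded without any evaluation error and the port is simply never opened. A comment on this line would save the next maintainer that debugging: `# mkForce is required: it must match the priority used for rules in proxy-via-sentinel.nix so both definitions merge`. The same applies to the identical hunks in hosts/ward/microvms/kanidm/default.nix and hosts/ward/microvms/loki/default.nix.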
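Review bot: The added line `aaa not wokring` inside the `generator.dependencies` list is a bare note rather than a comment, so Nix parses it as the function application `aaa not wokring` and evaluation of the grafana node fails on the undefined variable `aaa`. Either delete it or turn it into a comment, e.g. `# TODO: this dependency is not honoured yet, see the note in modules/distributed-config.nix`. For the follow-up it is worth recording why it matters: this dependency is presumably what should regenerate the basic-auth hash file on sentinel whenever the grafana password secret is rotated, so while it is not honoured the hashes and the password can silently diverge after a rotation and Loki would keep validating against the stale hash.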
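Review bot: `$__file{${config.age.secrets.grafana-loki-basic-auth-password.path}}` is read by the grafana service itself when the datasource is provisioned, and the `age.secrets.grafana-loki-basic-auth-password` declaration that decides that file's owner and mode is outside this hunk; confirm it grants read access to the grafana user as the visible `grafana-secret-key` entry does (`group = "grafana";` in the context above), otherwise provisioning fails with a permission error at service start rather than at evaluation. The enclosing `datasources` list starts before this hunk.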
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 S8bAt5Bt8ci+w8+jC/II3dMSUUEneGKpJULB+FYN6ns +DpKs7bP2Ft4fgbntM6guSFlUuCHiysmALR6jAK6bR/A +-> piv-p256 xqSe8Q A7ZD865VJVg/Lx4d2Ly4dvaIzKmmA1X5f/EOdwdH3dfb +jEqpzb0kdVzYddrmVXIi8672/YLH5+luvUJeb4/ibzA +-> gu'-grease +uGbk/7/cRAmN2VWdXgKuVrvRAfnupb/WTK0r5ow5ud/sp2iEVAM8NZ9f +--- QtjcCefxUDq0yYOou3EbBBZbGu1FfzmXo3cXhiKe44E +0߾.D$ʼCGK BFmX],'0o!߸#]%=Ӟ ~Q߀̃GҜr \ No newline at end of file diff --git a/hosts/ward/microvms/kanidm/default.nix b/hosts/ward/microvms/kanidm/default.nix index 1340c88..46c3646 100644 --- a/hosts/ward/microvms/kanidm/default.nix +++ b/hosts/ward/microvms/kanidm/default.nix @@ -6,26 +6,12 @@ utils, ... }: { - extra.wireguard.proxy-sentinel.client.via = "sentinel"; + imports = [ + ../../../../modules/proxy-via-sentinel.nix + ]; - # TODO this as includable module? - networking.nftables.firewall = { - zones = lib.mkForce { - proxy-sentinel.interfaces = ["proxy-sentinel"]; - sentinel = { - parent = "proxy-sentinel"; - ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4]; - ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6]; - }; - }; - - rules = lib.mkForce { - sentinel-to-local = { - from = ["sentinel"]; - to = ["local"]; - allowedTCPPorts = [8300]; - }; - }; + networking.nftables.firewall.rules = lib.mkForce { + sentinel-to-local.allowedTCPPorts = [8300]; }; age.secrets."kanidm-self-signed.crt" = { diff --git a/hosts/ward/microvms/loki/default.nix b/hosts/ward/microvms/loki/default.nix index 1aeaa93..687683f 100644 --- a/hosts/ward/microvms/loki/default.nix +++ b/hosts/ward/microvms/loki/default.nix 
@@ -5,25 +5,12 @@ utils, ... }: { - extra.wireguard.proxy-sentinel.client.via = "sentinel"; + imports = [ + ../../../../modules/proxy-via-sentinel.nix + ]; - networking.nftables.firewall = { - zones = lib.mkForce { - proxy-sentinel.interfaces = ["proxy-sentinel"]; - sentinel = { - parent = "proxy-sentinel"; - ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4]; - ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6]; - }; - }; - - rules = lib.mkForce { - sentinel-to-local = { - from = ["sentinel"]; - to = ["local"]; - allowedTCPPorts = [3100]; - }; - }; + networking.nftables.firewall.rules = lib.mkForce { + sentinel-to-local.allowedTCPPorts = [3100]; }; services.loki = let diff --git a/hosts/ward/secrets/promtail-loki-basic-auth-password.age b/hosts/ward/secrets/promtail-loki-basic-auth-password.age new file mode 100644 index 0000000..30ce9bd --- /dev/null +++ b/hosts/ward/secrets/promtail-loki-basic-auth-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 WO6NVr8uGQ9GGngru17rGIcyZ7Jk0V47Me3ee4h0wTQ +2wi5L99XZMN4Aytb8aYH4H6iR9MeuXNXh6hOCap/75A +-> piv-p256 xqSe8Q Aoh7VxZSYtAdc4h0B9toepYGmB9Ad6lib7ovoK7P9jTp +21bQ859o1wlRZxyw84hCEZFWcCQ58uQ0sxzSMlVYvwE +-> DJt-grease ipE| /Qlv %,8pl +6Pg7ViLxJIt1CrQFYVZvTPGz +--- DNpm5163v+rHN5tTVzNbIt3mQRvkLs7Envc7HulIU0g +\[brW%Z:٦O_6YpԽp҃")Z G/BH&}3]u Ê \ No newline at end of file diff --git a/modules/distributed-config.nix b/modules/distributed-config.nix index 647173d..290be61 100644 --- a/modules/distributed-config.nix +++ b/modules/distributed-config.nix @@ -34,6 +34,7 @@ in { foreignConfigs = map (n: colmenaNodes.${n}.config.nodes.${nodeName} or {}) otherNodes; toplevelAttrs = ["age" "networking" "systemd" "services"]; in + todo wrong, currently extension FROM microvms is not possible { assertions = map (n: { diff --git a/modules/proxy-via-sentinel.nix b/modules/proxy-via-sentinel.nix new file mode 100644 index 0000000..a54712d --- /dev/null 
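Review bot: The added line `todo wrong, currently extension FROM microvms is not possible` sits between `in` and the `{` that opens the module body and is not a comment, so the file no longer parses (the comma alone is a syntax error in that position); since this module is what computes `foreignConfigs` and the cross-node `assertions`, every node evaluation breaks, not only the microvms. Prefix it: `# TODO: wrong, currently extension FROM microvms is not possible`. The `let … in` expression begins before the hunk and its body continues past it.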
+++ b/modules/proxy-via-sentinel.nix @@ -0,0 +1,25 @@ +{ + lib, + nodes, + ... +}: { + extra.wireguard.proxy-sentinel.client.via = "sentinel"; + + networking.nftables.firewall = { + zones = lib.mkForce { + proxy-sentinel.interfaces = ["proxy-sentinel"]; + sentinel = { + parent = "proxy-sentinel"; + ipv4Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv4]; + ipv6Addresses = [nodes.sentinel.config.extra.wireguard.proxy-sentinel.ipv6]; + }; + }; + + rules = lib.mkForce { + sentinel-to-local = { + from = ["sentinel"]; + to = ["local"]; + }; + }; + }; +} diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-grafana.age b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.age new file mode 100644 index 0000000..f0a4312 Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.age differ diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub new file mode 100644 index 0000000..8bcfb3e --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-grafana.pub @@ -0,0 +1 @@ +e01aX1saudxbQ2QNI171c3HQYopzr65dUSvy3nttv2I= diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age new file mode 100644 index 0000000..7b741de --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 iDP/l9JWpSbmurGwatXgJB7lpXbN91ni8Q2dJQcOuHI +0mZ+TZtBjLrxg+9S4wPNfmQMMF8Muoz80FljLGZeQls +-> piv-p256 xqSe8Q Any/1MXgHhAG2HbdPc6E9tm4S+LwrzYl0I4Ueqhu/paX +C95VJbBXVDaKe6yHLjZ3QHhh+X9gn8xZ7NdF/1egY/w +-> r1b-grease !c:IOcD~ +G3m3OhWWqAc+CuI +--- XmXpw9TwMOGptOoWlyvlwiuKIhqiBc0+hq2zJ+jZwuc +*oX>R=v b" vNŔY|$ :<鹊.Z/̪`P|[͐UjDhY \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub new file mode 100644 index 0000000..bc74869 --- /dev/null 
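Review bot: The new module has no header comment, and its contract is easy to get wrong: `zones` and `rules` are both set with `lib.mkForce`, so any zone or rule an importing host defines at normal priority is discarded, and the only way for a host to open ports is to define `networking.nftables.firewall.rules.sentinel-to-local.allowedTCPPorts` under `lib.mkForce` itself, as the grafana, kanidm and loki hosts in this commit do. A comment at the top of the file stating that `sentinel-to-local` intentionally carries no ports, that importers must add `allowedTCPPorts` with `lib.mkForce` to match the priority, and that the `sentinel` zone only admits the wireguard addresses read from `nodes.sentinel` would document that. It should also say why the forced override is needed at all (presumably to drop default rules contributed elsewhere), since nothing in the file explains it.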
+++ b/secrets/wireguard/proxy-sentinel/keys/ward-kanidm.pub @@ -0,0 +1 @@ +n+WfDPdO0Xz1j7pVdc/TgCxj+LQQSiAjs3isjPC2GUM= diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age new file mode 100644 index 0000000..312d44c --- /dev/null +++ b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-grafana.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> X25519 0yESayMtWrk28Z68kjxDmDD9JH68LZbhw0HsaSDXoVY +G7TX9cB4VAvnz5yPVxGM+7CNhhsYpc9z1AnmDX68fDE +-> piv-p256 xqSe8Q A4nALj+oE9+cPh20V0q7Q3FW+BUe6ss1YL28G7qgT3AP +eSUmv9rudIjfD9eqF+4C1PBsrH96YyQsalxA2SHnOuk +-> Og-_`qm-grease R.-KV +2vNoHmyK16/IIrS3NnRBc1TTkfnf8ZC55hgzxfHuB2dhuRH2MuNGS9nz5HHfZ9yi +iIw +--- CoRs6zw5vxbWfLmaO3aE7PrYJHcPWkJ16Dcb+9pecrw +: +<^7v uQueY" +#!!MG&{ެx.!|F >[īq6s \ No newline at end of file diff --git a/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-kanidm.age b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-kanidm.age new file mode 100644 index 0000000..83337df Binary files /dev/null and b/secrets/wireguard/proxy-sentinel/psks/sentinel+ward-kanidm.age differ diff --git a/secrets/wireguard/ward-local-vms/keys/ward-grafana.age b/secrets/wireguard/ward-local-vms/keys/ward-grafana.age new file mode 100644 index 0000000..cd5277f --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-grafana.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 1VMVSzcANsteZ4hAHqn/TJJcEU1jqj2m3fgY6SNe1Vc +w5a7A0Suk4RHNVUbqdLnodZf5qPmAd214QtOqHLMFU8 +-> piv-p256 xqSe8Q Ah1xDNBFPyADUPmDyZn1nrdd1etkCGCP9k1FVzO2ax05 +SLRXGnfmBI+MucpBj5IhdCLOSCE+VdEsVGJrV8Uno1c +-> Bk(9k-grease +X7PFQXIU0w0BA4i39o/DvXD7RvSI6a/19qbgDus8QspP2zizCYLRiir4GC/eEmbx +naZ8rbadAiqF33d9TJjt0GHLAKEO41LLag +--- S9BGD+Tn7zOwdYaOL6bxMJg+miYxMClrfVYF++N1bT8 +YʾS/O} `̒GStHg/cѻɼ+G`yO2-eS/.ij$ͳK \ No newline at end of file 
diff --git a/secrets/wireguard/ward-local-vms/keys/ward-grafana.pub b/secrets/wireguard/ward-local-vms/keys/ward-grafana.pub new file mode 100644 index 0000000..029880c --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-grafana.pub @@ -0,0 +1 @@ +JhRPg09Lsu7OJ2YpyZHD+/KaKYT9xHJ6D8Ljhwa7JXU= diff --git a/secrets/wireguard/ward-local-vms/keys/ward-kanidm.age b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.age new file mode 100644 index 0000000..f19c451 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 fh0OvxTr6Zttk6+VAI9c4Y9ann6FIkTmBvC7Y82SrxI +Y6k/ZKI7a1J0/hcPrPdl25l6takAd//omssdtLinYlo +-> piv-p256 xqSe8Q AjohzpU4WsG47TdoKLAUQ38ebUvlFSh6HK+tpFIa8XiD +OIBdk79gYZCYn6Cpb7g/wYMdiP2f244nGfkuhHvtIdM +-> PvW.-grease M`]UA5 5e} %97ce +IC2uBMgrkvgSG7PDF7sNIA +--- Ewa38w9RjdbGnOTGDW9Np0S5URA9FP1vLSm+5ewr0vk +mV.蘮iLA`fL1hO@V=.l` ;Ŵ=/YڹJß+Waz \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub new file mode 100644 index 0000000..8e72e4e --- /dev/null +++ b/secrets/wireguard/ward-local-vms/keys/ward-kanidm.pub @@ -0,0 +1 @@ +utKdEpCoObpQQBsgTdHo9ILebtAmky2ODzzvyxqCNGU= diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age new file mode 100644 index 0000000..b0e3939 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/psks/ward+ward-grafana.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 l+Kx2WdyZAcXw1khpjWLlp3i0ZGsL55c4uglYcjM8lg +X7K6tEd5ShwZTV77QJGOUze5xqC7h52p/sgxdYjd+Hw +-> piv-p256 xqSe8Q Almjk6hOZRvyUCMKI/zvfBxtiRHkeJ0osoqhgkNKJwWb +zICEosfjzSTe4KF29PpxpUiEb3+U7tSVgPd6DBGrTF8 +-> ZiQW'-grease f cV +hIn+gaL0Gga0VyVw9KFhgc/tIrleJnE +--- rtrMiXdLfW6uqYP8F8OUPGxJxiBV2L7x4/6zQk6MbVo ++f>>Ø1d"duNy=ѭtf+_m=)* \ No newline at end of file 
diff --git a/secrets/wireguard/ward-local-vms/psks/ward+ward-kanidm.age b/secrets/wireguard/ward-local-vms/psks/ward+ward-kanidm.age new file mode 100644 index 0000000..774b6dd Binary files /dev/null and b/secrets/wireguard/ward-local-vms/psks/ward+ward-kanidm.age differ diff --git a/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age new file mode 100644 index 0000000..9b09e50 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-kanidm.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 0rM+VxBb/RV2VTW5xCQEsiKcEavMhS84MczYVNu3M28 +JqY5QAqkTOe+DPTcQ+hE8VyydiuCTB/oMfybJy77nTw +-> piv-p256 xqSe8Q A7YPM7afy7jQlOjLSGnRZxM1Lpjq/MIrE/Re/eXvTWLG +DVs5SmBiriP1N5Ao/JZCW4kMMsM5Pn3GZq2wGEUIQ5Y +-> WkDB[!<@-grease NA %r x ?p8%w^w +KzfsXKRvSOnHZCqBCNA +--- 0nKf16DM2WX3m8hCsuXJhepeoqW4ijIFDvrS7j9RUuI +83x0"~<1+ٔzb՝=$-\ wu})tR5T78Ъ \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age new file mode 100644 index 0000000..14a8c04 --- /dev/null +++ b/secrets/wireguard/ward-local-vms/psks/ward-grafana+ward-loki.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 uqBWvpQ8DR8aQY2r3Vhw6axyVbKmgXvEXFLZuM7rA1o ++uCVaGfiloQOtRdJXkqi3DmyflJxCmnHBdTd8i+Pafc +-> piv-p256 xqSe8Q AoCH6+psiFFiq55UYRSO1xsTxDAbspFul9JLvoa15kwp +6jgEbmnQtGkajeVOOVcna+3lBwWn9ugUAOueJ3xHMpo +-> z-grease n3dm|_ '/E`@% H +85u5GUpIwcbSPBPN9Kulccacf9/mWWvIHfTb +--- feOoiwcKK14ARe6JX6Fgn8mql8i6pQ9D8RLo5VF13VI +&L)/ʇ^H,bNKE8 M߀Á1s%Bdgr \ No newline at end of file diff --git a/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age new file mode 100644 index 0000000..f47879f --- /dev/null +++ b/secrets/wireguard/ward-local-vms/psks/ward-kanidm+ward-loki.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 UnfKesPLrwZKz3l1tgw3u0eSpH/znFoeEtDJMkBzz3E +SdRp4/E0e54l1P9f7/qh6Y/FT3AItVnNyu+z+IRE91Q +-> piv-p256 xqSe8Q Ai0cV8qTPFWewQC9MDQUm5pnKUa2Vkq1CwbWcpTURxOj +56B02YgriclCJMU8qT8J9auzEAi2dQFrYZwCSIny7Lc +-> PS-rC-grease kf8 Ri>B +yrzDq1oL2vHsqwzYr5I8nV+oC7QWnGWDMLVe +--- L7Jd7UDHK8K1mjVqv25iOui+8jbVx+fcd3Bp0aqFstQ +{"qKsqˠ|?' 2 +S]jW2NM;h`񰕠ژ"*exy \ No newline at end of file