feat: prepare sentinel for webapp oauth2 authentication

2023-06-21 01:36:44 +02:00 · 2023-06-21 01:36:44 +02:00 · 6b81ecd961
commit 6b81ecd961
parent 19acca7cba
9 changed files with 145 additions and 68 deletions
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -26,27 +26,9 @@ in {

    age.secrets.loki-basic-auth-hashes = {
      rekeyFile = ./secrets/loki-basic-auth-hashes.age;
-      generator = {
-        # Dependencies are added by the nodes that define passwords (using distributed-config).
-        script = {
-          pkgs,
-          lib,
-          decrypt,
-          deps,
-          ...
-        }:
-          lib.flip lib.concatMapStrings deps ({
-            name,
-            host,
-            file,
-          }: ''
-            echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
-            echo -n ${lib.escapeShellArg host}"+"${lib.escapeShellArg name}" "
-            ${decrypt} ${lib.escapeShellArg file} \
-              | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
-              || die "Failure while aggregating caddy basic auth hashes"
-          '');
-      };
+      # Copy only the script so the dependencies can be added by the nodes
+      # that define passwords (using distributed-config).
+      generator.script = config.age.generators.basic-auth.script;
      mode = "440";
      group = "caddy";
    };
@ -55,6 +37,7 @@ in {
      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
      extraConfig = ''
        import common
+        skip_log
        basicauth {
          import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
        }
--- a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
+++ b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age