feat: add basic auth for loki

hosts/sentinel/caddy.nix

@@ -9,6 +9,18 @@
 in {
   users.groups.acme.members = ["caddy"];
 
+  # TODO assertions = lib.flip lib.mapAttrsToList config.users.users
+  # TODO   (name: user: {
+  # TODO     assertion = user.uid != null;
+  # TODO     message = "non-deterministic uid detected for: ${name}";
+  # TODO   });
+
+  rekey.secrets.loki-basic-auth = {
+    file = ./secrets/loki-basic-auth.age;
+    mode = "440";
+    group = "caddy";
+  };
+
   services.caddy = let
     authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
     authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
@@ -28,11 +40,58 @@ in {
       vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
     };
 
-    globalConfig = ''
-      servers {
-        metrics
-      }
-    '';
+    # globalConfig = ''
+    #   # servers {
+    #   #   metrics
+    #   # }
+
+    #   order authenticate before respond
+    #   order authorize before basicauth
+
+    #   security {
+    #     oauth identity provider generic {
+    #       realm generic
+    #       driver generic
+    #       client_id {env.GENERIC_CLIENT_ID}
+    #       client_secret {env.GENERIC_CLIENT_SECRET}
+    #       scopes openid email profile
+    #       base_auth_url https://${authDomain}/ui/oauth2
+    #       metadata_url https://${authDomain}/oauth2/openid/{env.GENERIC_CLIENT_ID}/.well-known/openid-configuration
+    #     }
+
+    #     authentication portal myportal {
+    #       crypto default token lifetime 3600
+    #       crypto key sign-verify {env.JWT_SHARED_KEY}
+    #       enable identity provider generic
+    #       cookie domain myfiosgateway.com
+    #       ui {
+    #         links {
+    #           "My Identity" "/whoami" icon "las la-user"
+    #         }
+    #       }
+
+    #       transform user {
+    #         match realm generic
+    #         action add role authp/user
+    #         ui link "File Server" https://assetq.myfiosgateway.com:8443/ icon "las la-star"
+    #       }
+
+    #       transform user {
+    #         match realm generic
+    #         match email greenpau@contoso.com
+    #         action add role authp/admin
+    #       }
+    #     }
+
+    #     authorization policy mypolicy {
+    #       set auth url https://auth.myfiosgateway.com:8443/oauth2/generic
+    #       crypto key verify {env.JWT_SHARED_KEY}
+    #       allow roles authp/admin authp/user
+    #       validate bearer header
+    #       inject headers with claims
+    #     }
+    #   }
+    # '';
 
     # TODO move subconfigs to the relevant hosts instead.
     # -> have something like merged config nodes.<name>....
@@ -41,7 +100,7 @@ in {
       useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
       extraConfig = ''
         encode zstd gzip
-        reverse_proxy * {
+        reverse_proxy {
           to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}
           transport http {
             tls_insecure_skip_verify
@@ -54,7 +113,7 @@ in {
       useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
       extraConfig = ''
         encode zstd gzip
-        reverse_proxy * {
+        reverse_proxy {
           to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}
         }
       '';
@@ -62,14 +121,14 @@ in {
 
     virtualHosts.${lokiDomain} = {
       useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
-      # TODO disable access log
-      # TODO auth
-      # TODO no auth for /ready
       extraConfig = ''
         encode zstd gzip
-        reverse_proxy * {
+        skip_log
+        basicauth {
+          import ${config.rekey.secrets.loki-basic-auth.path}
+        }
+        reverse_proxy {
           to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
-          websocket
         }
       '';
     };

hosts/sentinel/secrets/loki-basic-auth.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 xm5cDvIASu2sheBB0ZSLDRRTjxKOQFFOuPAl0pvhrUA
+7HQHJLJX/8+BCWkmFbxU68xvD6ZnXICcWm+689E4VlU
+-> piv-p256 xqSe8Q AsK1jgDlC3PHkA2jXuf1zrFF+LV49f/XOA3aS/IgWbpv
+iJJlFFNZ3CZ78BiO93EfraQggVRRM338wuaN0g776IA
+-> =iE-grease
+vUaawORH9nI/5ixF7WN5U3c
+--- sM7mi2FbffVC2G3ClnFzHbMnCBfROVM+/PHNeD4qebI
+€Ö3)/õ.Dß²…f(|®/ÓÏÀ%S¤˜£kµõ«ÝvÎC•º5¹~C\h§)§M¬iD€ž‰êÔÓ3/mOZqãKj
iŠÍæÌôÅY ‘_ƒ¼?à3‚5I÷ßþ>‰|d˜—É

hosts/ward/default.nix

@@ -8,6 +8,7 @@
   inherit (nodes.sentinel.config.repo.secrets.local) personalDomain;
   authDomain = "auth.${personalDomain}";
   grafanaDomain = "grafana.${personalDomain}";
+  lokiDomain = "loki.${personalDomain}";
   lokiDir = "/var/lib/loki";
 in {
   imports = [
@@ -96,6 +97,12 @@ in {
       group = "grafana";
     };
 
+    rekey.secrets.loki-basic-auth-password-grafana = {
+      file = ./secrets/loki-basic-auth-password-grafana.age;
+      mode = "440";
+      group = "grafana";
+    };
+
     services.grafana = {
       enable = true;
       settings = {
@@ -132,7 +139,7 @@ in {
           client_id = "grafana";
           #client_secret = "$__file{${config.rekey.secrets.grafana-oauth-client-secret.path}}";
           client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
-          scopes = "openid profile email";
+          scopes = "openid email profile";
           login_attribute_path = "prefered_username";
           auth_url = "https://${authDomain}/ui/oauth2";
           token_url = "https://${authDomain}/oauth2/token";
@@ -157,9 +164,11 @@ in {
             name = "Loki";
             type = "loki";
             access = "proxy";
-            # TODO use public endpoint, and enable oauth token passing
-            url = "http://${nodes."${parentNodeName}-loki".config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:3100";
+            url = "https://${lokiDomain}";
             orgId = 1;
+            basicAuth = true;
+            basicAuthUser = "grafana";
+            secureJsonData.basicAuthPassword = "$__file{${config.rekey.secrets.loki-basic-auth-password-grafana.path}}";
           }
         ];
       };

hosts/ward/secrets/loki-basic-auth-password-grafana.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 WrGssql6ABmtiNPFxIuKmjEjNWp8yQ9CbIdaPkE1BmU
+lX/mIQPjjBp62RZyZV3WZrzzM/RAVEVMslOvQiO3ztw
+-> piv-p256 xqSe8Q A+/jWovwGhsvkNHNvfnhEOSKu6qkfQGCKnVYRJo1IWFM
+oWybJl7iZ6pkBAGmv3SmE9q1eEpkDtnIxR+3MCKi6bo
+-> a6-grease O~| \B n <1fV!LUr
+y0AAIziu
+--- 0K+cIttoHGYTWwzdoYJn1rIdtDqiBGz/jLOvPnns2CM
+Bu ¶;{þº:qJ�6„¼’]rL(@Û�¨×£C8Áñ¸ì*ü¾–]ªù¡¾£=j1îãØ€kk¯â<4"[�Üj©bLÅ;U�2wc-4