refactor: move all proxy related configuration to the nodes that define them

2023-06-13 02:58:14 +02:00 · 2023-06-13 02:58:14 +02:00 · 998d6d5348
commit 998d6d5348
parent ead3c1696f
12 changed files with 122 additions and 176 deletions
--- a/hosts/ward/microvms/grafana/default.nix
+++ b/hosts/ward/microvms/grafana/default.nix
@ -5,7 +5,10 @@
  nodes,
  utils,
  ...
-}: {
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
  imports = [
    ../../../../modules/proxy-via-sentinel.nix
  ];
@ -27,9 +30,23 @@
    group = "grafana";
  };

-  nodes.sentinel.age.secrets.loki-basic-auth-hashes.generator.dependencies = [
-    config.age.secrets.grafana-loki-basic-auth-password
-  ];
+  nodes.sentinel = {
+    age.secrets.loki-basic-auth-hashes.generator.dependencies = [
+      config.age.secrets.grafana-loki-basic-auth-password
+    ];
+
+    proxiedDomains.grafana = grafanaDomain;
+
+    services.caddy.virtualHosts.${grafanaDomain} = {
+      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert grafanaDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy {
+          to http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}
+        }
+      '';
+    };
+  };

  services.grafana = {
    enable = true;
@ -38,8 +55,8 @@
      users.allow_sign_up = false;

      server = {
-        domain = nodes.sentinel.config.proxiedDomains.grafana;
-        root_url = "https://${nodes.sentinel.config.proxiedDomains.grafana}";
+        domain = grafanaDomain;
+        root_url = "https://${grafanaDomain}";
        enforce_domain = true;
        enable_gzip = true;
        http_addr = config.extra.wireguard.proxy-sentinel.ipv4;
@ -66,9 +83,9 @@
        client_secret = "r6Yk5PPSXFfYDPpK6TRCzXK8y1rTrfcb8F7wvNC5rZpyHTMF"; # TODO temporary test not a real secret
        scopes = "openid email profile";
        login_attribute_path = "prefered_username";
-        auth_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/ui/oauth2";
-        token_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/token";
-        api_url = "https://${nodes.sentinel.config.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
+        auth_url = "https://${sentinelCfg.proxiedDomains.kanidm}/ui/oauth2";
+        token_url = "https://${sentinelCfg.proxiedDomains.kanidm}/oauth2/token";
+        api_url = "https://${sentinelCfg.proxiedDomains.kanidm}/oauth2/openid/grafana/userinfo";
        use_pkce = true;
        # Allow mapping oauth2 roles to server admin
        allow_assign_grafana_admin = true;
@ -89,7 +106,7 @@
          name = "Loki";
          type = "loki";
          access = "proxy";
-          url = "https://${nodes.sentinel.config.proxiedDomains.loki}";
+          url = "https://${sentinelCfg.proxiedDomains.loki}";
          orgId = 1;
          basicAuth = true;
          basicAuthUser = nodeName;
--- a/hosts/ward/microvms/kanidm/default.nix
+++ b/hosts/ward/microvms/kanidm/default.nix
@ -5,7 +5,10 @@
  pkgs,
  utils,
  ...
-}: {
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  kanidmDomain = "auth.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
  imports = [
    ../../../../modules/proxy-via-sentinel.nix
  ];
@ -26,12 +29,29 @@
    group = "kanidm";
  };

+  nodes.sentinel = {
+    proxiedDomains.kanidm = kanidmDomain;
+
+    services.caddy.virtualHosts.${kanidmDomain} = {
+      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert kanidmDomain;
+      extraConfig = ''
+        encode zstd gzip
+        reverse_proxy {
+          to https://${config.services.kanidm.serverSettings.bindaddress}
+          transport http {
+            tls_insecure_skip_verify
+          }
+        }
+      '';
+    };
+  };
+
  services.kanidm = {
    enableServer = true;
    # enablePAM = true;
    serverSettings = {
-      domain = nodes.sentinel.config.proxiedDomains.kanidm;
-      origin = "https://${nodes.sentinel.config.proxiedDomains.kanidm}";
+      domain = kanidmDomain;
+      origin = "https://${kanidmDomain}";
      tls_chain = config.age.secrets."kanidm-self-signed.crt".path;
      tls_key = config.age.secrets."kanidm-self-signed.key".path;
      bindaddress = "${config.extra.wireguard.proxy-sentinel.ipv4}:8300";
--- a/hosts/ward/microvms/loki/default.nix
+++ b/hosts/ward/microvms/loki/default.nix
@ -4,7 +4,10 @@
  nodes,
  utils,
  ...
-}: {
+}: let
+  sentinelCfg = nodes.sentinel.config;
+  lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}";
+in {
  imports = [
    ../../../../modules/proxy-via-sentinel.nix
  ];
@ -13,6 +16,52 @@
    sentinel-to-local.allowedTCPPorts = [3100];
  };

+  nodes.sentinel = {
+    proxiedDomains.loki = lokiDomain;
+
+    age.secrets.loki-basic-auth-hashes = {
+      rekeyFile = ./secrets/loki-basic-auth-hashes.age;
+      generator = {
+        # Dependencies are added by the nodes that define passwords using
+        # distributed-config.
+        script = {
+          pkgs,
+          lib,
+          decrypt,
+          deps,
+          ...
+        }:
+          lib.flip lib.concatMapStrings deps ({
+            name,
+            host,
+            file,
+          }: ''
+            echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
+            echo -n ${lib.escapeShellArg host}" "
+            ${decrypt} ${lib.escapeShellArg file} \
+              | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
+              || die "Failure while aggregating caddy basic auth hashes"
+          '');
+      };
+      mode = "440";
+      group = "caddy";
+    };
+
+    services.caddy.virtualHosts.${lokiDomain} = {
+      useACMEHost = sentinelCfg.lib.extra.matchingWildcardCert lokiDomain;
+      extraConfig = ''
+        encode zstd gzip
+        skip_log
+        basicauth {
+          import ${sentinelCfg.age.secrets.loki-basic-auth-hashes.path}
+        }
+        reverse_proxy {
+          to http://${config.services.loki.configuration.server.http_listen_address}:${toString config.services.loki.configuration.server.http_listen_port}
+        }
+      '';
+    };
+  };
+
  services.loki = let
    lokiDir = "/var/lib/loki";
  in {
--- a/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
+++ b/hosts/ward/microvms/loki/secrets/loki-basic-auth-hashes.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 oTqcGYrzcjVyYkWQndidK7lfyMfQUFaLukLu9ru7ygc
+0viOW4o/PQEhZfZFOx4UxbRBCGUXCYcvDv6r8hi6aiQ
+-> piv-p256 xqSe8Q Akl/Ab1PwdLsyhJv3KzPxdALttqJdNk1wNj+pNnrFs9v
+FbVps0hL4XpaPxrIBFmBi+a4YKIjTYsqBjN9JwzpkP8
+-> ^/?z7Md-grease QDfMgTO
+b+w4gj1Yxs6ocBCJN6AgLDad1/+EZ+HZ0zvMvGJaztxeIhNLSsiqoBn2GpwX6IcY
+YWpLnO3Fw1xaU9Jqn9HJIqyYGFX1O5dBlvgu1rqgxytwiEEcDZaXOA1ZIupE
+--- 0jXcY3KP8+JMsQ6+uhLE2bS1vGau/hr2b5ZD2SIUkbE
+ąŠô>@2([žsÎ&ź†´d»KŽş’<w‰kÖqŕ¬ŞZ$VĘ[Äf_Ć‘d-u´š‰ëß˝ź|^ß×ĆÂ¶–Q7�cIÇl*ćŕÚŮłźĽ€łś”ź•�™´2úńzgcUâza5>1}ĂiĆ_	~�ÎÍžÁ™ü�«˛ŮQây�ĐÜW°P:qQ}"Óôň]+Pŕ:´Ŕqg|3köŃ&6˙őÉŘ`hG