diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
index ad17ddc..1098d7d 100644
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@@ -9,19 +9,13 @@ in {
 users.groups.acme.members = ["caddy"];
- rekey.secrets."dhparams.pem" = {
- file = ./secrets/dhparams.pem.age;
- mode = "440";
- group = "nginx";
- };
-
 services.caddy = let
 authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
 authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
 grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
 grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
 lokiDomain = "loki.${personalDomain}";
- lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
+ lokiPort = toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port;
 in {
 enable = true;
 package = pkgs.caddy.withPackages {
@@ -33,5 +27,48 @@ in {
 ];
 vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
 };
+
+ globalConfig = ''
+ servers {
+ metrics
+ }
+ '';
+
+ virtualHosts.${authDomain} = {
+ useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy * {
+ to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ '';
+ };
+
+ virtualHosts.${grafanaDomain} = {
+ useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy * {
+ to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}
+ }
+ '';
+ };
+
+ virtualHosts.${lokiDomain} = {
+ useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
+ # TODO disable access log
+ # TODO auth
+ # TODO no auth for /ready
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy * {
+ to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
+ websocket
+ }
+ '';
+ };
 };
 }
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
index c9ea59d..a16edbc 100644
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@@ -6,23 +6,6 @@
 }: let
 inherit (config.repo.secrets.local) acme personalDomain;
 in {
- rekey.secrets.acme-credentials = {
- file = ./secrets/acme-credentials.age;
- mode = "440";
- group = "acme";
- };
-
- security.acme = {
- acceptTerms = true;
- defaults = {
- inherit (acme) email;
- credentialsFile = config.rekey.secrets.acme-credentials.path;
- dnsProvider = "cloudflare";
- dnsPropagationCheck = true;
- reloadServices = ["nginx"];
- };
- };
-
 extra.acme.wildcardDomains = acme.domains;
 users.groups.acme.members = ["nginx"];
 rekey.secrets."dhparams.pem" = {
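Review bot: The `virtualHosts.${lokiDomain}` block proxies Loki's whole HTTP API (push, query and the websocket tail endpoint) to the internet with nothing authenticating the request, and Loki does no authentication of its own; the three `# TODO` lines acknowledge this, but the host is live the moment it is deployed, because modules/extra.nix in this same commit opens 80/443 whenever caddy is enabled. Until the auth is in place I would ship the vhost with only the health probe reachable, e.g. `@notready not path /ready` followed by `respond @notready 403` ahead of the `reverse_proxy`, or leave the vhost out of the build. The `tls_insecure_skip_verify` on the kanidm upstream also needs a comment stating why it is acceptable (the hop is wireguard-only and the upstream cert is presumably self-signed — confirm), or better `tls_server_name ${authDomain}` plus the upstream's CA via `tls_trusted_ca_cert` so the certificate is still verified.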
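Review bot: The last context line still declares `rekey.secrets."dhparams.pem"` in nginx.nix, while this commit deletes `hosts/sentinel/secrets/dhparams.pem.age`, so if nginx.nix is still imported on sentinel the secret's `file` attribute, which continues outside the hunk, points at a path that no longer exists. Either drop that block from nginx.nix in the same commit or keep the `.age` file until nginx is retired. The removed `security.acme` block (with `acceptTerms`, the cloudflare `credentialsFile` and `reloadServices = ["nginx"]`) is not re-added anywhere in this diff; if it moved to a shared module, that module's `reloadServices` should now list `caddy` as well, since the new caddy vhosts consume these wildcard certs through `useACMEHost` and would otherwise keep serving the stale certificate after renewal.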
diff --git a/hosts/sentinel/secrets/dhparams.pem.age b/hosts/sentinel/secrets/dhparams.pem.age
deleted file mode 100644
index abadc29..0000000
Binary files a/hosts/sentinel/secrets/dhparams.pem.age and /dev/null differ
diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix
index 4f3e0c9..2117ca6 100644
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@@ -157,6 +157,7 @@ in {
 name = "Loki";
 type = "loki";
 access = "proxy";
+ # TODO use public endpoint, and enable oauth token passing
 url = "http://${nodes."${parentNodeName}-loki".config.extra.wireguard."${parentNodeName}-local-vms".ipv4}:3100";
 orgId = 1;
 }
@@ -239,6 +240,8 @@ in {
 }: {
 rekey.hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICDDvvF3+KwfoZrPAUAt2HS7y5FM9S5Mr1iRkBUqoXno";
+ extra.wireguard.proxy-sentinel.client.via = "sentinel";
+
 networking.nftables.firewall = {
 zones = lib.mkForce {
 #local-vms.interfaces = ["local-vms"];
diff --git a/modules/extra.nix b/modules/extra.nix
index b777871..d3015ca 100644
--- a/modules/extra.nix
+++ b/modules/extra.nix
@@ -66,6 +66,9 @@ in {
 '';
 };
- networking.firewall.allowedTCPPorts = optionals config.services.nginx.enable [80 443];
+ networking.firewall.allowedTCPPorts =
+ optionals
+ (config.services.caddy.enable || config.services.nginx.enable)
+ [80 443];
 };
 }
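Review bot: The widened condition in modules/extra.nix opens 80/443 in the default firewall on every host that enables caddy or nginx, on all interfaces, with no way for a host to opt out; that is what sentinel wants, but the ward VMs in the hunk above manage their exposure with `networking.nftables.firewall` zones, and a reverse proxy enabled on one of them would now also be reachable on every interface. If keying on `services.*.enable` is intentional, a comment such as `# public HTTP(S) ingress for any host that runs a reverse proxy` would make that explicit; otherwise an option the proxy hosts set deliberately is safer than inferring public exposure from a service being on. Since ACME here is DNS-based (`dnsProvider = "cloudflare"` in the removed nginx block), note in the same comment that port 80 is only needed for the HTTP-to-HTTPS redirect, so it can be dropped on hosts that do not want it.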