From 9e4f8dcf0d59bc8e01db52fe7877e40e76e46d87 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Mon, 5 Jun 2023 01:53:38 +0200
Subject: [PATCH] feat: convert sentinel to caddy
---
 hosts/sentinel/caddy.nix | 51 ++++++++++++++++++++----
 hosts/sentinel/nginx.nix | 17 --------
 hosts/sentinel/secrets/dhparams.pem.age | Bin 1181 -> 0 bytes
 hosts/ward/default.nix | 3 ++
 modules/extra.nix | 5 ++-
 5 files changed, 51 insertions(+), 25 deletions(-)
 delete mode 100644 hosts/sentinel/secrets/dhparams.pem.age
diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
index ad17ddc..1098d7d 100644
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@@ -9,19 +9,13 @@ in {
 users.groups.acme.members = ["caddy"];
- rekey.secrets."dhparams.pem" = {
- file = ./secrets/dhparams.pem.age;
- mode = "440";
- group = "nginx";
- };
- services.caddy = let
 authDomain = nodes.ward-nginx.config.services.kanidm.serverSettings.domain;
 authPort = lib.last (lib.splitString ":" nodes.ward-nginx.config.services.kanidm.serverSettings.bindaddress);
 grafanaDomain = nodes.ward-test.config.services.grafana.settings.server.domain;
 grafanaPort = toString nodes.ward-test.config.services.grafana.settings.server.http_port;
 lokiDomain = "loki.${personalDomain}";
- lokiPort = toString nodes.ward-loki.config.services.loki.settings.server.http_port;
+ lokiPort = toString nodes.ward-loki.config.services.loki.configuration.server.http_listen_port;
 in {
 enable = true;
 package = pkgs.caddy.withPackages {
@@ -33,5 +27,48 @@ in {
 ];
 vendorHash = "sha256-RqSXQihtY5+ACaMo7bLdhu1A+qcraexb1W/Ia+aUF1k";
 };
+
+ globalConfig = ''
+ servers {
+ metrics
+ }
+ '';
+
+ virtualHosts.${authDomain} = {
+ useACMEHost = config.lib.extra.matchingWildcardCert authDomain;
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy * {
+ to https://${nodes.ward-nginx.config.extra.wireguard.proxy-sentinel.ipv4}:${authPort}
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ '';
+ };
+
+ virtualHosts.${grafanaDomain} = {
+ useACMEHost = config.lib.extra.matchingWildcardCert grafanaDomain;
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy * {
+ to http://${nodes.ward-test.config.extra.wireguard.proxy-sentinel.ipv4}:${grafanaPort}
+ }
+ '';
+ };
+
+ virtualHosts.${lokiDomain} = {
+ useACMEHost = config.lib.extra.matchingWildcardCert lokiDomain;
+ # TODO disable access log
+ # TODO auth
+ # TODO no auth for /ready
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy * {
+ to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
+ websocket
+ }
+ '';
+ };
 };
 }
diff --git a/hosts/sentinel/nginx.nix b/hosts/sentinel/nginx.nix
index c9ea59d..a16edbc 100644
--- a/hosts/sentinel/nginx.nix
+++ b/hosts/sentinel/nginx.nix
@@ -6,23 +6,6 @@
 }: let
 inherit (config.repo.secrets.local) acme personalDomain;
 in {
- rekey.secrets.acme-credentials = {
- file = ./secrets/acme-credentials.age;
- mode = "440";
- group = "acme";
- };
- security.acme = {
- acceptTerms = true;
- defaults = {
- inherit (acme) email;
- credentialsFile = config.rekey.secrets.acme-credentials.path;
- dnsProvider = "cloudflare";
- dnsPropagationCheck = true;
- reloadServices = ["nginx"];
- };
- };
- extra.acme.wildcardDomains = acme.domains;
 users.groups.acme.members = ["nginx"];
 rekey.secrets."dhparams.pem" = {
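Review bot: The kanidm upstream in `virtualHosts.${authDomain}` is reached over HTTPS with `tls_insecure_skip_verify`, so Caddy accepts whatever certificate the host at the proxy-sentinel wireguard address presents and the TLS hop adds no authentication of the backend. If the ward-nginx certificate is self-signed, pin it instead of skipping verification, e.g. `tls_server_name ${authDomain}` together with `tls_trusted_ca_certs <path-to-kanidm-ca.pem>` inside the `transport http` block, or at least add a comment stating that the hop is trusted only because it is confined to the wireguard tunnel. The `virtualHosts.${lokiDomain}` block's three TODOs also leave Loki's push and query API reachable on a public hostname with no authentication; a `basicauth` or `forward_auth` stanza (with the `/ready` exception the TODO mentions) belongs in this commit, or the host should stay unpublished until it lands.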
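Review bot: The retained context line `rekey.secrets."dhparams.pem" = {` still points at `./secrets/dhparams.pem.age`, which this same patch deletes (`delete mode 100644 hosts/sentinel/secrets/dhparams.pem.age`), so if hosts/sentinel/nginx.nix is still imported the evaluation fails on the missing file. Either drop the `rekey.secrets."dhparams.pem"` block here as hosts/sentinel/caddy.nix does in this patch, or remove nginx.nix from the host's imports; the rekey block and the rest of the module continue past the end of the hunk. The removed `security.acme` defaults (`acceptTerms`, `credentialsFile`, `dnsProvider`) do not reappear in the visible hunks — presumably they moved to modules/extra.nix from the diffstat, which is worth confirming so the wildcard certificates consumed by `useACMEHost` are still issued.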
diff --git a/hosts/sentinel/secrets/dhparams.pem.age b/hosts/sentinel/secrets/dhparams.pem.age deleted file mode 100644 index abadc29950e300772b3918a5467024b015285572..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1181 zcmV;O1Y-MPXJsvAZewzJaCB*JZZ2jQK{yI#Q)X#eayDXkWH57KL~TK8GD%}? zM>bS-X+e5;cur_gdU7i@FEL7MR!s^mJ|J*ub}eu+H8vo4aZ_bDQ6NDxV>o1RdRR_& zVoODMaz}JecVR?1GI4NfH9>M>L1;K>HhD5JK~XDnNNoyrbxvVRNknc=XKH6OcyCx@ zLvS@XVrnpCNiR-UT0(DQVoFg~PDoi#NiYg6J|H}DR76-OM`SH$a%Ew2Wgt{vbVML& zDL7DDQ(|=>c{B=6Zbm^ySz|>{V|8O|NKiw1WkgvsGDTKZV{>g)VqsY_D?wr~Fe`d+ zH)b|uWm#5AY*lDtNl}s={EeMl33-dBiH!HXPCg#E-L|zvwNaFVT5tD5TvME#@JnMdKCW z`*kKFGYUiEI>SjqHS=Q6Kv1!xTq%!4xG8}slCTGd-}(p?F4y^o-imm!OdIpAWpU8n zp559t!b77K(|EY&{h6qV&$VX3zzdnY!m0^D_#ZJSAbRzAC^3%J*W6zbh?vqDIFj<3 z+mC^AoqW#!REx*Y`FUOlV+*#=ueZN|u!XQGVnU7#b9sMVbUd|jLGTTHJDtvr-+!7| zEBuVq03A2iIg#|qDl*<_lhR^4sB%b z@$)eyK0)wyD~7Gyq7~Pt=pHp_1dD?M*@#_aQ8;r-=Wo|p{G6ncE zZzH^lvyW;<^3Yfr@*%*rN`LsyO#fQb^nsyw7QY#eGhF&cMx`Z#-2^`wyIAjWsPNUq zow@GL2Y*>@j~YN^DWG>eMnj9yOjWK7H0$MX-7KlHd2m0f1+PLq`;2or=t?2*_LmQ= zh`jj?P7hbEch*tHDGeLjM6+=}v<&d}jhouSOp`(2)(ot$8Vvsiz>=0zJ88W^B;4{p z&tR2!3|Iq}H9pmN@DU}lYe+0LMFH_#gAaBp)Z5o?F4aHXT7v5L~k9yT$s50oP_&n_YdK`&ftEWz^*k$3&qb zO#ETvn