feat: generate caddy basic auth passwords using agenix-rekey

2023-06-10 00:52:17 +02:00 · 2023-06-10 00:52:17 +02:00 · e61c82ebfc
commit e61c82ebfc
parent cfb7c88862
4 changed files with 42 additions and 10 deletions
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@ -15,8 +15,33 @@ in {
  # TODO     message = "non-deterministic uid detected for: ${name}";
  # TODO   });

-  age.secrets.loki-basic-auth = {
-    rekeyFile = ./secrets/loki-basic-auth.age;
+  age.secrets.loki-basic-auth-hashes = {
+    rekeyFile = ./secrets/loki-basic-auth-hashes.age;
+    generator = {
+      dependencies = [
+        # TODO allow defining these from other nodes like nodes.sentinel.age.secrets....dependenices = [];
+        nodes.ward.config.age.secrets.loki-basic-auth-password
+        nodes.ward-test.config.age.secrets.loki-basic-auth-password
+      ];
+      script = {
+        pkgs,
+        lib,
+        decrypt,
+        deps,
+        ...
+      }:
+        lib.flip lib.concatMapStrings deps ({
+          name,
+          host,
+          file,
+        }: ''
+          echo " -> Aggregating [32m"${lib.escapeShellArg host}":[m[33m"${lib.escapeShellArg name}"[m" >&2
+          echo -n ${lib.escapeShellArg host}" "
+          ${decrypt} ${lib.escapeShellArg file} \
+            | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
+            || die "Failure while aggregating caddy basic auth hashes"
+        '');
+    };
    mode = "440";
    group = "caddy";
  };
@ -125,7 +150,7 @@ in {
        encode zstd gzip
        skip_log
        basicauth {
-          import ${config.age.secrets.loki-basic-auth.path}
+          import ${config.age.secrets.loki-basic-auth-hashes.path}
        }
        reverse_proxy {
          to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
--- a/hosts/sentinel/secrets/loki-basic-auth-hashes.age
+++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0
+zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU
+-> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm
+Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo
+-> ={9x3$iL-grease 7(o } u,|S!;51 "
+g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk
+--- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40
+UWh;oDñ�n&.¥Pš	žiˆ—³¶ÈÃíºBâÌ'ÊÉr¸nâØgŽúa@UOL_Æfã…¨ö)ñRhªvüžc2Ã[iêEÜJ$fZ¾LgÉÊÎU>\7Ú>NbÌßr{LW?ïÎ
’Ë4ëxð•ãÅÏÑ
‹Ý‹§7=ã�~qü•�ÖO6u£öõQÁøÍ�îÄJŒ	S¶šz	ÈÔMÀ0ï'`ì
--- a/hosts/ward/default.nix
+++ b/hosts/ward/default.nix
@ -2,6 +2,7 @@
  config,
  nodes,
  nixos-hardware,
+  nodeName,
  pkgs,
  ...
 }: let
@ -100,6 +101,7 @@ in {

    age.secrets.loki-basic-auth-password = {
      rekeyFile = ./secrets/loki-basic-auth-password.age;
+      generator = "alnum";
      mode = "440";
      group = "grafana";
    };
@ -165,7 +167,7 @@ in {
            url = "https://${lokiDomain}";
            orgId = 1;
            basicAuth = true;
-            basicAuthUser = "iB6UEjt4so4xWqei";
+            basicAuthUser = nodeName;
            secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}";
          }
        ];
--- a/hosts/ward/promtail.nix
+++ b/hosts/ward/promtail.nix
@ -11,9 +11,7 @@
 in {
  age.secrets.loki-basic-auth-password = {
    rekeyFile = ./secrets/loki-basic-auth-password.age;
-    file = ./aaa;
-    #file = ./aaa;
-    #generate = "alnum48";
+    generator = "alnum";
    mode = "440";
    group = "promtail";
  };
@ -35,9 +33,7 @@ in {

      clients = [
        {
-          #basic_auth.username = nodeName;
-          #basic_auth.password_file = config.age.random-secrets.loki-basic-auth-password.path;
-          basic_auth.username = "iB6UEjt4so4xWqei";
+          basicAuthUser = nodeName;
          basic_auth.password_file = config.age.secrets.loki-basic-auth-password.path;
          url = "https://${lokiDomain}/loki/api/v1/push";
        }