diff --git a/hosts/sentinel/caddy.nix b/hosts/sentinel/caddy.nix
index a3a3cb1..105a93e 100644
--- a/hosts/sentinel/caddy.nix
+++ b/hosts/sentinel/caddy.nix
@@ -15,8 +15,33 @@ in {
 # TODO
 message = "non-deterministic uid detected for: ${name}"; # TODO
 });
- age.secrets.loki-basic-auth = {
- rekeyFile = ./secrets/loki-basic-auth.age;
+ age.secrets.loki-basic-auth-hashes = {
+ rekeyFile = ./secrets/loki-basic-auth-hashes.age;
+ generator = {
+ dependencies = [
+ # TODO allow defining these from other nodes like nodes.sentinel.age.secrets....dependenices = [];
+ nodes.ward.config.age.secrets.loki-basic-auth-password
+ nodes.ward-test.config.age.secrets.loki-basic-auth-password
+ ];
+ script = {
+ pkgs,
+ lib,
+ decrypt,
+ deps,
+ ...
+ }:
+ lib.flip lib.concatMapStrings deps ({
+ name,
+ host,
+ file,
+ }: ''
+ echo " -> Aggregating "${lib.escapeShellArg host}":"${lib.escapeShellArg name}"" >&2
+ echo -n ${lib.escapeShellArg host}" "
+ ${decrypt} ${lib.escapeShellArg file} \
+ | ${pkgs.caddy}/bin/caddy hash-password --algorithm bcrypt \
+ || die "Failure while aggregating caddy basic auth hashes"
+ '');
+ };
 mode = "440";
 group = "caddy";
 };
@@ -125,7 +150,7 @@ in {
 encode zstd gzip
 skip_log
 basicauth {
- import ${config.age.secrets.loki-basic-auth.path}
+ import ${config.age.secrets.loki-basic-auth-hashes.path}
 }
 reverse_proxy {
 to http://${nodes.ward-loki.config.extra.wireguard.proxy-sentinel.ipv4}:${lokiPort}
diff --git a/hosts/sentinel/secrets/loki-basic-auth-hashes.age b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
new file mode 100644
index 0000000..1bd7187
--- /dev/null
+++ b/hosts/sentinel/secrets/loki-basic-auth-hashes.age
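Review bot: In the generator script the `|| die` only sees the exit status of `caddy hash-password`, so a failing `${decrypt}` (missing identity, corrupt `.age` file) does not abort the aggregation on its own unless the runner already enables pipefail; I would open the script body with `set -o pipefail` rather than rely on caddy rejecting empty stdin. The aggregated file keys each hash by the dependency's `host`, so a client only authenticates while it sends its own node name as username and while it is listed in `dependencies`; a comment above that list, `# one "<host> <bcrypt>" line per node; clients must authenticate with their nodeName`, would make the contract explicit, and removing a node from this list is the only revocation path, which is worth stating too. It is also worth confirming with one real login that the hash matches what the clients send: `caddy hash-password` reads a single line from stdin and strips the trailing newline, and whether the alnum-generated secret ends in a newline or carries other whitespace is not visible in this diff.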
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 POUeKoNotGuIHX9N955m56eWzou850H02OG3O+ygIy0 +zR6pq7sHR/Vo32YS6wITRuKRgHWjIqdcsILvR4yL6NU +-> piv-p256 xqSe8Q AoHB1E3JcMAeRCjGPj/Fnd7eeVbi1X/qXV62/04DabNm +Uqx5OonPfDJ++9gWVfD2RztyaRVEC+ZI0eSa7h9MVgo +-> ={9x3$iL-grease 7(o } u,|S!;51 " +g2+PG1QoDXzzkGnd3ZLsfltd0neKRWt3NwJeTDhPACFBL7yooXk +--- 5mTTZWqCisymYqhefWaZ67X1UWkrSyIMKCMvS4d6I40 +UWh;oDn&.P iB'rnga@UOL_fㅨ)Rhvc2[iEJ$fZLgU>\7>Nbr{LW? 4x ݋7=~qO6uQ́J Sz M0'` \ No newline at end of file diff --git a/hosts/ward/default.nix b/hosts/ward/default.nix index a68f676..ae6bd19 100644 --- a/hosts/ward/default.nix +++ b/hosts/ward/default.nix @@ -2,6 +2,7 @@ config, nodes, nixos-hardware, + nodeName, pkgs, ... }: let @@ -100,6 +101,7 @@ in { age.secrets.loki-basic-auth-password = { rekeyFile = ./secrets/loki-basic-auth-password.age; + generator = "alnum"; mode = "440"; group = "grafana"; }; @@ -165,7 +167,7 @@ in { url = "https://${lokiDomain}"; orgId = 1; basicAuth = true; - basicAuthUser = "iB6UEjt4so4xWqei"; + basicAuthUser = nodeName; secureJsonData.basicAuthPassword = "$__file{${config.age.secrets.loki-basic-auth-password.path}}"; } ]; diff --git a/hosts/ward/promtail.nix b/hosts/ward/promtail.nix index 819657f..57996a0 100644 --- a/hosts/ward/promtail.nix +++ b/hosts/ward/promtail.nix @@ -11,9 +11,7 @@ in { age.secrets.loki-basic-auth-password = { rekeyFile = ./secrets/loki-basic-auth-password.age; - file = ./aaa; - #file = ./aaa; - #generate = "alnum48"; + generator = "alnum"; mode = "440"; group = "promtail"; }; @@ -35,9 +33,7 @@ in { clients = [ { - #basic_auth.username = nodeName; - #basic_auth.password_file = config.age.random-secrets.loki-basic-auth-password.path; - basic_auth.username = "iB6UEjt4so4xWqei"; + basicAuthUser = nodeName; basic_auth.password_file = config.age.secrets.loki-basic-auth-password.path; url = "https://${lokiDomain}/loki/api/v1/push"; }
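Review bot: `basicAuthUser = nodeName` makes the Grafana datasource log in with the node's name, which is the `host` key that sentinel's `loki-basic-auth-hashes` generator emits, so it only works while this node stays in that generator's dependency list; a comment here, `# must match the host key emitted by sentinel's loki-basic-auth-hashes generator`, would save the next person a 401 hunt. The same secret `age.secrets.loki-basic-auth-password` is also declared in hosts/ward/promtail.nix with `group = "promtail"` while this file sets `group = "grafana"`; if both modules are evaluated for this host those are conflicting definitions of one option (pre-existing, but the two declarations are now otherwise identical), and from a least-privilege view two separate secrets would keep Grafana's read credential distinct from promtail's push credential. Note also that the promtail hunk later in this diff copies this Grafana-only option name into a promtail `clients` entry, where the key is `basic_auth.username = nodeName;`; with the Grafana-style key the username is either rejected as an unknown field or silently absent, so pushes would fail authentication at Caddy.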