vidhar: selfsigned tls cert

author: Gregor Kleen <gkleen@yggdrasil.li> 2022-01-23 16:43:34 +0100
committer: Gregor Kleen <gkleen@yggdrasil.li> 2022-01-23 16:43:34 +0100
commit: c1c8242845b1006f0cccef7211deef8195cbd1b0 (patch)
tree: 5ef65c7422a2d7075bee2f907f3ce199a8b04de4
parent: 99f7fa13ee3967370c2dbce49c54e834ef9a0565 (diff)
download: nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar
nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar.gz
nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar.bz2
nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar.xz
nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.zip
3 files changed, 46 insertions, 0 deletions
diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 0cb11ec8..16405a26 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -123,6 +123,10 @@
      };
      virtualHosts = {
        ${config.services.grafana.domain} = {
+          addSSL = true;
+          forceSSL = true;
+          sslCertificate = ./selfsigned.crt;
+          sslCertificateKey = config.sops.secrets."selfsigned.key".path;
          locations."/" = {
            proxyPass = "http://grafana/";
            proxyWebsockets = true;
@@ -149,6 +153,13 @@
      sopsFile = ./grafana-secret-key;
      owner = "grafana";
    };
+    sops.secrets."selfsigned.key" = {
+      format = "binary";
+      sopsFile = ./selfsigned.key;
+      group = "ssl";
+      mode = "0440";
+    };
+    users.groups.ssl.members = ["nginx"];
    services.loki = {
      enable = true;
diff --git a/hosts/vidhar/selfsigned.crt b/hosts/vidhar/selfsigned.crt
new file mode 100644
index 00000000..2454e7a0
--- /dev/null
+++ b/hosts/vidhar/selfsigned.crt
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBSjCB/aADAgECAhQkPP20/GroiCxeATRK9v5/ENBnlTAFBgMrZXAwGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAeFw0yMjAxMjMxNTE4MzlaFw0zMjAxMjEx
+NTE4MzlaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQAo
+raRZr/cZazcRdRE6Fk2aDo0+UNtxLOsuW7THuvjTgqNTMFEwHQYDVR0OBBYEFFhk
+MNMLGMrj4Z7jNR4viK7ED3UlMB8GA1UdIwQYMBaAFFhkMNMLGMrj4Z7jNR4viK7E
+D3UlMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAp4M3smZvvgCLCiaBPifajTJ3
+uhzKGG6Tgw7tB6tAoM5DJ8z/o2rnzM+eI5vOVbYe/9felInygKp0MjVm0nokDQ==
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/selfsigned.key b/hosts/vidhar/selfsigned.key
new file mode 100644
index 00000000..10e0418b
--- /dev/null
+++ b/hosts/vidhar/selfsigned.key
@@ -0,0 +1,26 @@
+{
+        "data": "ENC[AES256_GCM,data:A8sZhoRXQUu9nwRMGjXFG4M5pPcYZ+vmeTYGLY1ioBt+GBSomb2jZtc6cIKvleUFDSsIfryraS01k5dFVxNELdCjhWMMRYlfY4L5Sc5jzRDFI+m/s1xCjOA6a3We2bs/kTqeH9+yFv/zwW5SXuOPazxPRpB+qxk=,iv:iYHZ1hk3Lxe834GUqQgROm8n33Q7I4JXjcUEUtyntCs=,tag:njODzTay42/Uwg8ixSwhhw==,type:str]",
+        "sops": {
+                "kms": null,
+                "gcp_kms": null,
+                "azure_kv": null,
+                "hc_vault": null,
+                "age": null,
+                "lastmodified": "2022-01-23T15:19:33Z",
+                "mac": "ENC[AES256_GCM,data:3kf2lurN4UGUAlaK/pN6dCIyzN7QGEUm9bwqZBUzx6ussGHTlZB0rLoSvZ/5Y6mffXmdMvPFwXIiAbQ/McVwUJ1VAofJpmMNGSRP2gn5yZikfzaKXgzz9p0SVsLjI4Q3/Nb3t06DYiZy/U2w/jk1xXWvzRiv5XVMKxqjEwk9ktQ=,iv:GLCu2/DdFx6vnpUIn/xmLAPPfqzhkgW7cap96aMX8io=,tag:DxdaqEPha1IZzaBJGnA+zQ==,type:str]",
+                "pgp": [
+                        {
+                                "created_at": "2022-01-23T15:19:33Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAEEOUDrtzAc9PMW9UordxfTXZGl6b1A9kQkY7GX0j5XUw\na0y5o1dMJuiS10zGLMIeVVO+2a+5pRA87mgLlK/bZlf70ytvxS8iCe2gj03seIqy\n0lwB0/maAFb01G/mC0mGKfKPe6zZ6KIGn5rLd8bvwmSaW2vxawyTkPKI9nNrVfsn\n1K4q7X9PutaFh96HkzG5NIFDpbBIlDHPA5YztIl5dmzix/frAAHWykmo4Sqx9g==\n=vxLi\n-----END PGP MESSAGE-----\n",
+                                "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+                        },
+                        {
+                                "created_at": "2022-01-23T15:19:33Z",
+                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFxmhohIFm+I2W74VhD13qus+tX6F9OEas68VnivXDVUw\nKncJVQR8KYvoZei3qVa/4V6tWSwv0zs9lY+uYIBdYcfJC5jK2N9A4ALpD6rDUw42\n0lwBUqnJlY+P13tuZ5dbsBHUNyoeLZ53+hOOfGTZHQbUA0XeoPgzppqtaqrdn+st\nioHJhTNE87D+naKaRiVXLaeDpsW3OYA0khX1ubUDincPwMiGPBAZALul+UpQNw==\n=ra2/\n-----END PGP MESSAGE-----\n",
+                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+                        }
+                ],
+                "unencrypted_suffix": "_unencrypted",
+                "version": "3.7.1"
+        }
+}
+\ No newline at end of file
author	Gregor Kleen <gkleen@yggdrasil.li>	2022-01-23 16:43:34 +0100
committer	Gregor Kleen <gkleen@yggdrasil.li>	2022-01-23 16:43:34 +0100
commit	c1c8242845b1006f0cccef7211deef8195cbd1b0 (patch)
tree	5ef65c7422a2d7075bee2f907f3ce199a8b04de4
parent	99f7fa13ee3967370c2dbce49c54e834ef9a0565 (diff)
download	nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar.gz nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar.bz2 nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.tar.xz nixos-c1c8242845b1006f0cccef7211deef8195cbd1b0.zip

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 0cb11ec8..16405a26 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix
@@ -123,6 +123,10 @@
123	};	123	};
124	virtualHosts = {	124	virtualHosts = {
125	${config.services.grafana.domain} = {	125	${config.services.grafana.domain} = {
		126	addSSL = true;
		127	forceSSL = true;
		128	sslCertificate = ./selfsigned.crt;
		129	sslCertificateKey = config.sops.secrets."selfsigned.key".path;
126	locations."/" = {	130	locations."/" = {
127	proxyPass = "http://grafana/";	131	proxyPass = "http://grafana/";
128	proxyWebsockets = true;	132	proxyWebsockets = true;
@@ -149,6 +153,13 @@
149	sopsFile = ./grafana-secret-key;	153	sopsFile = ./grafana-secret-key;
150	owner = "grafana";	154	owner = "grafana";
151	};	155	};
		156	sops.secrets."selfsigned.key" = {
		157	format = "binary";
		158	sopsFile = ./selfsigned.key;
		159	group = "ssl";
		160	mode = "0440";
		161	};
		162	users.groups.ssl.members = ["nginx"];
152		163
153	services.loki = {	164	services.loki = {
154	enable = true;	165	enable = true;


diff --git a/hosts/vidhar/selfsigned.crt b/hosts/vidhar/selfsigned.crt new file mode 100644 index 00000000..2454e7a0 --- /dev/null +++ b/hosts/vidhar/selfsigned.crt
@@ -0,0 +1,9 @@
		1	-----BEGIN CERTIFICATE-----
		2	MIIBSjCB/aADAgECAhQkPP20/GroiCxeATRK9v5/ENBnlTAFBgMrZXAwGzEZMBcG
		3	A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAeFw0yMjAxMjMxNTE4MzlaFw0zMjAxMjEx
		4	NTE4MzlaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQAo
		5	raRZr/cZazcRdRE6Fk2aDo0+UNtxLOsuW7THuvjTgqNTMFEwHQYDVR0OBBYEFFhk
		6	MNMLGMrj4Z7jNR4viK7ED3UlMB8GA1UdIwQYMBaAFFhkMNMLGMrj4Z7jNR4viK7E
		7	D3UlMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAp4M3smZvvgCLCiaBPifajTJ3
		8	uhzKGG6Tgw7tB6tAoM5DJ8z/o2rnzM+eI5vOVbYe/9felInygKp0MjVm0nokDQ==
		9	-----END CERTIFICATE-----


diff --git a/hosts/vidhar/selfsigned.key b/hosts/vidhar/selfsigned.key new file mode 100644 index 00000000..10e0418b --- /dev/null +++ b/hosts/vidhar/selfsigned.key
@@ -0,0 +1,26 @@
		1	{
		2	"data": "ENC[AES256_GCM,data:A8sZhoRXQUu9nwRMGjXFG4M5pPcYZ+vmeTYGLY1ioBt+GBSomb2jZtc6cIKvleUFDSsIfryraS01k5dFVxNELdCjhWMMRYlfY4L5Sc5jzRDFI+m/s1xCjOA6a3We2bs/kTqeH9+yFv/zwW5SXuOPazxPRpB+qxk=,iv:iYHZ1hk3Lxe834GUqQgROm8n33Q7I4JXjcUEUtyntCs=,tag:njODzTay42/Uwg8ixSwhhw==,type:str]",
		3	"sops": {
		4	"kms": null,
		5	"gcp_kms": null,
		6	"azure_kv": null,
		7	"hc_vault": null,
		8	"age": null,
		9	"lastmodified": "2022-01-23T15:19:33Z",
		10	"mac": "ENC[AES256_GCM,data:3kf2lurN4UGUAlaK/pN6dCIyzN7QGEUm9bwqZBUzx6ussGHTlZB0rLoSvZ/5Y6mffXmdMvPFwXIiAbQ/McVwUJ1VAofJpmMNGSRP2gn5yZikfzaKXgzz9p0SVsLjI4Q3/Nb3t06DYiZy/U2w/jk1xXWvzRiv5XVMKxqjEwk9ktQ=,iv:GLCu2/DdFx6vnpUIn/xmLAPPfqzhkgW7cap96aMX8io=,tag:DxdaqEPha1IZzaBJGnA+zQ==,type:str]",
		11	"pgp": [
		12	{
		13	"created_at": "2022-01-23T15:19:33Z",
		14	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAEEOUDrtzAc9PMW9UordxfTXZGl6b1A9kQkY7GX0j5XUw\na0y5o1dMJuiS10zGLMIeVVO+2a+5pRA87mgLlK/bZlf70ytvxS8iCe2gj03seIqy\n0lwB0/maAFb01G/mC0mGKfKPe6zZ6KIGn5rLd8bvwmSaW2vxawyTkPKI9nNrVfsn\n1K4q7X9PutaFh96HkzG5NIFDpbBIlDHPA5YztIl5dmzix/frAAHWykmo4Sqx9g==\n=vxLi\n-----END PGP MESSAGE-----\n",
		15	"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
		16	},
		17	{
		18	"created_at": "2022-01-23T15:19:33Z",
		19	"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFxmhohIFm+I2W74VhD13qus+tX6F9OEas68VnivXDVUw\nKncJVQR8KYvoZei3qVa/4V6tWSwv0zs9lY+uYIBdYcfJC5jK2N9A4ALpD6rDUw42\n0lwBUqnJlY+P13tuZ5dbsBHUNyoeLZ53+hOOfGTZHQbUA0XeoPgzppqtaqrdn+st\nioHJhTNE87D+naKaRiVXLaeDpsW3OYA0khX1ubUDincPwMiGPBAZALul+UpQNw==\n=ra2/\n-----END PGP MESSAGE-----\n",
		20	"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
		21	}
		22	],
		23	"unencrypted_suffix": "_unencrypted",
		24	"version": "3.7.1"
		25	}
		26	} \ No newline at end of file