From c1c8242845b1006f0cccef7211deef8195cbd1b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sun, 23 Jan 2022 16:43:34 +0100
Subject: vidhar: selfsigned tls cert

---
 hosts/vidhar/default.nix | 11 +++++++++++
 hosts/vidhar/selfsigned.crt | 9 +++++++++
 hosts/vidhar/selfsigned.key | 26 ++++++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 hosts/vidhar/selfsigned.crt
 create mode 100644 hosts/vidhar/selfsigned.key

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 0cb11ec8..16405a26 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -123,6 +123,10 @@
 };
 virtualHosts = {
 ${config.services.grafana.domain} = {
+ addSSL = true;
+ forceSSL = true;
+ sslCertificate = ./selfsigned.crt;
+ sslCertificateKey = config.sops.secrets."selfsigned.key".path;
 locations."/" = {
 proxyPass = "http://grafana/";
 proxyWebsockets = true;
@@ -149,6 +153,13 @@
 sopsFile = ./grafana-secret-key;
 owner = "grafana";
 };
+ sops.secrets."selfsigned.key" = {
+ format = "binary";
+ sopsFile = ./selfsigned.key;
+ group = "ssl";
+ mode = "0440";
+ };
+ users.groups.ssl.members = ["nginx"];
 services.loki = {
 enable = true;
diff --git a/hosts/vidhar/selfsigned.crt b/hosts/vidhar/selfsigned.crt
new file mode 100644
index 00000000..2454e7a0
--- /dev/null
+++ b/hosts/vidhar/selfsigned.crt
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBSjCB/aADAgECAhQkPP20/GroiCxeATRK9v5/ENBnlTAFBgMrZXAwGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAeFw0yMjAxMjMxNTE4MzlaFw0zMjAxMjEx
+NTE4MzlaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQAo
+raRZr/cZazcRdRE6Fk2aDo0+UNtxLOsuW7THuvjTgqNTMFEwHQYDVR0OBBYEFFhk
+MNMLGMrj4Z7jNR4viK7ED3UlMB8GA1UdIwQYMBaAFFhkMNMLGMrj4Z7jNR4viK7E
+D3UlMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAp4M3smZvvgCLCiaBPifajTJ3
+uhzKGG6Tgw7tB6tAoM5DJ8z/o2rnzM+eI5vOVbYe/9felInygKp0MjVm0nokDQ==
+-----END CERTIFICATE-----
diff --git a/hosts/vidhar/selfsigned.key b/hosts/vidhar/selfsigned.key
new file mode 100644
index 00000000..10e0418b
--- /dev/null
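Review bot: `addSSL = true;` and `forceSSL = true;` on the grafana virtualHost conflict; as far as I recall the NixOS nginx module asserts that addSSL, onlySSL and forceSSL are mutually exclusive, so this evaluation should fail on that assertion, and even if it did not, forceSSL already does everything addSSL does (listen on 80 and 443) plus the 301 redirect. Drop the `addSSL = true;` line and keep `forceSSL = true;`, since the redirect is clearly the intent. The virtualHosts attribute set this sits in starts and ends outside the hunk.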
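Review bot: The new selfsigned.crt has no subjectAltName: decoding the DER, its only extensions are subjectKeyIdentifier, authorityKeyIdentifier and a critical basicConstraints CA:TRUE, and the name vidhar.yggdrasil appears only in the subject CN, which browsers and most modern verifiers ignore for hostname matching, so a client that explicitly trusts this cert would still reject it for the host. The key and signature algorithm OID also appears to be Ed25519 (1.3.101.112), which mainstream browsers do not accept for TLS server certificates, so the Grafana UI behind this vhost would likely fail the handshake there regardless of trust. I would regenerate it with a SAN matching `config.services.grafana.domain` (e.g. openssl `-addext "subjectAltName=DNS:vidhar.yggdrasil"`), an ECDSA P-256 or RSA key, CA:FALSE, and something shorter than the ten-year validity (2022-01-23 to 2032-01-21) encoded here. Keeping the public cert in git is fine; only the key needs to stay in sops, as this commit already does.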
+++ b/hosts/vidhar/selfsigned.key
@@ -0,0 +1,26 @@
+{
+ "data": "ENC[AES256_GCM,data:A8sZhoRXQUu9nwRMGjXFG4M5pPcYZ+vmeTYGLY1ioBt+GBSomb2jZtc6cIKvleUFDSsIfryraS01k5dFVxNELdCjhWMMRYlfY4L5Sc5jzRDFI+m/s1xCjOA6a3We2bs/kTqeH9+yFv/zwW5SXuOPazxPRpB+qxk=,iv:iYHZ1hk3Lxe834GUqQgROm8n33Q7I4JXjcUEUtyntCs=,tag:njODzTay42/Uwg8ixSwhhw==,type:str]",
+ "sops": {
+ "kms": null,
+ "gcp_kms": null,
+ "azure_kv": null,
+ "hc_vault": null,
+ "age": null,
+ "lastmodified": "2022-01-23T15:19:33Z",
+ "mac": "ENC[AES256_GCM,data:3kf2lurN4UGUAlaK/pN6dCIyzN7QGEUm9bwqZBUzx6ussGHTlZB0rLoSvZ/5Y6mffXmdMvPFwXIiAbQ/McVwUJ1VAofJpmMNGSRP2gn5yZikfzaKXgzz9p0SVsLjI4Q3/Nb3t06DYiZy/U2w/jk1xXWvzRiv5XVMKxqjEwk9ktQ=,iv:GLCu2/DdFx6vnpUIn/xmLAPPfqzhkgW7cap96aMX8io=,tag:DxdaqEPha1IZzaBJGnA+zQ==,type:str]",
+ "pgp": [
+ {
+ "created_at": "2022-01-23T15:19:33Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAEEOUDrtzAc9PMW9UordxfTXZGl6b1A9kQkY7GX0j5XUw\na0y5o1dMJuiS10zGLMIeVVO+2a+5pRA87mgLlK/bZlf70ytvxS8iCe2gj03seIqy\n0lwB0/maAFb01G/mC0mGKfKPe6zZ6KIGn5rLd8bvwmSaW2vxawyTkPKI9nNrVfsn\n1K4q7X9PutaFh96HkzG5NIFDpbBIlDHPA5YztIl5dmzix/frAAHWykmo4Sqx9g==\n=vxLi\n-----END PGP MESSAGE-----\n",
+ "fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+ },
+ {
+ "created_at": "2022-01-23T15:19:33Z",
+ "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFxmhohIFm+I2W74VhD13qus+tX6F9OEas68VnivXDVUw\nKncJVQR8KYvoZei3qVa/4V6tWSwv0zs9lY+uYIBdYcfJC5jK2N9A4ALpD6rDUw42\n0lwBUqnJlY+P13tuZ5dbsBHUNyoeLZ53+hOOfGTZHQbUA0XeoPgzppqtaqrdn+st\nioHJhTNE87D+naKaRiVXLaeDpsW3OYA0khX1ubUDincPwMiGPBAZALul+UpQNw==\n=ra2/\n-----END PGP MESSAGE-----\n",
+ "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+ }
+ ],
+ "unencrypted_suffix": "_unencrypted",
+ "version": "3.7.1"
+ }
+}
\ No newline at end of file
-- 
cgit v1.2.3