From c1c8242845b1006f0cccef7211deef8195cbd1b0 Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Sun, 23 Jan 2022 16:43:34 +0100
Subject: vidhar: selfsigned tls cert

---
 hosts/vidhar/default.nix    | 11 +++++++++++
 hosts/vidhar/selfsigned.crt |  9 +++++++++
 hosts/vidhar/selfsigned.key | 26 ++++++++++++++++++++++++++
 3 files changed, 46 insertions(+)
 create mode 100644 hosts/vidhar/selfsigned.crt
 create mode 100644 hosts/vidhar/selfsigned.key

diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix
index 0cb11ec8..16405a26 100644
--- a/hosts/vidhar/default.nix
+++ b/hosts/vidhar/default.nix
@@ -123,6 +123,10 @@
       };
       virtualHosts = {
         ${config.services.grafana.domain} = {
+          addSSL = true;
+          forceSSL = true;
+          sslCertificate = ./selfsigned.crt;
+          sslCertificateKey = config.sops.secrets."selfsigned.key".path;
           locations."/" = {
             proxyPass = "http://grafana/";
             proxyWebsockets = true;
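Review bot: Setting both `addSSL = true;` and `forceSSL = true;` on the grafana virtual host is, as far as I recall, rejected by nixpkgs' nginx module, which asserts that at most one of addSSL/onlySSL/forceSSL/rejectSSL is enabled per vhost, so `nixos-rebuild` would fail at evaluation. `forceSSL` on its own already listens on 80 and 443 and redirects plain HTTP to HTTPS, which appears to be the intent here, so dropping the `addSSL = true;` line should be enough. Note also that `sslCertificate = ./selfsigned.crt;` copies the public certificate into the world-readable Nix store, which is fine for the certificate but means the key path on the next line must stay the sops-managed one and never a store path. The `virtualHosts` attribute set and the enclosing `services.nginx` block start and end outside this hunk.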
@@ -149,6 +153,13 @@
       sopsFile = ./grafana-secret-key;
       owner = "grafana";
     };
+    sops.secrets."selfsigned.key" = {
+      format = "binary";
+      sopsFile = ./selfsigned.key;
+      group = "ssl";
+      mode = "0440";
+    };
+    users.groups.ssl.members = ["nginx"];
 
     services.loki = {
       enable = true;
diff --git a/hosts/vidhar/selfsigned.crt b/hosts/vidhar/selfsigned.crt
new file mode 100644
index 00000000..2454e7a0
--- /dev/null
+++ b/hosts/vidhar/selfsigned.crt
@@ -0,0 +1,9 @@
+-----BEGIN CERTIFICATE-----
+MIIBSjCB/aADAgECAhQkPP20/GroiCxeATRK9v5/ENBnlTAFBgMrZXAwGzEZMBcG
+A1UEAwwQdmlkaGFyLnlnZ2RyYXNpbDAeFw0yMjAxMjMxNTE4MzlaFw0zMjAxMjEx
+NTE4MzlaMBsxGTAXBgNVBAMMEHZpZGhhci55Z2dkcmFzaWwwKjAFBgMrZXADIQAo
+raRZr/cZazcRdRE6Fk2aDo0+UNtxLOsuW7THuvjTgqNTMFEwHQYDVR0OBBYEFFhk
+MNMLGMrj4Z7jNR4viK7ED3UlMB8GA1UdIwQYMBaAFFhkMNMLGMrj4Z7jNR4viK7E
+D3UlMA8GA1UdEwEB/wQFMAMBAf8wBQYDK2VwA0EAp4M3smZvvgCLCiaBPifajTJ3
+uhzKGG6Tgw7tB6tAoM5DJ8z/o2rnzM+eI5vOVbYe/9felInygKp0MjVm0nokDQ==
+-----END CERTIFICATE-----
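Review bot: The new certificate decodes to a self-signed Ed25519 certificate whose only name is `CN=vidhar.yggdrasil`, with no subjectAltName, which limits its usefulness for a browser-facing Grafana UI: modern browsers match the host name against the SAN list and ignore the CN, and at the time of this commit mainstream browsers did not accept Ed25519 server certificates for TLS at all, so a user who imports this certificate would most likely still see a connection error. It also carries a critical `basicConstraints CA:TRUE` and a ten-year validity (2022-01-23 to 2032-01-21), which is broader than a single-host leaf needs. If the goal is browser access, consider reissuing as an ECDSA P-256 (or RSA) leaf with `subjectAltName = DNS:vidhar.yggdrasil` matching `config.services.grafana.domain` (not visible here), `CA:FALSE`, and a shorter validity; if the certificate only protects traffic from a fixed, non-browser client that pins it, a short comment next to `sslCertificate` in default.nix saying so would save the next reader the decoding.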
diff --git a/hosts/vidhar/selfsigned.key b/hosts/vidhar/selfsigned.key
new file mode 100644
index 00000000..10e0418b
--- /dev/null
+++ b/hosts/vidhar/selfsigned.key
@@ -0,0 +1,26 @@
+{
+	"data": "ENC[AES256_GCM,data:A8sZhoRXQUu9nwRMGjXFG4M5pPcYZ+vmeTYGLY1ioBt+GBSomb2jZtc6cIKvleUFDSsIfryraS01k5dFVxNELdCjhWMMRYlfY4L5Sc5jzRDFI+m/s1xCjOA6a3We2bs/kTqeH9+yFv/zwW5SXuOPazxPRpB+qxk=,iv:iYHZ1hk3Lxe834GUqQgROm8n33Q7I4JXjcUEUtyntCs=,tag:njODzTay42/Uwg8ixSwhhw==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-01-23T15:19:33Z",
+		"mac": "ENC[AES256_GCM,data:3kf2lurN4UGUAlaK/pN6dCIyzN7QGEUm9bwqZBUzx6ussGHTlZB0rLoSvZ/5Y6mffXmdMvPFwXIiAbQ/McVwUJ1VAofJpmMNGSRP2gn5yZikfzaKXgzz9p0SVsLjI4Q3/Nb3t06DYiZy/U2w/jk1xXWvzRiv5XVMKxqjEwk9ktQ=,iv:GLCu2/DdFx6vnpUIn/xmLAPPfqzhkgW7cap96aMX8io=,tag:DxdaqEPha1IZzaBJGnA+zQ==,type:str]",
+		"pgp": [
+			{
+				"created_at": "2022-01-23T15:19:33Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DbYDvGI0HDr0SAQdAEEOUDrtzAc9PMW9UordxfTXZGl6b1A9kQkY7GX0j5XUw\na0y5o1dMJuiS10zGLMIeVVO+2a+5pRA87mgLlK/bZlf70ytvxS8iCe2gj03seIqy\n0lwB0/maAFb01G/mC0mGKfKPe6zZ6KIGn5rLd8bvwmSaW2vxawyTkPKI9nNrVfsn\n1K4q7X9PutaFh96HkzG5NIFDpbBIlDHPA5YztIl5dmzix/frAAHWykmo4Sqx9g==\n=vxLi\n-----END PGP MESSAGE-----\n",
+				"fp": "A1C7C95E6CAF0A965CB47277BCF50A89C1B1F362"
+			},
+			{
+				"created_at": "2022-01-23T15:19:33Z",
+				"enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAFxmhohIFm+I2W74VhD13qus+tX6F9OEas68VnivXDVUw\nKncJVQR8KYvoZei3qVa/4V6tWSwv0zs9lY+uYIBdYcfJC5jK2N9A4ALpD6rDUw42\n0lwBUqnJlY+P13tuZ5dbsBHUNyoeLZ53+hOOfGTZHQbUA0XeoPgzppqtaqrdn+st\nioHJhTNE87D+naKaRiVXLaeDpsW3OYA0khX1ubUDincPwMiGPBAZALul+UpQNw==\n=ra2/\n-----END PGP MESSAGE-----\n",
+				"fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
+			}
+		],
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.1"
+	}
+}
\ No newline at end of file