lines changed Original file line number Diff line number Diff line change 3131 description = "TODO: @sarcasticadmin" ;
3232 } ;
3333
34+ certCert = mkOption {
35+ type = types . str ;
36+ default = "${ cfg . certPath } /cert.crt" ;
37+ description = "TODO: @sarcasticadmin" ;
38+ } ;
39+
40+ certKey = mkOption {
41+ type = types . str ;
42+ default = "${ cfg . certPath } /cert.key" ;
43+ description = "TODO: @sarcasticadmin" ;
44+ } ;
45+
3446 commonName = mkOption {
3547 type = types . str ;
3648 description = "TODO: @sarcasticadmin" ;
4961 ConditionPathExists = "!${ cfg . certPath } /cert.crt" ;
5062 } ;
5163 serviceConfig = {
52- ExecStart = "openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj '/C=US/ST=California/L=Pasadena/O=SCaLE Security/OU=NOC/CN=${ cfg . commonName } ' -keyout ${ cfg . certPath } /cert.key -out ${ cfg . certPath } /cert.crt " ;
64+ ExecStart = "${ lib . getExe pkgs . openssl } req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj '/C=US/ST=California/L=Pasadena/O=SCaLE Security/OU=NOC/CN=${ cfg . commonName } ' -keyout ${ cfg . certKey } -out ${ cfg . certCert } " ;
5365 } ;
5466 wantedBy = [ "network.target" ] ;
5567 } ;
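Review bot: `ConditionPathExists` on the context line above the hunk (line 49/61) still tests the hard-coded `${cfg.certPath}/cert.crt`, while the new ExecStart writes to `${cfg.certCert}` / `${cfg.certKey}`; once someone overrides `certCert` the guard never matches and the oneshot re-runs on every activation, silently overwriting the private key and certificate with a fresh pair. Make the guard follow the option: `ConditionPathExists = "!${cfgCertGenerator.certCert}";` (i.e. `"!${cfg.certCert}"` in this module). The `systemd.services.*` unit definition starts before this hunk, so check whether the service is declared `Type = "oneshot"` there; note also that nothing regenerates the cert after the 365-day `-days` window, since the same guard then blocks renewal. The three new `description = "TODO: @sarcasticadmin"` placeholders should say what the options do, e.g. for `certKey`: `"Path where the generated unencrypted (-nodes) RSA private key is written; defaults to <certPath>/cert.key."` and for `certCert`: `"Path where the self-signed certificate is written; defaults to <certPath>/cert.crt."`.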
Original file line number Diff line number Diff line change 66} :
77let
88 cfg = config . scale-network . services . monitoring ;
9+ cfgCertGenerator = config . scale-network . services . cert-generator ;
910
1011 inherit ( lib )
1112 types
1415 inherit ( lib . modules )
1516 mkDefault
1617 mkIf
18+ mkMerge
1719 ;
1820
1921 inherit ( lib . options )
9092 } ;
9193
9294 nginx . enable = mkDefault true ;
93- # TODO: TLS enabled
94- # Good example enable TLS, but would like to keep it out of the /nix/store
95- # ref: https://github.com/NixOS/nixpkgs/blob/c6fd903606866634312e40cceb2caee8c0c9243f/nixos/tests/custom-ca.nix#L80
96- nginx . virtualHosts . "${ cfg . nginxFQDN } " = {
97- default = true ;
98- enableACME = false ;
99- locations . "/" = {
100- proxyPass = "http://${ toString config . services . grafana . settings . server . http_addr } :${ toString config . services . grafana . settings . server . http_port } /" ;
101- proxyWebsockets = true ;
102- } ;
103- } ;
95+ nginx . virtualHosts . "${ cfg . nginxFQDN } " = mkMerge [
96+
97+ {
98+ default = true ;
99+ enableACME = false ;
100+ locations . "/" = {
101+ proxyPass = "http://${ toString config . services . grafana . settings . server . http_addr } :${ toString config . services . grafana . settings . server . http_port } /" ;
102+ proxyWebsockets = true ;
103+ } ;
104+ }
105+
106+ ( mkIf cfgCertGenerator . enable {
107+ addSSL = true ;
108+ sslCertificate = cfgCertGenerator . certCert ;
109+ sslCertificateKey = cfgCertGenerator . certKey ;
110+ } )
111+
112+ ] ;
104113 } ;
105114 } ;
106115}
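Review bot: `addSSL = true` (line 107) keeps the plaintext HTTP listener alongside the new TLS one, so the Grafana login form and session cookie proxied by `locations."/"` can still travel over port 80; unless cleartext access is deliberately required here, use `forceSSL = true;` (redirects HTTP to HTTPS) or `onlySSL = true;` instead. The TLS branch also depends on files that are created at boot by the cert-generator oneshot, and nothing visible in this hunk orders nginx after that unit — if `certCert`/`certKey` are not on disk when nginx starts, its config validation fails; adding `systemd.services.nginx.after`/`wants` (or `requires`) on the cert-generator unit under the same `mkIf cfgCertGenerator.enable` would close that gap, though the unit's name is outside this diff so I cannot quote it. It is also worth confirming that the key file written with `-nodes` is readable only by the nginx user and root, since `certKey` is a plain path string and nothing here sets its ownership. The enclosing `config` attrset begins before this hunk.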