From 26081d759a314998fc6f3894b1f1b63aa6d45e49 Mon Sep 17 00:00:00 2001
From: Malte Tammena
Date: Wed, 4 Oct 2023 16:33:37 +0200
Subject: [PATCH] fix(gogs): update certificate
---
 hosts/faunus-ater.nix | 1 +
 modules/gogs.nix | 4 ++--
 secrets/hosts/faunus-ater/secrets.yaml | 5 +++--
 secrets/pub/git-home.crt | 11 +++++++++++
 4 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 secrets/pub/git-home.crt
diff --git a/hosts/faunus-ater.nix b/hosts/faunus-ater.nix
index fd09c98..36a6453 100644
--- a/hosts/faunus-ater.nix
+++ b/hosts/faunus-ater.nix
@@ -536,6 +536,7 @@ in {
 "certificate-key-note-home" = nginxSecret;
 "certificate-key-foto-home" = nginxSecret;
 "certificate-key-listen-home" = nginxSecret;
+ "certificate-key-git-home" = nginxSecret;
 "paperless-admin-password" = {};
 "photoprism-admin-password" = {};
 "grafana-admin-password" = {
diff --git a/modules/gogs.nix b/modules/gogs.nix
index 090f9de..9ca2557 100644
--- a/modules/gogs.nix
+++ b/modules/gogs.nix
@@ -51,8 +51,8 @@ in {
 addSSL = true;
 listenAddresses = [cfg.addr.v4 "[${cfg.addr.v6}]"];
 sslTrustedCertificate = pkgs.writeText "ca.crt" (builtins.readFile ../secrets/ca.crt);
- sslCertificateKey = config.sops.secrets."nginx-cert-key".path;
- sslCertificate = config.sops.secrets."nginx-cert-crt".path;
+ sslCertificateKey = config.sops.secrets."certificate-key-git-home".path;
+ sslCertificate = ../secrets/pub/git-home.crt;
 locations."/" = {
 proxyPass = "http://${config.services.gogs.httpAddress}:${toString config.services.gogs.httpPort}";
 proxyWebsockets = true;
diff --git a/secrets/hosts/faunus-ater/secrets.yaml b/secrets/hosts/faunus-ater/secrets.yaml
index a3838fb..34d5b00 100644
--- a/secrets/hosts/faunus-ater/secrets.yaml
+++ b/secrets/hosts/faunus-ater/secrets.yaml
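Review bot: In modules/gogs.nix, `sslCertificateKey` now depends on `config.sops.secrets."certificate-key-git-home"`, which this patch declares only in hosts/faunus-ater.nix, so the module presumably fails evaluation with a bare missing-attribute error on any host that enables it without that declaration; declaring the secret in the module itself, or adding an assertion with a clear message, would make the coupling explicit. The key/certificate split itself is sound and deserves a comment above the two new lines, e.g. `# key: sops runtime path, never in the Nix store; cert: public, safe to copy into the store`. Separately, the unchanged `addSSL = true;` in this block keeps plain HTTP available next to HTTPS, so Gogs logins can still travel unencrypted; `forceSSL = true;` would redirect them, provided no client relies on HTTP. The virtual-host block starts and ends outside the hunk.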
@@ -20,6 +20,7 @@ certificate-key-read-home: ENC[AES256_GCM,data:gmOZltlFX1MnD2O9MvImBfHXSFOCoRwf2 certificate-key-note-home: ENC[AES256_GCM,data:3o14rUIbQnO2zsWZ+2HOYeUj9bCwAyDnCTJnqPFeUoycRNof72adOQnXD55zkRjvmTCKn+eUAftMUmKwLh6igQBUDfaa3LR4vrFIFxGU2yVc05HCtkNoH8DDbaNlh2qUEXxRhdHOOH8H9+owKC8vdI3lg0jQCOCohyh8DXzMBlDwMrRt4GEdCf9SacVFSAwYjBcaY5QiGno62cwhIopOqrDEgDjX9DqSXdMldWPJAhY+vKqkQw3s0TEP6VKUWxS1dsk5iUWLCiwEluapUlkNe8pl2IS+edfMHs6r5VjkvREZgnVlYG/E7KZxs+RXZHH6hqC+QVQwb1Pyvg1pNrgRgYglQjGEk4Hw2KYLPiujvA8Gh5g4FXLqOqb0D+1e/L4KmuuRJj4NFSJva1BlMXg=,iv:CzTsAY13qJ7QuLxAy8hR25eilH1xk2ZeMm1n36jXhr0=,tag:EF58EugYcdZmus01rYU4Og==,type:str] certificate-key-foto-home: ENC[AES256_GCM,data:fBu0O+jgpvquYLm8pkATyJc/htIM9K45O+ORLh6BZ3sU4KkzHxhxwgmGirt+KmuPDfpXKpXZ9JnR6ZzQ8fx+SKy65RLN0NsFYgmtmkLft0x5yir9qODGSFcEfAbF8ytr2+TvjLJxm44uutuwuedM3npfM1Ix8kJctTbDDsDm+O1a6yHwYMzdNMvG/wzYwcLfkKYVAmJ7NSDhWn0EQbMuiYE+Dr5ELpLBRrJ+9jLRSW21coK3vsjWPdDNu53HJhm3tXMygShrfMnbizCS+usHDaDPmyR6FNsS1+jc6BosVD/hK1p/eXkLKYwnOyMZdpnPiVQVr1E7Sa0P1RgOoDkWx8J+ltj1UqqDtWaU6caqALOXE++oowXJski1HJWZtPyra0TkbZXNqrUA2Pwyxns=,iv:/Ssx11gARoOKrO4slcd3h839qyrzkuYWF2yBUpD+QCQ=,tag:qgZauUmp6Ry5RGsA0uPqZA==,type:str] certificate-key-listen-home: ENC[AES256_GCM,data:B0sXmMgBnBc2T2rimUrsx77uLcKeMUkMIOCuI1eGR/HJdGmDlD3fTu4OHEBi/dlcDhka7sEw3at2orZtn4C7vaT0xvbvQTNtHnXSYIsKJd4lc/5UGugAi7uL5yzv6GlgJDsD6hy7sxRgiZzvk5fqlPZ6IRn2olMV1fhEAqHYQuyYca4Jx8M0s/lfnW1IzxZkykMrxXAWgCccC8JwtAbFmGBIIJATR+sIbK6w2eT/c/6DuqVlcqpL2w81RHn5nATUOsqTMuAxNPFOsQ8hkhohi7i07UJ9zHTbgd1Joxp0UnilW7eNKevySXSpS2K5D/lpNA2TXVImC+mKf2vw9Tq0fLbh3AtoWkKMKvDMe65SnnKs7w57SKNOHwcImMEiEr33xaj9SuDL9pbuXp5j84E=,iv:xxXKfCd1wbuXh+PfLkBuE+hMtrqwGPETHqHP+Ym1Kdw=,tag:midB+J8LvwGhTBpZ6z0ajA==,type:str] +certificate-key-git-home: 
ENC[AES256_GCM,data:/ElUTbedyaxWRf+A0A/4oCxcCFBz10zI26/i6h1TVEWg347v76k1BqlsywERg7Q+uLTc61bE5JdskoAX7im2HbYgC83o2YmnLTPKFWWlXIZDbBAx4BCh2/O2W38plgpN3jMeZ0VG9/11nL3pwXPyFwdOqhbaH3Xa0fWcomvREq9bewM1MzAw74KI6bNVnKpe9LQNj+aQBzq5UNDWiToR2iNyQ1k8DUhmBPxei/nMrHiFRj4gVk86IhyQKjZAY4Q+dLQ/aPSz1EqGUoXWh05RgvB+Q5BNJMTIj1x/OYpxoH5/E8babQwX4fhXPFHDf5+wdLJlaFUPoswHIIrXrP+T6UQtFRMS2oBI/cln2uoma49ApXmNOBzmkAAOd0tJ4VDFxQ/PhdtF0tsR5mOSLKU=,iv:Lk9K11R4kOIXUipUhxjIIryt+sIMLETuYx1IrAsYiLM=,tag:41DTtViZFE3ZRQLvRnV0xw==,type:str] sops: kms: [] gcp_kms: [] @@ -35,8 +36,8 @@ sops: cUZZQ1N4dGxpR2VLR1ZjTlFmTmwvTGsKzvsg2Uh2LzE5vXrdxW+H3ACP9kbFO1Rb XUyEF6E40UGTR40J8CqV7IvnHVvaLVIekW51MyKVGNyBG1phOne10w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-09-19T15:35:58Z" - mac: ENC[AES256_GCM,data:qFEHyZEkfrIgB/5oVO3bLmR9NbFKKxUeSEL9nGbCkzREKxECWwBwpY8fMZM17DE8XG4cP+AmpkT56eOEd5tbr3JYqbn/LzMvjEXBEyv15dg4/4XPyLO22uKk/E0EtOgVZaFiX+joDhFVDnvlcntuJobH0xEYUDCA00jMXRBS19k=,iv:JjZMKF23lXa1y2zAbyd+9X8m7gMOvX2n2bThVj4WWmY=,tag:D9fG0sDtPVWz5FlmAbX+2w==,type:str] + lastmodified: "2023-10-04T14:28:07Z" + mac: ENC[AES256_GCM,data:5ClPyK4mJ+YwcYVKyHKZnH0gCl4GYfZHATFNTRDnHZE8rY9xkDr31t1Q3brCyQcpPBzj/mL3sNWqaVZJ36rAdBgj9hCk5cOikA3J3BLDk2zyu1ugRotliYBWOYSZastu2czfBoGn+MxENqr4qT2jmBH3K1cd1mUwkKVl/C5OGkk=,iv:+j88Yba0m0KKc0DmI+8NMilIOxCYii9CysZ+2GoOc/o=,tag:OMVrXpps7x4M70HDRKkyyA==,type:str] pgp: - created_at: "2022-06-04T20:24:49Z" enc: | diff --git a/secrets/pub/git-home.crt b/secrets/pub/git-home.crt new file mode 100644 index 0000000..d7ec85b --- /dev/null +++ b/secrets/pub/git-home.crt 
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBoDCCAUegAwIBAgIUcJLg2plScWMgDUk+jtw7eEwOpfcwCgYIKoZIzj0EAwIw
+FTETMBEGA1UEAwwKTXkgSG9tZSBDQTAeFw0yMzEwMDQxNDI4MDZaFw0yNDEwMDMx
+NDI4MDZaMBExDzANBgNVBAMMBiouaG9tZTBZMBMGByqGSM49AgEGCCqGSM49AwEH
+A0IABP6qv9g+sNiYHaQTGxsbFT1GbIwnVFjpHhv3WfjNPkIqQ6Uxx3iZDzcZkFza
+UnbwZ5mXkrg4t8M5OPv3LozuAeSjeTB3MAsGA1UdDwQEAwIF4DATBgNVHSUEDDAK
+BggrBgEFBQcDATATBgNVHREEDDAKgghnaXQuaG9tZTAdBgNVHQ4EFgQU9YvwvRmg
+kH7T8rPZmAQqtg7arzswHwYDVR0jBBgwFoAU3LHFhGwT3qMYGN9SmsFeqDIHztMw
+CgYIKoZIzj0EAwIDRwAwRAIgB3w5EYXZRZpTMg95zrY/iWxBF4wrSR+UjgJ6K1va
+GyICIEanqxKN+PYkZ4CJ28UQuw6GnSa2myL2xLj0fUBXyTpl
+-----END CERTIFICATE-----
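Review bot: Nothing in this change records when the new certificate lapses: decoding the PEM gives a validity window of 2023-10-04 to 2024-10-03, so clients stop validating the vhost a year after this commit unless someone remembers to reissue it and re-encrypt `certificate-key-git-home`. Because the file is static in the repository, a comment next to the `sslCertificate` line in modules/gogs.nix such as `# git-home.crt expires 2024-10-03; reissue from the home CA before then`, or an expiry check in monitoring, would make the deadline visible. The certificate's only subjectAltName is `git.home` while the subject CN is `*.home`; clients match on the SAN, so the wildcard CN should not be read as wider coverage.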