From 4bfdbea62a890ad14e93371e63a14551464b2c00 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Wed, 3 Nov 2021 16:54:07 +0000
Subject: [PATCH] Add second domain to monitoring cert

Copy everything from how the issuer does it.
---
 morph/grid/local/config.json | 1 +
 morph/grid/local/grid.nix | 2 +-
 morph/grid/production/config.json | 4 ++++
 morph/grid/production/grid.nix | 2 +-
 morph/grid/testing/config.json | 4 ++++
 morph/grid/testing/grid.nix | 2 +-
 morph/lib/customize-monitoring.nix | 3 ++-
 nixos/modules/issuer.nix | 1 -
 nixos/modules/monitoring/server/grafana.nix | 22 +++++++++++++--------
 9 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/morph/grid/local/config.json b/morph/grid/local/config.json
index 8b23b6f1..8bd686a0 100644
--- a/morph/grid/local/config.json
+++ b/morph/grid/local/config.json
@@ -5,6 +5,7 @@
 , "monitoringvpnEndpoint": "192.168.67.24:51820"
 , "passValue": 1000000
 , "issuerDomains": ["payments.localdev"]
+, "monitoringDomains": ["monitoring.localdev"]
 , "letsEncryptAdminEmail": "florian@privatestorage.io"
 , "allowedChargeOrigins": [
 "http://localhost:5000"
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 5502b8fa..4a1524c6 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -116,7 +116,7 @@ let
 nodeExporterTargets
 paymentExporterTargets
 blackboxExporterHttpsTargets;
- inherit (grid-config) letsEncryptAdminEmail;
+ inherit (grid-config) letsEncryptAdminEmail monitoringDomains;
 googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
 enableSlackAlert = false;
 monitoringvpnIPv4 = "172.23.23.1";
diff --git a/morph/grid/production/config.json b/morph/grid/production/config.json
index fcae1563..1696b5fb 100644
--- a/morph/grid/production/config.json
+++ b/morph/grid/production/config.json
@@ -8,6 +8,10 @@
 "payments.privatestorage.io"
 , "payments.private.storage"
 ]
+, "monitoringDomains": [
+ "monitoring.privatestorage.io"
+ , "monitoring.private.storage"
+ ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
 "https://privatestorage.io"
diff --git a/morph/grid/production/grid.nix b/morph/grid/production/grid.nix
index b42f4a3e..4f410abb 100644
--- a/morph/grid/production/grid.nix
+++ b/morph/grid/production/grid.nix
@@ -49,7 +49,7 @@ let
 nodeExporterTargets
 paymentExporterTargets
 blackboxExporterHttpsTargets;
- inherit (grid-config) letsEncryptAdminEmail;
+ inherit (grid-config) letsEncryptAdminEmail monitoringDomains;
 googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
 enableSlackAlert = true;
 monitoringvpnIPv4 = "172.23.23.1";
diff --git a/morph/grid/testing/config.json b/morph/grid/testing/config.json
index a10840db..7c3775df 100644
--- a/morph/grid/testing/config.json
+++ b/morph/grid/testing/config.json
@@ -8,6 +8,10 @@
 "payments.privatestorage-staging.com"
 , "payments.extra.privatestorage-staging.com"
 ]
+, "monitoringDomains": [
+ "monitoring.privatestorage-staging.com"
+ , "monitoring.extra.privatestorage-staging.com"
+ ]
 , "letsEncryptAdminEmail": "jean-paul@privatestorage.io"
 , "allowedChargeOrigins": [
 "http://localhost:5000"
diff --git a/morph/grid/testing/grid.nix b/morph/grid/testing/grid.nix
index ea4cd56a..33451877 100644
--- a/morph/grid/testing/grid.nix
+++ b/morph/grid/testing/grid.nix
@@ -62,7 +62,7 @@ let
 nodeExporterTargets
 paymentExporterTargets
 blackboxExporterHttpsTargets;
- inherit (grid-config) letsEncryptAdminEmail;
+ inherit (grid-config) letsEncryptAdminEmail monitoringDomains;
 googleOAuthClientID = grid-config.monitoringGoogleOAuthClientID;
 enableSlackAlert = true;
 monitoringvpnIPv4 = "172.23.23.1";
diff --git a/morph/lib/customize-monitoring.nix b/morph/lib/customize-monitoring.nix
index ef89119f..2899d994 100644
--- a/morph/lib/customize-monitoring.nix
+++ b/morph/lib/customize-monitoring.nix
@@ -11,6 +11,7 @@
 # See ``customize-issuer.nix``.
 , monitoringvpnIPv4
 , letsEncryptAdminEmail
+, monitoringDomains
 # A list of VPN IP addresses as strings indicating which clients will be
 # allowed onto the VPN.
@@ -119,7 +120,7 @@ in {
 inherit letsEncryptAdminEmail;
 inherit googleOAuthClientID;
 inherit enableSlackAlert;
- domain = "${config.networking.hostName}.${config.networking.domain}";
+ domains = monitoringDomains;
 };
 system.stateVersion = stateVersion;
diff --git a/nixos/modules/issuer.nix b/nixos/modules/issuer.nix
index da3eed73..98192fab 100644
--- a/nixos/modules/issuer.nix
+++ b/nixos/modules/issuer.nix
@@ -111,7 +111,6 @@ in {
 # We'll refer to this collection of domains by the first domain in the
 # list.
 domain = builtins.head cfg.domains;
- certServiceName = "acme-${domain}";
 # Payment server internal http port (arbitrary, non-priviledged):
 internalHttpPort = "1061";
diff --git a/nixos/modules/monitoring/server/grafana.nix b/nixos/modules/monitoring/server/grafana.nix
index 1b51abd4..bbded5e9 100644
--- a/nixos/modules/monitoring/server/grafana.nix
+++ b/nixos/modules/monitoring/server/grafana.nix
@@ -20,10 +20,10 @@ let
 in {
 options.services.private-storage.monitoring.grafana = {
- domain = lib.mkOption
- { type = lib.types.str;
- example = lib.literalExample "grafana.grid.private.storage";
- description = "The FQDN of the Grafana host";
+ domains = lib.mkOption
+ { type = lib.types.listOf lib.types.str;
+ example = [ "grafana.grid.private.storage" ];
+ description = "The domain names at which the server is reachable.";
 };
 prometheusUrl = lib.mkOption
 { type = lib.types.str;
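Review bot: The new `, monitoringDomains` parameter is the only entry in this argument set without a comment, while the neighbouring `monitoringvpnIPv4`/VPN-IP parameters are documented. Based on how grafana.nix in this same patch consumes the list (`builtins.head` becomes the nginx vhost and Grafana domain, `builtins.tail` becomes server aliases), I would add above it: `# A list of domain names (strings) for the monitoring host. The first one names the TLS certificate and is what Grafana is told its domain is; the rest become nginx server aliases.` The enclosing function argument set starts before this hunk.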
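Review bot: `domains = monitoringDomains;` drops the previous guarantee that the certificate name was this machine's own FQDN (`${hostName}.${domain}`); from here on nothing ties the configured names to the host, and ACME issuance only works if every one of them resolves here and can answer on port 80. Since the value comes straight from a JSON config file, I would state that requirement at the point of use: `# Every name in monitoringDomains must resolve to this host; nginx requests one ACME certificate covering all of them.` The attribute set this hunk edits continues outside the hunk.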
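Review bot: `type = lib.types.listOf lib.types.str` admits an empty list, but the config section of this same module evaluates `builtins.head cfg.domains`, so `domains = []` fails with a generic "list index out of bounds" instead of a clear option error; `{ type = lib.types.nonEmptyListOf lib.types.str;` rejects it at the option boundary. The description also no longer says which element matters: `description = "The domain names at which the server is reachable. The first is used as Grafana's domain and the certificate's primary name; the rest become nginx server aliases.";`. The `options` attribute set this hunk edits continues past the hunk.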
@@ -79,13 +79,18 @@ in {
 };
 };
- config = {
+ config =
+ let
+ # We'll refer to this collection of domains by the first domain in the list.
+ domain = builtins.head cfg.domains;
+
+ in {
 # Port 80 for ACME ssl retrieval only. 443 for nginx -> grafana.
 networking.firewall.allowedTCPPorts = [ 80 443 ];
 services.grafana = {
 enable = true;
- domain = cfg.domain;
+ domain = domain;
 port = 2342;
 addr = "127.0.0.1";
@@ -144,7 +149,7 @@ in {
 is_default = true;
 send_reminder = false;
 settings = {
- username = "${cfg.domain}";
+ username = "${domain}";
 uploadImage = true;
 };
 secure_settings = {
@@ -170,7 +175,8 @@ in {
 # Only allow PFS-enabled ciphers with AES256:
 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
- virtualHosts.${config.services.grafana.domain} = {
+ virtualHosts."${domain}" = {
+ serverAliases = builtins.tail cfg.domains;
 enableACME = true;
 forceSSL = true;
 locations."/" = {
-- 
GitLab
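Review bot: `services.grafana.domain = domain;` tells Grafana only the primary name, so anything Grafana derives from its domain (its root URL, and therefore the Google OAuth redirect for the `googleOAuthClientID` wired up in the grid configs, if that is built from it — the rest of the Grafana settings are outside this hunk) will point at the first domain even when a user arrived via an alias; the aliases are only known to nginx. Worth confirming that the OAuth client's allowed redirect URIs match, and I would extend the new comment: `# We'll refer to this collection of domains by the first domain in the list; Grafana only ever sees that one, the others are served by nginx as aliases.` The `config` attribute set continues past the hunk.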
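Review bot: `serverAliases = builtins.tail cfg.domains;` together with `enableACME = true` means, if I recall the NixOS nginx module correctly, that every alias is added to the certificate as an additional name, so one certificate now covers all of `cfg.domains`; an alias that does not resolve to this host or cannot answer the HTTP-01 challenge on port 80 blocks issuance and renewal for the primary name as well. That coupling is not obvious from the vhost definition and deserves a comment next to `serverAliases`: `# Aliases are included in the ACME certificate; each must resolve to this host or issuance fails for all names.` The `virtualHosts` block continues past the hunk.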