nginx ip hidden in sops

2025-12-06 07:16:37 +03:00 · 2024-03-21 20:09:04 +03:00 · 2024-03-21 20:09:04 +03:00 · 41175885a7
parent 7cb8ec0656
commit 41175885a7
3 changed files with 46 additions and 32 deletions
--- a/hosts/intelnuc/configuration.nix
+++ b/hosts/intelnuc/configuration.nix
@ -85,10 +85,10 @@
    locations."/".extraConfig = ''
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_pass              http://123.123.123.123:3000;
+      include ${config.sops.templates."nginx-graf1.conf".path};
    '';
    locations."/api/live/ws".extraConfig = ''
-      proxy_pass http://123.123.123.123:3000;
+      include ${config.sops.templates."nginx-graf1.conf".path};
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
@ -101,10 +101,10 @@
    locations."/".extraConfig = ''
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_pass              http://123.123.123.123:3000;
+      include ${config.sops.templates."nginx-graf2.conf".path};
    '';
    locations."/api/live/ws".extraConfig = ''
-      proxy_pass http://123.123.123.123:3000;
+      include ${config.sops.templates."nginx-graf2.conf".path};
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
@ -117,7 +117,7 @@
    locations."/".extraConfig = ''
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
-      proxy_pass              http://123.123.123.123:5601;
+      include ${config.sops.templates."nginx-kibana.conf".path};
    '';
  };

--- a/hosts/intelnuc/sops.nix
+++ b/hosts/intelnuc/sops.nix
@ -3,16 +3,33 @@
 {
  sops = {
    defaultSopsFile = ../../secrets/intelnuc/main.yaml;
-    sshKeyPaths = lib.mkForce [];
-    age.sshKeyPaths = lib.mkForce [ "/home/delta/.ssh/id_ed25519" ];
+    age.sshKeyPaths = [ "/home/delta/.ssh/id_ed25519" ];
    defaultSopsFormat = "yaml";

    secrets = {
-      "myservice/my_subdir/my_secret" = {};
-    #   "nginx/graf1" = { };
-    #   "nginx/graf2" = { };
-    #   "nginx/kibana" = { };
-
+      "nginx/graf1" = { };
+      "nginx/graf2" = { };
+      "nginx/kibana" = { };
    };
+
+    templates ={
+      "nginx-graf1.conf"= {
+        content = '' proxy_pass ${config.sops.placeholder."nginx/graf1"}; '';
+        owner = "root";
+        mode = "0444";
+      };
+      "nginx-graf2.conf"= {
+        content = '' proxy_pass ${config.sops.placeholder."nginx/graf2"}; '';
+        owner = "root";
+        mode = "0444";
+      };
+      "nginx-kibana.conf"= {
+        content = '' proxy_pass ${config.sops.placeholder."nginx/kibana"}; '';
+        owner = "root";
+        mode = "0444";
+      };
+      
+    };
+
  };
 }
--- a/secrets/intelnuc/main.yaml
+++ b/secrets/intelnuc/main.yaml
@ -1,11 +1,8 @@
-#ENC[AES256_GCM,data:FaOSuGU8RwFvckoITrGacn0T8dbVLaDH0aYVXaE=,iv:L6ffjAOb40cJrVipFOL2BqUHP2HKbiG7SYOk5duJLT8=,tag:O3J8FRYlElrrCiWCHq51BA==,type:comment]
+#ENC[AES256_GCM,data:TKFsca0ngKW2E0UzOkdwYBFqzUKFF5B5+OBBs5Q=,iv:3TpoJ0ERwn5coP+QCb07eKI0bDsCCJzVncvBPNt7ZJM=,tag:wXF9PqFJ6ATe9CDAtLUUDA==,type:comment]
 nginx:
-    graf1: ENC[AES256_GCM,data:FLFAf065Lcu+e64=,iv:W/jQmUEueAVkuWFaElXVILV86n25MjRlcieUOdS73Kw=,tag:UTDfnLXBtI6kSiNkdqMTew==,type:str]
-    graf2: ENC[AES256_GCM,data:mdKFz9IMNpcfX04=,iv:34N491ELjlOlOdwpJEQNAR2mz+nrgGDnzppnyq76jeM=,tag:tLLzgjYlEpNGCISIHWEe2g==,type:str]
-    kibana: ENC[AES256_GCM,data:oiSnQzvaRYDS/44=,iv:3XlfBMd5gAu/FIbSr5nI0fHHCmwJkFHCiPXpoZB8ycw=,tag:lDcYsjdM86Bq7TE0yByAEA==,type:str]
-myservice:
-    my_subdir:
-        my_secret: ENC[AES256_GCM,data:/9KmKrM0Js5a,iv:n1xlsrjbHsiyynTjNjvPcVSQm/7YJ30S5Is7w33AKFA=,tag:WG50Y5nePaHrtijQ3muXHw==,type:str]
+    graf1: ENC[AES256_GCM,data:V2nwxbhaSZ/+yy2dxGEApWKVUBhpFSY=,iv:BaKJAt1YoDtPbforo40L49Sx2FlicgWzEV/0zGqHsE0=,tag:JcQL6WuPOTAFjJ52ym9+4w==,type:str]
+    graf2: ENC[AES256_GCM,data:VCoHvyka6Npo31w=,iv:XqkBCQZ9N4T5zKE5JmVYO1HsR1naPQtVTWoEaz/WPAA=,tag:lUunS+92Kyt3voS9b34/6Q==,type:str]
+    kibana: ENC[AES256_GCM,data:xv2K1JXWsHoIsgM=,iv:F3IFgWiMaKOIyaWclmgDpQyVtgniP7CSPu990RH2j5w=,tag:Dhe4IWXPT9InrgxnWRSaTw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -15,23 +12,23 @@ sops:
        - recipient: age15ztewc67js3aunwx8zvkdukqy8r3qswpqucjsqqnqjy3zecvacyqdxhl4y
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGa3RXMG1Jc3c1NVFCYnlO
-            bHdxc3cyYUZ6MDZKOGsxTklLbE5DTzYyLzF3CkFwRGlPNTFaYWNCbkxMcmJVVCtM
-            V0Z4RWxXVTErYUVlU05uMXNRSFZIUlUKLS0tIEtTMkcwTDhDZzdpRGtCSFpMV3Z6
-            ai9wNlRkUC9XNTlad3VkM3U5U3E3UGMKTnRsw7LstwwlELVtZcq6Yo0ClXs6BUX7
-            5AFE6q6bhdpkze0QPQLEm7hEyZ5hBIvD1T9LoAS19APd6ah6+eAHWA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvTUFkVnE1a24zSmVTVW1i
+            RGdYYWwxS1BQNTFoLzNWdVB4cFVpSEZtdDFzCkhCZE9XTTkwZDAzbCttbDVXcnhU
+            S1lrS3YwM3Z0MjNMUkxLVHp2QldRbFEKLS0tIDV5R1JjTkYvendPNFVPRUtJYkho
+            cDJiQ204czZ6RlN6VWNsNXRKWFlabHMKN4RzFvn1Fka0spPVSk7VOXEe4mlZQFJZ
+            EraNKedbc+yEjkCsliez91X8PH6bTqr/LuOPf+ZrczwcCcmjF5GhoQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1sxv5n2au0pwpvnj8qya75quz264s5jt0e9734jefng4dh2vyyqlqyuynuc
+        - recipient: age1vt6n9pgz57malqryph4nyvypr3y845fthkc704uhh0s7sqy4s97q0hffyk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1TTZWdnpidGZkeEpTa2E4
-            ZVFCR21ZMVBiM1BtNk1rV2EwZmNldG1jYmljClFNMitqT2cwbGthRGswREtoWktx
-            VmVicityeVphcWNSVFVzREE0TVBUMG8KLS0tIGxtT3ppWDBqNXpUeDhUbXFDYjQ5
-            ZkFmUUg1R0w3czMvZytud3pEajFxL00KWcIupUeVIcXhf29NAiUGmmsCminokmJM
-            +/82FhbQwvIOCU5GlZOpCLVOFWIsMiwC3OzDv64hMHxzH4TNuiulvg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxaUt0NHBTc0wySnBZajNC
+            TkNNZVZUYVpVSWQ2WGZrcFgzVU1SaUViS0g0CldkNG1QdUZmVHBPUHBQYVNSMitX
+            Vm5FT3VHNVZOVzVJV3ZGRmJBK094Z0EKLS0tIFlGOUJCNkFGamNvS1dGSjZ5UkFB
+            YmhmZ256WW1yUFV3a3RScmNoSHFsbm8KNPDePbaa5fNywlOo9VBUli76lbkTRigU
+            78jZRaQ0fKGobZ4R5lYzJWmZNDbkuEH1VG1L8PlNrbWsbcEvlDya7A==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-21T15:21:14Z"
-    mac: ENC[AES256_GCM,data:l/I2iaLLcj3q83L/eOObxN3z+zzyy8I8cJzi9b2FRzcaMUggot0l1LdPqk6KDaEfzlOPv8N1ZtwO1oYcb1JkO1/5Ga0hqBKs4yuQUrmXYjhZa6VzY7Jd1aKRTVZZtBeW2mbENVha6Co2tSRGOQNPJM64G2oIhUv3g6WdVUSCOb0=,iv:vIcmlAqBD8Z0IWnV5m/2MBXuQIl8MdRXc4c/XvUdi34=,tag:/RT/T5VuHbxrMIcaSKhPnw==,type:str]
+    lastmodified: "2024-03-21T17:02:45Z"
+    mac: ENC[AES256_GCM,data:kIYQRHj4AIRJ5It1tQXiBwEKoKjN3tmGchYDvXKVNQbA5Mi7uxVsunBcz5Nu0CGB9qa/OIJAtx8+7Cth1YEFAXfFnFD/sy8b3zKFgQJI7iB/1IxJbOsoHHcEbuoqRaZQUqrzsctZjI4v203liE9X6zalm8vovZ4As1b808Anwtk=,iv:tepGQAmydrha/hAzFJqWtEX0b2VefjfSbBgtVjdE+7o=,tag:OGawRuZ6/GCpYP7/gbAVhw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1