diff --git a/env/prod/fetchcert.cue b/env/prod/fetchcert.cue
index 4a7dee1..dec597c 100644
--- a/env/prod/fetchcert.cue
+++ b/env/prod/fetchcert.cue
@@ -27,3 +27,14 @@ fetchcert: base: f.#Fetchcert & {
 kubernetes_url: "https://kubernetes.pyrocufflink.blue:6443"
 namespace: "dch-ca"
 }
+
+fetchcert: loki: fetchcert.base & {
+ secret: "loki"
+ cert: "loki.cer"
+ key: "loki.key"
+ postupdate: """
+ install -v -o root -g 10001 -m ugo=r /etc/fetchcert/certs/loki.cer /etc/loki/server.cer
+ install -v -o root -g 10001 -m ug=r,o= /etc/fetchcert/certs/loki.key /etc/loki/server.key
+ systemctl reload loki
+ """
+}
diff --git a/host/loki0.pyrocufflink.blue.cue b/host/loki0.pyrocufflink.blue.cue
index f1d4f03..81409b1 100644
--- a/host/loki0.pyrocufflink.blue.cue
+++ b/host/loki0.pyrocufflink.blue.cue
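Review bot: The postupdate script installs the certificate, then the key, then reloads, with nothing stopping the sequence on failure, so if the second `install` fails after the first succeeded, `/etc/loki/server.cer` and `server.key` are left as a mismatched pair and `systemctl reload loki` still runs; this assumes the string is executed as a plain shell script without `set -e`, which the hunk does not show. Chaining the steps — `install … loki.cer … && install … loki.key … && systemctl reload loki` — or opening the script with `set -e` keeps the reload from running on a half-updated pair. Whether `systemctl reload loki` actually makes Loki re-read the certificate depends on the unit's ExecReload, which is outside this diff; worth confirming, since otherwise the renewed cert is not served until a restart. The hard-coded `-g 10001` deserves a CUE comment above `postupdate`, e.g. `// gid 10001: group the loki process runs as; it must be able to read server.key`.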
@@ -4,3 +4,33 @@ import (
 ssh: prod.ssh
 sudo: prod.sudo
+
+fetchcert: prod.fetchcert.loki & {
+ token: """
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNTZzeW9XeWoycVdQa092
+ N0VYL2grR0lLY1c4QXl2VHI3NmsxM253UlNVCmZLbFZWakJGVG9WakkyYmpJL1VR
+ YmVQQXRCTlhrQk9UYUE5UkRFZUlwNlkKLS0tIGg4R25ZaVhUU1BFVjdac2NqMVpQ
+ QmZRTndBalZndVF0VFpxdHBRemhNS1EKrNZG179fh2aS/3FOaM1xCHRG4uOt5jyx
+ 1m5h3Q9y2u7EbcbZHLIZR3wkQfsfscK1PS0+H0NiYAgh9u2L2kdhcLcesb3fhmSy
+ svHzW2q1ZkJ8DSwH3xCRBuKmH4Q172NcVUPzI39CgsI5SkqZdKjWnK9JJAs43Ihr
+ cM90hUN+5t50byUSzwTCmNY4xVW3N/pWMfrethCYk9E8cXts/L3A3EpgpIi3qrKn
+ gj2VfrvpHAWVcggX1rZVFlQwBg4LnPWMNztl5VRYIvwfJghykEjMlzkysLm3Q2is
+ /w+kthpBzYAvI4c1Tfx3/uMRVcWnmUgz15viKlqohVaAl9PHQ2y/te9w9D5ZtcYs
+ D33hfA7Aux9t18WJ/ru09rEJl649Al7ZxQd73upf9QrWGzkX4luHO85n8CBmcsuh
+ +ZcM1HMLiuxGCW6xyq66Eg6t/1pfPWGZtLCsFh4SRgJ6Uuq14FyU32Pkulq+yEMg
+ Sq2ZRUXU+e3M6/HcUhb+QQUTQF1wPHyEukUlecLGDd3i+xpjOrL5Eg7LjKVAv8Yj
+ 8U1yiYjgRHfdkvT27RJC/rxuf674vU8H8na3jGXrPARMqq4L4B0XkUzclJZMzSPC
+ cSTaEIgb5OpfWmMb4uC0p76vHYhr4XX3iIVpivfxaDLAgyx06D4/oXALcgjcCHWY
+ /7m5t8MbIGqluqcJLYRhSQ+G/aWiyZG3zlgRfpOIyVzQHwQwGf2CLh6ygv9n5cWP
+ Gr0ZfcyVps734gVsDNqZ3vTy4nxjTueUiUpNqRaznzxT/z7Mq9/i0s1aoWBef0PV
+ MZL0jxyMeQUfRf0DdP/iPqkTU5hxw8/yqwuu2i3TJImVQ8ga8O3InyvN577mPihE
+ EqFjRl1jZr+Uip0+SPz+CSLIgBJ8rpAo/HTpue6Oe88rYtC0437YQtcWpB3rnARD
+ uggtP70SfvS7FWFCbYy7nxZrUcDMloD5gcIYNobkWQZhGdGvXDGVxB/FT8Rg6tAU
+ EOpaSSc3wOmHpnB6qCyCJ45mb6HwRCGoZmxaG/5uWreys0R8AJsMIq8vFVAS3sDo
+ EONNYMWtlAZg8XOZcSgSnKpUF5VWlt+3HLkpwQkTBq3SvjvMd6shybPVGVNxMwbU
+ a2gey9Kv4lq8Suvvrn31DeYErGwUYy0qMwTL1a4Q8I08kMg6lqqaPotIC63RSlUu
+ SEoarQ==
+ -----END AGE ENCRYPTED FILE-----
+ """
+}
diff --git a/host/loki0.pyrocufflink.blue.post.sh b/host/loki0.pyrocufflink.blue.post.sh
index 17c32eb..b7087d9 100644
--- a/host/loki0.pyrocufflink.blue.post.sh
+++ b/host/loki0.pyrocufflink.blue.post.sh
@@ -1 +1,2 @@
 . scripts/no-coreos-default-sudo.sh
+. scripts/loki-cert.sh
diff --git a/instructions/loki0.pyrocufflink.blue.cue b/instructions/loki0.pyrocufflink.blue.cue
index 165c035..0c5cbd0 100644
--- a/instructions/loki0.pyrocufflink.blue.cue
+++ b/instructions/loki0.pyrocufflink.blue.cue
@@ -2,12 +2,14 @@ import (
 "list"
 "du5t1n.me/cfg/app/collectd"
+ "du5t1n.me/cfg/app/fetchcert"
 "du5t1n.me/cfg/app/loki"
 "du5t1n.me/cfg/env/prod"
 )
 render: list.Concat([
- collectd.templates,
- loki.templates,
 prod.templates,
+ collectd.templates,
+ fetchcert.templates,
+ loki.templates,
 ])
diff --git a/scripts/loki-cert.sh b/scripts/loki-cert.sh
new file mode 100644
index 0000000..8fe20f0
--- /dev/null
+++ b/scripts/loki-cert.sh
@@ -0,0 +1,3 @@
+if [ ! -f /host/etc/loki/server.cer ] || [ ! -f /host/etc/loki/server.key ]; then
+ systemctl start fetchcert
+fi
diff --git a/templates/loki/config.yml b/templates/loki/config.yml
index b11f2f0..0ddb22d 100644
--- a/templates/loki/config.yml
+++ b/templates/loki/config.yml
@@ -2,6 +2,9 @@ auth_enabled: false
 server:
 http_listen_port: 3100
+ http_tls_config:
+ cert_file: /etc/loki/server.cer
+ key_file: /etc/loki/server.key
 grpc_listen_port: 9096
 common:
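Review bot: The condition on the first line of scripts/loki-cert.sh only checks that `/host/etc/loki/server.cer` and `server.key` exist, so an expired or mismatched pair left by an earlier run never triggers `systemctl start fetchcert`, and the outcome of that start is never checked — because the file is sourced from the host's post.sh, a failure is silent even though Loki cannot start without the files its config now references. A one-line guard, `systemctl start fetchcert || echo "fetchcert failed: loki has no server cert/key" >&2`, at least surfaces it. The script tests paths under `/host/etc/loki` while the fetchcert postupdate and config.yml use `/etc/loki`; presumably it runs with the host root mounted at `/host`, and a comment saying so (`# host filesystem is mounted at /host; systemctl addresses the host's systemd`) would save the next reader the guess. If fetchcert has its own renewal timer the existence-only check is adequate for bootstrap, but that is not visible in this diff.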
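Review bot: `http_tls_config` protects only the HTTP listener; `grpc_listen_port: 9096` two lines below still serves gRPC in plaintext, and Loki's `server` block accepts a parallel `grpc_tls_config` with the same `cert_file`/`key_file` keys. If this is a single-binary deployment where gRPC is only reached over loopback that may be acceptable, but a comment recording the decision (`# gRPC stays plaintext: only used in-process by the single-binary deployment`) keeps it from looking like an oversight. With TLS enabled, every client of port 3100 (promtail, Grafana data sources, scrapers) must switch to https and trust the issuing CA — none of those configs are in this diff, so ingestion may break until they are updated. The key is installed readable only by root and gid 10001, so the loki process must run with that group or the listener will fail to come up.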