Diffstat (limited to '')
-rw-r--r--hosts/tahoe/secrets/acme/credentials.age7
-rw-r--r--hosts/tahoe/secrets/acme/gcp_service_account.json.agebin0 -> 2827 bytes
-rw-r--r--hosts/tahoe/secrets/secrets.nix3
-rw-r--r--modules/services/grafana/default.nix18
4 files changed, 26 insertions, 2 deletions
diff --git a/hosts/tahoe/secrets/acme/credentials.age b/hosts/tahoe/secrets/acme/credentials.age
new file mode 100644
index 0000000..5b79f73
--- /dev/null
+++ b/hosts/tahoe/secrets/acme/credentials.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 dtgBNg uA1fVGl4O/Dh2SigMhPzDfqXUBT22kIypRFyhnKTLVA
+oyJUlB0Q381w9ZdyAkQVIB+1F1cDiBkLsq6KJM5U5Rk
+-> &`(il-grease
+UYI7ukzTm4M7kZvl7qq8p/na
+--- Gno1Ou1gtlurTyiaf66uq777VPs9E8QMZ9xBtfvXSns
+_wS?(0XEYqJ36h,ѼƏelusIrv~A1gPx(`k:!:K2I}P5#򮙃ҳ)F%=\9N8@~Sa5 \ No newline at end of file
diff --git a/hosts/tahoe/secrets/acme/gcp_service_account.json.age b/hosts/tahoe/secrets/acme/gcp_service_account.json.age
new file mode 100644
index 0000000..0f99905
--- /dev/null
+++ b/hosts/tahoe/secrets/acme/gcp_service_account.json.age
Binary files differ
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
index d6b7272..71b2bd1 100644
--- a/hosts/tahoe/secrets/secrets.nix
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -4,7 +4,8 @@ let
in {
"wireguard_privatekey.age".publicKeys = [ fcuny_aptos ];
- "traefik/gcp_service_account.json.age".publicKeys = [ fcuny_aptos ];
+ "acme/credentials.age".publicKeys = [ fcuny_aptos ];
+ "acme/gcp_service_account.json.age".publicKeys = [ fcuny_aptos ];
"unifi/unifi-poller.age".publicKeys = [ fcuny_aptos ];
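Review bot: The rule for `traefik/gcp_service_account.json.age` is dropped here, but the diffstat lists no deletion under `hosts/tahoe/secrets/traefik/`, so the old ciphertext may still be in the tree with no recipients entry. A file that secrets.nix no longer names is skipped by `agenix --rekey`, so it would keep its old recipients if `fcuny_aptos` is ever rotated. If the file is still present, delete it in the same commit, and if the service-account key inside it is not the one now stored under `acme/`, revoke that key in GCP. The `let` block that defines `fcuny_aptos` is outside the hunk.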
diff --git a/modules/services/grafana/default.nix b/modules/services/grafana/default.nix
index 174ece9..bee67bd 100644
--- a/modules/services/grafana/default.nix
+++ b/modules/services/grafana/default.nix
@@ -1,5 +1,7 @@
{ config, lib, pkgs, ... }:
-let cfg = config.my.services.grafana;
+let
+ cfg = config.my.services.grafana;
+ secrets = config.age.secrets;
in {
options.my.services.grafana = with lib; {
enable = mkEnableOption "grafana observability stack";
@@ -29,6 +31,20 @@ in {
};
};
+ services.nginx.virtualHosts."dash.fcuny.xyz" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9090";
+ proxyWebsockets = true;
+ };
+ };
+
+ security.acme.certs."dash.fcuny.xyz" = {
+ dnsProvider = "gcloud";
+ credentialsFile = secrets."acme/credentials".path;
+ };
+
my.services.backup = { paths = [ "/var/lib/grafana" ]; };
};
}
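Review bot: The `locations."/"` block for `dash.fcuny.xyz` forwards every request to `http://127.0.0.1:9090` with no restriction at the nginx layer, so whatever listens on that port is the only thing authenticating traffic from the internet. 9090 is the Prometheus default rather than Grafana's 3000, and the lines that set Grafana's port lie between the two hunks and are not visible. Confirm that it is Grafana, with anonymous access off, that listens there, because Prometheus has no authentication by default. If the dashboard is only meant for known networks, add `extraConfig = "allow <trusted-cidr>; deny all;";` to the location, where `<trusted-cidr>` is a placeholder for your own range.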