diff --git a/.env b/.env
new file mode 100644
index 0000000..56c38a2
--- /dev/null
+++ b/.env
@@ -0,0 +1,8 @@
+# Production environment — DO NOT COMMIT
+DB_HOST=db.nexus.local
+DB_USER=nexus_app
+DB_PASS=
+API_TOKEN=FHIDWCTF2026{ghost-in-the-machine_dangling_c0mm1t_surv1v3s}
+VAULT_ADDR=https://vault.nexus.local
+VAULT_TOKEN=
+AWS_REGION=eu-central-1
diff --git a/scripts/rotate-certs.sh b/scripts/rotate-certs.sh
new file mode 100755
index 0000000..0329bd6
--- /dev/null
+++ b/scripts/rotate-certs.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Renew and deploy TLS certificates via certbot + Vault.
+set -euo pipefail
+
+DOMAINS=("nexus.local" "*.nexus.local")
+EMAIL="infra@nexus.local"
+
+for DOMAIN in "${DOMAINS[@]}"; do
+ certbot certonly --dns-route53 \
+ -d "$DOMAIN" \
+ --email "$EMAIL" \
+ --agree-tos \
+ --non-interactive
+done
+
+echo "[certs] Renewed. Reloading nginx..."
+systemctl reload nginx
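Review bot: The new `.env` commits a populated `API_TOKEN` value even though its own first line says "DO NOT COMMIT"; once a secret is in history it stays reachable through the object store even after a later commit removes the file, so it should be treated as exposed and rotated rather than just deleted. Drop `.env` from the commit, add `.env` to `.gitignore`, and commit an `.env.example` with every value empty (the `DB_PASS=` and `VAULT_TOKEN=` lines already show that pattern). The values here also look like placeholders for a secret-manager lookup (`VAULT_ADDR` is set), so the runtime should read them from Vault or the environment, not from a tracked file.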
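Review bot: The header comment `# Renew and deploy TLS certificates via certbot + Vault.` describes a Vault step that the script never performs — the body only runs `certbot certonly` per domain and then reloads nginx — so either the comment or the script is incomplete; if the comment is what should change, `# Renew TLS certificates via certbot (Route53 DNS challenge) and reload nginx.` matches what the code does. `systemctl reload nginx` also runs unconditionally after the loop, so nginx is reloaded on every run even when certbot found nothing due for renewal; moving the reload into certbot with `--deploy-hook 'systemctl reload nginx'` on the `certbot certonly` line limits it to runs that actually produced a certificate. Since `echo` precedes the reload, a failed reload under `set -e` still prints "Renewed" first; printing after the reload succeeds, or to stderr, avoids a misleading log line.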