add bind and onepassword-connect services and enable them on telperion

Joseph Hanson 2024-07-07 12:27:41 -05:00
parent 3dbd439dc4
commit 2a059a848d
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
7 changed files with 226 additions and 1 deletions


@ -0,0 +1,27 @@
{config, ...}:
''
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
acl trusted {
10.33.44.0/24; # LAN
10.1.1.0/24; # Servers
10.1.2.0/24; # Trusted
10.1.3.0/24; # IoT
10.1.4.0/24; # Video
};
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
allow-query {
trusted;
};
};
''
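Review bot: The rule `grant externaldns zonesub ANY;` in `update-policy` lets the externaldns TSIG key add, change or delete almost every record type in jahanson.tech., including NS and MX records. That is more than a DNS automation key normally needs. If the key only publishes service records, narrowing the rule to the types in use, for example `grant externaldns zonesub A AAAA CNAME TXT;`, limits what a leaked key can do. The `trusted` ACL also admits the IoT and Video subnets for queries; if that is intended, a short comment saying so would help the next reader.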


@ -42,9 +42,41 @@
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
secrets = {
"bind/rndc-keys/externaldns" = {
owner = config.users.users.named.name;
inherit (config.users.users.named) group;
sopsFile = ./secrets.sops.yaml;
};
"bind/zones/jahanson.tech" = {
owner = config.users.users.named.name;
inherit (config.users.users.named) group;
sopsFile = ./secrets.sops.yaml;
};
"1password-credentials.json" = {
mode = "0444";
sopsFile = ./secrets.sops.yaml;
};
};
};
# System settings and services.
mySystem = {
purpose = "Production";
system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
services = {
podman.enable = true;
onepassword-connect = {
enable = true;
credentialsFile = config.sops.secrets."1password-credentials.json".path;
};
bind = {
enable = true;
extraConfig = import ./config/bind.nix { inherit config; };
};
};
};
}
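Review bot: `mode = "0444"` on `"1password-credentials.json"` makes the decrypted 1Password Connect credentials readable by every local user and process on the host. The onepassword-connect module in this commit chowns its data directory to 999:999, so the mode was presumably widened so the container user can read the file. Assigning the secret to that user and keeping it private, e.g. `owner = "<uid-999-user>"; mode = "0400";` (placeholder name), keeps it usable without exposing it. The comment above `secrets` still says values are mounted at /run/secrets/rndc_keys and are root-only, which matches none of the three entries added here. The enclosing attribute set starts outside the hunk.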


@ -0,0 +1,75 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:tbTPdoM/ZdPlaYVBqKyfE99XheKnzKLIAi82PyztSREuzTacTSh5cM3y4Q==,iv:LgTqAJsNcC5cyaBxU5P6qLKbj5nkCbOwhz4ilKuWBd4=,tag:hGnt8ERvVo5VOzTJLM60MA==,type:str]
1password-credentials.json: ENC[AES256_GCM,data:AksPI4SvhUUYxccYBYHp+GCkBSofzVBO2oPQus36QbX8ea+QU4RC41sSTj3j3807byYy2GqZq0PEr43xVFYBLwWZOEIuYKqwBcObYiXWjrNZA76LIVHYpYtI0NnRIuqYYIQ0Q5a2fwHheTX9ntvkiWCKYMSzkijsla7AHYgKwOnufYnnfnLUddjZBC85Y9HsP2/a735LWXaJsxJj687ugA6lGcowZkYZRq5VGu6c8Z+3Qf4L+vVkrwJk0t1UgwbMVkiY9MdVHfsaoOVd6cFi8WPjGTFN5qQXytfXlJH/NfXD5ONFzFlPzFppUqollUnduOfQiw4AdjD0imNLFHySk4sHEx2tIEn8EbYjzrYzAYP8u1zAtkGvVDzUf136vWSHAgcEifw7erZH8CqJfJDk/kKt29vWk+rZTduRkFJmjRXAKsWeb52GlhsQ2i3EznLvNmQH0n3ISMi6HLwKF6Ftfq+G2OiJaCu+uQdPGzXbM4zSI5dV4N/JjKipWjZUZH3qck+9oF5OeTK1NpiuQ2hryF7+TfxYzQo7qDwn9wlekmA0ZtB2eHQxltTD0gXehg6h+xyxoatU39K/43afZmlMTb8D89NDgGGbyg9QZuUFC33ML9diFtKGFmiaOsLW2tRDLSueKHRBrpJ62/Fk9kee1h0giBb2zd8w7sDwwSsxkk0i6Fo7FxKE0IwPc8hjaWdjf+poB/HFHhaPcU40KUd4i78HMf7SgncdA2PKSG2D3SxHHGjsPzOE0RSjKemArTg/qNi48A9AVfxQwykyXeVGktYsWI/F9YyT5kkUqetoJEWXvQMRrtK7C9pNQ18BrE5XMIJSQGqivTiuOIfj7BgLnOH727CeJeFrqyfHL291C+C3r7kTCVCo+4JuwvDAAlQSrCgwpnEscOOIgcDSTn2g9FezWMI4zrokFRHpEt9EklViIrChEzh9ToK4WO8nTggFxcGA9BSm1TuaKmes9l5xydJIDZP2amJT2o2JwioUN5aJ9FM7i6YTpxI8eJOM1zR2GvJa9omL+vVCQqA/oEmrkSgFqvWYRjc30k1ri+0OpYp8g5jyvyCiU5BjXK/52I1kpO/svkx9YaPyyV1phGwaBu6DAn2CTYLYn4BOz+3Xn5b0dhsN1FdjIYjftReDWbrHPotQRL0yWR5HlIGdHoniW0D6wj1/EX46DmEaIjXpqYQLeyT1oVIhy6tt6llrI4GUc9Stnjl3xLX1WAVn6A8pAWDO5h7Yh6qimY/5PwJhyqzhCq7ys0eIag9tq7+51DukiY47O9tt2J+kwhqHMTG0oU9ApJAaYEj6JHTH6FBiYl4kFU5dngWyAmiULgdWHrZwz2011ZWP9zvlvcvT6596WYg6S3+F+/1LKPE1pN4yeaTf6i00xn6dhrj1JSGU7duD+E+loeIOreEmlhk9gEcgcVuzr9SChSvp0d1BBkoPjQg=,iv:6VmRvje3POZLN4gWwCsvFe8emDJRxrJl0Kvdhd1Bhgw=,tag:xiBUM/eU/dNIVmxcDHlNyg==,type:str]
bind:
rndc-keys:
main: ENC[AES256_GCM,data:lhBcakmH2jS33ImdyWC3udEK7J+HfYhga9QSk/KoSS+bMDZovnzhXBc1bzspBxeXomF8yjLvMvQP7xnVA97Sis5wT9PGDgmi88X21RpqA42V+iYvGYIdFidC+9WNp3DEhubYEwpt,iv:oNkrl7bLCIWIdLlGoe6zFq/ZDlvWDRQXwUpAVtFWoc4=,tag:2MVxVeFhTfWcgkOs/14nQw==,type:str]
externaldns: ENC[AES256_GCM,data:WFJ0tzI8mzOt0wFvI4PwxQHtzho0Kai/S2ihgG5hjEn5wPAS3ToFOFrjYu4uKWAHqxwOmTu823Is194F9Encu2MvNn6/6vatDVWR2M4K3srIkzKQVBGltgor8K2foBaHyBMBIM0OMUWV,iv:2ZzmMErrSNct+fQanTmBiRmkGDriKFEIRAJN+PelmEk=,tag:Y8y4fnZzdJm1zs/Jey+XCw==,type:str]
zones:
jahanson.tech: ENC[AES256_GCM,data:5cRXJyv5FAZw3WveJE2y0N8tAkkPECti73ZRDevZRKSzCblcPXyGry+nxq+tEhPj5c5yiUmKbi2z7LQEu97yDwhdTVNYfk4tZpCachzfE5h9IZo8TW94RGPErkVcq8D/SpLrVItT8mNEfTn93Z0WwM0iZ3tmNdEwfpUvvrYLYFwbE7avLbSU5cSOrjx9vYdqRCR6ON7AjOqywr03V+ecPZIw1kp7YrSI2wQTpX3baS9HD8oZZpaK06UB9hCui5ouF1UHL7+/oy1AdhHsixliw4itM/RjhNETLEdOX8vzsqVNBjY8ukHQc81F+0FPXo36umaLjSa54ZATXJwNETz5J0M73/G6ydaHE5oHlJ75QfCnyqSrNb7oWy1F5bAnPFHQa3rSGWotvF9FRfG96CJaNyjEgGMVTgyDpw8/N2dvXp/zLLW67/t83cNn65RSBafVQaKcXFRqntMXqtlmtrzPWzI9B97S7EAXMOEztMdBd5y1znQ50Q7pFG0Nde96zhLLj109BpkSXd/6vn28J/V1m216eTvd7R4rRc/KmiTh82XKnJUIJomsG45j5PRM0ZESIGV0QuCmOYhth1nnWzxMF2WPEFJRdHYYqZqnK1TcQntVlFp1eumw+S4actU/skvPtqGOU38OaOTX4DyIHhvIH2Qwre+u3QbQafqphWG7dDTY8XBdbnKcQds/33ouqo3RpfWG8+1AVpyowDimRUzmyu2aN8XLjoM5FvLj6ilEVJ2g544Dt+lLPGIivYz8xi8OaNP+qXe23Bviq5y+PgVkSblabXvNI9Uqnxw4IExpoicaBi7ZpAjDOLuvdfF+N2rgOAw0KMfE/o8Un0BPZT0xsTygYUO1W0+pya/bRK7Y91i8u7X3cBgyHJRxn2HIRakhyRq064IWP8JMdkkpaJ8Ihd/yzD4d8+0dKGYrhbINUpM70onOg1/XtivNnx8zL9Q7MmusT2tL6nUHbC3s7TdHxjRvKipZvF2FmoS3bUypHnXTbnLJZAyYgtvPCd/dvDNimAIK9g9u1NtjNuDaj3u4ba1JczFAuCyHvgQjxdGvE22Ep4WHd4VCNLyskwS9kFHARBQDW6vwrn1VKZWqnwqZYDm8NUawoNoNFSaXc/ujdEzK3OuikqOipvEKgp0x9f+raWce64PSdEItMDcMP44FygE=,iv:gQVkoHtZJlyWtF7Ka7bNa36FHC4fpSLK4VY19QHrONo=,tag:WWEIvLgWxt5jACJzdSMB+w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dVRKK1ppRjZkQzRPaTdM
Y1RzbXE0WHd2dGtHc0F6cU15NTVqUkpvd3pvCkhOeDZBOVFZWWRxVjVkcnZsNXA1
amJLcVR0K2cvd0xJeVVuQnVVaWFxU28KLS0tIGpYOExjb25kVUJqMUVGK2xrUm5a
ZG5XRzdMdDRiWEUyclZIakJTOXJrTFkKu2n5cgJ+VxueuV0zHScBp6r7YlTuTSOd
RV23RsqKfzkyMLM49xWSLuYf2RRjZ0YHBq+BIZW8AAJ3MTvaSWgudQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nuj9sk2k8ede06f8gk5twdlc593uuc7lll2dvuy20nxw9zn97u5swrcjpj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlVFeHBoaTVvWUVpbHlU
S0FjcU9XSmZkZUZ0RVNlSldLTllaKzZMMXg0CmJPTEhlOUFPaFgxRUQwN3I3dUZ5
TjI3OEZIU3ZEbU9MK2REVWZGcEpONjQKLS0tIFdEMVY3TU5wVnYyYUhaNFA0TWl3
cU1NQ2VqSEkxQ21aUklkRUJhRXNIcWMKbR3qS/GhSw8vKVvSl2WZzYNf0eC3jbNc
FP4afeqQZ20X+9hZyFO8jb0cYrbRQoKug8CjMkFChve+ekI6ohjRdg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWUFJZDRtTWQ2ME1ORnR6
MWpZN3U0aWlZQlJFcUh0K2MxK2doWG9nR0JVCjFHT2J5VW5ZOS9pN3YrWmkvTThy
d1JJYmNmQjRaZXV3aXR0M1kwOEhHQ0kKLS0tIE9CNVUzOG16QXNkd1VSbS9SUkow
MXFJQ3BTNllIKzlOZTg5KzlwRHl1RUUKj0MnUS3U9o12RmodiKEYG2pc6ds2BbZl
8vgzhWf0ZhzEBHRFlfD2qNyNXSE2bJO8dZllrUJ43ZMY1xUtR+zjiA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMGJlSE4vUjZBaVZWZW9K
RDQwSTZjV0FkeXVpMnBWb2krbXpKNWpVaGs0CkRkZDBiZlNaSGxZVlVzRnZ6R0pj
U1JPemdjN2Y4YUZlMzBhV1k4dU84VFEKLS0tIG03VXJVY1lnN21BZ1ErNnZRaEd5
QVRyQktKUlhrQWdDc0dOZkdCOHZYNzAK5mz2bFjMPnWLRArxOFSf/1AFrIB2FQou
cx/+EDLua01mVlMF3yBuTBvTM475MBoD+seppKRezry/AU9ofmh2gg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZ0MvcFdaUG1jakFlcWor
ZGxmbjkxbnZOYUFnOFF1TExxdTlpSlFlNmhRCmhhNGRIVHM2MHBuc0FyRllEZGsy
bzZOcFFSY0J6WnNvVEV5ZnZMVk4ySDQKLS0tIE53eUxIRVk2ZzhkY1M1c0szSndz
cGI5Y0NyVXpPditxU2pmbHZWcGVlVjAKtoM9Xt5H5PTkEqhjZH9MKTt+tlMwbHxD
+Ig0n95JYYzuR4KtSeMFIS6R9uxyFXVtre5RVI+Gw5rCT/inJfMAYg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKc2gvU3lSNE5pbHZ2MmdK
YzIyTXhhbVhtQ1dyZTZmOGhpdE5mL1ZZR0RnCnAwVFhUV3JYUXlGN3lha2ErRDFa
dm85dDN5MStHbjRRUmdXc2JmbXNkSFEKLS0tIFhwMEJtZXg2WVFZSC8rTlpwWDl1
RmdXR1ljY0NXOW1mNkxxcFFwUnV1bTAKm4J3pfDnG3/+Si+GqCYgwMgEma75J2fN
w568D0AP/sIYFMBk717rjQN76vZ6GJU5LIWC0nVtyyL2TEffc8+H0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-07T17:07:12Z"
mac: ENC[AES256_GCM,data:EgmgDOS1shuK42RN5XVy/CZt6u3mg16P15bteLV6WbNZCY2ztnfrPY6xd77meim8PTk85Dpg7orLy/SjJrDrVeEBqMmskdrWMiy/Vdty40VCp+N4C/y8KpSzqHrEFSsVbW9SfrnOBPiW3OlZXuASwZkOkl6sFHiBi4MXn0lpgFk=,iv:Z3xqS7RCpul0ul88ard5sYKZqbHR9Jz4sy4qifUg9MY=,tag:7qPNN0CvvPd3IE1DQHyTtA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1


@ -0,0 +1,38 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.services.bind;
serviceUser = "named";
in
{
options.mySystem.services.bind = {
enable = mkEnableOption "bind";
package = mkPackageOption pkgs "bind" { };
extraConfig = mkOption {
type = types.string;
};
};
config = mkIf cfg.enable {
# Forces the machine to use the resolver provided by the network
networking.resolvconf.useLocalResolver = mkForce false;
# Enable bind with domain configuration
services.bind = {
enable = true;
inherit (cfg) package;
extraConfig = cfg.extraConfig;
};
# Clean up journal files
systemd.services.bind = {
preStart = mkAfter ''
rm -rf ${config.services.bind.directory}/*.jnl
'';
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = mkIf config.mySystem.system.impermanence.enable {
directories = [ services.bind.directory ];
};
};
}
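Review bot: `directories = [ services.bind.directory ];` refers to a bare `services`, which is bound neither by the function arguments nor by the `let`, and `with lib;` is unlikely to supply it. Evaluation should therefore fail as soon as impermanence is enabled; the line should read `directories = [ config.services.bind.directory ];`. `types.string` is deprecated in nixpkgs, and `types.lines` or `types.str` is the usual replacement for `extraConfig`. In `preStart`, `rm -rf` with an unquoted directory is broader than needed to delete journal files; `rm -f "${config.services.bind.directory}"/*.jnl` does the same job. A comment there should also say that removing the journal discards dynamic updates not yet written back to the zone file.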


@ -1,8 +1,10 @@
{
imports = [
./bind
./cockpit
./forgejo
./nginx
./onepassword-connect
./podman
./postgresql
./radicale


@ -0,0 +1,52 @@
{ lib, config, pkgs, ... }:
with lib;
let
cfg = config.mySystem.services.onepassword-connect;
in
{
options.mySystem.services.onepassword-connect = {
enable = mkEnableOption "onepassword-connect";
credentialsFile = lib.mkOption {
type = lib.types.path;
};
dataDir = lib.mkOption {
type = lib.types.path;
default = "/var/lib/onepassword-connect/data";
};
};
config = mkIf cfg.enable {
# Create data dir
system.activationScripts.makeOnePasswordConnectDataDir = lib.stringAfter [ "var" ] ''
mkdir -p "${cfg.dataDir}"
chown -R 999:999 ${cfg.dataDir}
'';
# Enable onepassword-connect containers.
virtualisation.oci-containers.containers = {
onepassword-connect-api = {
image = "docker.io/1password/connect-api:1.7.2";
autoStart = true;
ports = [ "8080:8080" ];
volumes = [
"${cfg.credentialsFile}:/home/opuser/.op/1password-credentials.json"
"${cfg.dataDir}:/home/opuser/.op/data"
];
};
onepassword-connect-sync = {
image = "docker.io/1password/connect-sync:1.7.2";
autoStart = true;
ports = [ "8081:8080" ];
volumes = [
"${cfg.credentialsFile}:/home/opuser/.op/1password-credentials.json"
"${cfg.dataDir}:/home/opuser/.op/data"
];
};
};
environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
directories = [ cfg.dataDir ];
};
};
}
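Review bot: `ports = [ "8080:8080" ]` and `ports = [ "8081:8080" ]` publish the connect-api and connect-sync containers on every host interface, so any network that can reach the host can talk to a service that fronts the 1Password vaults. Whether a firewall narrows this is not visible in this commit. If only local consumers need it, bind to loopback with `ports = [ "127.0.0.1:8080:8080" ]`, or expose the listen address as a module option. The credentials bind mount can be made read-only by appending `:ro` to the volume string, since presumably neither container needs to write that file. `chown -R 999:999 ${cfg.dataDir}` also leaves the path unquoted while the `mkdir` line above it quotes it.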


@ -47,5 +47,4 @@ in
users.groups.kah = { };
users.users.jahanson.extraGroups = [ "kah" ];
};
}