add bind and onepassword-connect services and enable them on telperion
This commit is contained in:
parent
3dbd439dc4
commit
2a059a848d
7 changed files with 226 additions and 1 deletions
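--- a/nixos/hosts/telperion/config/bind.nix
+++ b/nixos/hosts/telperion/config/bind.nix
@@ -0,0 +1,27 @@
+{config, ...}:
+''
+include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
+
+acl trusted {
+  10.33.44.0/24; # LAN
+  10.1.1.0/24; # Servers
+  10.1.2.0/24; # Trusted
+  10.1.3.0/24; # IoT
+  10.1.4.0/24; # Video
+};
+
+zone "jahanson.tech." {
+  type master;
+  file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
+  journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
+  allow-transfer {
+    key "externaldns";
+  };
+  update-policy {
+    grant externaldns zonesub ANY;
+  };
+  allow-query {
+    trusted;
+  };
+};
+''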
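Review bot: The zone's `file` points at the sops-managed secret path while `journal` lives in the bind directory, and the module's preStart in nixos/modules/nixos/services/bind/default.nix removes `*.jnl` on every start; if the secret path is not writable by named (sops-nix mounts secrets read-only by default, as far as I recall), the records added through `update-policy` survive only in the journal and are discarded on each restart. Either keep the journal out of the cleanup or point `file` at a writable copy seeded from the secret, and record the intent with a comment such as `# zone file is read-only; dynamic updates live only in the journal`. Separately, the `trusted` ACL that gates `allow-query` includes the IoT and Video ranges; if that is deliberate, a comment saying so would help, since the ACL name suggests otherwise.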
|
@ -42,9 +42,41 @@
|
|||
|
||||
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
|
||||
|
||||
sops = {
|
||||
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
|
||||
secrets = {
|
||||
"bind/rndc-keys/externaldns" = {
|
||||
owner = config.users.users.named.name;
|
||||
inherit (config.users.users.named) group;
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
};
|
||||
"bind/zones/jahanson.tech" = {
|
||||
owner = config.users.users.named.name;
|
||||
inherit (config.users.users.named) group;
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
};
|
||||
"1password-credentials.json" = {
|
||||
mode = "0444";
|
||||
sopsFile = ./secrets.sops.yaml;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# System settings and services.
|
||||
mySystem = {
|
||||
purpose = "Production";
|
||||
system.motd.networkInterfaces = [ "enp2s0" "wlp3s0" ];
|
||||
|
||||
services = {
|
||||
podman.enable = true;
|
||||
onepassword-connect = {
|
||||
enable = true;
|
||||
credentialsFile = config.sops.secrets."1password-credentials.json".path;
|
||||
};
|
||||
bind = {
|
||||
enable = true;
|
||||
extraConfig = import ./config/bind.nix { inherit config; };
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
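Review bot: `mode = "0444"` on `"1password-credentials.json"` makes the Connect credentials readable by every local account on the host, not only by the container uid that bind-mounts it. Since the onepassword-connect module chowns its data dir to 999:999, a narrower option is a matching host user/group with `owner`/`group` on the secret and the default mode, or at least `mode = "0440"` with a dedicated group. The comment at the top of the `sops` block refers to `/run/secrets/rndc_keys`, which does not match the `bind/rndc-keys/...` secret names below it; something like `# sops secrets are mounted under /run/secrets/<name>, root-only unless owner/mode is set` would be accurate. The enclosing attribute set begins before this hunk.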
|
75
nixos/hosts/telperion/secrets.sops.yaml
Normal file
75
nixos/hosts/telperion/secrets.sops.yaml
Normal file
|
@ -0,0 +1,75 @@
|
|||
lego:
|
||||
dnsimple:
|
||||
token: ENC[AES256_GCM,data:tbTPdoM/ZdPlaYVBqKyfE99XheKnzKLIAi82PyztSREuzTacTSh5cM3y4Q==,iv:LgTqAJsNcC5cyaBxU5P6qLKbj5nkCbOwhz4ilKuWBd4=,tag:hGnt8ERvVo5VOzTJLM60MA==,type:str]
|
||||
1password-credentials.json: ENC[AES256_GCM,data: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,iv:6VmRvje3POZLN4gWwCsvFe8emDJRxrJl0Kvdhd1Bhgw=,tag:xiBUM/eU/dNIVmxcDHlNyg==,type:str]
|
||||
bind:
|
||||
rndc-keys:
|
||||
main: ENC[AES256_GCM,data:lhBcakmH2jS33ImdyWC3udEK7J+HfYhga9QSk/KoSS+bMDZovnzhXBc1bzspBxeXomF8yjLvMvQP7xnVA97Sis5wT9PGDgmi88X21RpqA42V+iYvGYIdFidC+9WNp3DEhubYEwpt,iv:oNkrl7bLCIWIdLlGoe6zFq/ZDlvWDRQXwUpAVtFWoc4=,tag:2MVxVeFhTfWcgkOs/14nQw==,type:str]
|
||||
externaldns: ENC[AES256_GCM,data:WFJ0tzI8mzOt0wFvI4PwxQHtzho0Kai/S2ihgG5hjEn5wPAS3ToFOFrjYu4uKWAHqxwOmTu823Is194F9Encu2MvNn6/6vatDVWR2M4K3srIkzKQVBGltgor8K2foBaHyBMBIM0OMUWV,iv:2ZzmMErrSNct+fQanTmBiRmkGDriKFEIRAJN+PelmEk=,tag:Y8y4fnZzdJm1zs/Jey+XCw==,type:str]
|
||||
zones:
|
||||
jahanson.tech: ENC[AES256_GCM,data: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,iv:gQVkoHtZJlyWtF7Ka7bNa36FHC4fpSLK4VY19QHrONo=,tag:WWEIvLgWxt5jACJzdSMB+w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4dVRKK1ppRjZkQzRPaTdM
|
||||
Y1RzbXE0WHd2dGtHc0F6cU15NTVqUkpvd3pvCkhOeDZBOVFZWWRxVjVkcnZsNXA1
|
||||
amJLcVR0K2cvd0xJeVVuQnVVaWFxU28KLS0tIGpYOExjb25kVUJqMUVGK2xrUm5a
|
||||
ZG5XRzdMdDRiWEUyclZIakJTOXJrTFkKu2n5cgJ+VxueuV0zHScBp6r7YlTuTSOd
|
||||
RV23RsqKfzkyMLM49xWSLuYf2RRjZ0YHBq+BIZW8AAJ3MTvaSWgudQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1nuj9sk2k8ede06f8gk5twdlc593uuc7lll2dvuy20nxw9zn97u5swrcjpj
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlVFeHBoaTVvWUVpbHlU
|
||||
S0FjcU9XSmZkZUZ0RVNlSldLTllaKzZMMXg0CmJPTEhlOUFPaFgxRUQwN3I3dUZ5
|
||||
TjI3OEZIU3ZEbU9MK2REVWZGcEpONjQKLS0tIFdEMVY3TU5wVnYyYUhaNFA0TWl3
|
||||
cU1NQ2VqSEkxQ21aUklkRUJhRXNIcWMKbR3qS/GhSw8vKVvSl2WZzYNf0eC3jbNc
|
||||
FP4afeqQZ20X+9hZyFO8jb0cYrbRQoKug8CjMkFChve+ekI6ohjRdg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWUFJZDRtTWQ2ME1ORnR6
|
||||
MWpZN3U0aWlZQlJFcUh0K2MxK2doWG9nR0JVCjFHT2J5VW5ZOS9pN3YrWmkvTThy
|
||||
d1JJYmNmQjRaZXV3aXR0M1kwOEhHQ0kKLS0tIE9CNVUzOG16QXNkd1VSbS9SUkow
|
||||
MXFJQ3BTNllIKzlOZTg5KzlwRHl1RUUKj0MnUS3U9o12RmodiKEYG2pc6ds2BbZl
|
||||
8vgzhWf0ZhzEBHRFlfD2qNyNXSE2bJO8dZllrUJ43ZMY1xUtR+zjiA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMGJlSE4vUjZBaVZWZW9K
|
||||
RDQwSTZjV0FkeXVpMnBWb2krbXpKNWpVaGs0CkRkZDBiZlNaSGxZVlVzRnZ6R0pj
|
||||
U1JPemdjN2Y4YUZlMzBhV1k4dU84VFEKLS0tIG03VXJVY1lnN21BZ1ErNnZRaEd5
|
||||
QVRyQktKUlhrQWdDc0dOZkdCOHZYNzAK5mz2bFjMPnWLRArxOFSf/1AFrIB2FQou
|
||||
cx/+EDLua01mVlMF3yBuTBvTM475MBoD+seppKRezry/AU9ofmh2gg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1z3vjvkead2h934n3w4m5m7tg4tj5qlzagsq6ly84h3tcu7x4ldsqd3s5fg
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZ0MvcFdaUG1jakFlcWor
|
||||
ZGxmbjkxbnZOYUFnOFF1TExxdTlpSlFlNmhRCmhhNGRIVHM2MHBuc0FyRllEZGsy
|
||||
bzZOcFFSY0J6WnNvVEV5ZnZMVk4ySDQKLS0tIE53eUxIRVk2ZzhkY1M1c0szSndz
|
||||
cGI5Y0NyVXpPditxU2pmbHZWcGVlVjAKtoM9Xt5H5PTkEqhjZH9MKTt+tlMwbHxD
|
||||
+Ig0n95JYYzuR4KtSeMFIS6R9uxyFXVtre5RVI+Gw5rCT/inJfMAYg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKc2gvU3lSNE5pbHZ2MmdK
|
||||
YzIyTXhhbVhtQ1dyZTZmOGhpdE5mL1ZZR0RnCnAwVFhUV3JYUXlGN3lha2ErRDFa
|
||||
dm85dDN5MStHbjRRUmdXc2JmbXNkSFEKLS0tIFhwMEJtZXg2WVFZSC8rTlpwWDl1
|
||||
RmdXR1ljY0NXOW1mNkxxcFFwUnV1bTAKm4J3pfDnG3/+Si+GqCYgwMgEma75J2fN
|
||||
w568D0AP/sIYFMBk717rjQN76vZ6GJU5LIWC0nVtyyL2TEffc8+H0g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-07-07T17:07:12Z"
|
||||
mac: ENC[AES256_GCM,data:EgmgDOS1shuK42RN5XVy/CZt6u3mg16P15bteLV6WbNZCY2ztnfrPY6xd77meim8PTk85Dpg7orLy/SjJrDrVeEBqMmskdrWMiy/Vdty40VCp+N4C/y8KpSzqHrEFSsVbW9SfrnOBPiW3OlZXuASwZkOkl6sFHiBi4MXn0lpgFk=,iv:Z3xqS7RCpul0ul88ard5sYKZqbHR9Jz4sy4qifUg9MY=,tag:7qPNN0CvvPd3IE1DQHyTtA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
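--- a/nixos/modules/nixos/services/bind/default.nix
+++ b/nixos/modules/nixos/services/bind/default.nix
@@ -0,0 +1,38 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.mySystem.services.bind;
+  serviceUser = "named";
+in
+{
+  options.mySystem.services.bind = {
+    enable = mkEnableOption "bind";
+    package = mkPackageOption pkgs "bind" { };
+    extraConfig = mkOption {
+      type = types.string;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Forces the machine to use the resolver provided by the network
+    networking.resolvconf.useLocalResolver = mkForce false;
+
+    # Enable bind with domain configuration
+    services.bind = {
+      enable = true;
+      inherit (cfg) package;
+      extraConfig = cfg.extraConfig;
+    };
+
+    # Clean up journal files
+    systemd.services.bind = {
+      preStart = mkAfter ''
+        rm -rf ${config.services.bind.directory}/*.jnl
+      '';
+    };
+
+    environment.persistence."${config.mySystem.system.impermanence.persistPath}" = mkIf config.mySystem.system.impermanence.enable {
+      directories = [ services.bind.directory ];
+    };
+  };
+}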
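Review bot: `directories = [ services.bind.directory ];` references `services` without `config.`; nothing in scope defines it, so the impermanence branch will fail with a missing-attribute error once `mySystem.system.impermanence.enable` is true (under `mkIf` it is simply not evaluated until then). Change it to `directories = [ config.services.bind.directory ];`. `type = types.string;` on `extraConfig` is the deprecated string type; `types.lines` (which I believe is what `services.bind.extraConfig` itself uses) or `types.str` avoids the deprecation warning. `serviceUser` is bound but never used in this file.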
|
@ -1,8 +1,10 @@
|
|||
{
|
||||
imports = [
|
||||
./bind
|
||||
./cockpit
|
||||
./forgejo
|
||||
./nginx
|
||||
./onepassword-connect
|
||||
./podman
|
||||
./postgresql
|
||||
./radicale
|
||||
|
|
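--- a/nixos/modules/nixos/services/onepassword-connect/default.nix
+++ b/nixos/modules/nixos/services/onepassword-connect/default.nix
@@ -0,0 +1,52 @@
+{ lib, config, pkgs, ... }:
+with lib;
+let
+  cfg = config.mySystem.services.onepassword-connect;
+in
+{
+  options.mySystem.services.onepassword-connect = {
+    enable = mkEnableOption "onepassword-connect";
+    credentialsFile = lib.mkOption {
+      type = lib.types.path;
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/var/lib/onepassword-connect/data";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # Create data dir
+    system.activationScripts.makeOnePasswordConnectDataDir = lib.stringAfter [ "var" ] ''
+      mkdir -p "${cfg.dataDir}"
+      chown -R 999:999 ${cfg.dataDir}
+    '';
+
+    # Enable onepassword-connect containers.
+    virtualisation.oci-containers.containers = {
+      onepassword-connect-api = {
+        image = "docker.io/1password/connect-api:1.7.2";
+        autoStart = true;
+        ports = [ "8080:8080" ];
+        volumes = [
+          "${cfg.credentialsFile}:/home/opuser/.op/1password-credentials.json"
+          "${cfg.dataDir}:/home/opuser/.op/data"
+        ];
+      };
+
+      onepassword-connect-sync = {
+        image = "docker.io/1password/connect-sync:1.7.2";
+        autoStart = true;
+        ports = [ "8081:8080" ];
+        volumes = [
+          "${cfg.credentialsFile}:/home/opuser/.op/1password-credentials.json"
+          "${cfg.dataDir}:/home/opuser/.op/data"
+        ];
+      };
+    };
+
+    environment.persistence."${config.mySystem.system.impermanence.persistPath}" = lib.mkIf config.mySystem.system.impermanence.enable {
+      directories = [ cfg.dataDir ];
+    };
+  };
+}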
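Review bot: `ports = [ "8080:8080" ]` and `ports = [ "8081:8080" ]` publish both Connect containers on every host interface, and nothing in this module puts TLS in front of them, so the API is reachable as plain HTTP from any network the host is attached to. Bind the published ports to the address that actually needs them, e.g. `ports = [ "127.0.0.1:8080:8080" ];`, and drop the sync container's port mapping unless something off-host needs its health endpoint. The credentials bind mount is read-write in both containers; `"${cfg.credentialsFile}:/home/opuser/.op/1password-credentials.json:ro"` is enough for Connect and stops a compromised container from altering the file. The `1.7.2` tag is a good start; a digest pin would make the pull reproducible.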
|
@ -47,5 +47,4 @@ in
|
|||
users.groups.kah = { };
|
||||
users.users.jahanson.extraGroups = [ "kah" ];
|
||||
};
|
||||
|
||||
}
|
||||
|
|