Added Sanoid config. Enabled Sanoid, Unifi, and lego-auto with sops.

This commit is contained in:
Joseph Hanson 2024-07-13 08:57:32 -05:00
parent 700475f219
commit 86aded238d
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
3 changed files with 137 additions and 1 deletions

View file

@ -0,0 +1,36 @@
{ ... }:
{
outputs = {
# ZFS automated snapshots
templates = {
"production" = {
recursive = true;
autoprune = true;
autosnap = true;
hourly = 24;
daily = 7;
monthly = 12;
};
};
datasets = {
"eru/xen-backups" = {
useTemplate = ["production"];
};
"eru/hansonhive" = {
useTemplate = ["production"];
};
"eru/tm_joe" = {
useTemplate = ["production"];
};
"eru/tm_elisia" = {
useTemplate = ["production"];
};
"eru/containers/volumes/xo-data" = {
useTemplate = ["production"];
};
"eru/containers/volumes/xo-redis-data" = {
useTemplate = ["production"];
};
};
};
}

View file

@ -2,7 +2,9 @@
# and may be overwritten by future invocations. Please make changes # and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead. # to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }: { config, lib, modulesPath, ... }:
let
sanoidConfig = import ./config/sanoid.nix { };
in
{ {
imports = imports =
[ [
@ -66,6 +68,15 @@
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
sops = {
secrets = {
"lego/dnsimple/token" = {
mode = "0444";
sopsFile = ./secrets.sops.yaml;
};
};
};
# System settings and services. # System settings and services.
mySystem = { mySystem = {
purpose = "Production"; purpose = "Production";
@ -81,5 +92,26 @@
samba.shares = import ./config/samba-shares.nix { }; samba.shares = import ./config/samba-shares.nix { };
samba.extraConfig = import ./config/samba-config.nix { }; samba.extraConfig = import ./config/samba-config.nix { };
}; };
services = {
podman.enable = true;
# Sanoid
sanoid = {
enable = true;
inherit (sanoidConfig.outputs) templates datasets;
};
# Unifi & Lego-Auto
unifi.enable = true;
lego-auto = {
enable = true;
dnsimpleTokenPath = "${config.sops.secrets."lego/dnsimple/token".path}";
domains = "gandalf.jahanson.tech";
email = "joe@veri.dev";
provider = "dnsimple";
};
};
}; };
} }

View file

@ -0,0 +1,68 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:3Lj6jhHuh0YbQCSZvUnSDtyo9Qi6Mx1d8eAGuIFih9YfDlIzYGkpI7YpvQ==,iv:YKpsMww+58+/wi70iXfVYcjkB5MPIA3epWXkqdSxJ1s=,tag:yi+Kstm1Vs3D+1c549QhlA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NnVtdU9ObzB0TkdHUHBy
aGVJaXg2NExmbkpzb3JYUXgza3lrOTR2K2pJCmNNdGs1MzZ0NFIyYktaMlhWK1Vq
K0E0OXBMWjd5Tk16MUFFL2gvVzdiZzQKLS0tIEx6bEN6ZkYrKzdxNGtYM0s3VnE1
a3YweEdFaGU2bkh5R3hvNWhMTHhxSmMKS22+GD1O8RWMvg+V2IqnbSPol5wKKfEj
hNB9fkAmRQtnKieSv957XTwbraxf7IVB/BO96CtLM0d29VFNErwsXg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nuj9sk2k8ede06f8gk5twdlc593uuc7lll2dvuy20nxw9zn97u5swrcjpj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1NUtYSGJvSkwzTFp4QTV5
WU9hcXVILzlEdklESUtKdzZIWUVzWmR2UGlFCngrUTNTM0N6VkF0ZGowbE9pVWFu
YXlCdjd0RmlXVnBmRlBGMncrZk1oeE0KLS0tIGpGOHBub3pEbVZ1Zlhxa0lEc3oy
M1lCSGNQVy96anBVTzF2Q0ZXVTlrY1EKkBzej4W8tsAqn2bgfDv7VvXuyH3rj0vT
9FPqSaMjcyPCfXvzL14+mQj24pkA1z/fYlxKnd+rDQCdvOh/T1xvNg==
-----END AGE ENCRYPTED FILE-----
- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjWnlKRHBhbUV5empIODNZ
bDdXcWVpMDY0TkV0bUtuS3ZSY3JqZVJTTzB3CjJCUEdzbmc3Rm5pSWdqQkw5MXJO
eE9ZVlo4RnFmUlI1UExBS1RkbmFwbmcKLS0tIEo1aFdSMDFFT3AvQ1ZUV3RsSHZ3
WWJuUnpJNlRsako2VDlpdEc1QVI4aDAKNKvUK6soiEKatD/y2RL8Glx3aSDAJHiI
KBtP/xL6if720Ge1EodQGjAqHa6Q65LJUmKK0wqwdOhrPNrA7Ea2fQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6VkVBQXJCdTNiZzFCVEQ5
bDZuNVdDd3B6dGJZS1pkVm40bitJODAxdXpzCmQ3WVppMEVGenBaMU4ybk5PM01L
NjJwd05vQ3dPWENSTUZiQnhkUU5meTQKLS0tIDQxL3QwanBYMzlTUVN6K3JqVWp4
aDVmWHo1bkdGRDFzb0ZPeDJJWUptcHcK2Z/AYb0yNmPwnY04SVurDromVkhinRKo
MsYAlynO4ivwrPXXLBZY136b7ecDpy5YzacJRP/YZzuaniJP4mrm2w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArbXRmald0cXBjOExHRTZT
K2Nab0NvOVhiclRBMVQ2a1RreVBUa1BoMlY0ClY2OHdnSFBmTHNEOStEVlk2c0FD
Zzh4bUQzZGFWU1RyWXh4b2xVY1B2MkEKLS0tIHpBcHViNjF2YnNjOXArcDArWW1i
a3VuRDU3bzdmWnpySmowVDNkWUNic2cKxBV/uUUT/WrklKeHIrdtcxa1s7C3C+cb
A5aOMUNEDtqo9Clg+PPs8RQy45uGRhio3B80SJgChH7RYn0ifJafFA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaeGZvUnk4b28wSlFJYlFN
NEJ5ZzdOT0M2cGxRVVRHRVBJYSt6dS90WUdjCndTYlViaGcwY0dxNnp6aFZFQnMx
ZUlFS1Y3SG52L05ZL3NrOXhLRjVBOXMKLS0tIGhYVXR0cjJGc0JCTTdEdFY3NEc3
REg4dkpMZmJoVDhhaUYxRVMwTVg2OHMKOs63Zk6TmRjLnloNj1QUK+I8aVcPUvJr
7Qgn2bYbyjG/seI0DzcDvUH4eRSjvDkCOqqh9Ry6K3TaRty28XS29g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-13T11:28:05Z"
mac: ENC[AES256_GCM,data:j2xatOmDBCBCApSomOx6LI4HpyoQ4nVLjsdNX8gKImGKGvJYQUG7liRhEVIwPeUH9oxGoZ1dJF1r4msQnfXk/OTgUNpQvoHyufeUOv+v1IBxwJRYbaAEoq8h59glJaBSJHZTBLWNsPDnijpv8f2q3HmvN9nrQhC1b0rfvMmH8hU=,iv:wsV5WBwhhZqHEBmsqczpnS7f6/8D39APmQspqOZKt8I=,tag:WdGFjwtw3jOyuYZ6OWxkHg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1