Move config around.

Joseph Hanson 2024-04-29 12:49:18 -05:00
parent 87bb308e42
commit 5632b37b1b
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
3 changed files with 20 additions and 17 deletions


@ -0,0 +1,16 @@
{config, ...}:
''
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
zone "jahanson.tech." {
type master;
file "${config.sops.secrets."bind/zones/jahanson.tech".path}";
journal "${config.services.bind.directory}/db.jahanson.tech.jnl";
allow-transfer {
key "externaldns";
};
update-policy {
grant externaldns zonesub ANY;
};
};
''
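Review bot: `grant externaldns zonesub ANY;` lets the externaldns key rewrite records of every type at and below the apex (NS and MX as much as A or TXT), and that same key is also the only one allowed to transfer the zone. If the key is held only by the external-dns client, the grant could be narrowed to the record types it manages, for example `grant externaldns zonesub A AAAA CNAME TXT;`, with a comment above `update-policy` naming the client that holds the key. Separately, `file` points at the sops secret path while the zone accepts dynamic updates; presumably that path is re-created from the encrypted file on each activation, so it is worth confirming that updates recorded in the journal survive a redeploy.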


@ -11,20 +11,12 @@
]; ];
sops = { sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default. # Mounts unencrypted sops values at /run/secrets/bind/rndc_keys/externaldns accessible by root only by default.
secrets = { secrets = {
"bind/rndc_keys/main" = {
owner = config.users.users.named.name;
inherit (config.users.users.named) group;
};
"bind/rndc_keys/externaldns" = { "bind/rndc_keys/externaldns" = {
owner = config.users.users.named.name; owner = config.users.users.named.name;
inherit (config.users.users.named) group; inherit (config.users.users.named) group;
}; };
"bind/zones/jahanson.tech" = {
owner = config.users.users.named.name;
inherit (config.users.users.named) group;
};
}; };
}; };
@ -61,11 +53,7 @@
services.bind = { services.bind = {
enable = true; enable = true;
extraConfig = '' extraConfig = import ./config/bind.nix {inherit config;};
include "${config.sops.secrets."bind/rndc-keys/main".path}";
include "${config.sops.secrets."bind/rndc-keys/externaldns".path}";
include "${config.sops.secrets."bind/named_extraconfig".path}";
'';
}; };
# Some programs need SUID wrappers, can be configured further or are # Some programs need SUID wrappers, can be configured further or are
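Review bot: The first hunk drops the `"bind/zones/jahanson.tech"` entry from `sops.secrets`, yet the newly imported `./config/bind.nix` still reads `config.sops.secrets."bind/zones/jahanson.tech".path`, so evaluation should fail on a missing attribute unless that secret is declared somewhere outside these hunks. The include in that file also spells the key `"bind/rndc-keys/externaldns"` with a hyphen, while the declaration kept here is `"bind/rndc_keys/externaldns"` with an underscore. Restoring the entry, `"bind/zones/jahanson.tech" = { owner = config.users.users.named.name; inherit (config.users.users.named) group; };`, and using the underscore spelling in the include would make the references and declarations agree. Both enclosing attribute sets continue outside the hunks shown.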


@ -2,7 +2,6 @@ bind:
rndc_keys: rndc_keys:
main: ENC[AES256_GCM,data:fHA7GHqsS2A4W4sp8f/qW1CAsK9g4GOV6AJosDkJHYD1hm6gGP/c7qN3LPCVGNP1dLvwdFBMsJw9Zk11RXmqix+4RRVJe1H+b0kYYgdawiWpujQ3APlb6FNRJL05818vLYJs5gnP,iv:Kpq6AVJG/7gbztgxsDzY087Q/ykg9Pe92IXdk88LsOg=,tag:qSYN8JCzh8XJuagU7RHctg==,type:str] main: ENC[AES256_GCM,data:fHA7GHqsS2A4W4sp8f/qW1CAsK9g4GOV6AJosDkJHYD1hm6gGP/c7qN3LPCVGNP1dLvwdFBMsJw9Zk11RXmqix+4RRVJe1H+b0kYYgdawiWpujQ3APlb6FNRJL05818vLYJs5gnP,iv:Kpq6AVJG/7gbztgxsDzY087Q/ykg9Pe92IXdk88LsOg=,tag:qSYN8JCzh8XJuagU7RHctg==,type:str]
externaldns: ENC[AES256_GCM,data:aAKeXstTUfpTSR7M3TMtXaHoYRiaQAVUsfEbIIOAP4V1vAwsTTZg7u8hKdyDh3xA+oXnrcZL9Z0/lKyfvEaZSkHdC1ATTNgnFXEhoJg+k52knETYQMRJMn54lxCwIgGxJ0pkcgIXxdg5,iv:VAUzo2UQ0DfLUcchlNJW7lmS0BK/KFgAYncqwmMDpxw=,tag:pLVWO63bIV4vn12kbeS6Ug==,type:str] externaldns: ENC[AES256_GCM,data:aAKeXstTUfpTSR7M3TMtXaHoYRiaQAVUsfEbIIOAP4V1vAwsTTZg7u8hKdyDh3xA+oXnrcZL9Z0/lKyfvEaZSkHdC1ATTNgnFXEhoJg+k52knETYQMRJMn54lxCwIgGxJ0pkcgIXxdg5,iv:VAUzo2UQ0DfLUcchlNJW7lmS0BK/KFgAYncqwmMDpxw=,tag:pLVWO63bIV4vn12kbeS6Ug==,type:str]
named_extraconfig: ENC[AES256_GCM,data:wrkNCGFDR2h97PIYd3Ij0bge2sAD90GoqP4TqbYOUYYsxUiyZg9CCqtg6y4y3CwOt034L5ZKERMdEvohRevMONnsA3QW9pqdAudGPHrkkhu95EgfrFp4auSPhZA622D/1H0bNNomtYiL/LNwxXfHgwrsfKEzAQwjZBunAbclBrJQRUer6I6n5Mcfl26oxlng7UWgGlJm+484rCrMm2x/5qAaQU7Gb4B8ufCBneINoLsWaSZ3Mj94kQwZyShqDyJfjXn6Lm5Zq+iXUQI1foHHmGK4+wR3nI9X9/9Xq3eszZWfZltft4UJQUhipV4O87/Wh6gG60YQGfZAwJsC6pwk9GVo2RxxdKiKj8LiEIGxfcMLSZra45uF8A==,iv:xBnA1dbXDqU0YwDd7v9S/RAHQABz8cQhAbMkAQkW1NU=,tag:VmQorIWxmHpMW2zZRt2FvA==,type:str]
zones: zones:
jahanson.tech: ENC[AES256_GCM,data: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,iv:Jnw8C+KA4DjKeitEGrqY51Os1ar+ZOIqivsF0x5hvQM=,tag:p/cDPkK3URWk8fTZhYO9nA==,type:str] jahanson.tech: ENC[AES256_GCM,data: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,iv:Jnw8C+KA4DjKeitEGrqY51Os1ar+ZOIqivsF0x5hvQM=,tag:p/cDPkK3URWk8fTZhYO9nA==,type:str]
sops: sops:
@ -29,8 +28,8 @@ sops:
SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf
TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw== TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-29T17:31:42Z" lastmodified: "2024-04-29T17:44:50Z"
mac: ENC[AES256_GCM,data:mrfK8pGbj3w2BvcwzsL9YHPJyh+T42IGAIpy+XFmUXvrV8rqkWcSabCOddmGDqUtHGpEHQ7xxDvUmI83zSRt5hS/pbVYMVrwAw8lWjJS59bE6sUO0F3kKPzIH1G2K1evZ1hesSk/y7RWuL3+KV+KQ7YzMSYD1Iqabc2Q5HEqZ94=,iv:6IdFxpvpNjE2JNMlbOTr+CZis85x3D7jFVtMD9TUNo4=,tag:H1JJlszywcvVGHNa8juR5g==,type:str] mac: ENC[AES256_GCM,data:ebvcOej/ADwCQd7a1m9wUHI6Hccj50WMraeYvNZRe8GCtyUWA6tnBsJk/d4NnhLpuWXVOXV+CuTcUr7C+Q6I6ZcPsiQoDyuwf0+LvtsMWf2Ep8tVLc55JCyoOWAdVYPif2Elisaj9X1y5Z0hGhKy8nfJ5j7J87CP32bZo59+Hbg=,iv:mMLq0uV4lnaeTdnCyVBbJuwsZxcGQWuZn8BTvmtXO0Q=,tag:4O/tQxKrZV183fIw9CVdXQ==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1