From ac37c8229890c1daed127a48c80e7d89eef16cae Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Tue, 28 May 2024 17:20:37 -0500 Subject: [PATCH] added lego-auto --- nixos/common.nix | 9 ++++++++- nixos/gandalf/configuration.nix | 21 ++++++++++++++++++--- secrets.sops.yaml | 7 +++++-- 3 files changed, 31 insertions(+), 6 deletions(-) diff --git a/nixos/common.nix b/nixos/common.nix index e0c3688..5827334 100644 --- a/nixos/common.nix +++ b/nixos/common.nix @@ -67,7 +67,7 @@ users.users.jahanson = { isNormalUser = true; description = "Joseph Hanson"; - extraGroups = [ "networkmanager" "wheel" ]; + extraGroups = [ "networkmanager" "wheel" "kah" ]; shell = pkgs.fish; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w" @@ -79,6 +79,13 @@ ]; }; + # extra user for containers + users.users.kah = { + uid = 568; + group = "kah"; + }; + users.groups.kah = {}; + # Default editor environment.variables.EDITOR = "vim"; # Time zone. diff --git a/nixos/gandalf/configuration.nix b/nixos/gandalf/configuration.nix index a57dfc1..524e156 100644 --- a/nixos/gandalf/configuration.nix +++ b/nixos/gandalf/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ pkgs, inputs, ... }: +{ pkgs, inputs, config, ... }: let upsPassword = "illgettoiteventually"; vendorid = "0764"; @@ -15,6 +15,15 @@ in ./hardware-configuration.nix inputs.nixvirt-git.nixosModules.default ]; + sops = { + # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default. + secrets = { + "lego/dnsimple/token" = { + owner = config.users.users.kah; + inherit (config.users.users.kah) group; + }; + }; + }; # Use the systemd-boot EFI boot loader. boot = { @@ -260,15 +269,22 @@ in PGID = "102"; PUID = "999"; }; + }; lego-auto = { image = "ghcr.io/bjw-s/lego-auto:v0.3.0"; autoStart = true; volumes = [ "/eru/containers/volumes/unifi/cert:/certs" ]; + user = "102:999"; environment = { TZ = "America/Chicago"; - EMAIL = ""; + LA_DATADIR="/certs"; + LA_CACHEDIR="/certs/.cache"; + LA_EMAIL = "joe@veri.dev"; + LA_DOMAINS = "gandalf.jahanson.tech"; + LA_PROVIDER = "dnsimple"; + DNSIMPLE_OAUTH_TOKEN_FILE = "${config.sops.secrets."lego/dnsimple/token".path}"; }; }; # # Xen-orchestra container @@ -294,7 +310,6 @@ in # }; }; }; -}; # ZFS automated snapshots services.sanoid = { diff --git a/secrets.sops.yaml b/secrets.sops.yaml index 67c8d6e..e258d2f 100644 --- a/secrets.sops.yaml +++ b/secrets.sops.yaml @@ -1,3 +1,6 @@ +lego: + dnsimple: + token: ENC[AES256_GCM,data:yWXPbSwj3Y1gAuUCF1eK9q2WSPJmv1ZtRB/2gfvH3V58lc67MfDdN960wg==,iv:h/0Yv1oqeFVwRfi40hG3/twYNPO/MLshhgrJCPWMUMA=,tag:M5W1csc+Rsuor8lp1P4+7Q==,type:str] 1password-credentials.json: ENC[AES256_GCM,data:WBFSyiq30df5D2A3jAvYHLHz1b7nnk4MR0W4E8qDblIo2gug3uBbugR0Dcg2XQRSKfTDpk1kc9KPMrqYPsPtAgKjqQzL1XzuAL9i0C/xBO4+VzFoG8Puwm43791bVjFcG4hxdoMiKY28Pi2MnKlQZEivZUatSNHJqouYfTM/pIuLhRkng6YmUIzT2w47bl0K3Sdu+lh+aGxFsL+k1zepMALq+GZO7IHC9xBq32HwhpWd8UDpgCNqdICaJJ6G8iJxjSqUHjoijkU9QUS+WwWFpVGJ8f1WkmQZ6/gcKudMNg8msMrcyobPw/JgeigxDzF3SpujShRJN6O8QdtE8TBnxb2RZSxC5uNojvqgJVcR4ZvQH5wEZZ9PmNbhpS2vo5nb2/b5fmSFvkIsugOveZ/92O6ffA3rSqT7Eb+nPIH9H1BAu7cUxu0RPXBmM72ohMtFoMpPNXJBkJHODcYNxCYrzWaMfa3673jS5QElzJYeKn0Ir45MFIwWArttq2EVW38Vuwx2YA6qqTrpIiNmhOvKalnVW5f678lwIIzpHDP+1XfiK2MhIXTXst3nV3t/7z4wop4mRLAclS6nmnHMEZ8QrbvK4vVQLUgLDw8r2wRcYa8v8BcdqXdLbkrrHVoPUTn4XHZ0tgO+dfAR5KwkESI/l4B0gxNAlIbYs7edfapphZdbWsyUSbURxt+u70fXovXvgISf9EPT/FcUribInzf4V2PM++x7R72VRARilSXysEouNdeAqreFER/fuMKnXO+7+ywSMwMPLPk2q/J3/u1F+MXTVq4wWJD4UKHek+csAE3qk847/u/XTCJmtVzRLEjJMG5ShNxLI1HuH4Pvf5ebB4MQIeO2gZhiXP2fWNtWt1w+A47FL1GcdXx+Oyl3Mjhze+/762vwVODu9fsY5ySqa86TT96xH67RiVfDp+iTRQYKirwui69LsRACpB6LnKt4yNX3QlS0mawFZhWSuzy6EUqhufQI0I/Pzf2DatyYXtLwHrw/8AYf+J2ouDpew6tghsdSy4s0BnypSL6UmP8OitpDmD+IHSom/eeOCG/vXtUD2KOzzmCR7FFRXrqyYtyQ10djq4jUKO43bzKkWINm/NDVzfQf8NQdXTAR6eneyXJ6Zt+FzMtmbHVjfdrCfLNdXROSfhRFX/YZHVwF+HwtK33RK0DOwpFZGOnW1bceQ2BhgEQbv06IPK6mS9WGx6ymDJ6C/nldTBXLbc5LV/S5sKnnIi8stkd47e3olJSp3xs9ri/ZSFrT3JxVIU2mUL8PGjuOuHDknv8VTZlx1WFp1xqj0l3kgz40SzpWcvSyavHFnPs/+W5UN0N4xBZo7Wuf21u1gqAagypDzoUCnWakjHXQK2LsREFcN72FXHRihpcJLQOjWnZEuQDpH+1Dk5RpUjIZl3M0VQFb0XPwHlnK0pBaBn9eiKZU17gyElXKAz8=,iv:YqHHD0nHnil9s2rG7nmaTjCSvH1TtiiOEi6uqcZKdMM=,tag:/bRmXUnt25SJBJMu6IywTA==,type:str] bind: rndc-keys: @@ -38,8 +41,8 @@ sops: L3I3c1VHZTNUQUNjVjFYaXZXMHlsUTgKplXR6ZN5+Z25n5IlC7jGDHYLH/6g8dWI MtkYR0606ZC+b4w8PmsHyf6SBfocb8kP9uZKhJAHCtgzn1IQakPN+A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-28T21:41:30Z" - mac: ENC[AES256_GCM,data:wuPcfauGrw67p071Sjr+9TXrFRC/0DOsKbr+t5wM9j3rASN1KOLRCxkyVIkvST02Q62IrjbYJhs3A6Iwl+H0e1VD55ZgR5u5nMZjpxRu+sH9Vl3KZVgKbKgeA+tVvsaK3KNPLUp6rHPVb9f9c0aUAfOD8q4RHE57esdGA5pY0yI=,iv:mL4RMh5LgWO6O03uuoeo6VfCyH9IUQTpk2GXd7VWzqo=,tag:dVqRHlA4P4FIueWg6eVgzw==,type:str] + lastmodified: "2024-05-28T21:57:17Z" + mac: ENC[AES256_GCM,data:etYudHElbqYn9o5FZLtTIt7ZGXk1bvk6+mSF07kqgaM+6H05gNMv9w9KhVd3dpfRvjjWNOvOerp+oa0UwWNU+nYJ2nOjYlkbVGpzIpHlAHSdJKN0AXlrjiSQM3fHpcyEdKX2DyEADUGQWAV5HWBUClgBC48Wzkrrt8nGPm4R0tQ=,iv:OeidHvWz5S64GPHFCtA/v/npwaWiamufQnYFaXAYJDw=,tag:gGCSeL2XxWixKzXgkkSFEA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1