added lego-auto

Joseph Hanson 2024-05-28 17:20:37 -05:00
parent ec567d2c03
commit ac37c82298
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
3 changed files with 31 additions and 6 deletions


@ -67,7 +67,7 @@
users.users.jahanson = { users.users.jahanson = {
isNormalUser = true; isNormalUser = true;
description = "Joseph Hanson"; description = "Joseph Hanson";
extraGroups = [ "networkmanager" "wheel" ]; extraGroups = [ "networkmanager" "wheel" "kah" ];
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w"
@ -79,6 +79,13 @@
]; ];
}; };
# extra user for containers
users.users.kah = {
uid = 568;
group = "kah";
};
users.groups.kah = {};
# Default editor # Default editor
environment.variables.EDITOR = "vim"; environment.variables.EDITOR = "vim";
# Time zone. # Time zone.
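Review bot: `users.users.kah` sets neither `isSystemUser` nor `isNormalUser`, and NixOS asserts that exactly one of them is set, so unless another module outside this hunk sets it, evaluation should fail. For a container service account, `isSystemUser = true;` is the fitting choice. `users.groups.kah = {};` leaves the gid auto-allocated while the uid is pinned to 568; if containers are meant to run as 568:568, pin it with `users.groups.kah.gid = 568;` so file ownership on the volumes stays stable across rebuilds. Adding the wheel account `jahanson` to `kah` also grants it group access to whatever the container group owns, which deserves a one-line comment stating that this is intended.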


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page, on # your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ pkgs, inputs, ... }: { pkgs, inputs, config, ... }:
let let
upsPassword = "illgettoiteventually"; upsPassword = "illgettoiteventually";
vendorid = "0764"; vendorid = "0764";
@ -15,6 +15,15 @@ in
./hardware-configuration.nix ./hardware-configuration.nix
inputs.nixvirt-git.nixosModules.default inputs.nixvirt-git.nixosModules.default
]; ];
sops = {
# Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
secrets = {
"lego/dnsimple/token" = {
owner = config.users.users.kah;
inherit (config.users.users.kah) group;
};
};
};
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
boot = { boot = {
@ -260,15 +269,22 @@ in
PGID = "102"; PGID = "102";
PUID = "999"; PUID = "999";
}; };
};
lego-auto = { lego-auto = {
image = "ghcr.io/bjw-s/lego-auto:v0.3.0"; image = "ghcr.io/bjw-s/lego-auto:v0.3.0";
autoStart = true; autoStart = true;
volumes = [ volumes = [
"/eru/containers/volumes/unifi/cert:/certs" "/eru/containers/volumes/unifi/cert:/certs"
]; ];
user = "102:999";
environment = { environment = {
TZ = "America/Chicago"; TZ = "America/Chicago";
EMAIL = ""; LA_DATADIR="/certs";
LA_CACHEDIR="/certs/.cache";
LA_EMAIL = "joe@veri.dev";
LA_DOMAINS = "gandalf.jahanson.tech";
LA_PROVIDER = "dnsimple";
DNSIMPLE_OAUTH_TOKEN_FILE = "${config.sops.secrets."lego/dnsimple/token".path}";
}; };
}; };
# # Xen-orchestra container # # Xen-orchestra container
@ -294,7 +310,6 @@ in
# }; # };
}; };
}; };
};
# ZFS automated snapshots # ZFS automated snapshots
services.sanoid = { services.sanoid = {
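Review bot: The `lego-auto` container cannot read the DNSimple token as wired here, because `DNSIMPLE_OAUTH_TOKEN_FILE` holds the host path of the sops secret while `volumes` mounts only the cert directory; the file needs a read-only bind mount such as `"${config.sops.secrets."lego/dnsimple/token".path}:/run/secrets/dnsimple-token:ro"`, with the variable pointing at the in-container path. Even when mounted, the secret is owned by `kah` and sops-nix's default mode is owner-only, while the container runs as `user = "102:999"`, so either the container user or the secret's owner has to change to match. In the `sops` block, `owner = config.users.users.kah;` passes the whole user attrset where sops-nix expects a user name; it should read `owner = config.users.users.kah.name;`. The comment above `secrets` still refers to `/run/secrets/rndc_keys` and should name the lego token instead.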


@ -1,3 +1,6 @@
lego:
dnsimple:
token: ENC[AES256_GCM,data:yWXPbSwj3Y1gAuUCF1eK9q2WSPJmv1ZtRB/2gfvH3V58lc67MfDdN960wg==,iv:h/0Yv1oqeFVwRfi40hG3/twYNPO/MLshhgrJCPWMUMA=,tag:M5W1csc+Rsuor8lp1P4+7Q==,type:str]
1password-credentials.json: ENC[AES256_GCM,data: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,iv:YqHHD0nHnil9s2rG7nmaTjCSvH1TtiiOEi6uqcZKdMM=,tag:/bRmXUnt25SJBJMu6IywTA==,type:str] 1password-credentials.json: ENC[AES256_GCM,data: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,iv:YqHHD0nHnil9s2rG7nmaTjCSvH1TtiiOEi6uqcZKdMM=,tag:/bRmXUnt25SJBJMu6IywTA==,type:str]
bind: bind:
rndc-keys: rndc-keys:
@ -38,8 +41,8 @@ sops:
L3I3c1VHZTNUQUNjVjFYaXZXMHlsUTgKplXR6ZN5+Z25n5IlC7jGDHYLH/6g8dWI L3I3c1VHZTNUQUNjVjFYaXZXMHlsUTgKplXR6ZN5+Z25n5IlC7jGDHYLH/6g8dWI
MtkYR0606ZC+b4w8PmsHyf6SBfocb8kP9uZKhJAHCtgzn1IQakPN+A== MtkYR0606ZC+b4w8PmsHyf6SBfocb8kP9uZKhJAHCtgzn1IQakPN+A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-28T21:41:30Z" lastmodified: "2024-05-28T21:57:17Z"
mac: ENC[AES256_GCM,data:wuPcfauGrw67p071Sjr+9TXrFRC/0DOsKbr+t5wM9j3rASN1KOLRCxkyVIkvST02Q62IrjbYJhs3A6Iwl+H0e1VD55ZgR5u5nMZjpxRu+sH9Vl3KZVgKbKgeA+tVvsaK3KNPLUp6rHPVb9f9c0aUAfOD8q4RHE57esdGA5pY0yI=,iv:mL4RMh5LgWO6O03uuoeo6VfCyH9IUQTpk2GXd7VWzqo=,tag:dVqRHlA4P4FIueWg6eVgzw==,type:str] mac: ENC[AES256_GCM,data:etYudHElbqYn9o5FZLtTIt7ZGXk1bvk6+mSF07kqgaM+6H05gNMv9w9KhVd3dpfRvjjWNOvOerp+oa0UwWNU+nYJ2nOjYlkbVGpzIpHlAHSdJKN0AXlrjiSQM3fHpcyEdKX2DyEADUGQWAV5HWBUClgBC48Wzkrrt8nGPm4R0tQ=,iv:OeidHvWz5S64GPHFCtA/v/npwaWiamufQnYFaXAYJDw=,tag:gGCSeL2XxWixKzXgkkSFEA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1