jahanson/nix-config
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

add 1password connect/sync as containers

Browse source
This commit is contained in:
Joseph Hanson 2024-04-30 16:50:10 -05:00
parent 6ac65cc357
commit e30b557622
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
1 changed files with 55 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

58
nixos/telperion/configuration.nix
View file

@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page, on # your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports =
@ -21,6 +21,10 @@
owner = config.users.users.named.name; owner = config.users.users.named.name;
inherit (config.users.users.named) group; inherit (config.users.users.named) group;
}; };
"onepassword-connect-json" = {
owner = config.users.users.named.name;
inherit (config.users.users.named) group;
};
}; };
}; };
@ -83,7 +87,7 @@
# also this double pxe-service config hack sucks, but it works. # also this double pxe-service config hack sucks, but it works.
pxe-service='' pxe-service=''
tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe
pxe-service=tag:ipxe,0,matchbox,http://10.1.1.57:8080/boot.ipxe pxe-service=tag:ipxe,0,matchbox,http://10.1.1.57/boot.ipxe
''; '';
log-queries = true; log-queries = true;
log-dhcp = true; log-dhcp = true;
@ -104,7 +108,7 @@
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.matchbox-server}/bin/matchbox -address=0.0.0.0:8080 -data-path=/srv/matchbox -assets-path=/srv/matchbox/assets -log-level=debug"; ExecStart = "${pkgs.matchbox-server}/bin/matchbox -address=0.0.0.0:80 -data-path=/srv/matchbox -assets-path=/srv/matchbox/assets -log-level=debug";
Restart = "on-failure"; Restart = "on-failure";
User = "matchbox"; User = "matchbox";
Group = "matchbox"; Group = "matchbox";
@ -128,6 +132,54 @@
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
}; };
# 1Password Connect API and Sync services
users.users = {
onepassword-connect = {
home = "/var/lib/onepassword-connect";
isSystemUser = true;
};
};
system.activationScripts.makeOnePasswordConnectDataDir = lib.stringAfter [ "var"] ''
mkdir -p /var/lib/onepassword-connect
chown onepassword:root /var/lib/onepassword-connect
'';
virtualisation.podman = {
enable = true;
# `docker` alias for podman
dockerCompat = true;
# Required for podman-compose so pods can talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
virtualisation.oci-containers.containers = {
onepassword-connect-api = {
image = "docker.io/1password/connect-api:1.7.2";
autoStart = true;
ports = [ "8080:8080" ];
user = "onepassword:root";
volumes = [
"${config.sops.secrets."onepassword-connect-json".path}:/home/opuser/.op/1password-credentials.json"
"/var/lib/onepassword-connect:/home/opuser/.op/data"
];
};
onepassword-connect-sync = {
image = "docker.io/1password/connect-sync:1.7.2";
autoStart = true;
ports = [ "8081:8080" ];
user = "onepassword:root";
volumes = [
"${config.sops.secrets."onepassword-connect-json".path}:/home/opuser/.op/1password-credentials.json"
"/var/lib/onepassword-connect:/home/opuser/.op/data"
];
};
};
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];