
4 commits

2 changed files with 60 additions and 5 deletions


@ -2,7 +2,7 @@
# your system. Help is available in the configuration.nix(5) man page, on # your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, pkgs, ... }: { config, pkgs, lib, ... }:
{ {
imports = imports =
@ -21,6 +21,10 @@
owner = config.users.users.named.name; owner = config.users.users.named.name;
inherit (config.users.users.named) group; inherit (config.users.users.named) group;
}; };
"onepassword-connect-json" = {
owner = config.users.users.onepassword-connect.name;
inherit (config.users.users.onepassword-connect) group;
};
}; };
}; };
@ -83,7 +87,7 @@
# also this double pxe-service config hack sucks, but it works. # also this double pxe-service config hack sucks, but it works.
pxe-service='' pxe-service=''
tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe tag:#ipxe,x86PC,"PXE chainload to iPXE",undionly.kpxe
pxe-service=tag:ipxe,0,matchbox,http://10.1.1.57:8080/boot.ipxe pxe-service=tag:ipxe,0,matchbox,http://10.1.1.57/boot.ipxe
''; '';
log-queries = true; log-queries = true;
log-dhcp = true; log-dhcp = true;
@ -104,7 +108,7 @@
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.matchbox-server}/bin/matchbox -address=0.0.0.0:8080 -data-path=/srv/matchbox -assets-path=/srv/matchbox/assets -log-level=debug"; ExecStart = "${pkgs.matchbox-server}/bin/matchbox -address=0.0.0.0:80 -data-path=/srv/matchbox -assets-path=/srv/matchbox/assets -log-level=debug";
Restart = "on-failure"; Restart = "on-failure";
User = "matchbox"; User = "matchbox";
Group = "matchbox"; Group = "matchbox";
@ -128,6 +132,56 @@
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
}; };
# 1Password Connect API and Sync services
users.groups.onepassword-connect = {};
users.users = {
onepassword-connect = {
home = "/var/lib/onepassword-connect";
group = "onepassword-connect";
isSystemUser = true;
};
};
system.activationScripts.makeOnePasswordConnectDataDir = lib.stringAfter [ "var"] ''
mkdir -p /var/lib/onepassword-connect
chown onepassword:root /var/lib/onepassword-connect
'';
virtualisation.podman = {
enable = true;
# `docker` alias for podman
dockerCompat = true;
# Required for podman-compose so pods can talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
virtualisation.oci-containers.containers = {
onepassword-connect-api = {
image = "docker.io/1password/connect-api:1.7.2";
autoStart = true;
ports = [ "8080:8080" ];
user = "onepassword:onepassword-connect";
volumes = [
"${config.sops.secrets."onepassword-connect-json".path}:/home/opuser/.op/1password-credentials.json"
"/var/lib/onepassword-connect:/home/opuser/.op/data"
];
};
onepassword-connect-sync = {
image = "docker.io/1password/connect-sync:1.7.2";
autoStart = true;
ports = [ "8081:8080" ];
user = "onepassword:onepassword-connect";
volumes = [
"${config.sops.secrets."onepassword-connect-json".path}:/home/opuser/.op/1password-credentials.json"
"/var/lib/onepassword-connect:/home/opuser/.op/data"
];
};
};
# Open ports in the firewall. # Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ]; # networking.firewall.allowedTCPPorts = [ ... ];
# networking.firewall.allowedUDPPorts = [ ... ]; # networking.firewall.allowedUDPPorts = [ ... ];
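Review bot: The container user and the secret owner disagree in the -128,6 hunk: the sops secret `"onepassword-connect-json"` is owned by `users.users.onepassword-connect` (hunk -21,6), but both containers run as `user = "onepassword:onepassword-connect"` and the activation script does `chown onepassword:root`, so the credentials file mounted at `/home/opuser/.op/1password-credentials.json` is readable by the container only if a separate `onepassword` user exists and sops-nix's default owner-only 0400 mode is loosened — neither is visible here. Unless `onepassword` is declared elsewhere in the file, `user = "onepassword-connect:onepassword-connect";` on both containers and `chown onepassword-connect:onepassword-connect /var/lib/onepassword-connect` in the script make the three agree, and `systemd.tmpfiles.rules = [ "d /var/lib/onepassword-connect 0700 onepassword-connect onepassword-connect -" ];` is the idiomatic NixOS replacement for the activation script that also avoids the default 0755 data directory. The credentials volume should carry `:ro`, and `ports = [ "8080:8080" ]` / `"8081:8080"` publish the Connect API and sync service on every host interface — `"127.0.0.1:8080:8080"` (and likewise for 8081) unless remote clients are intended, in which case a matching `networking.firewall.allowedTCPPorts` entry belongs next to the commented template below. Separately, the -104,7 hunk now binds matchbox to `0.0.0.0:80` under `User = "matchbox"`, which fails to bind without `AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];`; `serviceConfig` continues past the hunk, so this may already be set.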


@ -1,3 +1,4 @@
onepassword-credentials-json: ENC[AES256_GCM,data:rPVEuV77VAoBrielyiJZNiJbm4P5BLoTNl6ZPseiq6F/muaWrhEg6x0T1tyqU6uE3NixWamvAAzhXLcDAPIK03mBi4veHfaHdH2UB0snISIW6rdOJOCRBpiay5X8oDGKgt2/4/iqp8XAOoo4fPtohp0ukl/N8qRF431wWjlIJEGzkT758ZkgAkYPQEI5Wd1zES+zCievSOXP/yQmWIMWUlEpAdiSyDwFjt8BaIO7tLl5Xght5iHqImGmEncY+FW2nqU7A7EbvpBYH5ZtUT2sgRcuCW8MoTQzxD7Sl4Hh0vKvX8ZN1/WJg2DRTg721O77hWHCBth8ft1c1rZ4eOmobcfi/nqr9bFGZRKZYP8/LF0XHJOEljM6+FzlkFU4qlutBBbJDzafa1Lvfpkat5ZzMS23qTsKm3prCu/pYcyubPHCsfA7J5PDRNY9uhWodBZ2X5Ol9cYPA8wIv+j6wj/BsXfcWAPg/ODfx0+aHxoXuADR77QDSbamnsVBznemHemUmZDi5PCXVTopF/kvx9GNhTQfT3UUYMb12Mzd6BobBZ6Llh74ykaBZaKLb99rWIyAruuXRuu4ENKssO07eK+IW2PI/XX7kXufCw0ttYCuUR9LyRXsCIsacuM7O7pvJiyDGSRNh9bdyplAwpWImWGmhkwnjDSDWwAchlBlIEFswXBNsqz11lhiStbXALUFvQZxzDXbRPz/TfX12a3rJHP3gJGp6l1Q/FdTLLeq1k/Qdy3mhMxDP5JaD4vfXrraSlKMhdlrZ/hoVmWccLTErwG2iKlFXfuGYxQ2icecFdiPQErtUhMmQAJ5D2ODaoFTut8uXaTl5tkr3BsP5yD25PtkuFSrzbZ5Z/HlhyxlH5DoMCuX21nisshPFC6o3RWKjV98gHTr8VqRoQ+1nrshEErQ4AFzYmPpqOcUWMs6G4PFY5VhrX1d/gDrOeWzdFlPdtWjQkXcGvEPuwwnGRYkhLgmIcy8dOlqtzsdxOqQPo63TjmQVzCnZY9EvG5fTtiAnq9ckbqV26E+cqGZEpl8gpyUahQWXwUadYqa3BmQvTxnJWF/X8u9nOx7l5NaUMOd8ierJ6Rn7lgqumMR6gPM/req8EIgsKWTXgR4TJFwf92kESluWJhSLsGRwOvpHuBRvPf6pqgi1r/H3EIOPqeUfIvhviX54V5AZxO/b1b1PhYrEZ4EhKElmUL6kaJJzFSQc8mQDwc3Ch8uS72WQcDOlsaf7uCoH6/LKfpjNvat9cwgiStX1TBGreb5EmXBiK5sdEAW6IrjQnvWW6NiQ+0YeAoQk0KdMZwo8OwDpVscB/xkQICw1uOxQ+WZZ8YT/dadFfHhf0431DWEdTqaadh2sgZmDc6iyevgEaJXh471tEb6ZEUjAhCxblAFq1eueKX7USm0PhsgScp3lGawOgC6Cy+o4NLaryIUmkVHtVHakUYsAUQ=,iv:TGggiOwAdKPakf2+vDO3uWL0Y6/jT7fgMg8sZz0OFFU=,tag:LdYKzoE6ZT08qT8jrQnC5g==,type:str]
bind: bind:
rndc-keys: rndc-keys:
main: ENC[AES256_GCM,data:kHDSEJ9bX8vugV923GXRIibrnx3vRjdvzv5VtDaam3GSI8CSjJd9aIT5K70sJXRRkh+en5dLJlUO/LHPjwIybwQgZpj5DgOcyE0ks3FEyJsgpxYRXrQtGtUb83c5CaY07f4vL9oy,iv:rENbmwqpsos6lBIo8B6gp8XE+dYA/eWWH+4dv6tK/Rc=,tag:Jgr12K+nIPzc2P+RtBRlRA==,type:str] main: ENC[AES256_GCM,data:kHDSEJ9bX8vugV923GXRIibrnx3vRjdvzv5VtDaam3GSI8CSjJd9aIT5K70sJXRRkh+en5dLJlUO/LHPjwIybwQgZpj5DgOcyE0ks3FEyJsgpxYRXrQtGtUb83c5CaY07f4vL9oy,iv:rENbmwqpsos6lBIo8B6gp8XE+dYA/eWWH+4dv6tK/Rc=,tag:Jgr12K+nIPzc2P+RtBRlRA==,type:str]
@ -28,8 +29,8 @@ sops:
SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf SHZmN3JDL1ExVHZ5K2txM2h6MzRKWE0KbS3kO9teIcRDY4hnb54LgWzcRQu7aGGf
TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw== TjnTJzqKqmRRMLOs5be6wbrxBiRe9p5nCN/WJ9nqhr7rfNNMUiZePw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-29T18:31:20Z" lastmodified: "2024-04-30T21:03:59Z"
mac: ENC[AES256_GCM,data:sVHIZr0JV+Pe0jcilOPEgk8c62NhpNZSX6FUlwdQiV0gwjR7EIlcQkMXumWEvwp14HyWJmi6GPRb2yM2TRwtu8kMABwXQteO47JBdBeqlF384avINtGLv6dRAYu8MDlRWy868eFSTO6IFnvMA2JM8l5TlCSZFPUFhIHNdY49/O8=,iv:aChGQGakivvVFggZWK3CK1DP9EedUXHvZS4CCgjUlJM=,tag:dB0gXKTdqSDgMZiR8DBaRg==,type:str] mac: ENC[AES256_GCM,data:FSJr15N5RDrX+5Mnth+Rti5opEdbkON4faBIZw1D7C1O7G6c7FAqijCh/NhQAkqOutaUWQ7E/BAO1gZ/h0sPdi37WH5fg6sfPkY5zOZ0qf1DiWWu6JHMO3JJhI3wfJMLmmbeLsZjKSEfRyExAPZa4qrZM4+FWA/GyY87T4ZMGu4=,iv:sW98vMQrTRWy7S8ybm24lhIZTm41FlbttT4nVxXOEI8=,tag:ezvRbQwVhJL71kq6OBZ26g==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1
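Review bot: The new top-level key is `onepassword-credentials-json`, while the NixOS change in this compare declares and mounts `sops.secrets."onepassword-connect-json"`; sops-nix looks a secret up by its attribute name unless `key` is set, so as written the secret will not resolve against this file. Either rename the YAML key to `onepassword-connect-json` (edit through `sops` so the mac stays valid) or add `key = "onepassword-credentials-json";` inside the `"onepassword-connect-json"` secret definition. The -28,8 hunk is only the expected `lastmodified`/`mac` refresh and needs nothing further.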