nix-config/nixos/telperion/configuration.nix

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

{ config, pkgs, lib, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  sops = {
    # Mounts unencrypted sops values at /run/secrets/rndc_keys accessible by root only by default.
    secrets = {
      "bind/rndc-keys/externaldns" = {
        owner = config.users.users.named.name;
        inherit (config.users.users.named) group;
      };
      "bind/zones/jahanson.tech" = {
        owner = config.users.users.named.name;
        inherit (config.users.users.named) group;
      };
      "1password-credentials.json" = {
        mode = "0444";
      };
    };
  };

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # Network settings
  networking = {
    hostName = "telperion"; # Define your hostname.
    networkmanager.enable = true;
  };
  # Set your time zone.
  time.timeZone = "America/Chicago";

  # Select internationalisation properties.
  i18n.defaultLocale = "en_US.UTF-8";

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.jahanson = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    packages = with pkgs; [
      tree
    ];
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    wget
    matchbox-server
  ];

  # Bind DNS server for externaldns on k8s to push zone updates
  services.bind = {
    enable = true;
    extraConfig = import ./config/bind.nix {inherit config;};
  };

  # Proxy DHCP for PXE booting. This leaves DHCP address allocation alone and dhcp clients 
  # should merge all responses from their DHCPDISCOVER request.
  # https://matchbox.psdn.io/network-setup/#proxy-dhcp
  services.dnsmasq = {
    enable = true;
    resolveLocalQueries = false;
    settings = {
      # Disables only the DNS port.
      port = 0;
      dhcp-range = [ "10.1.1.1,proxy,255.255.255.0" ];
      enable-tftp = true;
      tftp-root = "/srv/tftp";
      # if request comes from iPXE user class, set tag "ipxe"
      dhcp-userclass = "set:ipxe,iPXE";
      # if request comes from older PXE ROM, chainload to iPXE (via TFTP)
      # ALSO 
      # point ipxe tagged requests to the matchbox iPXE boot script (via HTTP)
      # pxe-service="tag:ipxe,0,matchbox,http://10.1.1.57:8080/boot.ipxe";
      pxe-service = [
        "tag:#ipxe,x86PC,\"PXE chainload to iPXE\",undionly.kpxe"
        "tag:ipxe,0,matchbox,http://10.1.1.57:8086/boot.ipxe"
      ];
      log-queries = true;
      log-dhcp = true;
    };
  };

  # Matchbox Server for PXE booting via device profiles
  users.groups.matchbox = {};
  users.users = {
    matchbox = {
      home = "/srv/matchbox";
      group = "matchbox";
      isSystemUser = true;
    };
  };

  systemd.services.matchbox = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    serviceConfig = {
      ExecStart = "${pkgs.matchbox-server}/bin/matchbox -address=0.0.0.0:8086 -data-path=/srv/matchbox -assets-path=/srv/matchbox/assets -log-level=debug";
      Restart = "on-failure";
      User = "matchbox";
      Group = "matchbox";
    };
  };

  # haproxy for load balancing talos and kubernetes api.
    services.haproxy = {
    enable = true;
    config = ''
      global
        log /dev/log local0
        log /dev/log local1 notice
        daemon

      defaults
        mode http
        log global
        option httplog
        option dontlognull
        option http-server-close
        option redispatch
        retries 3
        timeout http-request 10s
        timeout queue 20s
        timeout connect 10s
        timeout client 1h
        timeout server 1h
        timeout http-keep-alive 10s
        timeout check 10s

      frontend k8s_apiserver
        bind *:6443
        mode tcp
        option tcplog
        default_backend k8s_controlplane
      
      frontend talos_apiserver                                              
        bind *:50000                                                      
        mode tcp                                                          
        option tcplog                                                     
        default_backend talos_controlplane                                

      backend k8s_controlplane
        option httpchk GET /healthz
        http-check expect status 200
        mode tcp
        option ssl-hello-chk
        balance roundrobin
        server worker1 10.1.1.61:6443 check
        server worker2 10.1.1.62:6443 check
        server worker3 10.1.1.63:6443 check

      backend talos_controlplane                                
        option httpchk GET /healthz                           
        http-check expect status 200                          
        mode tcp                                              
        option ssl-hello-chk                                  
        balance     roundrobin                                
        server worker1 10.1.1.61:50000 check  
        server worker2 10.1.1.62:50000 check
        server worker3 10.1.1.63:50000 check   
    '';
  };

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
  };

  # 1Password Connect API and Sync services
  virtualisation.podman = {
    enable = true;

    # `docker` alias for podman
    dockerCompat = true;

    # Required for podman-compose so pods can talk to each other.
    defaultNetwork.settings.dns_enabled = true;

  };

  virtualisation.oci-containers.containers = {
    onepassword-connect-api = {
      image = "docker.io/1password/connect-api:1.7.2";
      autoStart = true;
      ports = [ "8080:8080" ];
      volumes = [
        "${config.sops.secrets."1password-credentials.json".path}:/home/opuser/.op/1password-credentials.json"
        "/var/lib/onepassword-connect:/home/opuser/.op/data"
      ];
    };

    onepassword-connect-sync = {
      image = "docker.io/1password/connect-sync:1.7.2";
      autoStart = true;
      ports = [ "8081:8080" ];
      volumes = [
        "${config.sops.secrets."1password-credentials.json".path}:/home/opuser/.op/1password-credentials.json"
        "/var/lib/onepassword-connect:/home/opuser/.op/data"
      ];
    };
  };

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  networking.firewall.enable = false;
  system.stateVersion = "24.05"; # Did you read the comment?

}