diff --git a/systems/jeeves/docker/default.nix b/systems/jeeves/docker/default.nix
index 514c522..41d7fa6 100644
--- a/systems/jeeves/docker/default.nix
+++ b/systems/jeeves/docker/default.nix
@@ -6,5 +6,17 @@
     ./postgresql.nix
   ];
 
+  users = {
+    users.docker-service = {
+      isSystemUser = true;
+      group = "docker-service";
+      extraGroups = [ "docker" ];
+      uid = 600;
+    };
+    groups.docker-service = {
+      gid = 600;
+    };
+  };
+
   virtualisation.oci-containers.backend = "docker";
 }
diff --git a/systems/jeeves/docker/haproxy.cfg b/systems/jeeves/docker/haproxy.cfg
new file mode 100644
index 0000000..3a325ec
--- /dev/null
+++ b/systems/jeeves/docker/haproxy.cfg
@@ -0,0 +1,43 @@
+global
+    log stdout format raw local0
+    # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+    stats timeout 30s
+
+defaults
+    log global
+    mode http
+    timeout client 10s
+    timeout connect 5s
+    timeout server 10s
+    timeout http-request 10s
+
+
+#Application Setup
+frontend ContentSwitching
+    bind *:80
+    bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+    mode http
+    # tmmworkshop.com
+    acl host_mirror hdr(host) -i mirror.tmmworkshop.com
+    acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
+    acl host_grafana hdr(host) -i grafana.tmmworkshop.com
+
+    use_backend mirror_nodes if host_mirror
+    use_backend dndrules_nodes if host_dndrules
+    use_backend grafana_nodes if host_grafana
+
+backend mirror_nodes
+    mode http
+    server server arch_mirror:80
+
+backend mirror_rsync
+    mode http
+    server server arch_mirror:873
+
+backend grafana_nodes
+    mode http
+    server server grafana:3000
+
+backend dndrules_nodes
+    mode http
+    server server dnd_file_server:80
diff --git a/systems/jeeves/docker/postgresql.nix b/systems/jeeves/docker/postgresql.nix
index 938846f..469b9ac 100644
--- a/systems/jeeves/docker/postgresql.nix
+++ b/systems/jeeves/docker/postgresql.nix
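Review bot: `extraGroups = [ "docker" ];` on the new `docker-service` account grants it the Docker socket, which is root-equivalent on this host, yet nothing in this commit runs a process as that user — it only appears as the `owner` of sops-managed secret files in web.nix — so the membership adds privilege with no visible consumer. Drop the line unless a service is actually launched under this uid, and if one is, say so next to the definition, e.g. `# owns decrypted sops secrets read by the oci-containers units; needs no docker socket access`. Pinning uid/gid 600 is fine for a system account, but a one-line comment on why the number is fixed (presumably so bind-mounted files keep a stable owner across rebuilds) would help the next reader.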
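Review bot: `bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem` terminates TLS with no minimum protocol version or cipher policy, so whatever the HAProxy/OpenSSL build defaults to applies, which on older builds still admits TLS 1.0/1.1; add `ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets` to the `global` section. `bind *:80` serves every backend in clear text with no redirect — if port 80 is only meant to bootstrap, add `http-request redirect scheme https unless { ssl_fc }` to the frontend, otherwise leave a comment on why plaintext is acceptable (the Cloudflare tunnel configured in web.nix presumably fronts this proxy, but the config does not show that). `backend mirror_rsync` is never named by any `use_backend` and declares `mode http` against the rsync port 873, so it is dead config at best and a mis-typed proxy at worst; remove it, or serve it from a separate `mode tcp` frontend. With no `default_backend`, an unmatched Host header gets a 503, which is the right deny-by-default behaviour and deserves a comment saying it is intentional.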
@@ -21,7 +21,7 @@
         POSTGRES_DB = "archive";
         POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
       };
-      environmentFiles = [ config.sops.secrets."postgres".path ];
+      environmentFiles = [ config.sops.secrets."docker/postgres".path ];
       autoStart = true;
       user = "postgres:postgres";
     };
@@ -29,6 +29,6 @@
 
   sops = {
     defaultSopsFile = ../secrets.yaml;
-    secrets."postgres".owner = "postgres";
+    secrets."docker/postgres".owner = "postgres";
   };
 }
diff --git a/systems/jeeves/docker/web.nix b/systems/jeeves/docker/web.nix
index 97d4d27..d58b9e4 100644
--- a/systems/jeeves/docker/web.nix
+++ b/systems/jeeves/docker/web.nix
@@ -1,3 +1,4 @@
+{ config, ... }:
 {
   virtualisation.oci-containers.containers = {
     grafana = {
@@ -34,7 +35,7 @@
       };
       volumes = [
         "/zfs/media/docker/cloudflare.pem:/etc/ssl/certs/cloudflare.pem"
-        "/zfs/media/docker/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
+        "/root/nix-dotfiles/systems/jeeves/docker/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg"
       ];
       dependsOn = [
         "grafana"
@@ -50,10 +51,19 @@
         "tunnel"
         "run"
       ];
-      environmentFiles = [ "/zfs/media/docker/cloudflare_tunnel.env" ];
+      environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel:".path ];
       dependsOn = [ "haproxy" ];
       extraOptions = [ "--network=web" ];
       autoStart = true;
     };
   };
+
+  sops = {
+    defaultSopsFile = ../secrets.yaml;
+    secrets."docker/cloud_flare_tunnel:".owner = "docker-service";
+    secrets."docker/haproxy_cert:" = {
+      owner = "docker-service";
+      path = "/zfs/media/docker/test_cloudflare.pem";
+    };
+  };
 }
diff --git a/systems/jeeves/secrets.yaml b/systems/jeeves/secrets.yaml
index 7bdad99..179f41c 100644
--- a/systems/jeeves/secrets.yaml
+++ b/systems/jeeves/secrets.yaml
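Review bot: The haproxy config is now bind-mounted from `/root/nix-dotfiles/systems/jeeves/docker/haproxy.cfg`, a mutable git checkout under root's home, so what the container runs depends on the state of that working tree at start time rather than on the evaluated NixOS configuration, and a rebuild from any other checkout location silently breaks the mount. Reference the file from the module so it is copied into the Nix store and pinned to the generation: `"${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg:ro"`. Neither this mount nor the `cloudflare.pem` mount above it is `:ro`, so a compromised proxy container can rewrite its own config and the origin certificate on the host; mark both read-only. The enclosing container attribute set (presumably the `haproxy` container that the tunnel's `dependsOn` names) starts outside this hunk.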
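Review bot: The sops keys are referenced with a trailing colon — `secrets."docker/cloud_flare_tunnel:"` and `secrets."docker/haproxy_cert:"` — but secrets.yaml in this same commit defines them as `docker.cloud_flare_tunnel` and `docker.haproxy_cert`, so sops-nix will look up a key that does not exist and the tunnel container never receives its token (most likely the activation fails outright). The three references should read `config.sops.secrets."docker/cloud_flare_tunnel".path`, `secrets."docker/cloud_flare_tunnel".owner = "docker-service";` and `secrets."docker/haproxy_cert" = {`. The decrypted certificate is written to `/zfs/media/docker/test_cloudflare.pem` while the haproxy `volumes` entry earlier in this file still mounts `/zfs/media/docker/cloudflare.pem`, so the sops-managed copy is not the one actually served; point `path` at the mounted name, or mount the secret's path, once the test is done. The old plaintext `/zfs/media/docker/cloudflare_tunnel.env` is no longer referenced but nothing removes it from disk — delete it, and since the token sat unencrypted on disk consider rotating the tunnel credential in Cloudflare.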
@@ -1,4 +1,7 @@
-postgres: ENC[AES256_GCM,data:OqV8CH0ULLuKL3cIno1pGIGZKEY4Ox9t/lQ9/w/O98vGNWFC6lnh2m+m+O8q4VRdwKvPTLBXzTHA,iv:kFXNJaSigTD/1PZeB/oiijxXjhtHLd14h+jcTDOLZ6I=,tag:Hp8zfs5mtpOgDd6KiD9fxQ==,type:str]
+docker:
+    postgres: ENC[AES256_GCM,data:IpXIrRDzyGFjDz908w1NNb0GBna/ce9lCtOkXrpUfyllsTWca6AeqaRo23bL4jfFGfHn0Zf9okLO,iv:IwO7vJJHFfm0SGcJETpWtdhr41jPddN9nuVAH/Ooa7Y=,tag:xstwPvpvkNOZucxvzq2+ag==,type:str]
+    cloud_flare_tunnel: ENC[AES256_GCM,data:O4LATPE4iFZyYL8YROMUAOY8b3r5RKg3OgWTng47Y+sCDGPN7+fkXxwP6aThAFRQdUvt8dw7XM8SEI6CupDsNYCHrMUzgFsCi1Fk3HnG0hGZIgl7rDFLU+ueKVi0TQIOi8ooK7gBwCn25A8fPmR2+hDeNKBRMotqty+tpge/xWOpHePzayKLidyevdc8Ha775sbWuBas5U+uy3eWeOeUrnmaO1QqzZwfX7UjMMXVdsBGeOLG9QC8tiy1cps9ZlvuBpafVgbSdw==,iv:1948RXXwIudqykInRG/1mp7ZPSzfkLsSj59re+RRPo0=,tag:Oa1RNWjewdV7aQx9djIzIg==,type:str]
+    haproxy_cert: ENC[AES256_GCM,data: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,iv:W4RyDZyIkSrOOgd4to37A6gKm0v1Z9lVjMzcERVJGC0=,tag:0HFBoTys09y2Xt7AqEFFQA==,type:str]
 zfs:
     backup_key: ENC[AES256_GCM,data:sJzR/DfM6+tmmcewZT+NAJk0gj8wmU43QfFCRCj9+2GITOS8suRL7E5rHTherCZgRe79T90ikM97bYf9RbZdtQ==,iv:j8F3BG/hh7UK3kC+pB6WO0OHlSSHn0jo90AgaTdpyNY=,tag:5hraDn8YqS/q57y26AXwjw==,type:str]
     docker_key: ENC[AES256_GCM,data:HiW+3IYJCgqg9HJmPYQinhb6kWJouORABKniryY5e35tf8BQGKn1ldgj4Dw+79SYmvIUbf4ZSja0Ziz1isKTWA==,iv:6vBtbIlTHC+PUgyXYb92SnMTuWd8jCaEzZ3Vmv2QHhA=,tag:izKWtAQWRfn5tAYKyOO+ZQ==,type:str]
@@ -25,8 +28,8 @@ sops:
             bVhXamJyMWMvODUvajk2aDZnQ1k1blEKoNIYxUA+k+DA+1WYq5BSa0iXuQ2Lctuy
             9W7OO2m+QGzjdLLM0uS7WWGXWP2cDDgUGcqozTqM0Oqi2/OY0Bo3Jg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-06-19T22:15:57Z"
-    mac: ENC[AES256_GCM,data:FLbbRez083ACStzNH3Elfej7jGlI2x/h5tq2NmqVMn8eyt5MkhWG2TDFwHXya5lpu+ZoaeGrvMgPDmpD2j1GNmlts6D735VR7RuYz7hqckxyqIcQSUVOPhR+yeOoV3Br2sfnn/ABLr+McljEmEj+TLhOw8tVEPXxGDBkIYRYnYE=,iv:iOaXC7Mrj2F/zY2wAgH/GbU+Q/fk9eMwVUvilBwt8Fo=,tag:gE20QJyhaj+cX2RzrH3l1Q==,type:str]
+    lastmodified: "2024-06-22T01:19:52Z"
+    mac: ENC[AES256_GCM,data:rTKW0ENLZgPbiJgvX+WXuKY7Eq1goBrka1Lw3N5ZxAiH/a2s14lpNHC1rp9t+pW/KSCEv7DeVzHb/zx8F1vztdRSjZgsTw/C7qjjE2jA34nLBYYPelPtpYbXCrzoGrChL9PVU+wh8kHb+X6WVfJo3oKKGG5Cca4MD1ojSnPdDN4=,iv:xLH5weSYmN/SUcwjLAJaER4J0Frb++z9A/s1gDLCOjA=,tag:3vAtqQEQL1YsLLbIDIw/7g==,type:str]
     pgp:
         - created_at: "2024-03-02T20:52:17Z"
           enc: |-