torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions 1 Packages Projects 1 Releases Wiki Activity
Files
8b0a4ea33abcafe1faad98038857bf74fad2db44
nixos-servers/services/ns/master-authorative.nix
Torjus Håkestad 0700033c0a secrets: migrate all hosts from sops to OpenBao vault 
Replace sops-nix secrets with OpenBao vault secrets across all hosts.
Hardcode root password hash, add extractKey option to vault-secrets
module, update Terraform with secrets/policies for all hosts, and
create AppRole provisioning playbook.

Hosts migrated: ha1, monitoring01, ns1, ns2, http-proxy, nix-cache01
Wave 1 hosts (nats1, jelly01, pgdb1) get AppRole policies only.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 18:43:09 +01:00

49 lines
1.1 KiB
Nix
Raw Blame History

{ self, lib, ... }:
let
dnsLib = import ../../lib/dns-zone.nix { inherit lib; };
externalHosts = import ./external-hosts.nix;
# Generate zone from flake hosts + external hosts
# Use lastModified from git commit as serial number
zoneData = dnsLib.generateZone {
inherit self externalHosts;
serial = self.sourceInfo.lastModified;
domain = "home.2rjus.net";
};
in
{
vault.secrets.ns-xfer-key = {
secretPath = "shared/dns/xfer-key";
extractKey = "key";
outputDir = "/etc/nsd/xfer.key";
services = [ "nsd" ];
};
networking.firewall.allowedTCPPorts = [ 8053 ];
networking.firewall.allowedUDPPorts = [ 8053 ];
services.nsd = {
enable = true;
port = 8053;
ipv6 = false;
verbosity = 2;
identity = "home.2rjus.net server";
interfaces = [ "0.0.0.0" ];
keys = {
"xferkey" = {
algorithm = "hmac-sha256";
keyFile = "/etc/nsd/xfer.key";
};
};
zones = {
"home.2rjus.net" = {
provideXFR = [ "10.69.13.6 xferkey" ];
notify = [ "10.69.13.6@8053 xferkey" ];
data = zoneData;
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink