


7 Commits

15 changed files with 146 additions and 26 deletions

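--- /dev/null
+++ b/hosts/defiant/backup.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, lib, ... }:
+{
+services.borgbackup.jobs =
+let
+borgJob = name: {
+environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
+environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
+repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
+compression = "auto,zstd";
+};
+in {
+postgresDaily = borgJob "postgres::daily" // {
+paths = "/data/backup/postgresql";
+startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
+extraInitArgs = "--storage-quota 10G";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+};
+};
+postgresWeekly = borgJob "postgres::weekly" // {
+paths = "/data/backup/postgresql";
+startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
+extraInitArgs = "--storage-quota 10G";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+};
+};
+gitea = borgJob "gitea::weekly" // {
+paths = "/tank/services/gitea";
+startAt = "Mon *-*-* 05:15:00";
+extraInitArgs = "--storage-quota 20G";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
+};
+};
+minecraft = borgJob "minecraft::weekly" // {
+paths = "/var/lib/minecraft-wack";
+startAt = "weekly";
+extraInitArgs = "--storage-quota 20G";
+encryption.mode = "none";
+preHook = ''
+${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
+'';
+postHook = ''
+${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
+'';
+};
+};
+# TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
+sops.secrets."borg/postgres" = { };
+sops.secrets."borg/gitea" = { };
+}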
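Review bot: The minecraft preHook and postHook pass the RCON password on the mcrcon command line (`mcrcon -p wack …`), which makes it readable to every local user through the process list while the command runs; mcrcon also reads `MCRCON_PASS` from the environment, so the hook can export it from a sops-managed file instead of interpolating the literal. That same job is the only one with `encryption.mode = "none"`, leaving the world data in clear on the remote repository while every other job uses `repokey-blake2`; if that is deliberate, a comment saying so would stop the next reader from treating it as an oversight. None of the jobs sets `prune.keep`, so archives accumulate until `--storage-quota` is reached and new runs start failing; the same applies to hosts/voyager/backup.nix in this compare. In repokey mode the key lives, passphrase-protected, inside the repository, so losing the sops-managed passphrase makes the archives unrecoverable; keeping a `borg key export` of each repository offline guards against that.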


@ -8,6 +8,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
# Infrastructure # Infrastructure
./backup.nix
./libvirt.nix ./libvirt.nix
./services/nginx.nix ./services/nginx.nix
./services/pihole.nix ./services/pihole.nix


@ -58,5 +58,7 @@ in {
systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work"; systemd.services.gitea.serviceConfig.WorkingDirectory = lib.mkForce "${cfg.stateDir}/work";
services.postgresqlBackup.databases = [ "gitea" ];
networking.firewall.allowedTCPPorts = [ sshPort ]; networking.firewall.allowedTCPPorts = [ sshPort ];
} }


@ -95,6 +95,8 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "hedgedoc" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
listen = [ listen = [
{ addr = "192.168.10.175"; port = 43443; ssl = true; } { addr = "192.168.10.175"; port = 43443; ssl = true; }


@ -72,6 +72,8 @@
}; };
}; };
services.postgresqlBackup.databases = [ "matrix-synapse" ];
services.redis.servers."".enable = true; services.redis.servers."".enable = true;
services.nginx.virtualHosts."matrix.feal.no" = { services.nginx.virtualHosts."matrix.feal.no" = {


@ -71,4 +71,8 @@ in {
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [
cfg.configuration.server.http_listen_port
];
} }
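Review bot: `networking.firewall.allowedTCPPorts` opens `cfg.configuration.server.http_listen_port` on every interface, which exposes the service to whatever networks this host is attached to; if only a specific peer needs to reach it, `networking.firewall.interfaces.<name>.allowedTCPPorts` or an nginx vhost with TLS in front keeps the scope tighter. The file name is not shown on this page, so I cannot tell whether the service behind that port authenticates its clients; a comment naming the intended consumer (`# opened for <client host>`) would make the intent reviewable. The enclosing attribute set starts above this hunk.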


@ -3,7 +3,6 @@ let
cfg = config.services.microbin; cfg = config.services.microbin;
domain = "p.feal.no"; domain = "p.feal.no";
address = "127.0.1.2"; address = "127.0.1.2";
max_upload_mb = 1024;
port = 5006; port = 5006;
in { in {
@ -14,14 +13,13 @@ in {
MICROBIN_BIND = address; MICROBIN_BIND = address;
MICROBIN_DISABLE_TELEMETRY = true; MICROBIN_DISABLE_TELEMETRY = true;
MICROBIN_ENABLE_BURN_AFTER = true; MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_ETERNAL_PASTA = true;
MICROBIN_FOOTER_TEXT = "Be nice or go away"; MICROBIN_FOOTER_TEXT = "Be nice or go away";
MICROBIN_MAX_FILE_SIZE_ENCRYPTED_MB = max_upload_mb; MICROBIN_NO_FILE_UPLOAD = true;
MICROBIN_MAX_FILE_SIZE_UNENCRYPTED_MB = max_upload_mb; MICROBIN_NO_LISTING = true;
MICROBIN_PORT = port; MICROBIN_PORT = port;
MICROBIN_PUBLIC_PATH = "https://${domain}/"; MICROBIN_PUBLIC_PATH = "https://${domain}/";
MICROBIN_QR = true; MICROBIN_QR = true;
MICROBIN_TITLE = "felixalbs pasta collection"; MICROBIN_TITLE = "Temporary pasta collection";
}; };
}; };
@ -36,10 +34,6 @@ in {
{ addr = "192.168.10.175"; port = 43080; ssl = false; } { addr = "192.168.10.175"; port = 43080; ssl = false; }
]; ];
extraConfig = ''
client_max_body_size ${toString max_upload_mb}M;
'';
locations."/" = { locations."/" = {
proxyPass = "http://${address}:${toString port}"; proxyPass = "http://${address}:${toString port}";
}; };


@ -6,10 +6,12 @@
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
# enable = true; enable = true;
location = "/data/backup/postgresql/"; location = "/data/backup/postgresql/";
startAt = "*-*-* 03:15:00"; startAt = "*-*-* 03:15:00";
backupAll = true;
# Each service is registered in its own configuration file
databases = [ ];
}; };
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];


@ -35,6 +35,8 @@ in {
}]; }];
}; };
services.postgresqlBackup.databases = [ "vaultwarden" ];
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;

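--- /dev/null
+++ b/hosts/voyager/backup.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+{
+services.borgbackup.jobs =
+let
+borgJob = name: {
+environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
+environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
+repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
+compression = "auto,zstd";
+};
+in {
+postgresDaily = borgJob "postgres::daily" // {
+paths = "/var/backup/postgres";
+startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
+extraInitArgs = "--storage-quota 10G";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+};
+};
+postgresWeekly = borgJob "postgres::weekly" // {
+paths = "/var/backup/postgres";
+startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
+extraInitArgs = "--storage-quota 10G";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+};
+};
+transmission = borgJob "transmission::weekly" // {
+paths = "/var/lib/transmission";
+startAt = "weekly";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
+};
+};
+# TODO: kanidm, timemachine, calibre(?), nextcloud
+};
+sops.secrets."borg/postgres" = { };
+sops.secrets."borg/transmission" = { };
+}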
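Review bot: The two postgres jobs back up `/var/backup/postgres`, but the NixOS default for `services.postgresqlBackup.location` is `/var/backup/postgresql`, and the voyager postgresql.nix hunks on this page do not show `location` being set; if it is not overridden elsewhere, borg archives a path that does not exist and the dumps are never backed up. Confirm against this host's `services.postgresqlBackup.location`, or derive the path from it so the two cannot drift: `paths = config.services.postgresqlBackup.location;`. The transmission job has no `extraInitArgs = "--storage-quota …"` unlike the other jobs, so that repository is unbounded on the NAS.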


@ -6,9 +6,9 @@
../../base.nix ../../base.nix
../../common/metrics-exporters.nix ../../common/metrics-exporters.nix
./hardware-configuration.nix ./hardware-configuration.nix
./filesystems.nix ./backup.nix
# ./wireguard.nix
./exports.nix ./exports.nix
./filesystems.nix
./services/snappymail.nix ./services/snappymail.nix
./services/calibre.nix ./services/calibre.nix


@ -10,7 +10,10 @@
supportedFilesystems = [ "zfs" ]; supportedFilesystems = [ "zfs" ];
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
}; };
services.zfs.autoScrub.enable = true; services.zfs.autoScrub = {
enable = true;
interval = "Sun *-*-8..14 00:00:00";
};
# Network mounts (import) # Network mounts (import)
fileSystems = { fileSystems = {


@ -4,16 +4,10 @@
enable = true; enable = true;
/* enableTCPIP = true; # Expose on the network */ /* enableTCPIP = true; # Expose on the network */
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
local gitea all ident map=gitea-users
local vaultwarden all ident map=vaultwarden-users
local all all trust local all all trust
host all all 127.0.0.1/32 trust host all all 127.0.0.1/32 trust
host all all ::1/128 trust host all all ::1/128 trust
''; '';
identMap = ''
gitea-users gitea gitea
vaultwarden-users vaultwarden vaultwarden
'';
}; };
services.postgresqlBackup = { services.postgresqlBackup = {
@ -23,7 +17,6 @@
backupAll = true; backupAll = true;
}; };
environment.systemPackages = [ config.services.postgresql.package ]; environment.systemPackages = [ config.services.postgresql.package ];
} }
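Review bot: With the two ident-mapped rules removed, the first matching `local` rule for every unix-socket connection is `local all all trust` (a context line in the first hunk), so any local process can open a session as any role, including the superuser, without authenticating; `host all all 127.0.0.1/32 trust` and the `::1/128` line do the same for loopback TCP. If the remaining local services connect as their own unix users, `local all all peer` keeps them working while tying the database role to the OS user, and the loopback rules can use `scram-sha-256` with per-service passwords. The `services.postgresql` attribute set starts above the hunk, so check that no earlier rule in `authentication` already narrows this.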


@ -6,7 +6,10 @@ hedgedoc:
vaultwarden: vaultwarden:
admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str] admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str]
microbin: microbin:
secrets: ENC[AES256_GCM,data:GaEbiNENeLnVrqcJBHCks844WiYtVmU3yeGTLdrhPhPCfdgMiGst2nwIeTAGxqcy2Wn3Jo6hsGsHaGnFVgZ8+6Ej8rAU2Q==,iv:0EPKzBU/iy8YWZhJDF/iPCpfOneiLgf27XHby89RvB8=,tag:4oNhGEFjz4GylUXH/UuF+Q==,type:str] secrets: ENC[AES256_GCM,data:B2yOSEXFyge7fgphtKcy8CjaeEiwmHAxgGoiqa4lmQtRtnxy5UuH3dFuCXHvbd3n6YA24zX3ANIQpj6ilT4I96+P+L9TjA==,iv:3mryQf3GdKCqBkLsfyqJk5ZN+/gOEbL/LmEzreINGME=,tag:YD8uvkS23c5B7J9srRrU9w==,type:str]
borg:
postgres: ENC[AES256_GCM,data:vwfLF2qkUMl9b/4oYVm+pzfbbw==,iv:+QlTXjowne2d+ufw9YbhgaAIVvYg78LkMS0BqfPwoRI=,tag:JAbR3/DbYp+vRApJteg4zA==,type:str]
gitea: ENC[AES256_GCM,data:GIZ/wkzEkm6DUZETv8GpXd8k5w==,iv:MLnVtrev+poT+3D5+o5UV8FBQWpvqlYAkcXMF53bKJw=,tag:89zkLJNZw04ZPyqvpspgsw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -31,8 +34,8 @@ sops:
RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-21T21:11:56Z" lastmodified: "2024-03-08T00:37:40Z"
mac: ENC[AES256_GCM,data:NBmL+eOcavjU/xhQZtDvuJvvG+wXjU+PGayaNuTDdbo4zk1j8twoVrLCSOLVZuCFO88/2YEtmMJkNOEsPO2hbDhJl5k20g1880rQt4LhPn5sdHyxzrPL3ehDWNLyZy+JMl0SbDI/yjNRH/jX7UxjcBjMCW4WVQpqFK2na20PYfI=,iv:A9h6ziIZUDbtzTmTeSFYZcBKQ1KMkEkQe7PW6ahW/XQ=,tag:VfYygPnzeTMDUXyyNlCcZg==,type:str] mac: ENC[AES256_GCM,data:2S6Z4ZqffGA5Clz+h4J44s7yhb6lMFdUq9KpE4IJUu2cgJyD1Zsh0i1Z1ZwTiD7MH+F1UUMyVhBYk6Fkm1UY07wmDLodNkKfpKRnU2EGa4+yQudin2QHsId+k3C2iAI1UtGlL5Vi00p5VZfihuntcAbwn63RZriCrKn0ayzTQKw=,iv:bwQECQCQghG0DTeWrg73IlFwmz8Fob2ftLKM3kaKOE4=,tag:8HXjvNnzqmIprsXd5d/SmA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -12,6 +12,9 @@ transmission:
vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str] vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
nextcloud: nextcloud:
adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str] adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
borg:
transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str]
postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -45,8 +48,8 @@ sops:
NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw== 4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-08T13:44:57Z" lastmodified: "2024-03-07T23:59:51Z"
mac: ENC[AES256_GCM,data:oy6uBKFDm7J70OZuZtCziKeNkV5u9/RabGF2gXOONeHqFD/9jXhHsWIrDYrgwHPCyauJyAZqwnw/+wNUMNUzk25rM1iBaBJg0+mjUnFGBEhrAUJu8hSHl2EAHEauhzPqRS0L7bew75FmuGs56Wo58DkdvdnCjjs3XIAOj8kjv/g=,iv:/rbPS8xANKV9sSC7e1OAQuIeJK7OtlUMggxN/RW+GLs=,tag:5kE7m7ZrfIPF+ulCsiPLVQ==,type:str] mac: ENC[AES256_GCM,data:tRsHevzZTnfIqjqJI2lqbUCoFrNq8Hb7hyZKt41A1XUrd54BiqHhhPqXwp2HN7KmdxXWdnXBRGZEkNVfocGbi2gFV5IhW1oh+VRMnBLvDriqDbj6nh87wZ0OEZNLDuz/MjMaL3UIgMNzxFnjM47QNgt9oj9fXenfuFYitlwCw58=,iv:nL5vhy370eqVEHRk6jrm1mjPcHet0RN9txD9lTMi0Qo=,tag:4TvH2N8jm+AJLr/Pp6jgOA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1