This commit is contained in:
xyno (Philipp Hochkamp) 2023-09-14 15:50:04 +02:00
parent 0342390b6f
commit 91259d02e7
11 changed files with 154 additions and 99 deletions


@ -25,9 +25,9 @@ in
services.syncthing.enable = true;
services.syncthing.user = "ragon";
ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; };
ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { owner = config.services.syncoid.user; mode = "444"; };
ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; };
ragon.agenix.secrets."ds9OffsiteBackupSSH" = { };
ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { };
ragon.agenix.secrets."gatebridgeHostKeys" = { };
ragon.agenix.secrets."borgmaticEncryptionKey" = { };
# services.syncoid =
# let
@ -79,7 +79,7 @@ in
};
exclude_if_present = [ ".nobackup" ];
encryption_passcommand = "cat ${config.age.secrets.borgmaticEncryptionKey.path}";
compression = "zstd,10";
compression = "auto,zstd,10";
upload_rate_limit = "4000";
ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}";
before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ];
@ -130,22 +130,16 @@ in
boot.kernel.sysctl."fs.inotify.max_user_instances" = 512;
services.openssh.sftpServerExecutable = "internal-sftp";
services.openssh.extraConfig = ''
Match User picardbackup
ChrootDirectory ${config.users.users.picardbackup.home}
ForceCommand internal-sftp
AllowTcpForwarding no
'';
# Backup Target
users.users.picardbackup = {
createHome = false;
group = "users";
uid = 993;
home = "/backups/restic/picard";
home = "/backups/picard";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0"
''command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0''
];
};
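Review bot: The forced command on the new authorized_keys line (`borg serve --restrict-to-path /backups/picard/`, with `restrict`) confines the client to the repository path but still lets a compromised picard delete or overwrite every archive on ds9, since nothing prevents `borg delete`/`prune`/`compact` from the client side. If the goal of the offsite copy is recovery after the source host is compromised, consider `command="${pkgs.borgbackup}/bin/borg serve --restrict-to-path /backups/picard/ --append-only",restrict ssh-ed25519 …` and run compaction from the ds9 side; note that with append-only the client's prune only records deletions until the server compacts, so the retention policy in the borgmatic config would need to be applied on ds9. Separately, the `ssh_command` at the top of this section only pins `GlobalKnownHostsFile`; root's own `~/.ssh/known_hosts` is still consulted and `StrictHostKeyChecking` is left at its default, so adding `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/dev/null` would make the agenix-managed host-key file the sole trust source. The `services.openssh`/`users.users` attrset this hunk edits starts before and ends after the visible lines.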


@ -42,10 +42,6 @@
users.mutableUsers = false;
services.postgresql.package = pkgs.postgresql_13;
ragon.agenix.secrets."picardResticPassword" = { };
ragon.agenix.secrets."picardResticSSHKey" = { };
ragon.agenix.secrets."picardResticHealthCheckUrl" = { };
ragon.agenix.secrets."picardSlidingSyncSecret" = { };
services.nginx.recommendedOptimisation = true;
@ -76,14 +72,15 @@
];
credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
};
ragon.agenix.secrets."desec" = { };
security.acme.certs."xyno.systems" = {
dnsProvider = "ionos";
dnsProvider = "desec";
dnsResolver = "1.1.1.1:53";
group = "nginx";
extraDomainNames = [
"*.xyno.systems"
];
credentialsFile = "${config.age.secrets.cloudflareAcme.path}";
credentialsFile = "${config.age.secrets.desec.path}";
};
services.nginx.appendHttpConfig = ''
@ -111,38 +108,36 @@
access_log /var/log/nginx/access.log anonymized;
'';
services.restic.backups."picard" = {
passwordFile = config.age.secrets.picardResticPassword.path;
extraOptions = [
"sftp.command='ssh picardbackup@ds9 -i ${config.age.secrets.picardResticSSHKey.path} -s sftp'"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
initialize = true;
repository = "sftp:picardbackup@ds9:/restic";
paths = [
"/persistent"
];
};
systemd.services.restic-backups-picard = {
# ExecStartPost commands are only run if the ExecStart command succeeded
serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" ''
${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})
'';
unitConfig.OnFailure = "backupFailure.service";
};
systemd.services.backupFailure = {
ragon.agenix.secrets."picardResticPassword" = { };
ragon.agenix.secrets."picardResticSSHKey" = { };
ragon.agenix.secrets."picardResticHealthCheckUrl" = { };
ragon.agenix.secrets."picardSlidingSyncSecret" = { };
services.borgmatic = {
enable = true;
script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail";
configurations."picard-ds9" = {
location = {
source_directories = [ "/persistent" ];
repositories = [ "picardbackup@ds9:/backups/picard/borgmatic" ];
};
exclude_if_present = [ ".nobackup" ];
encryption_passcommand = "cat ${config.age.secrets.picardResticPassword.path}";
compression = "auto,zstd,10";
ssh_command =
let
pks = import ../../data/pubkeys.nix;
hst = pks.ragon.host "ds9";
lst = map (h: "daedalus ${h}") hst;
s = lib.concatStringsSep "\n" lst;
fl = pkgs.writeText "ds9-offsite-ssh-known-hosts" s;
in
"ssh -o GlobalKnownHostsFile=${fl} -i ${config.age.secrets.picardResticSSHKey.path}";
before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/start" ];
after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})" ];
on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.picardResticHealthCheckUrl.path})/fail" ];
postgresql_databases = [ "all" ];
};
};
nixpkgs.overlays = [
(self: super: {
zfs = super.zfs.override { enableMail = true; };
@ -163,7 +158,8 @@
gitlab.enable = false; # TODO gitlab-runner
synapse.enable = true;
tailscale.enable = true;
hedgedoc.enable = false;
hedgedoc.enable = true;
authelia.enable = true;
ts3.enable = true;
nginx.enable = true;
nginx.domain = "ragon.xyz";
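Review bot: In the new `ssh_command` of the borgmatic hunk, the generated known_hosts file keys every entry on the hostname `daedalus` (`lst = map (h: "daedalus ${h}") hst;`) while the repository is addressed as `picardbackup@ds9`; ssh matches known_hosts entries against the name given on the command line, so unless an ssh_config `Host ds9` stanza with `HostKeyAlias daedalus` exists elsewhere (not visible here) these pinned keys will never match and verification will fall back to root's `~/.ssh/known_hosts` or fail outright in the non-interactive service. The minimal fix is `lst = map (h: "ds9 ${h}") hst;` (or whatever name ssh actually resolves), and adding `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/dev/null` to the `ssh` invocation so the Nix-store file is the only accepted trust source. A smaller nit on the same hunk: every curl health-check call uses `-fss`, which is `-f -s -s`; `-fsS` is presumably intended so that failures are still reported to the journal while progress output stays quiet. The `services.borgmatic` attrset and the surrounding module body extend beyond the visible lines of that hunk.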