Re-initialize backups on beefcake

This commit is contained in:
Daniel Flanagan 2024-09-11 11:57:27 -05:00
parent 0ff4336088
commit 352e3d72a2
3 changed files with 273 additions and 278 deletions

View file

@ -1218,7 +1218,7 @@
programs.senpai = { programs.senpai = {
enable = true; enable = true;
config = { config = {
address = "irc+insecure://beefcake:6667"; address = "irc+insecure://beefcake.hare-cod.ts.net:6667";
nickname = "lytedev"; nickname = "lytedev";
password-cmd = ["pass" "soju"]; password-cmd = ["pass" "soju"];
}; };

View file

@ -999,7 +999,7 @@
}; };
time = { time = {
timeZone = lib.mkDefault "America/Chicago"; timeZone = "America/Chicago";
}; };
i18n = { i18n = {

View file

@ -21,7 +21,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
imports = [ imports = [
{ {
# hardware # hardware and boot module
networking.hostId = "541ede55"; networking.hostId = "541ede55";
boot = { boot = {
zfs = { zfs = {
@ -36,6 +36,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd.availableKernelModules = ["ehci_pci" "mpt3sas" "usbhid" "sd_mod"]; initrd.availableKernelModules = ["ehci_pci" "mpt3sas" "usbhid" "sd_mod"];
kernelModules = ["kvm-intel"]; kernelModules = ["kvm-intel"];
kernelParams = ["nohibernate"];
loader.systemd-boot.enable = true; loader.systemd-boot.enable = true;
loader.efi.canTouchEfiVariables = true; loader.efi.canTouchEfiVariables = true;
}; };
@ -68,11 +69,30 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# TODO: nfs with zfs? # TODO: nfs with zfs?
# services.nfs.server.enable = true; # services.nfs.server.enable = true;
} }
({
options,
config,
...
}: let
inherit (lib) mkOption types;
in {
options.services.restic.commonPaths = mkOption {
type = types.nullOr (types.listOf types.str);
default = [];
description = ''
Which paths to backup, in addition to ones specified via
`dynamicFilesFrom`. If null or an empty array and
`dynamicFilesFrom` is also null, no backup command will be run.
This can be used to create a prune-only job.
'';
example = [
"/var/lib/postgresql"
"/home/user/backup"
];
};
})
{ {
boot.kernelParams = ["nohibernate"]; # sops secrets config
}
{
# sops secrets stuff
sops = { sops = {
defaultSopsFile = ../secrets/beefcake/secrets.yml; defaultSopsFile = ../secrets/beefcake/secrets.yml;
age = { age = {
@ -80,80 +100,21 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
keyFile = "/var/lib/sops-nix/key.txt"; keyFile = "/var/lib/sops-nix/key.txt";
generateKey = true; generateKey = true;
}; };
secrets = {
# example-key = {
# # see these and other options' documentation here:
# # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it
# # set permissions:
# # mode = "0440";
# # owner = config.users.users.nobody.name;
# # group = config.users.users.nobody.group;
# # restart service when a secret changes or is newly initialized
# # restartUnits = [ "home-assistant.service" ];
# # symlink to certain directories
# path = "/var/lib/my-example-key/secrets.yaml";
# # for use as a user password
# # neededForUsers = true;
# };
# subdirectory
# "myservice/my_subdir/my_secret" = { };
# "jland.env" = {
# path = "/var/lib/jland/jland.env";
# # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
# mode = "0440";
# owner = config.users.users.daniel.name;
# group = config.users.groups.daniel.name;
# };
# "dawncraft.env" = {
# path = "/var/lib/dawncraft/dawncraft.env";
# # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
# mode = "0440";
# owner = config.users.users.daniel.name;
# group = config.users.groups.daniel.name;
# };
# plausible-admin-password = {
# # TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
# path = "/var/lib/plausible/plausible-admin-password";
# mode = "0440";
# owner = config.systemd.services.plausible.serviceConfig.User;
# group = config.systemd.services.plausible.serviceConfig.Group;
# };
# plausible-secret-key-base = {
# path = "/var/lib/plausible/plausible-secret-key-base";
# mode = "0440";
# owner = config.systemd.services.plausible.serviceConfig.User;
# group = config.systemd.services.plausible.serviceConfig.Group;
# };
# nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password";
restic-ssh-priv-key-benland = {mode = "0400";};
"forgejo-runner.env" = {mode = "0400";};
netlify-ddns-password = {mode = "0400";};
nix-cache-priv-key = {mode = "0400";};
restic-rascal-passphrase = {
mode = "0400";
}; };
restic-rascal-ssh-private-key = {
mode = "0400";
};
};
};
systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];
} }
{ {
sops.secrets = {
netlify-ddns-password = {mode = "0400";};
};
services.deno-netlify-ddns-client = { services.deno-netlify-ddns-client = {
passwordFile = config.sops.secrets.netlify-ddns-password.path; passwordFile = config.sops.secrets.netlify-ddns-password.path;
}; };
} }
{ {
# nix binary cache # nix binary cache
sops.secrets = {
nix-cache-priv-key = {mode = "0400";};
};
services.nix-serve = { services.nix-serve = {
enable = true; # TODO: true enable = true; # TODO: true
secretKeyFile = config.sops.secrets.nix-cache-priv-key.path; secretKeyFile = config.sops.secrets.nix-cache-priv-key.path;
@ -180,6 +141,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
systemd.services."build-lytedev-flake" = { systemd.services."build-lytedev-flake" = {
# TODO: might want to add root for the most recent results?
script = '' script = ''
# build self (main server) configuration # build self (main server) configuration
nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git --accept-flake-config nixos-rebuild build --flake git+https://git.lyte.dev/lytedev/nix.git --accept-flake-config
@ -193,7 +155,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# TODO: mkdir -p...? # TODO: mkdir -p...?
WorkingDirectory = "/home/daniel/.home/nightly-flake-builds"; WorkingDirectory = "/home/daniel/.home/nightly-flake-builds";
Type = "oneshot"; Type = "oneshot";
User = "daniel"; # might have to run as me for git ssh access to the repo User = "daniel";
}; };
}; };
@ -206,7 +168,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
} }
{ {
services.headscale = { services.headscale = {
enable = false; enable = false; # TODO: setup headscale?
address = "127.0.0.1"; address = "127.0.0.1";
port = 7777; port = 7777;
settings = { settings = {
@ -242,6 +204,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
networking.firewall.allowedUDPPorts = lib.mkIf config.services.headscale.enable [3478]; networking.firewall.allowedUDPPorts = lib.mkIf config.services.headscale.enable [3478];
} }
{ {
# TODO: I think I need to setup my account? wondering if this can be done in nix as well
services.restic.commonPaths = ["/var/lib/soju" "/var/lib/private/soju"];
services.soju = { services.soju = {
enable = true; enable = true;
listen = ["irc+insecure://:6667"]; listen = ["irc+insecure://:6667"];
@ -362,6 +327,8 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
# }; # };
# } # }
{ {
# nextcloud
# TODO: investigate https://carlosvaz.com/posts/the-holy-grail-nextcloud-setup-made-easy-by-nixos/
# services.postgresql = { # services.postgresql = {
# ensureDatabases = [ # ensureDatabases = [
# "nextcloud" # "nextcloud"
@ -382,119 +349,153 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
} }
{ {
# plausible # plausible
# ensureDatabases = ["plausible"]; services.postgresql = {
# ensureUsers = [ ensureDatabases = ["plausible"];
# { ensureUsers = [
# name = "plausible"; {
# ensureDBOwnership = true; name = "plausible";
# } ensureDBOwnership = true;
# ]; }
# users.users.plausible = { ];
# isSystemUser = true; };
# createHome = false; users.users.plausible = {
# group = "plausible"; isSystemUser = true;
# }; createHome = false;
# users.extraGroups = { group = "plausible";
# "plausible" = {}; };
# }; users.extraGroups = {
# services.plausible = { "plausible" = {};
# # TODO: enable };
# enable = true; services.plausible = {
# database = { enable = true;
# clickhouse.setup = true; database = {
# postgres = { clickhouse.setup = true;
# setup = false; postgres = {
# dbname = "plausible"; setup = false;
# }; dbname = "plausible";
# }; };
# server = { };
# baseUrl = "https://a.lyte.dev"; server = {
# disableRegistration = true; baseUrl = "https://a.lyte.dev";
# port = 8899; disableRegistration = true;
# secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path; port = 8899;
# }; secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
# adminUser = { };
# activate = false; adminUser = {
# email = "daniel@lyte.dev"; activate = false;
# passwordFile = config.sops.secrets.plausible-admin-password.path; email = "daniel@lyte.dev";
# }; passwordFile = config.sops.secrets.plausible-admin-password.path;
# }; };
# systemd.services.plausible = let };
# cfg = config.services.plausible; sops.secrets = {
# in { plausible-secret-key-base = {
# serviceConfig.User = "plausible"; owner = "plausible";
# serviceConfig.Group = "plausible"; group = "plausible";
# # since createdb is not gated behind postgres.setup, this breaks };
# script = lib.mkForce '' plausible-admin-password = {
# # Elixir does not start up if `RELEASE_COOKIE` is not set, owner = "plausible";
# # even though we set `RELEASE_DISTRIBUTION=none` so the cookie should be unused. group = "plausible";
# # Thus, make a random one, which should then be ignored. };
# export RELEASE_COOKIE=$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 20) };
# export ADMIN_USER_PWD="$(< $CREDENTIALS_DIRECTORY/ADMIN_USER_PWD )" systemd.services.plausible = {
# export SECRET_KEY_BASE="$(< $CREDENTIALS_DIRECTORY/SECRET_KEY_BASE )" serviceConfig.User = "plausible";
serviceConfig.Group = "plausible";
# ${lib.optionalString (cfg.mail.smtp.passwordFile != null) };
# ''export SMTP_USER_PWD="$(< $CREDENTIALS_DIRECTORY/SMTP_USER_PWD )"''} services.caddy.virtualHosts."a.lyte.dev" = {
extraConfig = ''
# # setup reverse_proxy :${toString config.services.plausible.server.port}
# ${ '';
# if cfg.database.postgres.setup };
# then "${cfg.package}/createdb.sh" }
# else "" {
# } # clickhouse
# ${cfg.package}/migrate.sh environment.etc = {
# export IP_GEOLOCATION_DB=${pkgs.dbip-country-lite}/share/dbip/dbip-country-lite.mmdb "clickhouse-server/users.d/disable-logging-query.xml" = {
# ${cfg.package}/bin/plausible eval "(Plausible.Release.prepare() ; Plausible.Auth.create_user(\"$ADMIN_USER_NAME\", \"$ADMIN_USER_EMAIL\", \"$ADMIN_USER_PWD\"))" text = ''
# ${lib.optionalString cfg.adminUser.activate '' <clickhouse>
# psql -d plausible <<< "UPDATE users SET email_verified=true where email = '$ADMIN_USER_EMAIL';" <profiles>
# ''} <default>
<log_queries>0</log_queries>
# exec plausible start <log_query_threads>0</log_query_threads>
# ''; </default>
# }; </profiles>
# services.caddy.virtualHosts."a.lyte.dev" = { </clickhouse>
# extraConfig = '' '';
# reverse_proxy :${toString config.services.plausible.server.port} };
# ''; "clickhouse-server/config.d/reduce-logging.xml" = {
# }; text = ''
<clickhouse>
<logger>
<level>warning</level>
<console>true</console>
</logger>
<query_thread_log remove="remove"/>
<query_log remove="remove"/>
<text_log remove="remove"/>
<trace_log remove="remove"/>
<metric_log remove="remove"/>
<asynchronous_metric_log remove="remove"/>
<session_log remove="remove"/>
<part_log remove="remove"/>
</clickhouse>
'';
};
};
services.restic.commonPaths = [
# "/var/lib/clickhouse"
];
}
{
# family storage
systemd.tmpfiles.settings = {
"10-backups" = {
"/storage/family" = {
"d" = {
mode = "0770";
user = "root";
group = "family";
};
};
"/storage/family/valerie" = {
"d" = {
mode = "0750";
user = "valerie";
group = "family";
};
};
"/storage/family/daniel" = {
"d" = {
mode = "0750";
user = "daniel";
group = "family";
};
};
};
};
services.restic.commonPaths = [
"/storage/family"
];
} }
# {
# # clickhouse
# environment.etc = {
# "clickhouse-server/users.d/disable-logging-query.xml" = {
# text = ''
# <clickhouse>
# <profiles>
# <default>
# <log_queries>0</log_queries>
# <log_query_threads>0</log_query_threads>
# </default>
# </profiles>
# </clickhouse>
# '';
# };
# "clickhouse-server/config.d/reduce-logging.xml" = {
# text = ''
# <clickhouse>
# <logger>
# <level>warning</level>
# <console>true</console>
# </logger>
# <query_thread_log remove="remove"/>
# <query_log remove="remove"/>
# <text_log remove="remove"/>
# <trace_log remove="remove"/>
# <metric_log remove="remove"/>
# <asynchronous_metric_log remove="remove"/>
# <session_log remove="remove"/>
# <part_log remove="remove"/>
# </clickhouse>
# '';
# };
# };
# }
{ {
# daniel augments # daniel augments
systemd.tmpfiles.settings = {
"10-backups" = {
"/storage/daniel" = {
"d" = {
mode = "0700";
user = "daniel";
group = "nogroup";
};
};
"/storage/daniel/critical" = {
"d" = {
mode = "0700";
user = "daniel";
group = "nogroup";
};
};
};
};
users.groups.daniel.members = ["daniel"]; users.groups.daniel.members = ["daniel"];
users.groups.nixadmin.members = ["daniel"]; users.groups.nixadmin.members = ["daniel"];
users.users.daniel = { users.users.daniel = {
@ -509,6 +510,10 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
"forgejo" "forgejo"
]; ];
}; };
services.restic.commonPaths = [
"/storage/daniel"
];
services.postgresql = { services.postgresql = {
ensureDatabases = ["daniel"]; ensureDatabases = ["daniel"];
ensureUsers = [ ensureUsers = [
@ -599,7 +604,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
package = pkgs.postgresql_15; package = pkgs.postgresql_15;
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html # https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
# TODO: enable the "daniel" user to access all databases # TODO: give the "daniel" user access to all databases
authentication = pkgs.lib.mkOverride 10 '' authentication = pkgs.lib.mkOverride 10 ''
#type database user auth-method auth-options #type database user auth-method auth-options
local all postgres peer map=superuser_map local all postgres peer map=superuser_map
@ -628,56 +633,41 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
services.postgresqlBackup = { services.postgresqlBackup = {
enable = true; enable = true;
backupAll = true; backupAll = true;
compression = "none"; # hoping for deduplication here? compression = "none"; # hoping for restic deduplication here?
location = "/storage/postgres-backups"; location = "/storage/postgres-backups";
startAt = "*-*-* 03:00:00"; startAt = "*-*-* 03:00:00";
}; };
services.restic.commonPaths = [
"/storage/postgres-backups"
];
} }
# {
# # friends
# users.users.ben = {
# isNormalUser = true;
# packages = [pkgs.vim];
# openssh.authorizedKeys.keys = [
# "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
# ];
# };
# users.users.alan = {
# isNormalUser = true;
# packages = [pkgs.vim];
# openssh.authorizedKeys.keys = [
# ""
# ];
# };
# networking.firewall.allowedTCPPorts = [
# 64022
# ];
# networking.firewall.allowedUDPPorts = [
# 64020
# ];
# }
{ {
systemd.tmpfiles.settings = { # friends
"10-backups" = { users.users.ben = {
"/storage/daniel" = { isNormalUser = true;
"d" = { packages = [pkgs.vim];
mode = "0700"; openssh.authorizedKeys.keys = [
user = "daniel"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
group = "nogroup"; ];
};
};
"/storage/daniel/critical" = {
"d" = {
mode = "0700";
user = "daniel";
group = "nogroup";
};
};
}; };
users.users.alan = {
isNormalUser = true;
packages = [pkgs.vim];
# openssh.authorizedKeys.keys = [];
}; };
}
{
# restic backups # restic backups
sops.secrets = {
restic-ssh-priv-key-benland = {mode = "0400";};
restic-rascal-passphrase = {
mode = "0400";
};
restic-rascal-ssh-private-key = {
mode = "0400";
};
};
users.groups.restic = {}; users.groups.restic = {};
users.users.restic = { users.users.restic = {
# used for other machines to backup to # used for other machines to backup to
@ -685,55 +675,45 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
group = "restic"; group = "restic";
openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys; openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys;
}; };
# # TODO: move previous backups over and put here services.restic.backups = let
# # clickhouse and plausible analytics once they're up and running? defaults = {
# services.restic.backups = let passwordFile = "/root/restic-remotebackup-password";
# defaults = { paths =
# passwordFile = "/root/restic-remotebackup-password"; config.services.restic.commonPaths
# paths = [ ++ [
# "/storage/files.lyte.dev" ];
# "/storage/daniel" initialize = true;
# "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ? exclude = [];
# "/storage/postgres-backups" timerConfig = {
OnCalendar = ["04:45" "17:45"];
# # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault };
# # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files };
# "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing? in {
local =
# # TODO: backup *arr configs? defaults
# ]; // {
# initialize = true; passwordFile = "/root/restic-localbackup-password";
# exclude = []; repository = "/storage/backups/local";
# timerConfig = { };
# OnCalendar = ["04:45" "17:45"]; rascal =
# }; defaults
# }; // {
# in { extraOptions = [
# local = "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
# defaults ];
# // { repository = "sftp://beefcake@rascal://storage/backups/beefcake";
# passwordFile = "/root/restic-localbackup-password"; };
# repository = "/storage/backups/local"; # TODO: add ruby?
# }; benland =
# rascal = defaults
# defaults // {
# // { passwordFile = config.sops.secrets.restic-ssh-priv-key-benland.path;
# extraOptions = [ extraOptions = [
# "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'" "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'"
# ]; ];
# repository = "sftp://beefcake@rascal://storage/backups/beefcake"; repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake";
# }; };
# # TODO: add ruby? };
# benland =
# defaults
# // {
# passwordFile = config.sops.secrets.restic-ssh-priv-key-benland.path;
# extraOptions = [
# "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'"
# ];
# repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake";
# };
# };
} }
{ {
systemd.tmpfiles.settings = { systemd.tmpfiles.settings = {
@ -747,6 +727,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
}; };
}; };
services.restic.commonPaths = [
"/storage/files.lyte.dev"
];
services.caddy = { services.caddy = {
# TODO: 502 and other error pages # TODO: 502 and other error pages
enable = true; enable = true;
@ -828,13 +811,20 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
enable = true; enable = true;
}; };
dump = { dump = {
enable = true; enable = false;
}; };
database = { database = {
# TODO: move to postgres? # TODO: move to postgres?
type = "sqlite3"; type = "sqlite3";
}; };
}; };
services.restic.commonPaths = [
config.services.forgejo.stateDir
];
sops.secrets = {
"forgejo-runner.env" = {mode = "0400";};
};
systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];
services.gitea-actions-runner = { services.gitea-actions-runner = {
# TODO: simple git-based automation would be dope? maybe especially for # TODO: simple git-based automation would be dope? maybe especially for
# mirroring to github super easy? # mirroring to github super easy?
@ -885,8 +875,12 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
}; };
} }
{ {
services.restic.commonPaths = [
config.services.vaultwarden.backupDir
];
services.vaultwarden = { services.vaultwarden = {
enable = true; enable = true;
backupDir = "/storage/vaultwarden/backups";
config = { config = {
DOMAIN = "https://bw.lyte.dev"; DOMAIN = "https://bw.lyte.dev";
SIGNUPS_ALLOWED = "false"; SIGNUPS_ALLOWED = "false";
@ -912,6 +906,7 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
enable = true; enable = true;
database = { database = {
createLocally = false; createLocally = false;
# NOTE: this uses postgres over the unix domain socket by default
# uri = "postgresql://atuin@localhost:5432/atuin"; # uri = "postgresql://atuin@localhost:5432/atuin";
}; };
openRegistration = false; openRegistration = false;