From c297aff739230961c0e3c6f1dd469ad8d4d65d98 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Fri, 6 Sep 2024 15:34:18 -0500 Subject: [PATCH] Data is flowing, hooked up to DDNS, capable off reloading from backups --- flake.nix | 13 +- modules/nixos/default.nix | 2 + modules/nixos/deno-netlify-ddns-client.nix | 4 +- nixos/beefcake.nix | 229 +++++++++++---------- secrets/beefcake/secrets.yml | 9 +- 5 files changed, 145 insertions(+), 112 deletions(-) diff --git a/flake.nix b/flake.nix index 690f14d..5c3fd02 100644 --- a/flake.nix +++ b/flake.nix @@ -49,7 +49,7 @@ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" - "h.lyte.dev:HeVWtne31ZG8iMf+c15VY3/Mky/4ufXlfTpT8+4Xbs0=" + "h.lyte.dev-2:te9xK/GcWPA/5aXav8+e5RHImKYMug8hIIbhHsKPN0M=" "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc=" ]; }; @@ -255,6 +255,17 @@ # TODO: disko? hardware.nixosModules.common-cpu-intel + outputs.nixosModules.deno-netlify-ddns-client + + { + services.deno-netlify-ddns-client = { + enable = true; + username = "beefcake.h"; + # TODO: router doesn't even do ipv6 yet... + ipv6 = false; + }; + } + common troubleshooting-tools linux diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index c79f654..b8f235d 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -11,6 +11,8 @@ pubkey, overlays, }: { + deno-netlify-ddns-client = import ./deno-netlify-ddns-client.nix; + fallback-hostname = {lib, ...}: { networking.hostName = lib.mkDefault "set-a-hostname-dingus"; }; diff --git a/modules/nixos/deno-netlify-ddns-client.nix b/modules/nixos/deno-netlify-ddns-client.nix index 9912b3e..193c256 100644 --- a/modules/nixos/deno-netlify-ddns-client.nix +++ b/modules/nixos/deno-netlify-ddns-client.nix 
@@ -66,14 +66,14 @@ in {
 ${optionalString cfg.ipv4 ''
 ${pkgs.curl}/bin/curl -4 -s \
 -X POST \
- --max-time ${cfg.requestTimeout} \
+ --max-time ${toString cfg.requestTimeout} \
 -u "${cfg.username}:''${password}" \
 -L "${cfg.endpoint}/v1/netlify-ddns/replace-all-relevant-user-dns-records"
 ''}
 ${optionalString cfg.ipv6 ''
 ${pkgs.curl}/bin/curl -6 -s \
 -X POST \
- --max-time ${cfg.requestTimeout} \
+ --max-time ${toString cfg.requestTimeout} \
 -u "${cfg.username}:''${password}" \
 -L "${cfg.endpoint}/v1/netlify-ddns/replace-all-relevant-user-dns-records"
 ''}
diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix
index 9793370..9710eb1 100644
--- a/nixos/beefcake.nix
+++ b/nixos/beefcake.nix
@@ -133,7 +133,9 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 # group = config.systemd.services.plausible.serviceConfig.Group;
 # };
 # nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password";
+ restic-ssh-priv-key-benland = {mode = "0400";};
 "forgejo-runner.env" = {mode = "0400";};
+ netlify-ddns-password = {mode = "0400";};
 restic-rascal-passphrase = {
 mode = "0400";
 };
@@ -144,12 +146,16 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
 };
 systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];
 }
+ {
+ services.deno-netlify-ddns-client = {
+ passwordFile = config.sops.secrets.netlify-ddns-password.path;
+ };
+ }
 {
 # nix binary cache
- # TODO: move /nix to a big drive?
 services.nix-serve = {
 enable = false; # TODO: true
- secretKeyFile = "/var/cache-priv-key.pem";
+ secretKeyFile = config.sops.secrets.nix-cache-priv-key.path;
 };
 services.caddy.virtualHosts."nix.h.lyte.dev" = {
 extraConfig = ''
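Review bot: The password is still passed on curl's command line in both invocations (`-u "${cfg.username}:''${password}"`), so it is visible in the process list and `/proc/<pid>/cmdline` to any local user while the request runs; the `toString` fix leaves that unchanged. Feeding the credential through `--netrc-file` (pointing at a mode-0400 file) or a `--config` file instead keeps it out of argv. Also `-s` without `--fail` means a 4xx/5xx from the endpoint still exits 0, so the unit reports success on a rejected update; `-sf` (or `--fail-with-body`) makes the failure visible to systemd. The script and the `in {` attribute set containing these lines start outside the hunk, so how `password` is populated is not visible here.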
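Review bot: `config.sops.secrets.nix-cache-priv-key.path` is referenced in the next hunk (`@@ -144,12 +146,16 @@`) but no matching `nix-cache-priv-key = {mode = "0400";};` entry is added here next to `restic-ssh-priv-key-benland` and `netlify-ddns-password`; unless it is declared elsewhere in the file, that reference fails with a missing-attribute error as soon as `services.nix-serve.enable` is flipped to true. The two new entries also set only `mode = "0400"` with no `owner`, so the decrypted files will be root-owned; the ddns client reading `passwordFile` and nix-serve reading `secretKeyFile` can only open them if those units run as root — if either runs as a dedicated user, add `owner = "<service-user>";` (placeholder) to the corresponding secret. The enclosing `sops.secrets` attribute set starts outside the hunk.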
@@ -615,112 +621,123 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 # group = "flanilla"; # }; # } - # { - # # restic backups - # users.users.restic = { - # # used for other machines to backup to - # isNormalUser = true; - # openssh.authorizedKeys.keys = - # [ - # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev" - # ] - # ++ config.users.users.daniel.openssh.authorizedKeys.keys; - # }; - # # TODO: move previous backups over and put here - # # clickhouse and plausible analytics once they're up and running? - # services.restic.backups = let - # defaults = { - # passwordFile = "/root/restic-remotebackup-password"; - # paths = [ - # "/storage/files.lyte.dev" - # "/storage/daniel" - # "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ? - # "/storage/postgres-backups" + { + systemd.tmpfiles.settings = { + "10-backups" = { + "/storage/daniel" = { + "d" = { + mode = "0700"; + user = "daniel"; + group = "nogroup"; + }; + }; + "/storage/daniel/critical" = { + "d" = { + mode = "0700"; + user = "daniel"; + group = "nogroup"; + }; + }; + }; + }; + # restic backups + users.groups.restic = {}; + users.users.restic = { + # used for other machines to backup to + isSystemUser = true; + group = "restic"; + openssh.authorizedKeys.keys = [] ++ config.users.users.daniel.openssh.authorizedKeys.keys; + }; + # # TODO: move previous backups over and put here + # # clickhouse and plausible analytics once they're up and running? + # services.restic.backups = let + # defaults = { + # passwordFile = "/root/restic-remotebackup-password"; + # paths = [ + # "/storage/files.lyte.dev" + # "/storage/daniel" + # "/storage/forgejo" # TODO: should maybe use configuration.nix's services.forgejo.dump ? 
+ # "/storage/postgres-backups" - # # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault - # # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files - # "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing? + # # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault + # # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files + # "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing? - # # TODO: backup *arr configs? - # ]; - # initialize = true; - # exclude = []; - # timerConfig = { - # OnCalendar = ["04:45" "17:45"]; - # }; - # }; - # in { - # local = - # defaults - # // { - # passwordFile = "/root/restic-localbackup-password"; - # repository = "/storage/backups/local"; - # }; - # rascal = - # defaults - # // { - # extraOptions = [ - # "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'" - # ]; - # repository = "sftp://beefcake@rascal://storage/backups/beefcake"; - # }; - # # TODO: add ruby? - # benland = - # defaults - # // { - # extraOptions = [ - # "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'" - # ]; - # repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake"; - # }; - # }; - # } - # { - # services.caddy = { - # # TODO: 502 and other error pages - # enable = true; - # email = "daniel@lyte.dev"; - # adapter = "caddyfile"; - # virtualHosts = { - # "dev.h.lyte.dev" = { - # extraConfig = '' - # reverse_proxy :8000 - # ''; - # }; - # "files.lyte.dev" = { - # # TODO: customize the files.lyte.dev template? 
- # extraConfig = '' - # # @options { - # # method OPTIONS - # # } - # # @corsOrigin { - # # header_regexp Origin ^https?://([a-zA-Z0-9-]+\.)*lyte\.dev$ - # # } - # header { - # Access-Control-Allow-Origin "{http.request.header.Origin}" - # Access-Control-Allow-Credentials true - # Access-Control-Allow-Methods * - # Access-Control-Allow-Headers * - # Vary Origin - # defer - # } - # # reverse_proxy shuwashuwa:8848 { - # # header_down -Access-Control-Allow-Origin - # # } - # file_server browse { - # # browse template - # # hide .* - # root /storage/files.lyte.dev - # } - # ''; - # }; - # }; - # # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; - # }; - # networking.firewall.allowedTCPPorts = [ - # 8000 # random development stuff - # ]; - # } + # # TODO: backup *arr configs? + # ]; + # initialize = true; + # exclude = []; + # timerConfig = { + # OnCalendar = ["04:45" "17:45"]; + # }; + # }; + # in { + # local = + # defaults + # // { + # passwordFile = "/root/restic-localbackup-password"; + # repository = "/storage/backups/local"; + # }; + # rascal = + # defaults + # // { + # extraOptions = [ + # "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'" + # ]; + # repository = "sftp://beefcake@rascal://storage/backups/beefcake"; + # }; + # # TODO: add ruby? 
+ # benland = + # defaults + # // { + # passwordFile = config.sops.secrets.restic-ssh-priv-key-benland.path; + # extraOptions = [ + # "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'" + # ]; + # repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake"; + # }; + # }; + } + { + systemd.tmpfiles.settings = { + "10-caddy" = { + "/storage/files.lyte.dev" = { + "d" = { + mode = "2775"; + user = "root"; + group = "wheel"; + }; + }; + }; + }; + services.caddy = { + # TODO: 502 and other error pages + enable = true; + email = "daniel@lyte.dev"; + adapter = "caddyfile"; + virtualHosts = { + "files.lyte.dev" = { + # TODO: customize the files.lyte.dev template? + extraConfig = '' + header { + Access-Control-Allow-Origin "{http.request.header.Origin}" + Access-Control-Allow-Credentials true + Access-Control-Allow-Methods * + Access-Control-Allow-Headers * + Vary Origin + defer + } + file_server browse { + # browse template + # hide .* + root /storage/files.lyte.dev + } + ''; + }; + }; + # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory"; + }; + } # { # services.forgejo = { # enable = true; diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml index 5f2d458..308c30c 100644 --- a/secrets/beefcake/secrets.yml +++ b/secrets/beefcake/secrets.yml 
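Review bot: The now-active `files.lyte.dev` site block reflects every request origin (`Access-Control-Allow-Origin "{http.request.header.Origin}"`) together with `Access-Control-Allow-Credentials true`, which lets any third-party page make credentialed cross-origin requests to this host and read the responses; the old commented-out version had a `@corsOrigin` matcher scoping this to `*.lyte.dev`, and the new version drops it. Restoring the matcher, `@corsOrigin { header_regexp Origin ^https?://([a-zA-Z0-9-]+\.)*lyte\.dev$ }`, and writing `header @corsOrigin {` (or simply dropping the credentials header, since `file_server browse` here is unauthenticated) closes that. The new `users.users.restic` authorizes all of `daniel`'s keys with no `restrict,command="..."` options, so a leaked workstation key is potentially a general login as `restic` rather than only a backup endpoint; pinning those keys with a forced command, or a `Match User restic` / `ForceCommand internal-sftp` block in sshd, limits that. In the still-commented `benland` backend, `passwordFile` now points at `restic-ssh-priv-key-benland` while `sftp.command` still uses `/root/.ssh/id_ed25519`; the secret's name suggests an SSH key rather than a repository passphrase, so confirm what it holds before uncommenting that block.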
@@ -9,11 +9,13 @@ example_number: ENC[AES256_GCM,data:AifVPuuPnEw2lQ==,iv:/L/vG2znNlM35u4ZGM31bweT
 example_booleans:
 - ENC[AES256_GCM,data:GD3U7Q==,iv:ahTK9d6m8lQkjd2sS9Yo6V3EyFWoyEbeQG6Uke4hF40=,tag:rykfnfaLz39V+SJbomu5Zw==,type:bool]
 - ENC[AES256_GCM,data:hK/CtTQ=,iv:EFXdBumvMKdaXdd97vUBIMKIaw1rMfUt+/irkRZGc4Y=,tag:JofhZ5SS+jzRe6WJmP34Xg==,type:bool]
+nix-cache-priv-key: ENC[AES256_GCM,data:ClVXffaK6MPQGAizjY7WcQ/PWmihkFgudLzVdWVnnp9R/GcgHjDB5RBBKqxa7pBlEM+Bvh6VrK/2AXxAC73JUhJxK44s7PaJBgBvdLk04c1abAgIT1idC0DL1izIbsGOqB+SweQ=,iv:KU2o20Vv0Ob3D+WIpJNRHCBd+FhuCKiGKaiTkGXJfKI=,tag:ZG+WF2YBeI+ZnCNIEWUXTQ==,type:str]
+nix-cache-pub-key: ENC[AES256_GCM,data:E03CllQyoFO1/Ts6RCEuHZlHqLpd4OZ4nLDs+TlLEbY16mEBG3lFJnqAattmiJb41EjDUmiv1RqU,iv:SZbSMvRU2PC8/t4PS24EU9nVhYgrgKvJ0dfYTtW7YkM=,tag:5rmu6a0wPPkcB3JGnFF+7w==,type:str]
 plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A==,iv:GU2ccj10TKQ0KW9b9X9AgYnvhS/wMVqYTyxr6Xt50Gk=,tag:ypQ0VtutVD8wgdfm40QZkw==,type:str]
 plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str]
 plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str]
 nextcloud-admin-password: ENC[AES256_GCM,data:QaoSZyommeGED3nWNru92UVO2tjk24HE9fWX7ExYT101o4ZL411TmV1TXHSyfwjmE7yLIm1K/j4xpEbIY3zvFg==,iv:xC5EZVPHumVPOob5jiiXMFAmdFQcFSUPtZgioAgGDDs=,tag:Q/kY38XWkGsqcmCkd2lodg==,type:str]
-netlify-ddns.env: ENC[AES256_GCM,data:HWy7RCUATwsPUMpLFstC2vPq4ErOPTQ+DzfQei9w0nCBKpdhzRJWb5+FAyQBmQBENn3cmrOThe6bRhuJabl2UMvp2/om0U1MF3N00sq+4dFhtvZZ6TaKBxhHMr0EIGAYdpDuJ1PXyXtKzDYPhFiGPAYb5GTe6U0+aF/pM9l6p3vMAz9GmnGD4eK7iMFZhrF4gLVKYbDx4rtWv4U9fjpUOf0/y+b+L+JFTrukzQ==,iv:8uNv3m01SEmrKVUTy+okac2HyWWCYPMiv/kO+/IZ+xE=,tag:+9AkWJSKw6L3HrPfL58QSg==,type:str]
+netlify-ddns-password: ENC[AES256_GCM,data:mz9MS93ZPbtziwo56DP27q5ZgA1rgCptQpgTPrq2Ihc3KjSxSACJ6p6t8NjRPr4lSDLPzDa47OnRct/N4fcm5Q==,iv:upOh9S0wvTXBwfso3GhQzpl5befY0T0hTW/LGNcvv0k=,tag:/LNP0wIaxtExulV0blVkXA==,type:str]
 #ENC[AES256_GCM,data:IDauOj95sPt6LQkNWOaAV3AR7XPHJljX7Gef/IgtzC227ln7aKpVLCbhxD6pNTwd9/KhIXJp3vagCjfgkO/utA==,iv:Pn5jIPsFMBA2xnp3SUBgBug1NN8d3h3zy1pGVzO2hO0=,tag:NzhLA7nqE7SRRMV+rKgCjQ==,type:comment]
 forgejo-runner.env: ENC[AES256_GCM,data:10wKRImXKS7ezcWnkwz7ak194snQ4wG8GBePeHXN1I23JfOvuD00427fOJ4jbCY=,iv:8jrmcXa2yqFTSf4fFnZXCuyGft90RzUO3S4rZGXaTDI=,tag:EGDqTK8GKBGfogkqkCODxg==,type:str]
 jland.env: ENC[AES256_GCM,data:u+QKwKWG9NFduuofhe3aatof3KoC0N4ZpNOD8E/7l0BTSoTe5Tqmz5/33EOcBUw99+YLFR4kTJwdUmLWHk4UD87aGsJ4liPCtXnBsToAzBGg0I3mhGQ/QM8iKXMW9oKb3ciapitQBuJa1WIp5/bHNtCXWQ==,iv:iZDET5EWM4DnAoQqLP9+Ll4S+mFHt2wZ3ENtN79Dbqw=,tag:qVpocN3FxlHfte2hAmtGPA==,type:str]
@@ -21,6 +23,7 @@ dawncraft.env: ENC[AES256_GCM,data:8n1ymQZpMeVwTyoHhccV+W5diMLcsZw5zZQy4Z4eaMcLF
 api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str]
 restic-rascal-passphrase: ENC[AES256_GCM,data:yonKbBh4riGwxc/qcj8F/qrgAtA1sWhYejw9rdOTdCNW3a7zL/Ny1+XCI/P3bMOsY6UTmg/gxA2itp4cSbvqjg==,iv:5GwaEExn7b3dIkCVehLxaBXW+nUuSexY/bcqfCUwF5Q=,tag:dinyyw2XeVoSnw/IsYfK0w==,type:str]
 restic-rascal-ssh-private-key: ENC[AES256_GCM,data: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,iv:S2I3h6pmKLxEc29E0zn2b8lscqA//5/ZMTV9q+/tdvs=,tag:ALeCT+nrVPDfS21xC555sA==,type:str]
+restic-ssh-priv-key-benland: ENC[AES256_GCM,data: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,iv:IP+N8JQu+XRvwTtBnxu54ujzU5UliltXG3mk9HfJaN8=,tag:4oinE9QMaSh8IfUd/ttM3Q==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -45,8 +48,8 @@ sops:
 bGpacHFRSkJYUUMwOEh4cVBXZ1NESmsKa5EhZ7148ojCqZldukLcPLr93HqnpNgq
 rMI0Nyz4Z4lkTVMRpA94zyNTkNwJ02/CYcKi8EJi6jGZnNPUTcnTwg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-06T13:45:54Z"
- mac: ENC[AES256_GCM,data:eK+7MfeVtdNxlnBOgAuz9QIpXQMo0e8SXnDVmwMbB6nILti7Z9CRe/XHxriH5+eml5QOqi2t9YIjhYa27V89VBP/d/NSMh1IXBkYfCE+jFhaG6ParI5Y4+pJH7EijQ4RpBrOnlCr1+e84HiuJoqyU4/V7vdorYZOXVWxATs5vRw=,iv:YEHqy/Pzt7GLbuumAzvcMcavB8Rkt+hEyD+lH/++Fiw=,tag:fIrdz2fouKZ86MgAZ0f0zA==,type:str]
+ lastmodified: "2024-09-06T20:10:59Z"
+ mac: ENC[AES256_GCM,data:VAu4K4XjAd4HOy4EoaDuU5nYPi/UbSjoS2vxIGmWMFByjSBE38W/7/mTef3DxlgmiyiwO8o/nv8w1GvjYbKb3px99XLeKdiAMhlBoDm0k1YVBo5V+tBO272GiGBxvIcdIrNLc914Uf3cWXykWD69smeug33BfbGa6OsJUN0GTiQ=,iv:3kGkzzQKPqBYCLuG4Nbp7xsNEAti3PddTKo6b3Eaat8=,tag:UwzQM0szWOuAasXf3Lf/mw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0