patrick/nix-config
1
1
Fork 0
Code Issues Pull requests Projects Wiki Activity

feat: added remote backups

Browse source
This commit is contained in:
Patrick Großmann 2024-01-15 02:13:46 +01:00
parent e4385ea2ab
commit e4deaf9fe2
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
17 changed files with 176 additions and 61 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
flake.lock
View file

@ -37,11 +37,11 @@
"pre-commit-hooks": "pre-commit-hooks"
},
"locked": {
"lastModified": 1696078264,
"narHash": "sha256-NF5G9CHaVWDD6DY0TP8z0cx30dAL1ciFYcVidVvb+NA=",
"lastModified": 1705278709,
"narHash": "sha256-CNJSc6tp12UZKAprviztJ509yAblteK4GiWwKewWEPQ=",
"owner": "oddlama",
"repo": "agenix-rekey",
"rev": "e529da8197f024c0069c4fde6237505e305b8d0a",
"rev": "e02a57e08224422934974f19853d4d70ed7eaaaa",
"type": "github"
},
"original": {
@ -1056,11 +1056,11 @@
"pre-commit-hooks": "pre-commit-hooks_2"
},
"locked": {
"lastModified": 1704999567,
"narHash": "sha256-Whj1PFPomS/f97OD30CRrETTH/dmnUJdjEevDLJG4MM=",
"lastModified": 1705280248,
"narHash": "sha256-lMuky4SlMGcc7Ok33Cp7mwx+k5WRxXCCP1Rit8vtfEA=",
"owner": "oddlama",
"repo": "nixos-extra-modules",
"rev": "4744a2844cd74ca9b122fbaaae5ae97159c0d30e",
"rev": "3057e049e731190def8e9c5bea5467b3edcdd93e",
"type": "github"
},
"original": {

5
flake.nix
View file

@ -144,6 +144,11 @@
;
}
// flake-utils.lib.eachDefaultSystem (system: rec {
apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
inherit pkgs;
nixosConfigurations = self.nodes;
decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
};
pkgs = import nixpkgs {
overlays =
import ./lib inputs

5
hosts/elisabeth/guests.nix
View file

@ -95,6 +95,7 @@ in {
mkGuest = guestName: {
enablePanzer ? false,
enableRenaultFT ? false,
enableBunker ? false,
...
}: {
autostart = true;
@ -114,6 +115,10 @@ in {
pool = "renaultft";
dataset = "safe/guests/${guestName}";
};
zfs."/bunker" = lib.mkIf enableBunker {
pool = "panzer";
dataset = "bunker/guests/${guestName}";
};
modules = [
../../modules/config
../../modules/services/${guestName}.nix

BIN
hosts/elisabeth/secrets/samba/generated/resticHetznerSsh.age Normal file
View file

Binary file not shown.

BIN
hosts/elisabeth/secrets/samba/generated/resticpasswd.age Normal file
View file

Binary file not shown.

BIN
hosts/elisabeth/secrets/vaultwarden/generated/resticpasswd.age Normal file
View file

Binary file not shown.

19
hosts/elisabeth/secrets/vaultwarden/generated/vaultwardenHetznerSsh.age Normal file
View file

@ -0,0 +1,19 @@
age-encryption.org/v1
-> X25519 Kj9OeDgNf3hqRLsActF53ggNumpHdHKXG6zekapeWQc
JFdTjwN1jG6b9oQ7t5fuRvvc2Dd5YYCC8Q8M39xfAE4
-> piv-p256 XTQkUA AxuWd+20Js2drUmquQtQP3nH/vRh+OkGnSO3J3JuRlVp
4SlZgvBzLZWn2qTgGWnUaML6jP+20+SIl06DYw8QbCo
-> piv-p256 ZFgiIw AgZ1QA5jqCIoxb4agWfPt527GXRfmc3BI7W2M4A4kuQn
UAbYRlVWqLanbg60XdDRtJRI6I9/PfMUYnVlM37jgNk
-> piv-p256 5vmPtQ AhAJtn26POTXs9lTBSVxv7MwQL4fg9T6RmhDtBGS/ne2
KrOM4MrP9Z6NAmcqH/3sOg+TB7IzCR+XQsC9TGAcnG4
-> piv-p256 ZFgiIw A12qAbjNfpKC7Ypv0H0svdaMQu0hx9HIvWq4yli7+hTw
jquQsKgclpq+174JFrxoJ+8qQuRtmii5h23JT1t4/6M
-> 4<;V-grease
MRprreszTkfpnjip/rJScLgENpRVXSlk412CATnMx7h1cTn5LyafKZAdPT1DHr5K
XyPouZRvPLzGHg21hj1gi3DgNA5nKULBWUYg4JmDeWQYVukI8JON7LUk6yGqPLdN
UQ
--- iiRlePkOnW1pge/OFv/nzavme3ERGqynw6ObeMW8jLs
V˜×q-býP<ßxô&Âþ¨`þ+<2B>Á m—C\oRiB™E'k¶o4ö‰`¿²$§hRÍ£J<1E>¶¢…è(+XLÙCR~P§˜)Þs.(&{,Ïé”ÍXÕpæPÁ'7¼öˆr'[2_qãúþ†íÅDÈ1:)Üë*žإújƒÂ(@YNQÇ´`g‰7¾iË<69>¶;Qd×@Ô™^P£òö/Žð§ñcóº Λ-ëòp•ÏëS_*ÿõÖ<C3B5>?ÉZáÛaã¦ÿu×;ŽWóE1 Åå—¢ùœÂ„ÃQKˆe55Uuó/¾ÕÖ®¾±\.'½Et'âÑœFeÏŠ…VÀSôãžFZàÉÛ£t
ªºtÏÀ{Mu´P4óE…£ <0C>ŒàR|oŸ¼zfNåΚÀ%nËø+c7Ê sÖêþM<äeI6`’¢—Э'ë‡uö<75>Ç::ýF @ô´I2=ßécûü`Ä£ GsÞ.ø<>·±÷.FÅ Ú²öadHGQÖ'Ÿ%jcÄ÷Šãžõí¡<C3AD>B‡½Øè
Ïr¾\ Q `™> ¬Ëk¤kèîz@«êÏ­Cˆ¸zˆú{G¹ìŽÆÉŸÙE>gcC

BIN
hosts/testienix/secrets/generated/resticHetznerSsh.age Normal file
View file

Binary file not shown.

16
hosts/testienix/secrets/generated/resticpasswd.age Normal file
View file

@ -0,0 +1,16 @@
age-encryption.org/v1
-> X25519 z96I+Nn8qe6tg/RKh3BKQ9/TPL336LMzJmalGjNDjzo
uDSblTLmTEMUO1Y6ZTJvA/62wT/HHueBmdL/XH2g+oc
-> piv-p256 XTQkUA AvRAFEutxbIbL2FUe1V8A2QNzLGeGonzh1a6Gc/YOxpB
a2CURyCBGqFqSXi1023fxCCDdiRgJtWN0XfWesqMB2M
-> piv-p256 ZFgiIw AysOIfBv8DcAL2kYkJd+hhlDL4wvfz1ffp1H8o8Q0oq+
ecKdYFlK7o1VKeBRT98Luve3LPsPPjXYHVz6uRmx0vw
-> piv-p256 5vmPtQ AgTg1s5F1ZO2BiYekocUdtmDAOHVNEZa1Fb70sF54jEb
QdhiumwEn949jOeP5x/g/BpOcOnJ7KoAzc7desZO2rU
-> piv-p256 ZFgiIw A+SlvzmK+ypk9oZfAf4wTxua0gxPXuJuy8J26pAvWnfh
VeMmI6yqh8spCYXwUpdKKRt6Q/Bv8ZMSATrubCwslII
-> 2{jZco:7-grease 9N19Ay)
LFLWPMPWN6sYwi5+fL792xvjztCKIahMyA
--- jDQZaA9hMtVeAmiFfAVQWS55di3rJ79zQJTuJAaEPuM
œß—’<tcWw«i#¶ÑÁ[
±vhF_‡“¬”W÷òˆ©d<04>Ä(û˜ôàù•†›¥‹&¼ß†k;k ]¶‡æ¬¶G%|{žW.¨“+

BIN
hosts/testienix/secrets/generated/resticssh.age Normal file
View file

Binary file not shown.

2
modules/services/ddclient.nix
View file

@ -3,6 +3,8 @@
rekeyFile = ../../secrets/cloudflare/api_token.age;
mode = "440";
};
# So we only update the A record
networking.enableIPv6 = false;
services.ddclient = {
enable = true;
zone = config.secrets.secrets.global.domains.web;

101
modules/services/samba.nix
View file

@ -7,6 +7,37 @@
enable = true; # make shares visible for windows 10 clients
openFirewall = true;
};
age.secrets.resticpasswd = {
generator.script = "alnum";
};
age.secrets.resticHetznerSsh = {
generator.script = "ssh-ed25519";
};
services.restic.backups = {
main = {
user = "root";
timerConfig = {
OnCalendar = "06:00";
Persistent = true;
RandomizedDelaySec = "3h";
};
initialize = true;
passwordFile = config.age.secrets.resticpasswd.path;
hetznerStorageBox = {
enable = true;
inherit (config.secrets.secrets.global.hetzner) mainUser;
inherit (config.secrets.secrets.global.hetzner.users.smb) subUid path;
sshAgeSecret = "resticHetznerSsh";
};
paths = ["/bunker"];
pruneOpts = [
"--keep-daily 10"
"--keep-weekly 7"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
};
services.samba = {
enable = true;
securityType = "user";
@ -55,11 +86,15 @@
name,
user ? "smb",
group ? "smb",
persistRoot ? "/panzer",
}: cfg: {
"${name}" =
hasBunker ? false,
persistRoot ? (
if hasBunker
then "/bunker"
else "/panzer"
),
}: cfg: let
config =
{
"path" = "/media/smb/${name}";
"#persistRoot" = persistRoot;
"read only" = "no";
"guest ok" = "no";
@ -74,28 +109,43 @@
"acl allow execute always" = "no";
}
// cfg;
};
in
{
"${name}" =
{"path" = "/media/smb/${name}";}
// config;
}
// lib.optionalAttrs hasBunker
{
"${name}-important" =
{"path" = "/media/smb/${name}-important";}
// config;
};
in
lib.mkMerge [
(mkShare {
name = "ggr-data";
user = "ggr";
group = "ggr";
hasBunker = true;
} {})
(mkShare {
name = "patri-data";
user = "patrick";
group = "patrick";
hasBunker = true;
} {})
(mkShare {
name = "helen-data";
user = "helen";
group = "helen";
hasBunker = true;
} {})
(mkShare {
name = "david-data";
user = "david";
group = "david";
hasBunker = true;
} {})
(mkShare {
name = "family-data";
@ -104,6 +154,8 @@
} {})
(mkShare {
name = "media";
user = "family";
group = "family";
persistRoot = "/renaultft";
}
{
@ -122,35 +174,20 @@
groups = lib.unique (users ++ (lib.mapAttrsToList (_: val: val."force group") config.services.samba.shares));
in {
users = lib.mkMerge (lib.flip map users (user: {
${user} = {
isNormalUser = true;
home = "/var/empty";
createHome = false;
useDefaultShell = false;
autoSubUidGidRange = false;
group = "${user}";
};
})
++ [
{
patrick.extraGroups = [
"family"
];
ggr.extraGroups = [
"family"
];
david.extraGroups = [
"family"
];
helen.extraGroups = [
"family"
];
}
]);
groups = lib.mkMerge (lib.flip map groups (group: {
${group} = {
${user} = {
isNormalUser = true;
home = "/var/empty";
createHome = false;
useDefaultShell = false;
autoSubUidGidRange = false;
group = "${user}";
};
}));
groups = lib.mkMerge ((lib.flip map groups (group: {
${group} = {
};
}))
++ [{family.members = ["patrick" "david" "helen" "ggr"];}]);
};
environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v: {

33
modules/services/vaultwarden.nix
View file

@ -20,9 +20,42 @@ in {
}
];
age.secrets.resticpasswd = {
generator.script = "alnum";
};
age.secrets.vaultwardenHetznerSsh = {
generator.script = "ssh-ed25519";
};
services.restic.backups = {
main = {
user = "root";
timerConfig = {
OnCalendar = "06:00";
Persistent = true;
RandomizedDelaySec = "3h";
};
initialize = true;
passwordFile = config.age.secrets.resticpasswd.path;
hetznerStorageBox = {
enable = true;
inherit (config.secrets.secrets.global.hetzner) mainUser;
inherit (config.secrets.secrets.global.hetzner.users.vaultwarden) subUid path;
sshAgeSecret = "vaultwardenHetznerSsh";
};
paths = [config.services.vaultwarden.backupDir];
pruneOpts = [
"--keep-daily 10"
"--keep-weekly 7"
"--keep-monthly 12"
"--keep-yearly 75"
];
};
};
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
backupDir = "/tmp/vaultwardenBackup";
config = {
dataFolder = lib.mkForce "/var/lib/vaultwarden";
extendedLogging = true;

BIN
secrets/secrets.nix.age
View file

Binary file not shown.

28
secrets/smb.cred.age
View file

@ -1,14 +1,16 @@
age-encryption.org/v1
-> X25519 g3YIxGyN1eZ+1EBvmDOidwML6GtFdSDZdqmgcoXStkU
CX8+qiwK+8snDkwzQ4hjP1LvXFuSIGjzGzB8ZXoZFgY
-> piv-p256 XTQkUA A+v6zX1feVTgp7PcQVxdVb9f+swtpTREyjDfi00AgTEE
MVwPR6qqPmNrhStXBN4JqzGLiKaQQkoQBUGzknUpLgs
-> piv-p256 ZFgiIw A37uVQyzvorE7+GOYcSNpGvwVfxqh1OJYz5lQ5+sIQ+m
AJqdNjxgifzfmYTXn5XTPC4DHY3r982xmSQU/HirrrM
-> piv-p256 ZFgiIw Am/nyZaSfikZr+OdP9qhIjhRfUSRwlxUclus3Bahl1Ed
+IWfzeNXvFO5Q/s8XJkGCJguMHiuTM5dnks9M9pRw/M
-> qPGW+-grease
VsuA9wcfbxca5OGjj6gOm2z4sivSF2lzhHM5gOznobFeMZDAbv8i+G0KPepxwalM
/CAzsYTmY5Qb6abKb2zAFNQ
--- eJn/i1/7jmP6oCQ6a3oRiAkSf6IKhVnLBIc2Dm1EmeQ
Ž¸«ůĘ=Ązrs«r°ß·Ż ř„p5đÖŽĄöÉ˙.+N­qŚÂÂ…ţĽţ)Ně@ľťiQÍ _Ţ™?Â˙·13Č—^Ř&Ú{ă°*,}<7D>zBŠ
-> X25519 oq2s1ILoU7/MPd89ZOQ1GheuM055xNZzeQAnc8tgRAI
hvauZoXVK5aXDYobhbe2d0RBVM0MKOoqLikTN4Rxii8
-> piv-p256 XTQkUA A1fUvvVMRV4NmSc52Tm3FAwN923gsyoKE72weUjjdOXC
icTwWnRL/caHMTCqefnIWWpOIRU9G/HMAnWT7/tMKY0
-> piv-p256 ZFgiIw At/IKx37ci7ZVhHeBWLJblyb41+vl34RdibSxoC6rGYU
qt4mjQ+bPpqMgNu0258jVVSdJzuky/3M62OWB2bJSoo
-> piv-p256 5vmPtQ A1OGQCBRY6jQnTAiaj6jTTJKF7LHSSBBSA/O9L7Ibhwk
VsrWqFxavcbpjGMlEfmooPJGVTZMRvuAP+51g+oZfwk
-> piv-p256 ZFgiIw AxHZKPT8E27iGO4XhYw8L3eUrUwQXimhFuF0Jww9V5wa
aYyF8ucsNEqzUSD3tZnYz1tbi3VDF6Z3FvQOZCtfDSA
-> Q;:-grease AH 5XB&'
pDxtEnToRMpFg9cmOXWL10juYPfZ/pxYTygLqOWMXbRFXp2QsGIwSxS+BWY
--- apoEKRQDY6ZWsJai5wPO86kcEaqh7au6UqlOjW0ZOfI
/`S°FGY;m©˙ÜrŢ0w{„Tţ@Uţ nŕtqYU ëp:ÂHJ1KöSżM÷KV×ů@GnŔsŚĆ*—Ŕ:€éĺ/¦ö*˛v
Ô9

BIN
secrets/smbpassdb.tdb.age
View file

Binary file not shown.

16
users/patrick/smb.nix
View file

@ -1,6 +1,6 @@
{nixosConfig, ...}: {
home.smb = let
address = "192.168.178.2";
address = "192.168.178.12";
credentials = nixosConfig.age.secrets.smb-creds.path;
in [
{
@ -8,15 +8,11 @@
remotePath = "patri-data";
automatic = true;
}
{
inherit address credentials;
remotePath = "ggr-data";
}
{
inherit address credentials;
remotePath = "patri-paperless";
automatic = true;
}
#{
# inherit address credentials;
# remotePath = "patri-paperless";
# automatic = true;
#}
{
inherit address credentials;
remotePath = "media";