nixfiles/hosts/storage/storage.nix

255 lines
6.6 KiB
Nix
Raw Normal View History

2022-10-27 16:25:26 +01:00
{ modulesPath, tree, config, pkgs, lib, ... }:
2022-11-02 16:04:43 +00:00
let
secrets-db = (import ./secrets-db.nix { });
ports = (import ./ports.nix { });
2022-11-02 11:32:03 +00:00
in {
2022-10-27 16:25:26 +01:00
imports = with tree; [
users.root
profiles.base
profiles.sshd
2022-11-02 10:24:47 +00:00
profiles.nix-gc
profiles.nginx
2022-10-27 16:25:26 +01:00
./hardware.nix
2022-11-02 10:24:47 +00:00
./networking.nix
2022-11-02 11:32:03 +00:00
./secrets.nix
2022-10-27 16:25:26 +01:00
];
2022-11-02 10:24:47 +00:00
systemd.tmpfiles.rules = [
"d /storage - root root"
2022-11-03 07:57:35 +00:00
"d /caches - storage storage"
"d /caches/main_webdav_serve - storage storage"
2022-11-02 10:24:47 +00:00
];
2022-10-27 20:27:22 +01:00
users.groups.storage = { };
users.users.storage = {
isNormalUser = true;
extraGroups = [ "storage" ];
};
systemd.services.populate-rclone-config = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
path = with pkgs; [ bash rclone vault getent jq ];
script = let
vault_username = "storage";
2022-11-02 11:32:03 +00:00
vault_password_file = "${secrets-db.vault_password.path}";
config_dir = "/home/storage/.config/rclone";
config_file = "/home/storage/.config/rclone/rclone.conf";
2022-10-27 20:27:22 +01:00
in ''
2022-11-02 11:32:03 +00:00
mkdir -p ${config_dir}
2022-10-27 20:27:22 +01:00
VAULT_ADDR="https://vault.owo.monster" bash ${
./populate-rclone-config.sh
} ${vault_username} ${vault_password_file} ${
./rclone_config.template
2022-11-02 11:32:03 +00:00
} ${config_file}
chown storage:storage ${config_file}
chmod 660 ${config_file}
2022-10-27 20:27:22 +01:00
'';
};
systemd.services.storage-mount = {
wantedBy = [ "multi-user.target" ];
2022-11-03 06:44:02 +00:00
after = [ "network.target" "populate-rclone-config.service" ];
partOf = [ "populate-rclone-config.service" ];
2022-10-28 13:56:51 +01:00
path = with pkgs; [ bash rclone mount umount ];
2022-10-27 20:27:22 +01:00
script = ''
set -e
2022-10-28 13:56:51 +01:00
umount /storage -fl || true
sleep 2
rclone --config /home/storage/.config/rclone/rclone.conf mount StorageBox: /storage --allow-non-empty
2022-10-27 20:27:22 +01:00
'';
};
2022-10-27 16:25:26 +01:00
2022-11-03 06:44:02 +00:00
services.rclone-serve = let
serviceConfig = {
after = [ "populate-rclone-config.service" ];
partOf = [ "populate-rclone-config.service" ];
};
in {
2022-10-27 20:27:22 +01:00
enable = true;
2022-10-28 13:56:51 +01:00
remotes = [
{
user = "storage";
remote = "StorageBox:";
type = "webdav";
2022-11-02 16:04:43 +00:00
extraArgs = [
"--addr=:${toString ports.rclone_serve_webdav_main}"
"--htpasswd=${secrets-db.webdav_main_htpasswd.path}"
"--baseurl=/main/"
2022-11-03 07:57:35 +00:00
"--cache-dir=/caches/main_webdav_serve"
"--vfs-cache-mode=full"
2022-11-02 16:04:43 +00:00
];
2022-11-03 06:44:02 +00:00
inherit serviceConfig;
2022-11-02 16:04:43 +00:00
}
{
user = "storage";
remote = "StorageBox:Music";
type = "webdav";
extraArgs = [
"--addr=:${toString ports.rclone_serve_webdav_music_ro}"
"--read-only"
"--baseurl=/music_ro/"
];
2022-11-03 06:44:02 +00:00
inherit serviceConfig;
}
{
user = "storage";
remote = "StorageBox:Music";
type = "http";
extraArgs = [
"--addr=:${toString ports.rclone_serve_http_music}"
"--baseurl=/Music/"
"--read-only"
];
inherit serviceConfig;
}
{
user = "storage";
remote = "StorageBox:Public";
type = "http";
extraArgs = [
"--addr=:${toString ports.rclone_serve_http_public}"
"--baseurl=/Public/"
2022-11-03 06:44:02 +00:00
"--read-only"
];
inherit serviceConfig;
2022-10-28 13:56:51 +01:00
}
{
user = "storage";
2022-11-03 06:44:02 +00:00
remote = "StorageBox:Backups/Restic/HetznerVM";
2022-10-28 13:56:51 +01:00
type = "restic";
extraArgs = [
2022-11-02 16:04:43 +00:00
"--addr=:${toString ports.rclone_serve_restic_hvm}"
2022-11-02 11:32:03 +00:00
"--htpasswd=${secrets-db.restic_hetznervm_htpasswd.path}"
2022-10-28 13:56:51 +01:00
"--baseurl=/HetznerVM/"
];
2022-11-03 06:44:02 +00:00
inherit serviceConfig;
2022-10-28 13:56:51 +01:00
}
{
user = "storage";
2022-11-03 06:44:02 +00:00
remote = "StorageBox:Backups/Restic/Music";
2022-10-28 13:56:51 +01:00
type = "restic";
extraArgs = [
2022-11-02 16:04:43 +00:00
"--addr=:${toString ports.rclone_serve_restic_music}"
2022-11-02 11:32:03 +00:00
"--htpasswd=${secrets-db.restic_music_htpasswd.path}"
2022-10-28 13:56:51 +01:00
"--baseurl=/Music/"
];
2022-11-03 06:44:02 +00:00
inherit serviceConfig;
2022-10-28 13:56:51 +01:00
}
2022-11-02 10:24:47 +00:00
{
user = "storage";
2022-11-03 06:44:02 +00:00
remote = "StorageBox:Backups/Restic/Vault";
2022-11-02 10:24:47 +00:00
type = "restic";
extraArgs = [
2022-11-02 16:04:43 +00:00
"--addr=:${toString ports.rclone_serve_restic_vault}"
2022-11-02 11:32:03 +00:00
"--htpasswd=${secrets-db.restic_vault_htpasswd.path}"
2022-11-02 10:24:47 +00:00
"--baseurl=/Vault/"
];
2022-11-03 06:44:02 +00:00
inherit serviceConfig;
2022-11-02 16:04:43 +00:00
}
2022-10-28 13:56:51 +01:00
];
};
2022-11-02 10:24:47 +00:00
networking.firewall.allowedTCPPorts = [ 80 443 ];
2022-10-28 13:56:51 +01:00
services.nginx.virtualHosts."storage-webdav.owo.monster" = {
forceSSL = true;
enableACME = true;
2022-11-02 16:04:43 +00:00
locations = {
"/main/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_main}";
"/music_ro/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
};
};
services.nginx.virtualHosts."storage-http.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = {
"/Music/".proxyPass =
2022-11-02 16:04:43 +00:00
"http://localhost:${toString ports.rclone_serve_http_music}";
"/Public/".proxyPass =
"http://localhost:${toString ports.rclone_serve_http_public}";
2022-11-02 16:04:43 +00:00
};
2022-10-27 20:27:22 +01:00
};
2022-10-28 13:56:51 +01:00
services.nginx.virtualHosts."storage-restic.owo.monster" = {
2022-10-27 20:27:22 +01:00
forceSSL = true;
enableACME = true;
2022-10-28 13:56:51 +01:00
locations = {
2022-11-02 16:04:43 +00:00
"/HetznerVM/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_hvm}";
"/Music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_music}";
"/Vault/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_vault}";
2022-10-28 13:56:51 +01:00
};
2022-10-27 20:27:22 +01:00
};
2022-11-02 16:04:43 +00:00
services.rclone-sync = let
sync_defaults = {
2022-11-03 06:44:02 +00:00
serviceConfig = { after = [ "populate-rclone-config.service" ]; };
2022-11-02 16:04:43 +00:00
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
};
in {
2022-10-28 13:56:51 +01:00
enable = true;
user = "storage";
2022-11-02 16:04:43 +00:00
sync_jobs = map (x: lib.mkMerge [ x sync_defaults ]) [
# My B2
2022-10-28 13:56:51 +01:00
{
2022-11-03 06:44:02 +00:00
source = "StorageBox:Backups";
2022-10-28 13:56:51 +01:00
dest = "B2-Chaos-Backups:";
}
{
2022-11-03 06:44:02 +00:00
source = "StorageBox:Photos";
2022-10-28 13:56:51 +01:00
dest = "B2-Chaos-Photos:";
}
2022-11-03 06:44:02 +00:00
{
source = "StorageBox:Music";
dest = "B2-Chaos-Music:";
}
# Pheonix System's B2
2022-11-02 11:32:03 +00:00
{
2022-11-03 06:44:02 +00:00
source = "StorageBox:Backups";
dest = "B2-Phoenix-Cryptidz-Storage:Backups";
2022-11-02 11:32:03 +00:00
}
{
2022-11-03 06:44:02 +00:00
source = "StorageBox:Photos";
dest = "B2-Phoenix-Cryptidz-Storage:Photos";
2022-11-02 16:04:43 +00:00
}
{
source = "StorageBox:Music";
dest = "B2-Phoenix-Cryptidz-Storage:Music";
2022-11-02 11:32:03 +00:00
}
2022-10-28 13:56:51 +01:00
];
};
environment.systemPackages = with pkgs; [
rclone
cifs-utils
apacheHttpd
restic
];
2022-10-27 16:25:26 +01:00
home-manager.users.root = {
imports = with tree; [ home.base home.dev.small ];
home.stateVersion = "22.05";
};
networking.hostName = "storage";
time.timeZone = "Europe/London";
system.stateVersion = "21.11";
}