# NixOS configuration for the "storage" host: mounts a remote ("StorageBox:")
# with rclone, serves sub-trees of it over WebDAV / HTTP / restic REST behind
# nginx, and pushes selected sub-trees to B2 remotes on a timer.
# `config` and `modulesPath` are accepted here but not referenced in this file.
{ modulesPath, tree, config, pkgs, lib, ... }:

let
  # Paths of the secret files (htpasswd files, Vault password) used below.
  secrets-db = (import ./secrets-db.nix { });
  # Port numbers of the rclone serve instances; shared with the nginx
  # proxyPass targets further down so both sides stay in sync.
  ports = (import ./ports.nix { });
in {
  imports = with tree; [
    users.root
    profiles.base
    profiles.sshd
    profiles.nix-gc
    profiles.nginx
    ./hardware.nix
    ./networking.nix
    ./secrets.nix
  ];

  # Directories created at boot: /storage is the mount point used by
  # storage-mount below (root-owned); /caches holds the VFS cache of the main
  # WebDAV instance and belongs to the storage user.
  systemd.tmpfiles.rules = [
    "d /storage - root root"
    "d /caches - storage storage"
    "d /caches/main_webdav_serve - storage storage"
  ];

  # Unprivileged account that owns the rclone config and the caches and is
  # named as `user = "storage"` by the serve and sync jobs below.
  users.groups.storage = { };
  users.users.storage = {
    isNormalUser = true;
    extraGroups = [ "storage" ];
  };

  # Renders /home/storage/.config/rclone/rclone.conf from a template with
  # material obtained from Vault (see populate-rclone-config.sh, not shown
  # here). No User= is set, so the unit runs as root and then hands the file
  # over to the storage user with chown.
  # NOTE(review): mode 660 leaves the rendered config group-writable; it
  # presumably carries remote credentials, so 600 would do if only the storage
  # user reads it — confirm nothing else in the storage group needs access.
  systemd.services.populate-rclone-config = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];
    path = with pkgs; [ bash rclone vault getent jq ];
    script = let
      vault_username = "storage";
      # Location of the Vault password file; the file itself is provisioned
      # elsewhere (./secrets.nix, not shown).
      vault_password_file = "${secrets-db.vault_password.path}";
      config_dir = "/home/storage/.config/rclone";
      config_file = "/home/storage/.config/rclone/rclone.conf";
    in ''
      mkdir -p ${config_dir}
      VAULT_ADDR="https://vault.owo.monster" bash ${
        ./populate-rclone-config.sh
      } ${vault_username} ${vault_password_file} ${
        ./rclone_config.template
      } ${config_file}
      chown storage:storage ${config_file}
      chmod 660 ${config_file}
    '';
  };

  # Mounts the whole remote at /storage. Runs as root (no User= set) using the
  # config rendered by populate-rclone-config; partOf propagates stop/restart
  # of that unit to this one.
  # The script force-and-lazy-unmounts any stale mount first (`|| true` keeps
  # `set -e` from aborting when nothing is mounted), waits a fixed two
  # seconds, then mounts over /storage even if it is not empty
  # (--allow-non-empty).
  systemd.services.storage-mount = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" "populate-rclone-config.service" ];
    partOf = [ "populate-rclone-config.service" ];
    path = with pkgs; [ bash rclone mount umount ];
    script = ''
      set -e
      umount /storage -fl || true
      sleep 2
      rclone --config /home/storage/.config/rclone/rclone.conf mount StorageBox: /storage --allow-non-empty
    '';
  };

  # One rclone serve instance per entry. services.rclone-serve is not a
  # nixpkgs module; presumably it is provided by the imported tree — confirm.
  # Every instance binds `--addr=:PORT`, i.e. on all interfaces, and is only
  # consumed through the nginx proxyPass entries further down, which connect
  # to localhost.
  # NOTE(review): with networking.firewall.allowedTCPPorts = [ 80 443 ] below,
  # the raw ports are reachable from outside only if ./networking.nix opens
  # them or disables the firewall; binding to 127.0.0.1:PORT would remove that
  # dependency — confirm against ./networking.nix.
  # Instances without --htpasswd (music_ro and the two http ones) are
  # unauthenticated and rely on --read-only.
  services.rclone-serve = let
    # Shared ordering: start after the config has been rendered and follow
    # populate-rclone-config.service when it is stopped or restarted.
    serviceConfig = {
      after = [ "populate-rclone-config.service" ];
      partOf = [ "populate-rclone-config.service" ];
    };
  in {
    enable = true;
    remotes = [
      # Read-write WebDAV of the whole remote, password-protected, with a full
      # VFS cache under /caches (directory created by tmpfiles above).
      {
        user = "storage";
        remote = "StorageBox:";
        type = "webdav";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_webdav_main}"
          "--htpasswd=${secrets-db.webdav_main_htpasswd.path}"
          "--baseurl=/main/"
          "--cache-dir=/caches/main_webdav_serve"
          "--vfs-cache-mode=full"
        ];
        inherit serviceConfig;
      }
      # Read-only, unauthenticated WebDAV of Music.
      {
        user = "storage";
        remote = "StorageBox:Music";
        type = "webdav";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_webdav_music_ro}"
          "--read-only"
          "--baseurl=/music_ro/"
        ];
        inherit serviceConfig;
      }
      # Read-only, unauthenticated plain HTTP of Music.
      {
        user = "storage";
        remote = "StorageBox:Music";
        type = "http";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_http_music}"
          "--baseurl=/Music/"
          "--read-only"
        ];
        inherit serviceConfig;
      }
      # Read-only, unauthenticated plain HTTP of Public.
      {
        user = "storage";
        remote = "StorageBox:Public";
        type = "http";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_http_public}"
          "--baseurl=/Public/"
          "--read-only"
        ];
        inherit serviceConfig;
      }
      # restic REST backends, one per repository, each password-protected
      # with its own htpasswd file.
      {
        user = "storage";
        remote = "StorageBox:Backups/Restic/HetznerVM";
        type = "restic";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_restic_hvm}"
          "--htpasswd=${secrets-db.restic_hetznervm_htpasswd.path}"
          "--baseurl=/HetznerVM/"
        ];
        inherit serviceConfig;
      }
      {
        user = "storage";
        remote = "StorageBox:Backups/Restic/Music";
        type = "restic";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_restic_music}"
          "--htpasswd=${secrets-db.restic_music_htpasswd.path}"
          "--baseurl=/Music/"
        ];
        inherit serviceConfig;
      }
      {
        user = "storage";
        remote = "StorageBox:Backups/Restic/Vault";
        type = "restic";
        extraArgs = [
          "--addr=:${toString ports.rclone_serve_restic_vault}"
          "--htpasswd=${secrets-db.restic_vault_htpasswd.path}"
          "--baseurl=/Vault/"
        ];
        inherit serviceConfig;
      }
    ];
  };

  # Only HTTP/HTTPS are opened here; ./networking.nix (not shown) may add more.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # nginx front-ends. Each virtual host gets TLS via ACME, and each location
  # forwards to the rclone instance on the matching port. The --baseurl of
  # every instance equals its location path, so no path rewriting is needed.
  services.nginx.virtualHosts."storage-webdav.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/main/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_webdav_main}";
      "/music_ro/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
    };
  };

  services.nginx.virtualHosts."storage-http.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/Music/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_http_music}";
      "/Public/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_http_public}";
    };
  };

  services.nginx.virtualHosts."storage-restic.owo.monster" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/HetznerVM/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_restic_hvm}";
      "/Music/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_restic_music}";
      "/Vault/".proxyPass =
        "http://localhost:${toString ports.rclone_serve_restic_vault}";
    };
  };

  # Timed sync jobs from the StorageBox remote to B2 remotes; each job is
  # merged with sync_defaults via lib.mkMerge. services.rclone-sync is not a
  # nixpkgs module; presumably it is provided by the imported tree — confirm.
  services.rclone-sync = let
    sync_defaults = {
      # Needs the rendered rclone.conf, so order after populate-rclone-config.
      serviceConfig = { after = [ "populate-rclone-config.service" ]; };
      timerConfig = {
        # First run 60 s after boot.
        OnStartupSec = "60";
        # NOTE(review): "4h" is systemd timespan syntax, not a calendar
        # expression; if the module passes this through to OnCalendar= it is
        # likely rejected (check with `systemd-analyze calendar 4h`). For
        # "every four hours" use e.g. "*-*-* 0/4:00:00", or OnUnitActiveSec.
        OnCalendar = "4h";
      };
    };
  in {
    enable = true;
    user = "storage";
    sync_jobs = map (x: lib.mkMerge [ x sync_defaults ]) [
      # My B2
      {
        source = "StorageBox:Backups";
        dest = "B2-Chaos-Backups:";
      }
      {
        source = "StorageBox:Photos";
        dest = "B2-Chaos-Photos:";
      }
      {
        source = "StorageBox:Music";
        dest = "B2-Chaos-Music:";
      }
      # Phoenix System's B2
      {
        source = "StorageBox:Backups";
        dest = "B2-Phoenix-Cryptidz-Storage:Backups";
      }
      {
        source = "StorageBox:Photos";
        dest = "B2-Phoenix-Cryptidz-Storage:Photos";
      }
      {
        source = "StorageBox:Music";
        dest = "B2-Phoenix-Cryptidz-Storage:Music";
      }
    ];
  };

  # Tools for manual operation on the host (apacheHttpd supplies htpasswd).
  environment.systemPackages = with pkgs; [
    rclone
    cifs-utils
    apacheHttpd
    restic
  ];

  home-manager.users.root = {
    imports = with tree; [ home.base home.dev.small ];
    home.stateVersion = "22.05";
  };

  networking.hostName = "storage";
  time.timeZone = "Europe/London";

  system.stateVersion = "21.11";
}