move gotosocial to host

2024-07-20 12:24:27 +01:00 · 2024-07-20 12:24:27 +01:00 · 8eaf5c205f
parent 28b1c4a363
commit 8eaf5c205f
7 changed files with 105 additions and 179 deletions
--- a/hosts/hetzner-arm/containers/social/default.nix
+++ b/hosts/hetzner-arm/containers/social/default.nix
@ -1,67 +0,0 @@
-{
-  self,
-  hostPath,
-  tree,
-  inputs,
-  config,
-  pkgs,
-  ...
-}: let
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.social;
-in {
-  containers.social = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-
-    specialArgs = {
-      inherit inputs;
-      inherit tree;
-      inherit self;
-      inherit hostPath;
-    };
-
-    config = {...}: {
-      nixpkgs.pkgs = pkgs;
-
-      imports = with tree;
-        [
-          presets.nixos.containerBase
-          ./secrets.nix
-        ]
-        ++ (with hosts.hetzner-arm.containers.social.profiles; [
-          gotosocial
-          restic
-        ]);
-
-      networking.firewall = {
-        enable = true;
-        allowedTCPPorts = [8080];
-      };
-
-      home-manager.users.root.home.stateVersion = "24.05";
-      system.stateVersion = "24.05";
-    };
-  };
-
-  services.nginx.virtualHosts."gts-02.owo.monster" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://${containerIP}:8080";
-      proxyWebsockets = true;
-      extraConfig = ''
-        # uncomment if running nginx without recommendedProxySettings
-        # proxy_set_header Host $host;
-        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        # proxy_set_header X-Forwarded-Proto $scheme;
-      '';
-    };
-    extraConfig = ''
-      client_max_body_size 128M;
-    '';
-  };
-}
--- a/hosts/hetzner-arm/containers/social/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/restic.nix
@ -1,56 +0,0 @@
-{
-  self,
-  pkgs,
-  config,
-  ...
-}: let
-  inherit (config.services.secrets) secrets;
-  backupSchedules = import "${self}/data/backupSchedules.nix";
-
-  # Because gotosocial-admin isn't a seporate package we need to generate a seperate config
-  # and duplicate the wrapper for use in a systemd unit
-  gotoSocialConfigFile = (pkgs.formats.yaml {}).generate "config.yml" config.services.gotosocial.settings;
-  gotoSocialAdmin = "${(pkgs.writeShellScriptBin "gts-admin" ''
-    exec systemd-run \
-      -u gotosocial-admin.service \
-      -p Group=gotosocial \
-      -p User=gotosocial \
-      -q -t -G --wait --service-type=exec \
-      ${pkgs.gotosocial}/bin/gotosocial --config-path ${gotoSocialConfigFile} admin "$@"
-  '')}/bin/gts-admin";
-
-  backupPrepareCommand = "${
-    (pkgs.writeShellScriptBin "backupPrepareCommand" ''
-      systemctl stop gotosocial
-
-      ${gotoSocialAdmin} export --path /var/lib/gotosocial/gts-export.json
-
-      ${gotoSocialAdmin} media prune all --dry-run=false
-
-      systemctl start gotosocial
-    '')
-  }/bin/backupPrepareCommand";
-
-  backupCleanupCommand = "${(pkgs.writeShellScriptBin "backupCleanupCommand" ''
-    rm /var/lib/gotosocial/gts-export.json || true
-  '')}/bin/backupCleanupCommand";
-in {
-  services.restic.backups.social = {
-    user = "root";
-    paths = [
-      "/var/lib/gotosocial"
-    ];
-
-    repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Social";
-    passwordFile = "${secrets.restic_password.path}";
-    environmentFile = "${secrets.restic_env.path}";
-    createWrapper = true;
-
-    pruneOpts = ["--keep-last 10"];
-    # Don't want to cause too much downtime and take too long to prune media
-    timerConfig = backupSchedules.restic.medium;
-
-    inherit backupPrepareCommand;
-    inherit backupCleanupCommand;
-  };
-}
--- a/hosts/hetzner-arm/containers/social/secrets.nix
+++ b/hosts/hetzner-arm/containers/social/secrets.nix
@ -1,44 +0,0 @@
-{...}: {
-  services.secrets = {
-    enable = true;
-
-    vaultLogin = {
-      enable = true;
-      loginUsername = "hetzner-arm-container-social";
-    };
-
-    requiredVaultPaths = [
-      "private-public-keys/data/restic/Social"
-
-      "api-keys/data/backblaze/Chaos-Backups"
-
-      "api-keys/data/chaos_mail/gotosocial"
-    ];
-
-    secrets = {
-      vault_password = {
-        manual = true;
-      };
-
-      restic_password = {
-        fetchScript = ''
-          simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
-        '';
-      };
-      restic_env = {
-        fetchScript = ''
-          cat << EOF > "$secretFile"
-          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
-          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
-          EOF
-        '';
-      };
-      env_secrets = {
-        fetchScript = ''
-          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
-          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
-        '';
-      };
-    };
-  };
-}
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -20,9 +20,7 @@ in {
      ./secrets.nix
    ]
    ++ (forEach [
-      "social"
      "storage"
-      "postgresql"
      "mail"
      "forgejo"
      "caldav"
--- a/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
+++ b/hosts/hetzner-arm/containers/social/profiles/gotosocial.nix
@ -3,10 +3,6 @@
  config,
  ...
 }: let
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.social;
-
  inherit (config.services.secrets) secrets;
 in {
  services.gotosocial = {
@ -22,16 +18,12 @@ in {
      log-level = "info";
      log-client-ip = true;

-      db-type = "postgres";
-      db-user = "gotosocial";
-      db-database = "gotosocial";
-      db-address = "${containerAddresses.containers.postgresql}";
+      db-type = "sqlite";
+      db-address = "/var/lib/gotosocial/sqlite.db";

      trusted-proxies = [
        "127.0.0.1/32"
        "::1"
-        hostIP
-        containerIP
      ];

      port = 8080;
@ -70,4 +62,22 @@ in {
      };
    };
  };
+
+  services.nginx.virtualHosts."gts-02.owo.monster" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8080";
+      proxyWebsockets = true;
+      extraConfig = ''
+        # uncomment if running nginx without recommendedProxySettings
+        # proxy_set_header Host $host;
+        # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # proxy_set_header X-Forwarded-Proto $scheme;
+      '';
+    };
+    extraConfig = ''
+      client_max_body_size 128M;
+    '';
+  };
 }
--- a/hosts/hetzner-arm/profiles/restic.nix
+++ b/hosts/hetzner-arm/profiles/restic.nix
@ -0,0 +1,58 @@
+{
+  self,
+  pkgs,
+  config,
+  ...
+}: let
+  inherit (config.services.secrets) secrets;
+  backupSchedules = import "${self}/data/backupSchedules.nix";
+
+  repoRoot = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic";
+in {
+  services.restic.backups = {
+    social = {
+      user = "root";
+      paths = [
+        "/var/lib/gotosocial"
+      ];
+
+      repository = "${repoRoot}/Social-02";
+      environmentFile = "${secrets.restic_backups_env.path}";
+      passwordFile = "${secrets.restic_social_password.path}";
+      createWrapper = true;
+
+      pruneOpts = ["--keep-last 10"];
+      timerConfig = backupSchedules.restic.medium;
+
+      backupPrepareCommand = let
+        # Because gotosocial-admin isn't a seporate package we need to generate a seperate config
+        # and duplicate the wrapper for use in a systemd unit
+        gotoSocialConfigFile = (pkgs.formats.yaml {}).generate "config.yml" config.services.gotosocial.settings;
+        gotoSocialAdmin = "${(pkgs.writeShellScriptBin "gts-admin" ''
+          exec systemd-run \
+            -u gotosocial-admin.service \
+            -p Group=gotosocial \
+            -p User=gotosocial \
+            -q -t -G --wait --service-type=exec \
+            ${pkgs.gotosocial}/bin/gotosocial --config-path ${gotoSocialConfigFile} admin "$@"
+        '')}/bin/gts-admin";
+      in "${
+        (pkgs.writeShellScriptBin "backupPrepareCommand" ''
+          systemctl stop gotosocial
+
+          ${gotoSocialAdmin} export --path /var/lib/gotosocial/gts-export.json
+
+          ${gotoSocialAdmin} media prune all --dry-run=false
+
+          systemctl start gotosocial
+        '')
+      }/bin/backupPrepareCommand";
+
+      backupCleanupCommand = "${
+        (pkgs.writeShellScriptBin "backupCleanupCommand" ''
+          rm /var/lib/gotosocial/gts-export.json || true
+        '')
+      }/bin/backupCleanupCommand";
+    };
+  };
+}
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@ -10,6 +10,10 @@
    requiredVaultPaths = [
      "private-public-keys/data/ssh/root@hetzner-arm"
      "private-public-keys/data/ssh/root@hetzner-arm-decrypt"
+
+      "api-keys/data/backblaze/Chaos-Backup"
+
+      "private-public-keys/data/restic/Social"
    ];

    secrets = {
@ -44,6 +48,29 @@
          simple_get "/private-public-keys/ssh/root@hetzner-arm-decrypt" .private | base64 -d > "$secretFile"
        '';
      };
+
+      # B2 Keys for all backups
+      restic_backups_env = {
+        fetchScript = ''
+          cat << EOF > "$secretFile"
+          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
+          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
+          EOF
+        '';
+      };
+
+      restic_password_social = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Social" .password > "$secretFile"
+        '';
+      };
+
+      gotosocial_env = {
+        fetchScript = ''
+          smtp_password=$(simple_get "/api-keys/chaos_mail/gotosocial" .password)
+          echo "GTS_SMTP_PASSWORD=$smtp_password" > "$secretFile"
+        '';
+      };
    };
  };
 }