From c3bb50d7b7c89f4797151f7cf67d70c7d5d9b759 Mon Sep 17 00:00:00 2001
From: chaos
Date: Sat, 20 Jul 2024 13:23:50 +0100
Subject: [PATCH] move radicale to host

---
 .../hetzner-arm/containers/caldav/default.nix | 55 ------------------
 .../containers/caldav/profiles/restic.nix | 23 --------
 .../hetzner-arm/containers/caldav/secrets.nix | 58 -------------------
 hosts/hetzner-arm/hetzner-arm.nix | 2 +-
 .../caldav => }/profiles/radicale.nix | 14 +++--
 hosts/hetzner-arm/profiles/restic.nix | 14 +++++
 hosts/hetzner-arm/secrets.nix | 27 +++++++++
 7 files changed, 52 insertions(+), 141 deletions(-)
 delete mode 100644 hosts/hetzner-arm/containers/caldav/default.nix
 delete mode 100644 hosts/hetzner-arm/containers/caldav/profiles/restic.nix
 delete mode 100644 hosts/hetzner-arm/containers/caldav/secrets.nix
 rename hosts/hetzner-arm/{containers/caldav => }/profiles/radicale.nix (71%)
diff --git a/hosts/hetzner-arm/containers/caldav/default.nix b/hosts/hetzner-arm/containers/caldav/default.nix
deleted file mode 100644
index 9f183e7..0000000
--- a/hosts/hetzner-arm/containers/caldav/default.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{
- self,
- hostPath,
- tree,
- inputs,
- config,
- pkgs,
- ...
-}: let
- containerAddresses = import "${hostPath}/data/containerAddresses.nix";
- hostIP = containerAddresses.host;
- containerIP = containerAddresses.containers.caldav;
-in {
- containers.caldav = {
- autoStart = true;
- privateNetwork = true;
- hostAddress = hostIP;
- localAddress = containerIP;
-
- specialArgs = {
- inherit inputs;
- inherit tree;
- inherit self;
- inherit hostPath;
- };
-
- config = {...}: {
- nixpkgs.pkgs = pkgs;
-
- imports = with tree;
- [
- presets.nixos.containerBase
- ./secrets.nix
- ]
- ++ (with hosts.hetzner-arm.containers.caldav.profiles; [
- radicale
- restic
- ]);
-
- networking.firewall.allowedTCPPorts = [5232];
-
- home-manager.users.root.home.stateVersion = "24.05";
- system.stateVersion = "24.05";
- };
- };
-
- services.nginx = {
- enable = true;
- virtualHosts."radicale.owo.monster" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://${containerIP}:5232";
- };
- };
-}
diff --git a/hosts/hetzner-arm/containers/caldav/profiles/restic.nix b/hosts/hetzner-arm/containers/caldav/profiles/restic.nix
deleted file mode 100644
index 76ea450..0000000
--- a/hosts/hetzner-arm/containers/caldav/profiles/restic.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- self,
- config,
- ...
-}: let
- backupSchedules = import "${self}/data/backupSchedules.nix";
- inherit (config.services.secrets) secrets;
-in {
- services.restic.backups.caldav = {
- user = "root";
- paths = [
- "/var/lib/radicale"
- ];
-
- repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/CalDAV";
- passwordFile = "${secrets.restic_password.path}";
- environmentFile = "${secrets.restic_env.path}";
- createWrapper = true;
-
- pruneOpts = ["--keep-last 50"];
- timerConfig = backupSchedules.restic.high;
- };
-}
diff --git a/hosts/hetzner-arm/containers/caldav/secrets.nix b/hosts/hetzner-arm/containers/caldav/secrets.nix
deleted file mode 100644
index 8bae0a2..0000000
--- a/hosts/hetzner-arm/containers/caldav/secrets.nix
+++ /dev/null
@@ -1,58 +0,0 @@
-{pkgs, ...}: {
- services.secrets = {
- enable = true;
-
- packages = with pkgs; [
- apacheHttpd
- ];
-
- vaultLogin = {
- enable = true;
- loginUsername = "hetzner-arm-container-caldav";
- };
-
- requiredVaultPaths = [
- "api-keys/data/caldav"
- "api-keys/data/backblaze/Chaos-Backups"
- "private-public-keys/data/restic/CalDAV"
- ];
-
- secrets = {
- vault_password = {
- manual = true;
- };
-
- radicale_htpasswd = {
- user = "radicale";
- group = "radicale";
- fetchScript = ''
- if [ -f "$secretFile" ]; then
- rm "$secretFile"
- fi
-
- touch "$secretFile"
-
- data=$(kv_get "/api-keys/caldav" | base64)
- for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
- password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
- htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
- done
- '';
- };
-
- restic_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/CalDAV" .password > "$secretFile"
- '';
- };
- restic_env = {
- fetchScript = ''
- cat << EOF > "$secretFile"
- AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
- AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
- EOF
- '';
- };
- };
- };
-}
diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix
index a8264f9..826eb4d 100644
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@@ -22,7 +22,6 @@ in {
 ++ (forEach [
 "storage"
 "mail"
- "caldav"
 "jellyfin"
 #"grocy"
 "vault"
@@ -32,6 +31,7 @@ in {
 gotosocial
 forgejo
 mpd
+ radicale
 restic
 ]);

diff --git a/hosts/hetzner-arm/containers/caldav/profiles/radicale.nix b/hosts/hetzner-arm/profiles/radicale.nix
similarity index 71%
rename from hosts/hetzner-arm/containers/caldav/profiles/radicale.nix
rename to hosts/hetzner-arm/profiles/radicale.nix
index cbf6c71..2eebdfc 100644
--- a/hosts/hetzner-arm/containers/caldav/profiles/radicale.nix +++ b/hosts/hetzner-arm/profiles/radicale.nix @@ -5,7 +5,7 @@ in { enable = true; settings = { server = { - hosts = ["0.0.0.0:5232" "[::]:5232"]; + hosts = ["127.0.0.1:5232"]; }; auth = { type = "htpasswd"; @@ -21,11 +21,17 @@ in { }; }; - users.users.radicale.uid = 1000; - users.groups.radicale.gid = 1000; - systemd.tmpfiles.rules = [ "d /var/lib/radicale - radicale radicale" "d /var/lib/radicale/collections - radicale radicale" ]; + + services.nginx = { + enable = true; + virtualHosts."radicale.owo.monster" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:5232"; + }; + }; } diff --git a/hosts/hetzner-arm/profiles/restic.nix b/hosts/hetzner-arm/profiles/restic.nix index 33087f8..7a73397 100644 --- a/hosts/hetzner-arm/profiles/restic.nix +++ b/hosts/hetzner-arm/profiles/restic.nix @@ -80,6 +80,20 @@ in { passwordFile = secrets.restic_password_forgejo.path; createWrapper = true; + pruneOpts = ["--keep-last 50"]; + timerConfig = backupSchedules.restic.high; + }; + radicale = { + user = "root"; + paths = [ + "/var/lib/radicale" + ]; + + repository = "${repoRoot}/Radicale"; + environmentFile = secrets.restic_backups_env.path; + passwordFile = secrets.restic_password_radicale.path; + createWrapper = true; + pruneOpts = ["--keep-last 50"]; timerConfig = backupSchedules.restic.high; }; diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix index 760a868..3db1ec8 100644 --- a/hosts/hetzner-arm/secrets.nix +++ b/hosts/hetzner-arm/secrets.nix @@ -24,6 +24,9 @@ "api-keys/data/mpd" "api-keys/data/music-stream" + + "api-keys/data/radicale" + "private-public-keys/data/restic/Radicale" ]; secrets = { 
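Review bot: The tmpfiles rules kept as context in the second radicale.nix hunk use `-` for the mode, so `/var/lib/radicale` and its `collections` subdirectory are created 0755; inside the container that was reachable only by the container's own processes, but on the host every local user and service can now traverse the tree and read any collection file radicale leaves world-readable. Tightening them to `"d /var/lib/radicale 0750 radicale radicale"` and `"d /var/lib/radicale/collections 0750 radicale radicale"` keeps the isolation the container used to provide. The same hunk drops the fixed uid/gid 1000 for the radicale user; if the existing collections are copied over from the container they will presumably still be owned by uid 1000, and `d` rules do not recurse, so a one-time `chown -R` (or a `Z` rule) is likely needed after migration — confirm that the nixpkgs radicale module creates the user once the explicit uid is gone. Binding radicale to `127.0.0.1:5232` and proxying over loopback is the right shape; the enclosing `in {` attrset continues outside both hunks.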
@@ -105,6 +108,30 @@
 htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
 '';
 };
+
+ radicale_htpasswd = {
+ user = "radicale";
+ group = "radicale";
+ fetchScript = ''
+ if [ -f "$secretFile" ]; then
+ rm "$secretFile"
+ fi
+
+ touch "$secretFile"
+
+ data=$(kv_get "/api-keys/radicale" | base64)
+ for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
+ password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
+ htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
+ done
+ '';
+ };
+
+ restic_password_radicale = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
+ '';
+ };
 };
 };
 }
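Review bot: In the `radicale_htpasswd` fetch script the file is created with `touch "$secretFile"` under whatever umask the secrets service runs with, so the bcrypt hashes that `htpasswd -bB` appends may end up in a world-readable file unless the module chmods it afterwards, which I cannot see from here; creating it as `(umask 077; : > "$secretFile")` in place of the `touch` line makes the script safe on its own. The `-b` flag hands each password to htpasswd on the command line, where it is visible in the process list to every local user for the duration of the call — a wider audience now that this runs on the shared host instead of inside the container; `printf '%s\n' "$password" | htpasswd -iB "$secretFile" "$username"` reads it from stdin instead. The `2>/dev/null` also hides any htpasswd failure, so a bad entry silently yields an incomplete credential file; drop the redirect or check the exit status so the fetch fails loudly. The existing `htpasswd -bc` context line above the hunk has the same two issues.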