chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

move radicale to host

Browse source
This commit is contained in:
chaos 2024-07-20 13:23:50 +01:00
parent c5172753cb
commit c3bb50d7b7
No known key found for this signature in database
7 changed files with 52 additions and 141 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
hosts/hetzner-arm/containers/caldav/default.nix
View file

@ -1,55 +0,0 @@
{
self,
hostPath,
tree,
inputs,
config,
pkgs,
...
}: let
containerAddresses = import "${hostPath}/data/containerAddresses.nix";
hostIP = containerAddresses.host;
containerIP = containerAddresses.containers.caldav;
in {
containers.caldav = {
autoStart = true;
privateNetwork = true;
hostAddress = hostIP;
localAddress = containerIP;
specialArgs = {
inherit inputs;
inherit tree;
inherit self;
inherit hostPath;
};
config = {...}: {
nixpkgs.pkgs = pkgs;
imports = with tree;
[
presets.nixos.containerBase
./secrets.nix
]
++ (with hosts.hetzner-arm.containers.caldav.profiles; [
radicale
restic
]);
networking.firewall.allowedTCPPorts = [5232];
home-manager.users.root.home.stateVersion = "24.05";
system.stateVersion = "24.05";
};
};
services.nginx = {
enable = true;
virtualHosts."radicale.owo.monster" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${containerIP}:5232";
};
};
}

23
hosts/hetzner-arm/containers/caldav/profiles/restic.nix
View file

@ -1,23 +0,0 @@
{
self,
config,
...
}: let
backupSchedules = import "${self}/data/backupSchedules.nix";
inherit (config.services.secrets) secrets;
in {
services.restic.backups.caldav = {
user = "root";
paths = [
"/var/lib/radicale"
];
repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/CalDAV";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
createWrapper = true;
pruneOpts = ["--keep-last 50"];
timerConfig = backupSchedules.restic.high;
};
}

58
hosts/hetzner-arm/containers/caldav/secrets.nix
View file

@ -1,58 +0,0 @@
{pkgs, ...}: {
services.secrets = {
enable = true;
packages = with pkgs; [
apacheHttpd
];
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-caldav";
};
requiredVaultPaths = [
"api-keys/data/caldav"
"api-keys/data/backblaze/Chaos-Backups"
"private-public-keys/data/restic/CalDAV"
];
secrets = {
vault_password = {
manual = true;
};
radicale_htpasswd = {
user = "radicale";
group = "radicale";
fetchScript = ''
if [ -f "$secretFile" ]; then
rm "$secretFile"
fi
touch "$secretFile"
data=$(kv_get "/api-keys/caldav" | base64)
for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
done
'';
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/CalDAV" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
cat << EOF > "$secretFile"
AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
EOF
'';
};
};
};
}

2
hosts/hetzner-arm/hetzner-arm.nix
View file

@ -22,7 +22,6 @@ in {
++ (forEach [ ++ (forEach [
"storage" "storage"
"mail" "mail"
"caldav"
"jellyfin" "jellyfin"
#"grocy" #"grocy"
"vault" "vault"
@ -32,6 +31,7 @@ in {
gotosocial gotosocial
forgejo forgejo
mpd mpd
radicale
restic restic
]); ]);

14
hosts/hetzner-arm/containers/caldav/profiles/radicale.nix → hosts/hetzner-arm/profiles/radicale.nix
View file

@ -5,7 +5,7 @@ in {
enable = true; enable = true;
settings = { settings = {
server = { server = {
hosts = ["0.0.0.0:5232" "[::]:5232"]; hosts = ["127.0.0.1:5232"];
}; };
auth = { auth = {
type = "htpasswd"; type = "htpasswd";
@ -21,11 +21,17 @@ in {
}; };
}; };
users.users.radicale.uid = 1000;
users.groups.radicale.gid = 1000;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/radicale - radicale radicale" "d /var/lib/radicale - radicale radicale"
"d /var/lib/radicale/collections - radicale radicale" "d /var/lib/radicale/collections - radicale radicale"
]; ];
services.nginx = {
enable = true;
virtualHosts."radicale.owo.monster" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://127.0.0.1:5232";
};
};
} }

14
hosts/hetzner-arm/profiles/restic.nix
View file

@ -80,6 +80,20 @@ in {
passwordFile = secrets.restic_password_forgejo.path; passwordFile = secrets.restic_password_forgejo.path;
createWrapper = true; createWrapper = true;
pruneOpts = ["--keep-last 50"];
timerConfig = backupSchedules.restic.high;
};
radicale = {
user = "root";
paths = [
"/var/lib/radicale"
];
repository = "${repoRoot}/Radicale";
environmentFile = secrets.restic_backups_env.path;
passwordFile = secrets.restic_password_radicale.path;
createWrapper = true;
pruneOpts = ["--keep-last 50"]; pruneOpts = ["--keep-last 50"];
timerConfig = backupSchedules.restic.high; timerConfig = backupSchedules.restic.high;
}; };

27
hosts/hetzner-arm/secrets.nix
View file

@ -24,6 +24,9 @@
"api-keys/data/mpd" "api-keys/data/mpd"
"api-keys/data/music-stream" "api-keys/data/music-stream"
"api-keys/data/radicale"
"private-public-keys/data/restic/Radicale"
]; ];
secrets = { secrets = {
@ -105,6 +108,30 @@
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
''; '';
}; };
radicale_htpasswd = {
user = "radicale";
group = "radicale";
fetchScript = ''
if [ -f "$secretFile" ]; then
rm "$secretFile"
fi
touch "$secretFile"
data=$(kv_get "/api-keys/radicale" | base64)
for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
done
'';
};
restic_password_radicale = {
fetchScript = ''
simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
'';
};
}; };
}; };
} }