move radicale to host

2024-07-20 13:23:50 +01:00 · 2024-07-20 13:23:50 +01:00 · c3bb50d7b7
parent c5172753cb
commit c3bb50d7b7
7 changed files with 52 additions and 141 deletions
--- a/hosts/hetzner-arm/containers/caldav/default.nix
+++ b/hosts/hetzner-arm/containers/caldav/default.nix
@ -1,55 +0,0 @@
-{
-  self,
-  hostPath,
-  tree,
-  inputs,
-  config,
-  pkgs,
-  ...
-}: let
-  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
-  hostIP = containerAddresses.host;
-  containerIP = containerAddresses.containers.caldav;
-in {
-  containers.caldav = {
-    autoStart = true;
-    privateNetwork = true;
-    hostAddress = hostIP;
-    localAddress = containerIP;
-
-    specialArgs = {
-      inherit inputs;
-      inherit tree;
-      inherit self;
-      inherit hostPath;
-    };
-
-    config = {...}: {
-      nixpkgs.pkgs = pkgs;
-
-      imports = with tree;
-        [
-          presets.nixos.containerBase
-          ./secrets.nix
-        ]
-        ++ (with hosts.hetzner-arm.containers.caldav.profiles; [
-          radicale
-          restic
-        ]);
-
-      networking.firewall.allowedTCPPorts = [5232];
-
-      home-manager.users.root.home.stateVersion = "24.05";
-      system.stateVersion = "24.05";
-    };
-  };
-
-  services.nginx = {
-    enable = true;
-    virtualHosts."radicale.owo.monster" = {
-      enableACME = true;
-      forceSSL = true;
-      locations."/".proxyPass = "http://${containerIP}:5232";
-    };
-  };
-}
--- a/hosts/hetzner-arm/containers/caldav/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/caldav/profiles/restic.nix
@ -1,23 +0,0 @@
-{
-  self,
-  config,
-  ...
-}: let
-  backupSchedules = import "${self}/data/backupSchedules.nix";
-  inherit (config.services.secrets) secrets;
-in {
-  services.restic.backups.caldav = {
-    user = "root";
-    paths = [
-      "/var/lib/radicale"
-    ];
-
-    repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/CalDAV";
-    passwordFile = "${secrets.restic_password.path}";
-    environmentFile = "${secrets.restic_env.path}";
-    createWrapper = true;
-
-    pruneOpts = ["--keep-last 50"];
-    timerConfig = backupSchedules.restic.high;
-  };
-}
--- a/hosts/hetzner-arm/containers/caldav/secrets.nix
+++ b/hosts/hetzner-arm/containers/caldav/secrets.nix
@ -1,58 +0,0 @@
-{pkgs, ...}: {
-  services.secrets = {
-    enable = true;
-
-    packages = with pkgs; [
-      apacheHttpd
-    ];
-
-    vaultLogin = {
-      enable = true;
-      loginUsername = "hetzner-arm-container-caldav";
-    };
-
-    requiredVaultPaths = [
-      "api-keys/data/caldav"
-      "api-keys/data/backblaze/Chaos-Backups"
-      "private-public-keys/data/restic/CalDAV"
-    ];
-
-    secrets = {
-      vault_password = {
-        manual = true;
-      };
-
-      radicale_htpasswd = {
-        user = "radicale";
-        group = "radicale";
-        fetchScript = ''
-          if [ -f "$secretFile" ]; then
-            rm "$secretFile"
-          fi
-
-          touch "$secretFile"
-
-          data=$(kv_get "/api-keys/caldav" | base64)
-          for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
-            password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
-            htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
-          done
-        '';
-      };
-
-      restic_password = {
-        fetchScript = ''
-          simple_get "/private-public-keys/restic/CalDAV" .password > "$secretFile"
-        '';
-      };
-      restic_env = {
-        fetchScript = ''
-          cat << EOF > "$secretFile"
-          AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID)
-          AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey)
-          EOF
-        '';
-      };
-    };
-  };
-}
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -22,7 +22,6 @@ in {
    ++ (forEach [
      "storage"
      "mail"
-      "caldav"
      "jellyfin"
      #"grocy"
      "vault"
@ -32,6 +31,7 @@ in {
      gotosocial
      forgejo
      mpd
+      radicale
      restic
    ]);

--- a/hosts/hetzner-arm/containers/caldav/profiles/radicale.nix
+++ b/hosts/hetzner-arm/containers/caldav/profiles/radicale.nix
@ -5,7 +5,7 @@ in {
    enable = true;
    settings = {
      server = {
-        hosts = ["0.0.0.0:5232" "[::]:5232"];
+        hosts = ["127.0.0.1:5232"];
      };
      auth = {
        type = "htpasswd";
@ -21,11 +21,17 @@ in {
    };
  };

-  users.users.radicale.uid = 1000;
-  users.groups.radicale.gid = 1000;
-
  systemd.tmpfiles.rules = [
    "d /var/lib/radicale - radicale radicale"
    "d /var/lib/radicale/collections - radicale radicale"
  ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."radicale.owo.monster" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:5232";
+    };
+  };
 }
--- a/hosts/hetzner-arm/profiles/restic.nix
+++ b/hosts/hetzner-arm/profiles/restic.nix
@ -80,6 +80,20 @@ in {
      passwordFile = secrets.restic_password_forgejo.path;
      createWrapper = true;

+      pruneOpts = ["--keep-last 50"];
+      timerConfig = backupSchedules.restic.high;
+    };
+    radicale = {
+      user = "root";
+      paths = [
+        "/var/lib/radicale"
+      ];
+
+      repository = "${repoRoot}/Radicale";
+      environmentFile = secrets.restic_backups_env.path;
+      passwordFile = secrets.restic_password_radicale.path;
+      createWrapper = true;
+
      pruneOpts = ["--keep-last 50"];
      timerConfig = backupSchedules.restic.high;
    };
--- a/hosts/hetzner-arm/secrets.nix
+++ b/hosts/hetzner-arm/secrets.nix
@ -24,6 +24,9 @@

      "api-keys/data/mpd"
      "api-keys/data/music-stream"
+
+      "api-keys/data/radicale"
+      "private-public-keys/data/restic/Radicale"
    ];

    secrets = {
@ -105,6 +108,30 @@
          htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
        '';
      };
+
+      radicale_htpasswd = {
+        user = "radicale";
+        group = "radicale";
+        fetchScript = ''
+          if [ -f "$secretFile" ]; then
+            rm "$secretFile"
+          fi
+
+          touch "$secretFile"
+
+          data=$(kv_get "/api-keys/radicale" | base64)
+          for username in $(echo "$data" | base64 -d | jq -r ".data.data | keys | .[]"); do
+            password=$(echo "$data" | base64 -d | jq -r ".data.data.\"$username\"")
+            htpasswd -bB "$secretFile" "$username" "$password" 2>/dev/null
+          done
+        '';
+      };
+
+      restic_password_radicale = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Radicale" .password > "$secretFile"
+        '';
+      };
    };
  };
 }