From c4714964d1bf0e1cac7015decb6357b648d6e5d8 Mon Sep 17 00:00:00 2001 
From: chaos Date: Sat, 6 Jul 2024 17:20:28 +0100 Subject: [PATCH] migrate away from hetzner storagebox and get rid of some gaming and media stuff --- home/gui/environments/gnome/default.nix | 5 +- home/musicLibrary.nix | 12 +- home/programming/languages/rust.nix | 2 +- .../containers/caldav/profiles/restic.nix | 16 +- .../hetzner-arm/containers/caldav/secrets.nix | 12 +- .../containers/forgejo/profiles/restic.nix | 16 +- .../containers/forgejo/secrets.nix | 12 +- .../containers/grocy/profiles/restic.nix | 16 +- .../hetzner-arm/containers/grocy/secrets.nix | 12 +- .../containers/jellyfin/profiles/restic.nix | 16 +- .../containers/jellyfin/secrets.nix | 11 +- .../containers/mail/profiles/restic.nix | 16 +- hosts/hetzner-arm/containers/mail/secrets.nix | 12 +- .../containers/music/profiles/mpd.nix | 1 - .../hetzner-arm/containers/music/secrets.nix | 4 - .../containers/owncast/default.nix | 74 -------- .../containers/owncast/profiles/owncast.nix | 8 - .../containers/owncast/profiles/restic.nix | 35 ---- .../containers/owncast/secrets.nix | 37 ---- .../containers/postgresql/profiles/restic.nix | 15 +- .../containers/postgresql/secrets.nix | 12 +- hosts/hetzner-arm/containers/rss/default.nix | 74 -------- .../containers/rss/profiles/freshrss.nix | 11 -- .../containers/rss/profiles/restic.nix | 35 ---- hosts/hetzner-arm/containers/rss/secrets.nix | 49 ----- .../containers/social/profiles/restic.nix | 15 +- .../hetzner-arm/containers/social/secrets.nix | 12 +- .../containers/storage/data/ports.nix | 24 +-- .../storage/data/rclone_config.template | 138 +++----------- .../containers/storage/default.nix | 24 --- .../storage/profiles/rcloneServe.nix | 168 +----------------- .../storage/profiles/rcloneSync.nix | 59 ++---- .../containers/storage/secrets.nix | 142 +-------------- .../containers/vault-ca/profiles/restic.nix | 34 ---- .../{vault-ca => vault}/data/ca.json | 0 .../{vault-ca => vault}/default.nix | 6 +- .../profiles/internalCA.nix | 0 
.../containers/vault/profiles/restic.nix | 22 +++ .../{vault-ca => vault}/profiles/vault.nix | 0 .../{vault-ca => vault}/secrets.nix | 15 +- hosts/hetzner-arm/data/containerAddresses.nix | 2 +- hosts/hetzner-arm/hetzner-arm.nix | 4 +- hosts/hetzner-arm/secrets.nix | 7 - hosts/lappy-surface/secrets.nix | 28 --- hosts/lappy-t495/lappy-t495.nix | 2 - hosts/lappy-t495/profiles/restic.nix | 28 --- hosts/lappy-t495/secrets.nix | 29 --- hosts/raspberry/secrets.nix | 5 - overlay/default.nix | 2 + presets/nixos/serverHetzner.nix | 12 +- profiles/serverExtras.nix | 10 ++ 51 files changed, 152 insertions(+), 1149 deletions(-) delete mode 100644 hosts/hetzner-arm/containers/owncast/default.nix delete mode 100644 hosts/hetzner-arm/containers/owncast/profiles/owncast.nix delete mode 100644 hosts/hetzner-arm/containers/owncast/profiles/restic.nix delete mode 100644 hosts/hetzner-arm/containers/owncast/secrets.nix delete mode 100644 hosts/hetzner-arm/containers/rss/default.nix delete mode 100644 hosts/hetzner-arm/containers/rss/profiles/freshrss.nix delete mode 100644 hosts/hetzner-arm/containers/rss/profiles/restic.nix delete mode 100644 hosts/hetzner-arm/containers/rss/secrets.nix delete mode 100644 hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix rename hosts/hetzner-arm/containers/{vault-ca => vault}/data/ca.json (100%) rename hosts/hetzner-arm/containers/{vault-ca => vault}/default.nix (90%) rename hosts/hetzner-arm/containers/{vault-ca => vault}/profiles/internalCA.nix (100%) create mode 100644 hosts/hetzner-arm/containers/vault/profiles/restic.nix rename hosts/hetzner-arm/containers/{vault-ca => vault}/profiles/vault.nix (100%) rename hosts/hetzner-arm/containers/{vault-ca => vault}/secrets.nix (66%) delete mode 100644 hosts/lappy-t495/profiles/restic.nix diff --git a/home/gui/environments/gnome/default.nix b/home/gui/environments/gnome/default.nix index 8f23773..a144d41 100644 --- a/home/gui/environments/gnome/default.nix 
+++ b/home/gui/environments/gnome/default.nix @@ -12,7 +12,10 @@ homeManagerLib = inputs.home-manager.lib.hm; fontSizesAll = { - "lappy-t495" = { small = "10"; medium = "12"; }; + "lappy-t495" = { + small = "10"; + medium = "12"; + }; default = { small = "14"; medium = "16"; diff --git a/home/musicLibrary.nix b/home/musicLibrary.nix index e01eb13..76ac0ff 100644 --- a/home/musicLibrary.nix +++ b/home/musicLibrary.nix @@ -1,12 +1,8 @@ { pkgs, tree, - nixosConfig, ... -}: let - # Requires secrets.{restic_music_env} - inherit (nixosConfig.services.secrets) secrets; -in { +}: { imports = with tree; [ home.apps.rclone home.apps.musicutil @@ -14,11 +10,6 @@ in { home.packages = [ pkgs.nodePackages.html-minifier - - (pkgs.writeShellScriptBin "restic-music" '' - env $(cat ${secrets.restic_music_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') ]; home.file."Music/music-sync-check.sh" = { @@ -82,7 +73,6 @@ in { cd "''${SCRIPT_DIR}" rclone sync -P . Storage:Music --exclude "/*.sh" - restic-music backup $(fd -t d --max-depth=1 && fd -t f --max-depth=1) bash $HOME/Music/music-gen-listing.sh ''; diff --git a/home/programming/languages/rust.nix b/home/programming/languages/rust.nix index 2aecee9..b33e400 100644 --- a/home/programming/languages/rust.nix +++ b/home/programming/languages/rust.nix @@ -1,5 +1,5 @@ {pkgs, ...}: { - programs.vscode-mod.extensions = with pkgs; [vscode-extensions.matklad.rust-analyzer]; + programs.vscode-mod.extensions = with pkgs; [vscode-extensions.rust-lang.rust-analyzer]; home.packages = with pkgs; [rustc cargo clippy rust-analyzer rustfmt]; home.sessionVariables = {RUST_SRC_PATH = pkgs.rustPlatform.rustLibSrc;}; } diff --git a/hosts/hetzner-arm/containers/caldav/profiles/restic.nix b/hosts/hetzner-arm/containers/caldav/profiles/restic.nix index 9c24e78..76ea450 100644 --- a/hosts/hetzner-arm/containers/caldav/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/caldav/profiles/restic.nix 
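Review bot: Dropping the `restic-music backup …` line from the music sync script leaves `rclone sync -P . Storage:Music --exclude "/*.sh"` with no recovery point before it propagates local deletions to the remote; in the rclone template later in this patch `Storage:Music` maps to `B2-Chaos-Music`, which is configured with `hard_delete = true`, so a file removed locally by mistake is gone on the remote as well. Either keep a snapshot step ahead of the sync or give the sync a safety net, e.g. `rclone sync -P . Storage:Music --exclude "/*.sh" --backup-dir Storage:Music-Trash`, or drop `hard_delete` for the music bucket so B2 keeps prior versions. The shell script this line belongs to starts outside the hunk, so I cannot see whether an earlier step already guards against this.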
@@ -1,33 +1,21 @@ { self, - pkgs, config, ... }: let backupSchedules = import "${self}/data/backupSchedules.nix"; inherit (config.services.secrets) secrets; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-caldav" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.caldav = { user = "root"; paths = [ "/var/lib/radicale" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/CalDAV"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/CalDAV"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 50"]; timerConfig = backupSchedules.restic.high; diff --git a/hosts/hetzner-arm/containers/caldav/secrets.nix b/hosts/hetzner-arm/containers/caldav/secrets.nix index 9cd7731..8bae0a2 100644 --- a/hosts/hetzner-arm/containers/caldav/secrets.nix +++ b/hosts/hetzner-arm/containers/caldav/secrets.nix @@ -11,13 +11,9 @@ loginUsername = "hetzner-arm-container-caldav"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ "api-keys/data/caldav" - "api-keys/data/storage/restic/CalDAV" + "api-keys/data/backblaze/Chaos-Backups" "private-public-keys/data/restic/CalDAV" ]; @@ -51,8 +47,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/CalDAV" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/CalDAV" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; }; 
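Review bot: Every container's `restic_env` now fetches the same credential, `/api-keys/backblaze/Chaos-Backups` (`.keyID` / `.applicationKey`), whereas before each container read its own `api-keys/storage/restic/<Name>` secret scoped to one repository; the same pattern appears in the forgejo, grocy, jellyfin, mail, postgresql and social `secrets.nix` hunks. With one shared key, compromise of any single container (jellyfin is the most exposed of them) yields read and delete access to all other containers' restic repositories under `Chaos-Backups/Restic/`, and since restic prune requires delete capability the key cannot simply be made write-only. Consider one B2 application key per container restricted to its `Restic/<Name>` prefix, each stored at its own vault path, or at minimum bucket-level object lock/retention so a leaked key cannot destroy existing snapshots. A comment on `restic_env` stating which capabilities the key is expected to hold would help the next person who rotates it.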
diff --git a/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix b/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix index d777c14..a26c65e 100644 --- a/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix @@ -1,33 +1,21 @@ { self, - pkgs, config, ... }: let backupSchedules = import "${self}/data/backupSchedules.nix"; inherit (config.services.secrets) secrets; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-forgejo" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.forgejo = { user = "root"; paths = [ "/var/lib/forgejo" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Forgejo"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Forgejo"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 50"]; timerConfig = backupSchedules.restic.high; diff --git a/hosts/hetzner-arm/containers/forgejo/secrets.nix b/hosts/hetzner-arm/containers/forgejo/secrets.nix index 5ff4ef0..c879a8a 100644 --- a/hosts/hetzner-arm/containers/forgejo/secrets.nix +++ b/hosts/hetzner-arm/containers/forgejo/secrets.nix @@ -7,12 +7,8 @@ loginUsername = "hetzner-arm-container-forgejo"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ - "api-keys/data/storage/restic/Forgejo" + "api-keys/data/backblaze/Chaos-Backups" "private-public-keys/data/restic/Forgejo" ]; 
@@ -28,8 +24,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Forgejo" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Forgejo" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; }; diff --git a/hosts/hetzner-arm/containers/grocy/profiles/restic.nix b/hosts/hetzner-arm/containers/grocy/profiles/restic.nix index dd17def..b5ed84a 100644 --- a/hosts/hetzner-arm/containers/grocy/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/grocy/profiles/restic.nix @@ -1,33 +1,21 @@ { self, - pkgs, config, ... }: let inherit (config.services.secrets) secrets; backupSchedules = import "${self}/data/backupSchedules.nix"; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-grocy" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.grocy = { user = "root"; paths = [ "/var/lib/grocy" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Grocy"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Grocy"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 30"]; timerConfig = backupSchedules.restic.high; diff --git a/hosts/hetzner-arm/containers/grocy/secrets.nix b/hosts/hetzner-arm/containers/grocy/secrets.nix index 29e3ef0..1f04521 100644 --- a/hosts/hetzner-arm/containers/grocy/secrets.nix +++ b/hosts/hetzner-arm/containers/grocy/secrets.nix 
@@ -7,12 +7,8 @@ loginUsername = "hetzner-arm-container-grocy"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ - "api-keys/data/storage/restic/Grocy" + "api-keys/data/backblaze/Chaos-Backups" "private-public-keys/data/restic/Grocy" ]; @@ -28,8 +24,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Grocy" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Grocy" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; }; diff --git a/hosts/hetzner-arm/containers/jellyfin/profiles/restic.nix b/hosts/hetzner-arm/containers/jellyfin/profiles/restic.nix index d28b34a..fcd37f4 100644 --- a/hosts/hetzner-arm/containers/jellyfin/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/jellyfin/profiles/restic.nix @@ -1,33 +1,21 @@ { self, - pkgs, config, ... }: let inherit (config.services.secrets) secrets; backupSchedules = import "${self}/data/backupSchedules.nix"; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-jellyfin" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.jellyfin = { user = "root"; paths = [ "/var/lib/jellyfin" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Jellyfin"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Jellyfin"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 10"]; timerConfig = backupSchedules.restic.low; 
diff --git a/hosts/hetzner-arm/containers/jellyfin/secrets.nix b/hosts/hetzner-arm/containers/jellyfin/secrets.nix index 6aac993..d3f3adc 100644 --- a/hosts/hetzner-arm/containers/jellyfin/secrets.nix +++ b/hosts/hetzner-arm/containers/jellyfin/secrets.nix @@ -44,16 +44,11 @@ loginUsername = "hetzner-arm-container-jellyfin"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ "api-keys/data/backblaze/Chaos-Media" "api-keys/data/putio" "private-public-keys/data/rclone/Chaos-Media-Crypt" - "api-keys/data/storage/restic/Jellyfin" "private-public-keys/data/restic/Jellyfin" ]; @@ -85,8 +80,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Jellyfin" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Jellyfin" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; }; diff --git a/hosts/hetzner-arm/containers/mail/profiles/restic.nix b/hosts/hetzner-arm/containers/mail/profiles/restic.nix index 6619592..93ed1ec 100644 --- a/hosts/hetzner-arm/containers/mail/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/mail/profiles/restic.nix @@ -1,6 +1,5 @@ { self, - pkgs, config, ... }: let @@ -9,16 +8,6 @@ mailConfig = config.services.mailserver; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-mail" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.mail = { user = "root"; paths = [ 
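Review bot: In the jellyfin `secrets.nix` hunk `requiredVaultPaths` only removes `"api-keys/data/storage/restic/Jellyfin"` but, unlike the other containers in this patch, does not add `"api-keys/data/backblaze/Chaos-Backups"`, while the new `restic_env.fetchScript` reads `simple_get "/api-keys/backblaze/Chaos-Backups" …`. If `requiredVaultPaths` drives the vault policy or a pre-fetch check, the restic env fetch for this container will fail or silently write empty `AWS_*` values; add `"api-keys/data/backblaze/Chaos-Backups"` to the list so it matches the caldav/forgejo/grocy/mail/postgresql/social changes.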
@@ -27,11 +16,10 @@ in { mailConfig.dkim.directory ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Mail"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Mail"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 60"]; timerConfig = backupSchedules.restic.medium; diff --git a/hosts/hetzner-arm/containers/mail/secrets.nix b/hosts/hetzner-arm/containers/mail/secrets.nix index 4da29bd..da61800 100644 --- a/hosts/hetzner-arm/containers/mail/secrets.nix +++ b/hosts/hetzner-arm/containers/mail/secrets.nix @@ -7,12 +7,8 @@ loginUsername = "hetzner-arm-container-mail"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ - "api-keys/data/storage/restic/Mail" + "api-keys/data/backblaze/Chaos-Backups" "api-keys/data/chaos_mail/system" "api-keys/data/chaos_mail/gotosocial" "passwords/data/mail" @@ -36,8 +32,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Mail" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Mail" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; private_mail_aliases = { diff --git a/hosts/hetzner-arm/containers/music/profiles/mpd.nix b/hosts/hetzner-arm/containers/music/profiles/mpd.nix index 0baf2a6..5c2fcf8 100644 --- a/hosts/hetzner-arm/containers/music/profiles/mpd.nix +++ b/hosts/hetzner-arm/containers/music/profiles/mpd.nix @@ -14,7 +14,6 @@ in { mpc_cli ]; - systemd.tmpfiles.rules = [ "d /Music - mpd mpd" ]; 
diff --git a/hosts/hetzner-arm/containers/music/secrets.nix b/hosts/hetzner-arm/containers/music/secrets.nix index c4e64e8..6973de4 100644 --- a/hosts/hetzner-arm/containers/music/secrets.nix +++ b/hosts/hetzner-arm/containers/music/secrets.nix @@ -7,10 +7,6 @@ loginUsername = "hetzner-arm-container-music"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ "api-keys/data/mpd" "api-keys/data/music-stream" diff --git a/hosts/hetzner-arm/containers/owncast/default.nix b/hosts/hetzner-arm/containers/owncast/default.nix deleted file mode 100644 index e4e8096..0000000 --- a/hosts/hetzner-arm/containers/owncast/default.nix +++ /dev/null @@ -1,74 +0,0 @@ -{ - self, - hostPath, - tree, - inputs, - pkgs, - config, - ... -}: let - containerName = "owncast"; - - containerAddresses = import "${hostPath}/data/containerAddresses.nix"; - - hostIP = containerAddresses.host; - containerIP = containerAddresses.containers.${containerName}; -in { - containers.owncast = { - autoStart = true; - privateNetwork = true; - hostAddress = hostIP; - localAddress = containerIP; - - specialArgs = { - inherit inputs; - inherit tree; - inherit self; - inherit hostPath; - }; - - config = {...}: { - nixpkgs.pkgs = pkgs; - - imports = with tree; - [ - presets.nixos.containerBase - ./secrets.nix - ] - ++ (with hosts.hetzner-arm.containers.owncast.profiles; [ - owncast - restic - ]); - - networking.firewall.allowedTCPPorts = [ - 1935 - 8080 - ]; - - home-manager.users.root.home.stateVersion = "24.05"; - system.stateVersion = "24.05"; - }; - }; - - services.nginx.virtualHosts."stream.owo.monster" = { - forceSSL = true; - enableACME = true; - locations."/" = { - proxyPass = "http://${containerIP}:8080"; - proxyWebsockets = true; - }; - }; - - networking = { - nat.forwardPorts = [ - { - sourcePort = 1935; - destination = "${containerIP}\:1935"; - } - ]; - - firewall.allowedTCPPorts = [ - 1935 - ]; - }; -} 
diff --git a/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix b/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix deleted file mode 100644 index a65ad67..0000000 --- a/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix +++ /dev/null @@ -1,8 +0,0 @@ -{...}: { - services.owncast = { - enable = true; - listen = "0.0.0.0"; - port = 8080; - rtmp-port = 1935; - }; -} diff --git a/hosts/hetzner-arm/containers/owncast/profiles/restic.nix b/hosts/hetzner-arm/containers/owncast/profiles/restic.nix deleted file mode 100644 index d24fe79..0000000 --- a/hosts/hetzner-arm/containers/owncast/profiles/restic.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - self, - pkgs, - config, - ... -}: let - backupSchedules = import "${self}/data/backupSchedules.nix"; - inherit (config.services.secrets) secrets; -in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-owncast" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - - services.restic.backups.owncast = { - user = "root"; - paths = [ - "/var/lib/owncast" - ]; - - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Owncast"; - passwordFile = "${secrets.restic_password.path}"; - environmentFile = "${secrets.restic_env.path}"; - - pruneOpts = ["--keep-last 5"]; - timerConfig = backupSchedules.restic.low; - }; -} diff --git a/hosts/hetzner-arm/containers/owncast/secrets.nix b/hosts/hetzner-arm/containers/owncast/secrets.nix deleted file mode 100644 index 83b2073..0000000 --- a/hosts/hetzner-arm/containers/owncast/secrets.nix +++ /dev/null 
@@ -1,37 +0,0 @@ -{...}: { - services.secrets = { - enable = true; - - vaultLogin = { - enable = true; - loginUsername = "hetzner-arm-container-owncast"; - }; - - autoSecrets = { - enable = true; - }; - - requiredVaultPaths = [ - "api-keys/data/storage/restic/Owncast" - "private-public-keys/data/restic/Owncast" - ]; - - secrets = { - vault_password = { - manual = true; - }; - - restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/Owncast" .password > "$secretFile" - ''; - }; - restic_env = { - fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Owncast" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Owncast" > "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix index 81f5fa5..03a3076 100644 --- a/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/postgresql/profiles/restic.nix @@ -13,27 +13,16 @@ '') }/bin/backupPrepareCommand"; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-postgresql" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.postgresql = { user = "root"; paths = [ "/var/backup/postgresql" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/PostgreSQL"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/PostgreSQL"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 10"]; timerConfig = backupSchedules.restic.high; 
diff --git a/hosts/hetzner-arm/containers/postgresql/secrets.nix b/hosts/hetzner-arm/containers/postgresql/secrets.nix index 2ecf56b..d29d6d4 100644 --- a/hosts/hetzner-arm/containers/postgresql/secrets.nix +++ b/hosts/hetzner-arm/containers/postgresql/secrets.nix @@ -7,12 +7,8 @@ loginUsername = "hetzner-arm-container-postgresql"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ - "api-keys/data/storage/restic/PostgreSQL" + "api-keys/data/backblaze/Chaos-Backups" "private-public-keys/data/restic/PostgreSQL" ]; @@ -28,8 +24,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/PostgreSQL" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/PostgreSQL" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; }; diff --git a/hosts/hetzner-arm/containers/rss/default.nix b/hosts/hetzner-arm/containers/rss/default.nix deleted file mode 100644 index 96d0336..0000000 --- a/hosts/hetzner-arm/containers/rss/default.nix +++ /dev/null 
@@ -1,74 +0,0 @@ -{ - self, - hostPath, - tree, - inputs, - config, - pkgs, - ... -}: let - containerAddresses = import "${hostPath}/data/containerAddresses.nix"; - hostIP = containerAddresses.host; - containerIP = containerAddresses.containers.rss; -in { - containers.rss = { - autoStart = true; - privateNetwork = true; - hostAddress = hostIP; - localAddress = containerIP; - - specialArgs = { - inherit inputs; - inherit tree; - inherit self; - inherit hostPath; - }; - - config = {...}: { - nixpkgs.pkgs = pkgs; - - imports = with tree; - [ - presets.nixos.containerBase - ./secrets.nix - ] - ++ (with hosts.hetzner-arm.containers.rss.profiles; [ - freshrss - restic - ]); - - networking.firewall.allowedTCPPorts = [80]; - - home-manager.users.root.home.stateVersion = "24.05"; - system.stateVersion = "24.05"; - }; - }; - - services.nginx = { - enable = true; - virtualHosts."freshrss.owo.monster" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://${containerIP}:80/"; - recommendedProxySettings = false; - extraConfig = '' - add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; - proxy_redirect off; - proxy_buffering off; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Port $server_port; - proxy_read_timeout 90; - - # Forward the Authorization header for the Google Reader API. - proxy_set_header Authorization $http_authorization; - proxy_pass_header Authorization; - ''; - }; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix b/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix deleted file mode 100644 index b9b91b3..0000000 --- a/hosts/hetzner-arm/containers/rss/profiles/freshrss.nix +++ /dev/null 
@@ -1,11 +0,0 @@ -{config, ...}: let - inherit (config.services.secrets) secrets; -in { - services.freshrss = { - enable = true; - defaultUser = "chaos"; - baseUrl = "127.0.0.1"; - virtualHost = "127.0.0.1"; - passwordFile = secrets.chaos_password.path; - }; -} diff --git a/hosts/hetzner-arm/containers/rss/profiles/restic.nix b/hosts/hetzner-arm/containers/rss/profiles/restic.nix deleted file mode 100644 index f7656c5..0000000 --- a/hosts/hetzner-arm/containers/rss/profiles/restic.nix +++ /dev/null @@ -1,35 +0,0 @@ -{ - self, - pkgs, - config, - ... -}: let - backupSchedules = import "${self}/data/backupSchedules.nix"; - inherit (config.services.secrets) secrets; -in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-rss" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - - services.restic.backups.rss = { - user = "root"; - paths = [ - "/var/lib/freshrss" - ]; - - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/RSS"; - passwordFile = "${secrets.restic_password.path}"; - environmentFile = "${secrets.restic_env.path}"; - - pruneOpts = ["--keep-last 50"]; - timerConfig = backupSchedules.restic.high; - }; -} diff --git a/hosts/hetzner-arm/containers/rss/secrets.nix b/hosts/hetzner-arm/containers/rss/secrets.nix deleted file mode 100644 index 3b1ea4c..0000000 --- a/hosts/hetzner-arm/containers/rss/secrets.nix +++ /dev/null 
@@ -1,49 +0,0 @@ -{pkgs, ...}: { - services.secrets = { - enable = true; - - packages = with pkgs; [ - apacheHttpd - ]; - - vaultLogin = { - enable = true; - loginUsername = "hetzner-arm-container-rss"; - }; - - autoSecrets = { - enable = true; - }; - - requiredVaultPaths = [ - "passwords/data/freshrss" - - "api-keys/data/storage/restic/RSS" - "private-public-keys/data/restic/RSS" - ]; - - secrets = { - vault_password = { - manual = true; - }; - - chaos_password = { - fetchScript = '' - simple_get "/passwords/freshrss" .password > "$secretFile" - ''; - }; - - restic_password = { - fetchScript = '' - simple_get "/private-public-keys/restic/RSS" .password > "$secretFile" - ''; - }; - restic_env = { - fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/RSS" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/TSS" > "$secretFile" - ''; - }; - }; - }; -} diff --git a/hosts/hetzner-arm/containers/social/profiles/restic.nix b/hosts/hetzner-arm/containers/social/profiles/restic.nix index e6e6e40..3c21a0a 100644 --- a/hosts/hetzner-arm/containers/social/profiles/restic.nix +++ b/hosts/hetzner-arm/containers/social/profiles/restic.nix 
@@ -35,27 +35,16 @@ rm /var/lib/gotosocial/gts-export.json || true '')}/bin/backupCleanupCommand"; in { - environment.systemPackages = with pkgs; [ - restic - (pkgs.writeShellScriptBin "restic-social" '' - env \ - RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \ - $(cat ${secrets.restic_env.path}) \ - ${pkgs.restic}/bin/restic $@ - '') - ]; - services.restic.backups.social = { user = "root"; paths = [ "/var/lib/gotosocial" ]; - # repository is overrided in environmentFile to contain auth - # make sure to keep up to date when changing repository - repository = "rest:https://storage-restic.owo.monster/Social"; + repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Social"; passwordFile = "${secrets.restic_password.path}"; environmentFile = "${secrets.restic_env.path}"; + createWrapper = true; pruneOpts = ["--keep-last 10"]; # Don't want to cause too much downtime and take too long to prune media diff --git a/hosts/hetzner-arm/containers/social/secrets.nix b/hosts/hetzner-arm/containers/social/secrets.nix index a5e64e8..83da870 100644 --- a/hosts/hetzner-arm/containers/social/secrets.nix +++ b/hosts/hetzner-arm/containers/social/secrets.nix @@ -7,14 +7,10 @@ loginUsername = "hetzner-arm-container-social"; }; - autoSecrets = { - enable = true; - }; - requiredVaultPaths = [ "private-public-keys/data/restic/Social" - "api-keys/data/storage/restic/Social" + "api-keys/data/backblaze/Chaos-Backups" "api-keys/data/chaos_mail/gotosocial" ]; @@ -31,8 +27,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Social" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Social" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; env_secrets = { 
diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix index 6d920df..594bd4d 100644 --- a/hosts/hetzner-arm/containers/storage/data/ports.nix +++ b/hosts/hetzner-arm/containers/storage/data/ports.nix @@ -1,27 +1,11 @@ let webdav = 4200; - restic = 4300; - http = 4400; + http = 4300; in { webdav_main = webdav + 0; - webdav_media = webdav + 1; - webdav_music_ro = webdav + 2; - webdav_public = webdav + 3; - webdav_uploads = webdav + 4; - webdav_gaming = webdav + 5; - webdav_notes = webdav + 6; - - restic_music = restic + 0; - restic_vault = restic + 1; - restic_social = restic + 2; - restic_postgresql = restic + 3; - restic_mail = restic + 4; - restic_forgejo = restic + 5; - restic_caldav = restic + 6; - restic_owncast = restic + 7; - restic_jellyfin = restic + 8; - restic_grocy = restic + 9; - restic_lappy_t495 = restic + 10; + webdav_music_ro = webdav + 1; + webdav_uploads = webdav + 2; + webdav_notes = webdav + 3; http_music = http + 0; http_public = http + 1; diff --git a/hosts/hetzner-arm/containers/storage/data/rclone_config.template b/hosts/hetzner-arm/containers/storage/data/rclone_config.template index 2211c70..3177d4f 100644 --- a/hosts/hetzner-arm/containers/storage/data/rclone_config.template +++ b/hosts/hetzner-arm/containers/storage/data/rclone_config.template 
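Review bot: Renumbering in `ports.nix` reuses 4300, previously `restic_music`, for `http_music`, and shifts `webdav_music_ro`, `webdav_uploads` and `webdav_notes` to new values (4201, 4202, 4203); anything that refers to the old numbers rather than to these names will now point at a different listener. `storage/default.nix` and `rcloneServe.nix` are changed in this commit but not visible here, so please confirm that no firewall rule or proxy target still opens the former restic range 4300–4310, otherwise the HTTP listeners inherit an exposure that was intended for the now-removed restic REST server. A short comment such as `# http range reuses the former restic ports; keep firewall rules in sync` next to `http = 4300;` would document the hazard.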
@@ -1,162 +1,74 @@ -[StorageBox-Remote-WebDAV] -type = webdav -vendor = other -host = u323231.your-storagebox.de -url = https://u323231.your-storagebox.de -user = u323231 -pass = STORAGEBOX_PASSWORD +[Storage] +type = combine +upstreams = "Backups=B2-Chaos-Backups:Chaos-Backups" "Photos=B2-Chaos-Photos:Chaos-Photos" "Music=B2-Chaos-Music:Chaos-Music" "Public=B2-Chaos-Public:Chaos-Public" "Notes=Notes:" "Media=Media:" "Personal=B2-Chaos-Personal:Chaos-Personal" "Uploads=B2-Chaos-Uploads:Chaos-Uploads" -[StorageBox-Remote-SFTP] -type = sftp -host = u323231.your-storagebox.de -user = u323231 -port = 23 -pass = STORAGEBOX_PASSWORD -shell_type = unix -md5sum_command = md5 -r -sha1sum_command = sha1 -r - -# Can change which protocol to use at runtime by editing config -# after deploy or redeploying with different alias if storagebox breaks -[StorageBox-Remote] -type = alias -remote = StorageBox-Remote-WebDAV: - -[StorageBox-Hasher] -type = hasher -remote = StorageBox-Remote: -hashes = sha1,md5 -max_age = off - -[StorageBox] -type = alias -remote = StorageBox-Hasher: - -[B2-Chaos-Backups-Source] +[B2-Chaos-Backups] type = b2 account = B2_CHAOS_BACKUPS_ACCOUNT key = B2_CHAOS_BACKUPS_KEY hard_delete = true -[B2-Chaos-Backups] -type = alias -remote = B2-Chaos-Backups-Source:Chaos-Backups - -[B2-Chaos-Photos-Source] +[B2-Chaos-Photos] type = b2 account = B2_CHAOS_PHOTOS_ACCOUNT key = B2_CHAOS_PHOTOS_KEY hard_delete = true -[B2-Chaos-Photos] -type = alias -remote = B2-Chaos-Photos-Source:Chaos-Photos - -[B2-Chaos-Music-Source] +[B2-Chaos-Music] type = b2 account = B2_CHAOS_MUSIC_ACCOUNT key = B2_CHAOS_MUSIC_KEY hard_delete = true -[B2-Chaos-Music] -type = alias -remote = B2-Chaos-Music-Source:Chaos-Music - -[B2-Chaos-Personal-Source] +[B2-Chaos-Personal] type = b2 account = B2_CHAOS_PERSONAL_ACCOUNT key = B2_CHAOS_PERSONAL_KEY hard_delete = true -[B2-Chaos-Personal] -type = alias -remote = B2-Chaos-Personal-Source:Chaos-Personal - -[B2-Chaos-Public-Source] +[B2-Chaos-Public] 
type = b2 account = B2_CHAOS_PUBLIC_ACCOUNT key = B2_CHAOS_PUBLIC_KEY hard_delete = true -[B2-Chaos-Public] -type = alias -remote = B2-Chaos-Public-Source:Chaos-Public - -[B2-Chaos-Notes-Source] +[B2-Chaos-Notes] type = b2 account = B2_CHAOS_NOTES_ACCOUNT key = B2_CHAOS_NOTES_KEY hard_delete = true -[B2-Chaos-Notes] -type = alias -remote = B2-Chaos-Notes-Source:Chaos-Notes - -[B2-Phoenix-Cryptidz-Storage-Source] -type = b2 -account = B2_PHOENIX_CRYPTIDZ_STORAGE_ACCOUNT -key = B2_PHOENIX_CRYPTIDZ_STORAGE_KEY -hard_delete = true - -[B2-Phoenix-Cryptidz-Storage] -type = alias -remote = B2-Phoenix-Cryptidz-Storage-Source:Phoenix-Cryptidz-Storage - -[PutIO-WebDAV] -type = webdav -url = https://webdav.put.io -vendor = other -user = chaoticryptidz -pass = PUTIO_PASSWORD - -[B2-Media-Source] +[B2-Chaos-Media] type = b2 account = B2_CHAOS_MEDIA_ACCOUNT key = B2_CHAOS_MEDIA_KEY hard_delete = true -[B2-Media] -type = alias -remote = B2-Media-Source:Chaos-Media +[B2-Chaos-Uploads] +type = b2 +account = B2_CHAOS_UPLOADS_ACCOUNT +key = B2_CHAOS_UPLOADS_KEY +hard_delete = true -[Media-Source] +[B2-Phoenix-Cryptidz-Storage] +type = b2 +account = B2_PHOENIX_CRYPTIDZ_STORAGE_ACCOUNT +key = B2_PHOENIX_CRYPTIDZ_STORAGE_KEY +hard_delete = true + +[Media-Crypt] type = crypt -remote = B2-Media: +remote = B2-Chaos-Media:Chaos-Media password = STORAGE_MEDIA_CRYPT_PASSWORD password2 = STORAGE_MEDIA_CRYPT_SALT [Media] type = chunker -remote = Media-Source: +remote = Media-Crypt: chunk_size = 256Mi -[Media-Combine] -type = combine -upstreams = "Media=Media:" "PutIO=PutIO-WebDAV:" - -[B2-Gaming-Source] -type = b2 -account = B2_CHAOS_GAMING_ACCOUNT -key = B2_CHAOS_GAMING_KEY -hard_delete = true - -[B2-Gaming] -type = alias -remote = B2-Gaming-Source:Chaos-Gaming - -[Gaming-Source] -type = crypt -remote = B2-Gaming: -password = STORAGE_GAMING_CRYPT_PASSWORD -password2 = STORAGE_GAMING_CRYPT_SALT - -[Gaming] -type = chunker -remote = Gaming-Source: -chunk_size = 128Mi - [Notes] type = crypt 
-remote = StorageBox:Notes
+remote = B2-Chaos-Notes:Chaos-Notes
 password = STORAGE_NOTES_CRYPT_PASSWORD
 password2 = STORAGE_NOTES_CRYPT_SALT
\ No newline at end of file
diff --git a/hosts/hetzner-arm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix
index 524c516..79099d1 100644
--- a/hosts/hetzner-arm/containers/storage/default.nix
+++ b/hosts/hetzner-arm/containers/storage/default.nix
@@ -86,11 +86,8 @@ in {
 enableACME = true;
 locations = {
 "/Main/".proxyPass = "http://${containerIP}:${toString ports.webdav_main}";
- "/Media/".proxyPass = "http://${containerIP}:${toString ports.webdav_media}";
 "/MusicRO/".proxyPass = "http://${containerIP}:${toString ports.webdav_music_ro}";
- "/Public/".proxyPass = "http://${containerIP}:${toString ports.webdav_public}";
 "/Uploads/".proxyPass = "http://${containerIP}:${toString ports.webdav_uploads}";
- "/Gaming/".proxyPass = "http://${containerIP}:${toString ports.webdav_gaming}";
 "/Notes/".proxyPass = "http://${containerIP}:${toString ports.webdav_notes}";
 };
 extraConfig = ''
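Review bot: Every B2 section, including `[B2-Chaos-Backups]` which now holds the restic repositories and is mounted into the `[Storage]` combine, keeps `hard_delete = true`, so a delete issued through rclone with these credentials removes the object outright instead of leaving a hidden version. For a backup bucket that gives up the recovery window B2 versioning would otherwise provide against an accidental or hostile `rclone sync`/`delete` run from any container holding the key. Consider leaving `hard_delete` unset on `[B2-Chaos-Backups]` (and on the `[B2-Phoenix-Cryptidz-Storage]` replica target) and expiring hidden versions with a bucket lifecycle rule instead; the setting is carried over from the old `*-Source` sections rather than introduced here.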
@@ -110,25 +107,4 @@ in {
 client_max_body_size ${clientMaxBodySize};
 '';
 };
-
- services.nginx.virtualHosts."storage-restic.owo.monster" = {
- forceSSL = true;
- enableACME = true;
- locations = {
- "/Music/".proxyPass = "http://${containerIP}:${toString ports.restic_music}";
- "/Vault/".proxyPass = "http://${containerIP}:${toString ports.restic_vault}";
- "/Social/".proxyPass = "http://${containerIP}:${toString ports.restic_social}";
- "/PostgreSQL/".proxyPass = "http://${containerIP}:${toString ports.restic_postgresql}";
- "/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}";
- "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}";
- "/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}";
- "/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}";
- "/Jellyfin/".proxyPass = "http://${containerIP}:${toString ports.restic_jellyfin}";
- "/Grocy/".proxyPass = "http://${containerIP}:${toString ports.restic_grocy}";
- "/Lappy-T495/".proxyPass = "http://${containerIP}:${toString ports.restic_lappy_t495}";
- };
- extraConfig = ''
- client_max_body_size ${clientMaxBodySize};
- '';
- };
 }
diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
index 9426ba4..b199141 100644
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
+++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
@@ -6,7 +6,6 @@ in {
 "d /caches - storage storage"
 "d /caches/main_webdav_serve - storage storage"
 "d /caches/media_webdav_serve - storage storage"
- "d /caches/gaming_webdav_serve - storage storage"
 ];
 
 services.rclone-serve = {
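Review bot: The tmpfiles rule `"d /caches/media_webdav_serve - storage storage"` is kept although its only consumer, the `media-combine` serve with `--cache-dir=/caches/media_webdav_serve`, is removed in the next hunk of this file. Dropping the rule alongside the gaming one avoids carrying an orphaned cache directory, and whatever cached media it already holds, on the storage container indefinitely. The `systemd.tmpfiles.rules` list starts above the hunk.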
@@ -14,16 +13,11 @@ in { remotes = map (remote: { user = "storage"; - serviceConfig = { - after = ["auto-secrets.service"]; - wants = ["auto-secrets.service"]; - partOf = ["auto-secrets.service"]; - }; } // remote) [ { id = "main"; - remote = "StorageBox:"; + remote = "Storage:"; type = "webdav"; extraArgs = [ "--addr=0.0.0.0:${toString ports.webdav_main}" @@ -33,25 +27,9 @@ in { "--vfs-cache-mode=full" ]; } - { - # This isn't really being directly used anymore but its nice as a backup - # Jellyfin directly mounts from StorageBox instead - id = "media-combine"; - remote = "Media-Combine:"; - type = "webdav"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.webdav_media}" - "--htpasswd=${secrets.webdav_media_htpasswd.path}" - "--baseurl=/Media/" - "--cache-dir=/caches/media_webdav_serve" - "--vfs-cache-max-age=120m" - "--vfs-cache-max-size=5g" - "--vfs-cache-mode=full" - ]; - } { id = "music-ro"; - remote = "StorageBox:Music"; + remote = "Storage:Music"; type = "webdav"; extraArgs = [ "--addr=0.0.0.0:${toString ports.webdav_music_ro}" @@ -59,19 +37,9 @@ in { "--baseurl=/MusicRO/" ]; } - { - id = "public"; - remote = "StorageBox:Public"; - type = "webdav"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.webdav_public}" - "--htpasswd=${secrets.webdav_media_htpasswd.path}" - "--baseurl=/Public/" - ]; - } { id = "uploads"; - remote = "StorageBox:Uploads"; + remote = "Storage:Uploads"; type = "webdav"; extraArgs = [ "--addr=0.0.0.0:${toString ports.webdav_uploads}" @@ -79,20 +47,6 @@ in { "--baseurl=/Uploads/" ]; } - { - id = "gaming"; - remote = "Gaming:"; - type = "webdav"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.webdav_gaming}" - "--htpasswd=${secrets.webdav_gaming_htpasswd.path}" - "--baseurl=/Gaming/" - "--cache-dir=/caches/gaming_webdav_serve" - "--vfs-cache-max-age=5m" - "--vfs-cache-max-size=1g" - "--vfs-cache-mode=full" - ]; - } { id = "notes"; remote = "Notes:"; 
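Review bot: The dropped `serviceConfig` block (`after`/`wants`/`partOf = ["auto-secrets.service"]`) was the only visible ordering between the rclone serve units and whatever materialises `rclone_config` and the `--htpasswd` files, so unless the replacement secrets module orders this itself the serves can now start before their config and credential files exist. That cannot be confirmed from the hunk, so it is worth checking on a fresh boot. hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix (`@@ -7,10 +7,6 @@`) loses the same block. If the new module does handle ordering, a one-line comment above `remotes = map` saying so would stop the dependency from being re-added later.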
@@ -105,7 +59,7 @@ in {
 }
 {
 id = "music-ro";
- remote = "StorageBox:Music";
+ remote = "Storage:Music";
 type = "http";
 extraArgs = [
 "--addr=0.0.0.0:${toString ports.http_music}"
@@ -115,7 +69,7 @@ in {
 }
 {
 id = "public";
- remote = "StorageBox:Public";
+ remote = "Storage:Public";
 type = "http";
 extraArgs = [
 "--addr=0.0.0.0:${toString ports.http_public}"
@@ -125,7 +79,7 @@ in {
 }
 {
 id = "uploads-public";
- remote = "StorageBox:Uploads/Public";
+ remote = "Storage:Uploads/Public";
 type = "http";
 extraArgs = [
 "--addr=0.0.0.0:${toString ports.http_uploads_public}"
@@ -133,116 +87,6 @@ in { "--read-only" ]; } - { - id = "restic-music"; - remote = "StorageBox:Backups/Restic/Music"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_music}" - "--htpasswd=${secrets.restic_music_htpasswd.path}" - "--baseurl=/Music/" - ]; - } - { - id = "restic-vault"; - remote = "StorageBox:Backups/Restic/Vault"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_vault}" - "--htpasswd=${secrets.restic_vault_htpasswd.path}" - "--baseurl=/Vault/" - ]; - } - { - id = "restic-social"; - remote = "StorageBox:Backups/Restic/Social"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_social}" - "--htpasswd=${secrets.restic_social_htpasswd.path}" - "--baseurl=/Social/" - ]; - } - { - id = "restic-postgresql"; - remote = "StorageBox:Backups/Restic/PostgreSQL"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_postgresql}" - "--htpasswd=${secrets.restic_postgresql_htpasswd.path}" - "--baseurl=/PostgreSQL/" - ]; - } - { - id = "restic-caldav"; - remote = "StorageBox:Backups/Restic/CalDAV"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_caldav}" - "--htpasswd=${secrets.restic_caldav_htpasswd.path}" - "--baseurl=/CalDAV/" - ]; - } - { - id = "restic-mail"; - remote = "StorageBox:Backups/Restic/Mail"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_mail}" - "--htpasswd=${secrets.restic_mail_htpasswd.path}" - "--baseurl=/Mail/" - ]; - } - { - id = "restic-forgejo"; - remote = "StorageBox:Backups/Restic/Forgejo"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_forgejo}" - "--htpasswd=${secrets.restic_forgejo_htpasswd.path}" - "--baseurl=/Forgejo/" - ]; - } - { - id = "restic-owncast"; - remote = "StorageBox:Backups/Restic/Owncast"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_owncast}" - "--htpasswd=${secrets.restic_owncast_htpasswd.path}" - 
"--baseurl=/Owncast/" - ]; - } - { - id = "restic-jellyfin"; - remote = "StorageBox:Backups/Restic/Jellyfin"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_jellyfin}" - "--htpasswd=${secrets.restic_jellyfin_htpasswd.path}" - "--baseurl=/Jellyfin/" - ]; - } - { - id = "restic-grocy"; - remote = "StorageBox:Backups/Restic/Grocy"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_grocy}" - "--htpasswd=${secrets.restic_grocy_htpasswd.path}" - "--baseurl=/Grocy/" - ]; - } - { - id = "restic-lappy-t495"; - remote = "StorageBox:Backups/Restic/Lappy-T495"; - type = "restic"; - extraArgs = [ - "--addr=0.0.0.0:${toString ports.restic_lappy_t495}" - "--htpasswd=${secrets.restic_lappy_t495_htpasswd.path}" - "--baseurl=/Lappy-T495/" - ]; - } ]; }; } diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix index f407193..6fe8921 100644 --- a/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix +++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneSync.nix @@ -7,10 +7,6 @@ in { syncJobs = map (syncJob: syncJob // { - serviceConfig = { - after = ["auto-secrets.service"]; - wants = ["auto-secrets.service"]; - }; timerConfig = backupSchedules.remoteBackups; extraArgs = [ "--fast-list" 
@@ -21,66 +17,35 @@ in { "--bwlimit 80M" ]; }) [ - # My B2 - { - source = "StorageBox:Backups"; - dest = "B2-Chaos-Backups:"; - id = "chaos_b2_backups"; - } - { - source = "StorageBox:Photos"; - dest = "B2-Chaos-Photos:"; - id = "chaos_b2_photos"; - } - { - source = "StorageBox:Music"; - dest = "B2-Chaos-Music:"; - id = "chaos_b2_music"; - } - { - source = "StorageBox:Personal"; - dest = "B2-Chaos-Personal:"; - id = "chaos_b2_personal"; - } - { - source = "StorageBox:Public"; - dest = "B2-Chaos-Public:"; - id = "chaos_b2_public"; - } - { - source = "StorageBox:Notes"; - dest = "B2-Chaos-Notes:"; - id = "chaos_notes"; - } # Pheonix System's B2 { - source = "StorageBox:Backups"; - dest = "B2-Phoenix-Cryptidz-Storage:Backups"; + source = "Storage:Backups"; + dest = "B2-Phoenix-Cryptidz-Storage:Phoenix-Cryptidz-Storage/Backups"; id = "phoenix_b2_backups"; } { - source = "StorageBox:Photos"; - dest = "B2-Phoenix-Cryptidz-Storage:Photos"; + source = "Storage:Photos"; + dest = "B2-Phoenix-Cryptidz-Storage:Phoenix-Cryptidz-Storage/Photos"; id = "phoenix_b2_photos"; } { - source = "StorageBox:Music"; - dest = "B2-Phoenix-Cryptidz-Storage:Music"; + source = "Storage:Music"; + dest = "B2-Phoenix-Cryptidz-Storage:Phoenix-Cryptidz-Storage/Music"; id = "phoenix_b2_music"; } { - source = "StorageBox:Personal"; - dest = "B2-Phoenix-Cryptidz-Storage:Personal"; + source = "Storage:Personal"; + dest = "B2-Phoenix-Cryptidz-Storage:Phoenix-Cryptidz-Storage/Personal"; id = "phoenix_b2_personal"; } { - source = "StorageBox:Public"; - dest = "B2-Phoenix-Cryptidz-Storage:Public"; + source = "Storage:Public"; + dest = "B2-Phoenix-Cryptidz-Storage:Phoenix-Cryptidz-Storage/Public"; id = "phoenix_b2_public"; } { - source = "StorageBox:Notes"; - dest = "B2-Phoenix-Cryptidz-Storage:Notes"; + source = "B2-Chaos-Notes:Chaos-Notes:Notes"; + dest = "B2-Phoenix-Cryptidz-Storage:Phoenix-Cryptidz-Storage/Notes"; id = "phoenix_b2_notes"; } ]; 
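Review bot: `source = "B2-Chaos-Notes:Chaos-Notes:Notes"` for `phoenix_b2_notes` looks like a typo: rclone splits `remote:path` at the first colon, so this asks the `B2-Chaos-Notes` remote for a bucket/path literally named `Chaos-Notes:Notes`, which matches nothing in rclone_config.template, while the five sibling jobs use `Storage:<dir>`. If the intent is to replicate the encrypted notes objects as stored (the `[Notes]` crypt remote reads `B2-Chaos-Notes:Chaos-Notes`), `source = "B2-Chaos-Notes:Chaos-Notes";` is the likely fix. `Storage:Notes` would instead push decrypted plaintext into the Phoenix bucket, so whichever is chosen deserves a comment stating that the replica is (or is not) ciphertext.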
diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix
index 11529c5..b937a21 100644
--- a/hosts/hetzner-arm/containers/storage/secrets.nix
+++ b/hosts/hetzner-arm/containers/storage/secrets.nix
@@ -7,46 +7,23 @@
 loginUsername = "hetzner-arm-container-storage";
 };
 
- autoSecrets = {
- enable = true;
- };
-
 requiredVaultPaths = [
- "api-keys/data/hetzner/storagebox"
-
- "api-keys/data/putio"
-
 "api-keys/data/backblaze/Chaos-Backups"
 "api-keys/data/backblaze/Chaos-Photos"
 "api-keys/data/backblaze/Chaos-Music"
 "api-keys/data/backblaze/Chaos-Personal"
 "api-keys/data/backblaze/Chaos-Public"
 "api-keys/data/backblaze/Chaos-Media"
- "api-keys/data/backblaze/Chaos-Gaming"
 "api-keys/data/backblaze/Chaos-Notes"
+ "api-keys/data/backblaze/Chaos-Uploads"
 "api-keys/data/backblaze/Phoenix-Cryptidz-Storage"
 
- "api-keys/data/storage/restic/Music"
- "api-keys/data/storage/restic/Vault"
- "api-keys/data/storage/restic/Social"
- "api-keys/data/storage/restic/PostgreSQL"
- "api-keys/data/storage/restic/Mail"
- "api-keys/data/storage/restic/Forgejo"
- "api-keys/data/storage/restic/CalDAV"
- "api-keys/data/storage/restic/Owncast"
- "api-keys/data/storage/restic/Jellyfin"
- "api-keys/data/storage/restic/Grocy"
- "api-keys/data/storage/restic/Lappy-T495"
-
 "api-keys/data/storage/webdav/Main"
- "api-keys/data/storage/webdav/Media"
 "api-keys/data/storage/webdav/Public"
 "api-keys/data/storage/webdav/Uploads"
- "api-keys/data/storage/webdav/Gaming"
 "api-keys/data/storage/webdav/Notes"
 
 "private-public-keys/data/rclone/Chaos-Media-Crypt"
- "private-public-keys/data/rclone/Chaos-Gaming-Crypt"
 "private-public-keys/data/rclone/Chaos-Notes-Crypt"
 ];
 
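Review bot: `"api-keys/data/storage/webdav/Public"` stays in `requiredVaultPaths` although its only consumer in this file, `webdav_public_htpasswd`, is deleted further down (`@@ -201,20 +92,6 @@`), and the `/Public/` WebDAV serve and nginx location are removed in the same commit. Dropping the path keeps the container's required Vault grants limited to what it actually reads, in line with the other storagebox/putio/restic paths this hunk already prunes.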
@@ -108,92 +85,6 @@ manual = true; }; - restic_music_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Music" "$secretFile" - ''; - }; - restic_vault_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Vault" "$secretFile" - ''; - }; - restic_social_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Social" "$secretFile" - ''; - }; - - restic_postgresql_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/PostgreSQL" "$secretFile" - ''; - }; - - restic_mail_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Mail" "$secretFile" - ''; - }; - - restic_forgejo_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Forgejo" "$secretFile" - ''; - }; - - restic_caldav_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/CalDAV" "$secretFile" - ''; - }; - - restic_owncast_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Owncast" "$secretFile" - ''; - }; - - restic_jellyfin_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Jellyfin" "$secretFile" - ''; - }; - - restic_grocy_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Grocy" "$secretFile" - ''; - }; - - restic_lappy_t495_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/restic/Lappy-T495" "$secretFile" - ''; - }; - webdav_main_htpasswd = { user = "storage"; group = 
"storage"; @@ -201,20 +92,6 @@ simple_get_htpasswd "/api-keys/storage/webdav/Main" "$secretFile" ''; }; - webdav_media_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/webdav/Media" "$secretFile" - ''; - }; - webdav_public_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/webdav/Public" "$secretFile" - ''; - }; webdav_uploads_htpasswd = { user = "storage"; group = "storage"; @@ -222,13 +99,6 @@ simple_get_htpasswd "/api-keys/storage/webdav/Uploads" "$secretFile" ''; }; - webdav_gaming_htpasswd = { - user = "storage"; - group = "storage"; - fetchScript = '' - simple_get_htpasswd "/api-keys/storage/webdav/Gaming" "$secretFile" - ''; - }; webdav_notes_htpasswd = { user = "storage"; group = "storage"; @@ -243,10 +113,6 @@ fetchScript = '' cp ${./data/rclone_config.template} "$secretFile" - STORAGEBOX_PASSWORD=$(simple_get_obscure /api-keys/hetzner/storagebox .password) - sed -i "s/STORAGEBOX_PASSWORD/$STORAGEBOX_PASSWORD/" "$secretFile" - - simple_get_replace_b2 "/api-keys/backblaze/Chaos-Gaming" "B2_CHAOS_GAMING" "$secretFile" simple_get_replace_b2 "/api-keys/backblaze/Chaos-Media" "B2_CHAOS_MEDIA" "$secretFile" simple_get_replace_b2 "/api-keys/backblaze/Chaos-Backups" "B2_CHAOS_BACKUPS" "$secretFile" simple_get_replace_b2 "/api-keys/backblaze/Chaos-Photos" "B2_CHAOS_PHOTOS" "$secretFile" 
@@ -254,14 +120,10 @@ simple_get_replace_b2 "/api-keys/backblaze/Chaos-Personal" "B2_CHAOS_PERSONAL" "$secretFile" simple_get_replace_b2 "/api-keys/backblaze/Chaos-Public" "B2_CHAOS_PUBLIC" "$secretFile" simple_get_replace_b2 "/api-keys/backblaze/Chaos-Notes" "B2_CHAOS_NOTES" "$secretFile" + simple_get_replace_b2 "/api-keys/backblaze/Chaos-Uploads" "B2_CHAOS_UPLOADS" "$secretFile" simple_get_replace_b2 "/api-keys/backblaze/Phoenix-Cryptidz-Storage" "B2_PHOENIX_CRYPTIDZ_STORAGE" "$secretFile" - PUTIO_PASSWORD="token/$(simple_get /api-keys/putio .oauth_token)" - PUTIO_PASSWORD="$(rclone obscure "$PUTIO_PASSWORD")" - sed -i "s/PUTIO_PASSWORD/$PUTIO_PASSWORD/" "$secretFile" - simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Media-Crypt" "STORAGE_MEDIA_CRYPT" "$secretFile" - simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Gaming-Crypt" "STORAGE_GAMING_CRYPT" "$secretFile" simple_get_replace_crypt "/private-public-keys/rclone/Chaos-Notes-Crypt" "STORAGE_NOTES_CRYPT" "$secretFile" ''; }; diff --git a/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix b/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix deleted file mode 100644 index 6c2e077..0000000 --- a/hosts/hetzner-arm/containers/vault-ca/profiles/restic.nix +++ /dev/null 
@@ -1,34 +0,0 @@
-{
- self,
- pkgs,
- config,
- ...
-}: let
- backupSchedules = import "${self}/data/backupSchedules.nix";
- inherit (config.services.secrets) secrets;
-in {
- environment.systemPackages = with pkgs; [
- restic
- (pkgs.writeShellScriptBin "restic-vault" ''
- env \
- RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
- $(cat ${secrets.restic_env.path}) \
- ${pkgs.restic}/bin/restic $@
- '')
- ];
-
- services.restic.backups.vault = {
- user = "root";
- paths = [
- "/var/lib/vault"
- "/var/lib/private/step-ca"
- ];
- timerConfig = backupSchedules.restic.high;
-
- # repository is overrided in environmentFile to contain auth
- # make sure to keep up to date when changing repository
- repository = "rest:https://storage-restic.owo.monster/Vault";
- passwordFile = "${secrets.restic_password.path}";
- environmentFile = "${secrets.restic_env.path}";
- };
-}
diff --git a/hosts/hetzner-arm/containers/vault-ca/data/ca.json b/hosts/hetzner-arm/containers/vault/data/ca.json
similarity index 100%
rename from hosts/hetzner-arm/containers/vault-ca/data/ca.json
rename to hosts/hetzner-arm/containers/vault/data/ca.json
diff --git a/hosts/hetzner-arm/containers/vault-ca/default.nix b/hosts/hetzner-arm/containers/vault/default.nix
similarity index 90%
rename from hosts/hetzner-arm/containers/vault-ca/default.nix
rename to hosts/hetzner-arm/containers/vault/default.nix
index 6f71dc7..6f9f512 100644
--- a/hosts/hetzner-arm/containers/vault-ca/default.nix
+++ b/hosts/hetzner-arm/containers/vault/default.nix
@@ -9,9 +9,9 @@
 }: let
 containerAddresses = import "${hostPath}/data/containerAddresses.nix";
 hostIP = containerAddresses.host;
- containerIP = containerAddresses.containers.vault-ca;
+ containerIP = containerAddresses.containers.vault;
 in {
- containers.vault-ca = {
+ containers.vault = {
 autoStart = true;
 privateNetwork = true;
 hostAddress = hostIP;
@@ -33,7 +33,7 @@ in {
 presets.nixos.containerBase
 ./secrets.nix
 ]
- ++ (with hosts.hetzner-arm.containers.vault-ca.profiles; [
+ ++ (with hosts.hetzner-arm.containers.vault.profiles; [
 vault
 #internalCA
 restic
diff --git a/hosts/hetzner-arm/containers/vault-ca/profiles/internalCA.nix b/hosts/hetzner-arm/containers/vault/profiles/internalCA.nix
similarity index 100%
rename from hosts/hetzner-arm/containers/vault-ca/profiles/internalCA.nix
rename to hosts/hetzner-arm/containers/vault/profiles/internalCA.nix
diff --git a/hosts/hetzner-arm/containers/vault/profiles/restic.nix b/hosts/hetzner-arm/containers/vault/profiles/restic.nix
new file mode 100644
index 0000000..ea93873
--- /dev/null
+++ b/hosts/hetzner-arm/containers/vault/profiles/restic.nix
@@ -0,0 +1,22 @@
+{
+ self,
+ config,
+ ...
+}: let
+ backupSchedules = import "${self}/data/backupSchedules.nix";
+ inherit (config.services.secrets) secrets;
+in {
+ services.restic.backups.vault = {
+ user = "root";
+ paths = [
+ "/var/lib/vault"
+ "/var/lib/private/step-ca"
+ ];
+ timerConfig = backupSchedules.restic.high;
+
+ repository = "s3:s3.eu-central-003.backblazeb2.com/Chaos-Backups/Restic/Vault";
+ passwordFile = "${secrets.restic_password.path}";
+ environmentFile = "${secrets.restic_env.path}";
+ createWrapper = true;
+ };
+}
diff --git a/hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix b/hosts/hetzner-arm/containers/vault/profiles/vault.nix
similarity index 100%
rename from hosts/hetzner-arm/containers/vault-ca/profiles/vault.nix
rename to hosts/hetzner-arm/containers/vault/profiles/vault.nix
diff --git a/hosts/hetzner-arm/containers/vault-ca/secrets.nix b/hosts/hetzner-arm/containers/vault/secrets.nix
similarity index 66%
rename from hosts/hetzner-arm/containers/vault-ca/secrets.nix
rename to hosts/hetzner-arm/containers/vault/secrets.nix
index 52e0bda..0952b0b 100644
--- a/hosts/hetzner-arm/containers/vault-ca/secrets.nix
+++ b/hosts/hetzner-arm/containers/vault/secrets.nix
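Review bot: `/var/lib/vault` is backed up as a live file tree, so a run that overlaps a Vault write can capture an inconsistent storage state; if the integrated raft storage is in use, a `backupPrepareCommand` that writes `vault operator raft snapshot save` output into the backed-up path gives restic a coherent artefact instead (the path is carried over from the deleted vault-ca/profiles/restic.nix, so the gap is not new to this commit). Unlike `services.restic.backups.social`, which sets `pruneOpts = ["--keep-last 10"]`, this job has no `pruneOpts`, so snapshots in `Chaos-Backups/Restic/Vault` accumulate until someone prunes them by hand. A one-line comment stating that the step-ca path under `/var/lib/private` holds the CA private key, and therefore why the repository password must be kept as tightly as the key itself, would also help the next reader.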
@@ -8,18 +8,13 @@ vaultLogin = { enable = true; - # TODO: change to hetzner-arm-container-vault-ca - loginUsername = "vault"; - }; - - autoSecrets = { - enable = true; + loginUsername = "hetzner-arm-container-vault"; }; requiredVaultPaths = [ "private-public-keys/data/restic/Vault" - "api-keys/data/storage/restic/Vault" + "api-keys/data/backblaze/Chaos-Backups" "infra/data/internalCAPassword" ]; @@ -36,8 +31,10 @@ }; restic_env = { fetchScript = '' - RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Vault" .restic) - echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Vault" > "$secretFile" + cat << EOF > "$secretFile" + AWS_ACCESS_KEY_ID=$(simple_get "/api-keys/backblaze/Chaos-Backups" .keyID) + AWS_SECRET_ACCESS_KEY=$(simple_get "/api-keys/backblaze/Chaos-Backups" .applicationKey) + EOF ''; }; diff --git a/hosts/hetzner-arm/data/containerAddresses.nix b/hosts/hetzner-arm/data/containerAddresses.nix index a1d6cc3..ce72b6b 100644 --- a/hosts/hetzner-arm/data/containerAddresses.nix +++ b/hosts/hetzner-arm/data/containerAddresses.nix @@ -11,6 +11,6 @@ jellyfin = "10.0.1.9"; grocy = "10.0.1.10"; rss = "10.0.1.11"; - vault-ca = "10.0.1.12"; + vault = "10.0.1.12"; }; } diff --git a/hosts/hetzner-arm/hetzner-arm.nix b/hosts/hetzner-arm/hetzner-arm.nix index 58d688f..690adf0 100644 --- a/hosts/hetzner-arm/hetzner-arm.nix +++ b/hosts/hetzner-arm/hetzner-arm.nix @@ -28,10 +28,8 @@ in { "caldav" "jellyfin" "grocy" - "vault-ca" + "vault" "music" - # "owncast" - # TODO: "rss" ] (name: ./containers + "/${name}")) ++ (with hosts.hetzner-arm.profiles; [ staticSites diff --git a/hosts/hetzner-arm/secrets.nix b/hosts/hetzner-arm/secrets.nix index e3687e0..9189721 100644 --- a/hosts/hetzner-arm/secrets.nix +++ b/hosts/hetzner-arm/secrets.nix 
@@ -7,13 +7,6 @@ loginUsername = "hetzner-arm"; }; - autoSecrets = { - enable = true; - affectedSystemdServices = [ - "wg-quick-wg0" - ]; - }; - requiredVaultPaths = [ "private-public-keys/data/ssh/root@hetzner-arm" "private-public-keys/data/ssh/root@hetzner-arm-decrypt" diff --git a/hosts/lappy-surface/secrets.nix b/hosts/lappy-surface/secrets.nix index 8a2e788..6778044 100644 --- a/hosts/lappy-surface/secrets.nix +++ b/hosts/lappy-surface/secrets.nix @@ -13,34 +13,6 @@ simple_get "/api-keys/music-stream" .password > "$secretFile" ''; }; - - # Required for home.apps.manualBackupApps - restic_music_env = { - user = "chaos"; - fetchScript = '' - api_username=restic - api_password=$(simple_get "/api-keys/storage/restic/Music" ".$api_username") - restic_password=$(simple_get "/private-public-keys/restic/Music" .password) - - echo > "$secretFile" - echo "RESTIC_REPOSITORY=rest:https://$api_username:$api_password@storage-restic.owo.monster/Music" >> "$secretFile" - echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile" - ''; - }; - - #restic_backups_password = { - # fetchScript = '' - # simple_get "/private-public-keys/restic/Lappy-Surface" .password > "$secretFile" - # ''; - #}; - - #restic_backups_repository_file = { - # fetchScript = '' - # api_username=restic - # api_password=$(simple_get "/api-keys/storage/restic/Lappy-Surface" ".$api_username") - # echo "rest:https://$api_username:$api_password@storage-restic.owo.monster/Lappy-Surface" > "$secretFile" - # ''; - #}; }; }; } diff --git a/hosts/lappy-t495/lappy-t495.nix b/hosts/lappy-t495/lappy-t495.nix index 1928d2b..4f0605b 100644 --- a/hosts/lappy-t495/lappy-t495.nix +++ b/hosts/lappy-t495/lappy-t495.nix @@ -14,8 +14,6 @@ profiles.gaming.steam - hosts.lappy-t495.profiles.restic - ./secrets.nix ]; diff --git a/hosts/lappy-t495/profiles/restic.nix b/hosts/lappy-t495/profiles/restic.nix deleted file mode 100644 index 443c4e2..0000000 --- a/hosts/lappy-t495/profiles/restic.nix +++ /dev/null 
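Review bot: Removing `autoSecrets.affectedSystemdServices = ["wg-quick-wg0"]` drops the only visible hook that restarted the WireGuard unit after its key material was re-fetched; unless the replacement secrets mechanism restarts dependents itself, `wg-quick-wg0` keeps running with stale keys after a rotation until the host reboots. hosts/raspberry/secrets.nix loses the same hook in this commit. If the new module handles this, a one-line comment above `requiredVaultPaths` saying so would spare the next reader the same question.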
@@ -1,28 +0,0 @@
-{config, ...}: let
- inherit (config.services.secrets) secrets;
-in {
- services.restic.backups.lappy-t495 = {
- user = "root";
- createWrapper = true;
-
- paths = [
- "/etc/NetworkManager/system-connections"
- "/home/chaos/Projects"
- ];
- extraBackupArgs = [
- "--exclude-caches"
- "--exclude=node_modules"
- "--exclude=/home/chaos/Projects/*/target"
- ];
-
- repositoryFile = "${secrets.restic_backups_repository_file.path}";
- passwordFile = "${secrets.restic_backups_password.path}";
-
- pruneOpts = ["--keep-within=14d"];
-
- timerConfig = {
- OnStartupSec = "5m";
- OnUnitActiveSec = "30m";
- };
- };
-}
diff --git a/hosts/lappy-t495/secrets.nix b/hosts/lappy-t495/secrets.nix
index f5a5605..6778044 100644
--- a/hosts/lappy-t495/secrets.nix
+++ b/hosts/lappy-t495/secrets.nix
@@ -13,35 +13,6 @@
 simple_get "/api-keys/music-stream" .password > "$secretFile"
 '';
 };
-
- # Required for home.apps.manualBackupApps
- restic_music_env = {
- user = "chaos";
- fetchScript = ''
- api_username=restic
- api_password=$(simple_get "/api-keys/storage/restic/Music" ".$api_username")
- restic_password=$(simple_get "/private-public-keys/restic/Music" .password)
-
- echo > "$secretFile"
- echo "RESTIC_REPOSITORY=rest:https://$api_username:$api_password@storage-restic.owo.monster/Music" >> "$secretFile"
- echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
- '';
- };
-
- restic_backups_password = {
- fetchScript = ''
- simple_get "/private-public-keys/restic/Lappy-T495" .password > "$secretFile"
- '';
- };
-
- restic_backups_repository_file = {
- fetchScript = ''
- api_username=restic
- api_password=$(simple_get "/api-keys/storage/restic/Lappy-T495" ".$api_username")
-
- echo "rest:https://$api_username:$api_password@storage-restic.owo.monster/Lappy-T495" > "$secretFile"
- '';
- };
 };
 };
 }
diff --git a/hosts/raspberry/secrets.nix b/hosts/raspberry/secrets.nix
index 1ea5d3c..b6661a3 100644
--- a/hosts/raspberry/secrets.nix
+++ b/hosts/raspberry/secrets.nix
@@ -7,11 +7,6 @@ loginUsername = "raspberry"; }; - autoSecrets = { - enable = true; - affectedSystemdServices = ["wg-quick-wg0"]; - }; - # some are also added from wireguard internal config requiredVaultPaths = [ "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically diff --git a/overlay/default.nix b/overlay/default.nix index 5fded06..bf4837a 100644 --- a/overlay/default.nix +++ b/overlay/default.nix @@ -13,6 +13,8 @@ final: prev: rec { cp -r ${./kitty-terminfo}/* $out/share ''; + vault = prev.vault-bin; + mpd-headless = (prev.mpdWithFeatures.override { ffmpeg = final.ffmpeg_6-headless; diff --git a/presets/nixos/serverHetzner.nix b/presets/nixos/serverHetzner.nix index 057a4ed..9e3f534 100644 --- a/presets/nixos/serverHetzner.nix +++ b/presets/nixos/serverHetzner.nix @@ -66,19 +66,15 @@ in { routes = [ # v4 { - routeConfig = { - Destination = gateway; - }; + Destination = gateway; } { - routeConfig = { - Gateway = gateway; - GatewayOnLink = true; - }; + Gateway = gateway; + GatewayOnLink = true; } # v6 { - routeConfig.Gateway = "fe80::1"; + Gateway = "fe80::1"; } ]; }; diff --git a/profiles/serverExtras.nix b/profiles/serverExtras.nix index 69c0548..4403eb5 100644 --- a/profiles/serverExtras.nix +++ b/profiles/serverExtras.nix @@ -34,6 +34,8 @@ in { Lists all failed units in host and containers - restart-service-all Restarts a service on host and all containers + - run-command-all + Runs a command on host and all containers - shell-enter-`$name` Opens an interactive shell with container ''} @@ -63,6 +65,14 @@ in { systemctl -M ${name} restart $@ ''))} '') + (writeShellScriptBin "run-command-all" '' + echo "Host: " + $@ + ${concatStringsSep "\n" (forEach containerNames (name: '' + echo "Container: ${name}" + machinectl shell ${name} $@ + ''))} + '') ] ++ forEach containerNames (name: (writeShellScriptBin "journalctl-vaccum-${name}" '' journalctl --vacuum-size=${vaccumSize} --root /var/lib/nixos-containers/${name}
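Review bot: `vault = prev.vault-bin;` changes which package every `pkgs.vault` consumer in the overlay gets, swapping the nixpkgs source build for HashiCorp's prebuilt release binary, and nothing records why. A short comment above the line, such as `# prefer HashiCorp's prebuilt release over the nixpkgs source build: <reason>`, keeps the supply-chain trade-off (trusting a vendor binary rather than a build from source) deliberate and reviewable, and stops a later cleanup from reverting it as an accident.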
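Review bot: Both command lines in the new `run-command-all` expand `$@` unquoted, so an argument containing spaces or glob characters is re-split and re-globbed before it reaches the host shell or `machinectl shell`; quoting them as `"$@"` and `machinectl shell ${name} "$@"` preserves the caller's argument boundaries (the pre-existing `systemctl -M ${name} restart $@` above has the same issue). `machinectl shell` will presumably fail for a container that is not running, so a note in the help text added in the earlier hunk, or a `machinectl show ${name}` check before the call, would make that expected rather than alarming.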