Chaos 2022-11-02 16:04:43 +00:00
parent 944da9a84e
commit e6a581fe57
No known key found for this signature in database
9 changed files with 137 additions and 56 deletions


@ -96,11 +96,11 @@
"utils": "utils_3"
},
"locked": {
"lastModified": 1666990295,
"narHash": "sha256-JPMTX8W36IPV1jmKV1qEhNBI4MbIPYsnccWyTUlSiG0=",
"lastModified": 1667386877,
"narHash": "sha256-CP8CbIiykhevS9KsFO5kKP7CfrnGjORhvkHV6PMyh90=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "423211401c245934db5052e3867cac704f658544",
"rev": "916811c8f9ef37beb7705150d76cc88ce79466fd",
"type": "github"
},
"original": {
@ -138,11 +138,11 @@
]
},
"locked": {
"lastModified": 1666776005,
"narHash": "sha256-HwSMF19PpczfqNHKcFsA6cF4PVbG00uUSdbq6q3jB5o=",
"lastModified": 1667294277,
"narHash": "sha256-YhVGYUpPZNpJZ8z3Sq9aT6n1/B8vKtfRfwaCtbsosxk=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "f6648ca0698d1611d7eadfa72b122252b833f86c",
"rev": "b7177030643374e698c29e993c2808efa7b85aaf",
"type": "github"
},
"original": {
@ -186,11 +186,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1667050928,
"narHash": "sha256-xOn0ZgjImIyeecEsrjxuvlW7IW5genTwvvnDQRFncB8=",
"lastModified": 1667231093,
"narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949",
"rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
"type": "github"
},
"original": {
@ -259,11 +259,11 @@
},
"utils_3": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"lastModified": 1667077288,
"narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817",
"type": "github"
},
"original": {


@ -8,7 +8,7 @@ in {
services.mpd = {
enable = true;
network.listenAddress = "0.0.0.0";
musicDirectory = "/storage/music";
musicDirectory = "https://storage-webdav.owo.monster/music_ro/";
credentials = [{
passwordFile = "${secrets-db.mpd_control_password.path}";
permissions = [ "read" "add" "control" "admin" ];


@ -10,7 +10,7 @@ in {
profiles.sshd
hosts.lappy.profiles.usb-automount
hosts.lappy.profiles.macos-vm
hosts.lappy.profiles.harry-vpn
# required for dualsense controller
profiles.kernels.latest


@ -0,0 +1,19 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.wg-quick.interfaces = {
wg-harry-vpn = {
autostart = false;
address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
dns = [ "8.8.8.8" ];
mtu = 1280;
privateKeyFile = "/secrets/harry_vpn_wg_priv";
peers = [{
publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "185.186.9.1:8081";
persistentKeepalive = 25;
}];
};
};
}
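Review bot: The addresses assigned to `wg-harry-vpn` (`185.186.9.71/26` and `2a0b:6b84:2022:6::1/64`) look globally routable rather than private, so while the tunnel is up the laptop is presumably reachable from the internet on them, including whatever `profiles.sshd` listens on. Nothing in this file restricts inbound traffic on the interface; if the host firewall handles that elsewhere, a comment such as `# public address: inbound on wg-harry-vpn is filtered by the host firewall` would record it, and the interface should stay out of any trusted-interface list. The file also does not show how `/secrets/harry_vpn_wg_priv` is provisioned; it should be root-owned and mode 600, in line with the other entries under `/secrets`.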

11
hosts/storage/ports.nix Normal file

@ -0,0 +1,11 @@
{ }: {
rclone_serve_webdav_main = 4242;
rclone_serve_webdav_music_ro = 4243;
rclone_serve_restic_hvm = 4244;
rclone_serve_restic_music = 4245;
rclone_serve_restic_vault = 4246;
rclone_serve_http_music = 4247;
}


@ -1,12 +1,25 @@
[StorageBox-Remote]
type = smb
type = sftp
host = u323231.your-storagebox.de
user = u323231
pass = STORAGEBOX_PASSWORD
port = 23
shell_type = unix
md5sum_command = md5 -r
sha1sum_command = sha1 -r
#type = smb
#type = webdav
#vendor = nextcloud
#host = u323231.your-storagebox.de
#url = https://u323231.your-storagebox.de
#user = u323231
#pass = STORAGEBOX_PASSWORD
[StorageBox]
type = alias
remote = StorageBox-Remote:backup
remote = StorageBox-Remote:
#backup
[B2-Chaos-Backups-Source]
type = b2
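Review bot: The new `sftp` definition of `[StorageBox-Remote]` sets no `known_hosts_file`, and rclone's sftp backend does not validate the server host key unless that option is set, so the password in `pass` would be offered to whatever answers on port 23. Adding `known_hosts_file = /path/to/known_hosts` (placeholder path), with the provider's published host key pinned in that file, closes the gap. Separately, the alias appears to move from `StorageBox-Remote:backup` to `StorageBox-Remote:`, which would widen every `StorageBox:` consumer from the backup directory to the account root. If that is intended, a one-line comment saying so should replace the dangling `#backup` and the commented-out smb/webdav lines. The config continues past the visible lines of this section.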


@ -17,11 +17,11 @@
permissions = "660";
path = "/secrets/restic_vault_htpasswd";
};
webdav_htpasswd = {
webdav_main_htpasswd = {
user = "storage";
group = "storage";
permissions = "660";
path = "/secrets/webdav_htpasswd";
path = "/secrets/webdav_main_htpasswd";
};
vault_password = {
user = "root";


@ -45,13 +45,13 @@ in {
chown ${secrets-db.restic_vault_htpasswd.user}:${secrets-db.restic_vault_htpasswd.group} $file
chmod ${secrets-db.restic_vault_htpasswd.permissions} $file
file=${secrets-db.webdav_htpasswd.path}
file=${secrets-db.webdav_main_htpasswd.path}
echo $file
username=$(simple_get "/api-keys/storage/webdav" .username)
password=$(simple_get "/api-keys/storage/webdav" .password)
username=$(simple_get "/api-keys/storage/webdav/main" .username)
password=$(simple_get "/api-keys/storage/webdav/main" .password)
htpasswd -bc $file "$username" "$password"
chown ${secrets-db.webdav_htpasswd.user}:${secrets-db.webdav_htpasswd.group} $file
chmod ${secrets-db.webdav_htpasswd.permissions} $file
chown ${secrets-db.webdav_main_htpasswd.user}:${secrets-db.webdav_main_htpasswd.group} $file
chmod ${secrets-db.webdav_main_htpasswd.permissions} $file
file=${secrets-db.vault_password.path}
echo $file


@ -1,5 +1,8 @@
{ modulesPath, tree, config, pkgs, lib, ... }:
let secrets-db = (import ./secrets-db.nix { });
let
secrets-db = (import ./secrets-db.nix { });
ports = (import ./ports.nix { });
in {
imports = with tree; [
users.root
@ -70,8 +73,22 @@ in {
remote = "StorageBox:";
type = "webdav";
wants = [ "populate-rclone-config.service" ];
extraArgs =
[ "--addr=:4242" "--htpasswd=${secrets-db.webdav_htpasswd.path}" ];
extraArgs = [
"--addr=:${toString ports.rclone_serve_webdav_main}"
"--htpasswd=${secrets-db.webdav_main_htpasswd.path}"
"--baseurl=/main/"
];
}
{
user = "storage";
remote = "StorageBox:Music";
type = "webdav";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:${toString ports.rclone_serve_webdav_music_ro}"
"--read-only"
"--baseurl=/music_ro/"
];
}
{
user = "storage";
@ -79,7 +96,7 @@ in {
type = "restic";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:4243"
"--addr=:${toString ports.rclone_serve_restic_hvm}"
"--htpasswd=${secrets-db.restic_hetznervm_htpasswd.path}"
"--baseurl=/HetznerVM/"
];
@ -90,7 +107,7 @@ in {
type = "restic";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:4244"
"--addr=:${toString ports.rclone_serve_restic_music}"
"--htpasswd=${secrets-db.restic_music_htpasswd.path}"
"--baseurl=/Music/"
];
@ -101,11 +118,22 @@ in {
type = "restic";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:4245"
"--addr=:${toString ports.rclone_serve_restic_vault}"
"--htpasswd=${secrets-db.restic_vault_htpasswd.path}"
"--baseurl=/Vault/"
];
}
{
user = "storage";
remote = "StorageBox:Music";
type = "http";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:${toString ports.rclone_serve_http_music}"
"--baseurl=/music/"
"--read-only"
];
}
];
};
@ -114,59 +142,69 @@ in {
services.nginx.virtualHosts."storage-webdav.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = { "/".proxyPass = "http://localhost:4242"; };
locations = {
"/main/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_main}";
"/music_ro/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
};
};
services.nginx.virtualHosts."storage-http.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = {
"/music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_http_music}";
};
};
services.nginx.virtualHosts."storage-restic.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = {
"/HetznerVM/".proxyPass = "http://localhost:4243";
"/Music/".proxyPass = "http://localhost:4244";
"/Vault/".proxyPass = "http://localhost:4245";
"/HetznerVM/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_hvm}";
"/Music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_music}";
"/Vault/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_vault}";
};
};
services.rclone-sync = {
services.rclone-sync = let
sync_defaults = {
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
};
in {
enable = true;
user = "storage";
sync_jobs = [
sync_jobs = map (x: lib.mkMerge [ x sync_defaults ]) [
# My B2
{
source = "StorageBox:Chaos-Backups";
dest = "B2-Chaos-Backups:";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
}
{
source = "StorageBox:Chaos-Photos";
dest = "B2-Chaos-Photos:";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
}
# Cassie's B2
{
source = "StorageBox:Chaos-Backups";
dest = "B2-Cassie-Cryptidz-Backup:Chaos-Backups";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
}
{
source = "StorageBox:Chaos-Photos";
dest = "B2-Cassie-Cryptidz-Backup:Chaos-Photos";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
}
{
source = "StorageBox:Music";
dest = "B2-Cassie-Cryptidz-Backup:Music";
}
];
};
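Review bot: Every `rclone serve` entry binds with `--addr=:PORT`, i.e. on all interfaces, and the two new `StorageBox:Music` entries (`/music_ro/` and `/music/`) carry no `--htpasswd`. Unless a firewall rule outside this file blocks ports 4243 and 4247, they are reachable directly over plain HTTP, bypassing the nginx TLS vhosts. Since nginx proxies to `localhost`, binding to loopback is enough: `"--addr=127.0.0.1:${toString ports.rclone_serve_webdav_music_ro}"`, and likewise for the other entries, with the `proxyPass` targets pointed at the same address. If anonymous read access to the music tree is intentional, a comment on those two entries saying so would keep a later reader from treating the missing `--htpasswd` as an oversight.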