From e6a581fe57aeafa3ddc8a03a22e05e217c77d54e Mon Sep 17 00:00:00 2001
From: Chaos
Date: Wed, 2 Nov 2022 16:04:43 +0000
Subject: [PATCH] beep
---
 flake.lock | 24 +++----
 hosts/hetzner-vm/services/mpd.nix | 2 +-
 hosts/lappy/lappy.nix | 2 +-
 hosts/lappy/profiles/harry-vpn.nix | 19 +++++
 hosts/storage/ports.nix | 11 +++
 hosts/storage/rclone_config.template | 17 ++++-
 hosts/storage/secrets-db.nix | 4 +-
 hosts/storage/secrets.nix | 10 +--
 hosts/storage/storage.nix | 104 ++++++++++++++++++---------
 9 files changed, 137 insertions(+), 56 deletions(-)
 create mode 100644 hosts/lappy/profiles/harry-vpn.nix
 create mode 100644 hosts/storage/ports.nix
diff --git a/flake.lock b/flake.lock
index 7caf21a..19d765a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -96,11 +96,11 @@
 "utils": "utils_3"
 },
 "locked": {
- "lastModified": 1666990295,
- "narHash": "sha256-JPMTX8W36IPV1jmKV1qEhNBI4MbIPYsnccWyTUlSiG0=",
+ "lastModified": 1667386877,
+ "narHash": "sha256-CP8CbIiykhevS9KsFO5kKP7CfrnGjORhvkHV6PMyh90=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "423211401c245934db5052e3867cac704f658544",
+ "rev": "916811c8f9ef37beb7705150d76cc88ce79466fd",
 "type": "github"
 },
 "original": {
@@ -138,11 +138,11 @@
 ]
 },
 "locked": {
- "lastModified": 1666776005,
- "narHash": "sha256-HwSMF19PpczfqNHKcFsA6cF4PVbG00uUSdbq6q3jB5o=",
+ "lastModified": 1667294277,
+ "narHash": "sha256-YhVGYUpPZNpJZ8z3Sq9aT6n1/B8vKtfRfwaCtbsosxk=",
 "owner": "lnl7",
 "repo": "nix-darwin",
- "rev": "f6648ca0698d1611d7eadfa72b122252b833f86c",
+ "rev": "b7177030643374e698c29e993c2808efa7b85aaf",
 "type": "github"
 },
 "original": {
@@ -186,11 +186,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1667050928,
- "narHash": "sha256-xOn0ZgjImIyeecEsrjxuvlW7IW5genTwvvnDQRFncB8=",
+ "lastModified": 1667231093,
+ "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949",
+ "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
 "type": "github"
 },
 "original": {
@@ -259,11 +259,11 @@
 },
 "utils_3": {
 "locked": {
- "lastModified": 1659877975,
- "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+ "lastModified": 1667077288,
+ "narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+ "rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817",
 "type": "github"
 },
 "original": {
diff --git a/hosts/hetzner-vm/services/mpd.nix b/hosts/hetzner-vm/services/mpd.nix
index 23f6ea9..e2998e9 100644
--- a/hosts/hetzner-vm/services/mpd.nix
+++ b/hosts/hetzner-vm/services/mpd.nix
@@ -8,7 +8,7 @@ in {
 services.mpd = {
 enable = true;
 network.listenAddress = "0.0.0.0";
- musicDirectory = "/storage/music";
+ musicDirectory = "https://storage-webdav.owo.monster/music_ro/";
 credentials = [{
 passwordFile = "${secrets-db.mpd_control_password.path}";
 permissions = [ "read" "add" "control" "admin" ];
diff --git a/hosts/lappy/lappy.nix b/hosts/lappy/lappy.nix
index f1fa51a..2a6b745 100644
--- a/hosts/lappy/lappy.nix
+++ b/hosts/lappy/lappy.nix
@@ -10,7 +10,7 @@ in {
 profiles.sshd
 hosts.lappy.profiles.usb-automount
- hosts.lappy.profiles.macos-vm
+ hosts.lappy.profiles.harry-vpn
 # required for dualsense controller
 profiles.kernels.latest
diff --git a/hosts/lappy/profiles/harry-vpn.nix b/hosts/lappy/profiles/harry-vpn.nix
new file mode 100644
index 0000000..77a6c08
--- /dev/null
+++ b/hosts/lappy/profiles/harry-vpn.nix
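Review bot: `musicDirectory` now points at an HTTPS URL, which mpd only accepts when it was built with its curl/WebDAV storage plugin; if the mpd package on hetzner-vm lacks that plugin the unit fails at startup rather than at evaluation time, so check the journal after the first deploy. The `/music_ro/` endpoint this targets is served without an `--htpasswd` (see the storage.nix hunks), so mpd needs no credentials but the library is readable by anyone who learns the hostname. A comment next to the new line such as `# remote library via rclone serve webdav on storage; read-only and unauthenticated by design` would record that trade-off.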
@@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+ environment.systemPackages = with pkgs; [ wireguard-tools ];
+ networking.wg-quick.interfaces = {
+ wg-harry-vpn = {
+ autostart = false;
+ address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
+ dns = [ "8.8.8.8" ];
+ mtu = 1280;
+ privateKeyFile = "/secrets/harry_vpn_wg_priv";
+
+ peers = [{
+ publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "185.186.9.1:8081";
+ persistentKeepalive = 25;
+ }];
+ };
+ };
+}
diff --git a/hosts/storage/ports.nix b/hosts/storage/ports.nix
new file mode 100644
index 0000000..0ff4a4d
--- /dev/null
+++ b/hosts/storage/ports.nix
@@ -0,0 +1,11 @@
+{ }: {
+ rclone_serve_webdav_main = 4242;
+ rclone_serve_webdav_music_ro = 4243;
+
+ rclone_serve_restic_hvm = 4244;
+ rclone_serve_restic_music = 4245;
+ rclone_serve_restic_vault = 4246;
+
+ rclone_serve_http_music = 4247;
+
+}
diff --git a/hosts/storage/rclone_config.template b/hosts/storage/rclone_config.template
index 0d7f3dc..25eed91 100644
--- a/hosts/storage/rclone_config.template
+++ b/hosts/storage/rclone_config.template
@@ -1,12 +1,25 @@
 [StorageBox-Remote]
-type = smb
+type = sftp
 host = u323231.your-storagebox.de
 user = u323231
 pass = STORAGEBOX_PASSWORD
+port = 23
+shell_type = unix
+md5sum_command = md5 -r
+sha1sum_command = sha1 -r
+
+#type = smb
+#type = webdav
+#vendor = nextcloud
+#host = u323231.your-storagebox.de
+#url = https://u323231.your-storagebox.de
+#user = u323231
+#pass = STORAGEBOX_PASSWORD
 [StorageBox]
 type = alias
-remote = StorageBox-Remote:backup
+remote = StorageBox-Remote:
+#backup
 [B2-Chaos-Backups-Source]
 type = b2
diff --git a/hosts/storage/secrets-db.nix b/hosts/storage/secrets-db.nix
index b6b1b7f..aeb1c2e 100644
--- a/hosts/storage/secrets-db.nix
+++ b/hosts/storage/secrets-db.nix
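Review bot: `privateKeyFile = "/secrets/harry_vpn_wg_priv"` is referenced but nothing in this commit provisions that file on lappy, so `wg-quick up wg-harry-vpn` will fail until it exists out of band, and it must be readable by root only. With `allowedIPs = [ "0.0.0.0/0" "::/0" ]` the interface replaces the default route, while `dns = [ "8.8.8.8" ]` resolves every name through Google rather than a resolver run by the VPN operator; if that is deliberate, say so, e.g. `# full tunnel; DNS deliberately goes to 8.8.8.8 through the tunnel`. `autostart = false` keeps the tunnel opt-in, which is the right default for an interface that takes over all routing.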
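Review bot: The new sftp remote sets no `known_hosts_file`, and rclone's sftp backend only validates the server host key when that option is set, so the backup transport will accept any host answering as u323231.your-storagebox.de; add `known_hosts_file = <path to a known_hosts holding the storagebox host key>` (placeholder) under `[StorageBox-Remote]`. The commented-out smb/webdav block repeats `#pass = STORAGEBOX_PASSWORD`; if populate-rclone-config substitutes that token textually, the secret lands in the generated file twice, so either drop the dead block or alter the token inside it. The sftp backend, like smb, expects `pass` in rclone's obscured form, which a comment `# substituted at activation; value must be rclone-obscured` above the line would make explicit for the next edit.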
@@ -17,11 +17,11 @@
 permissions = "660";
 path = "/secrets/restic_vault_htpasswd";
 };
- webdav_htpasswd = {
+ webdav_main_htpasswd = {
 user = "storage";
 group = "storage";
 permissions = "660";
- path = "/secrets/webdav_htpasswd";
+ path = "/secrets/webdav_main_htpasswd";
 };
 vault_password = {
 user = "root";
diff --git a/hosts/storage/secrets.nix b/hosts/storage/secrets.nix
index 1e72b3e..8449956 100644
--- a/hosts/storage/secrets.nix
+++ b/hosts/storage/secrets.nix
@@ -45,13 +45,13 @@ in {
 chown ${secrets-db.restic_vault_htpasswd.user}:${secrets-db.restic_vault_htpasswd.group} $file
 chmod ${secrets-db.restic_vault_htpasswd.permissions} $file
- file=${secrets-db.webdav_htpasswd.path}
+ file=${secrets-db.webdav_main_htpasswd.path}
 echo $file
- username=$(simple_get "/api-keys/storage/webdav" .username)
- password=$(simple_get "/api-keys/storage/webdav" .password)
+ username=$(simple_get "/api-keys/storage/webdav/main" .username)
+ password=$(simple_get "/api-keys/storage/webdav/main" .password)
 htpasswd -bc $file "$username" "$password"
- chown ${secrets-db.webdav_htpasswd.user}:${secrets-db.webdav_htpasswd.group} $file
- chmod ${secrets-db.webdav_htpasswd.permissions} $file
+ chown ${secrets-db.webdav_main_htpasswd.user}:${secrets-db.webdav_main_htpasswd.group} $file
+ chmod ${secrets-db.webdav_main_htpasswd.permissions} $file
 file=${secrets-db.vault_password.path}
 echo $file
diff --git a/hosts/storage/storage.nix b/hosts/storage/storage.nix
index 341aaa2..50198a6 100644
--- a/hosts/storage/storage.nix
+++ b/hosts/storage/storage.nix
@@ -1,5 +1,8 @@
 { modulesPath, tree, config, pkgs, lib, ... }:
-let secrets-db = (import ./secrets-db.nix { });
+let
+ secrets-db = (import ./secrets-db.nix { });
+ ports = (import ./ports.nix { });
+
 in {
 imports = with tree; [
 users.root
@@ -70,8 +73,22 @@ in {
 remote = "StorageBox:";
 type = "webdav";
 wants = [ "populate-rclone-config.service" ];
- extraArgs =
- [ "--addr=:4242" "--htpasswd=${secrets-db.webdav_htpasswd.path}" ];
+ extraArgs = [
+ "--addr=:${toString ports.rclone_serve_webdav_main}"
+ "--htpasswd=${secrets-db.webdav_main_htpasswd.path}"
+ "--baseurl=/main/"
+ ];
+ }
+ {
+ user = "storage";
+ remote = "StorageBox:Music";
+ type = "webdav";
+ wants = [ "populate-rclone-config.service" ];
+ extraArgs = [
+ "--addr=:${toString ports.rclone_serve_webdav_music_ro}"
+ "--read-only"
+ "--baseurl=/music_ro/"
+ ];
 }
 {
 user = "storage";
@@ -79,7 +96,7 @@ in {
 type = "restic";
 wants = [ "populate-rclone-config.service" ];
 extraArgs = [
- "--addr=:4243"
+ "--addr=:${toString ports.rclone_serve_restic_hvm}"
 "--htpasswd=${secrets-db.restic_hetznervm_htpasswd.path}"
 "--baseurl=/HetznerVM/"
 ];
@@ -90,7 +107,7 @@ in {
 type = "restic";
 wants = [ "populate-rclone-config.service" ];
 extraArgs = [
- "--addr=:4244"
+ "--addr=:${toString ports.rclone_serve_restic_music}"
 "--htpasswd=${secrets-db.restic_music_htpasswd.path}"
 "--baseurl=/Music/"
 ];
@@ -101,11 +118,22 @@ in {
 type = "restic";
 wants = [ "populate-rclone-config.service" ];
 extraArgs = [
- "--addr=:4245"
+ "--addr=:${toString ports.rclone_serve_restic_vault}"
 "--htpasswd=${secrets-db.restic_vault_htpasswd.path}"
 "--baseurl=/Vault/"
 ];
 }
+ {
+ user = "storage";
+ remote = "StorageBox:Music";
+ type = "http";
+ wants = [ "populate-rclone-config.service" ];
+ extraArgs = [
+ "--addr=:${toString ports.rclone_serve_http_music}"
+ "--baseurl=/music/"
+ "--read-only"
+ ];
+ }
 ];
 };
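Review bot: Every serve entry in this hunk and in the -79, -90 and -101 hunks binds with `--addr=:PORT`, i.e. on all interfaces, while nginx only ever proxies to `localhost`; unless a host firewall blocks those ports (not visible here) the serves are reachable directly on the network, bypassing TLS, which for the htpasswd-protected ones means basic-auth credentials can travel in clear. Binding to loopback is a one-token change per entry, e.g. `"--addr=127.0.0.1:${toString ports.rclone_serve_webdav_music_ro}"`, and leaves nginx as the only way in. The two new `StorageBox:Music` serves run `--read-only` without any `--htpasswd`, so the whole library is anonymously readable through the `/music_ro/` and `storage-http.owo.monster` vhosts of the -114 hunk; that looks intended for mpd, and a comment such as `# public, read-only; no htpasswd on purpose` on both entries would stop a later reader from "fixing" it. The list these entries belong to starts before this hunk.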
@@ -114,59 +142,69 @@ in {
 services.nginx.virtualHosts."storage-webdav.owo.monster" = {
 forceSSL = true;
 enableACME = true;
- locations = { "/".proxyPass = "http://localhost:4242"; };
+ locations = {
+ "/main/".proxyPass =
+ "http://localhost:${toString ports.rclone_serve_webdav_main}";
+ "/music_ro/".proxyPass =
+ "http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
+ };
+ };
+
+ services.nginx.virtualHosts."storage-http.owo.monster" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/music/".proxyPass =
+ "http://localhost:${toString ports.rclone_serve_http_music}";
+ };
 };
 services.nginx.virtualHosts."storage-restic.owo.monster" = {
 forceSSL = true;
 enableACME = true;
 locations = {
- "/HetznerVM/".proxyPass = "http://localhost:4243";
- "/Music/".proxyPass = "http://localhost:4244";
- "/Vault/".proxyPass = "http://localhost:4245";
+ "/HetznerVM/".proxyPass =
+ "http://localhost:${toString ports.rclone_serve_restic_hvm}";
+ "/Music/".proxyPass =
+ "http://localhost:${toString ports.rclone_serve_restic_music}";
+ "/Vault/".proxyPass =
+ "http://localhost:${toString ports.rclone_serve_restic_vault}";
 };
 };
- services.rclone-sync = {
+ services.rclone-sync = let
+ sync_defaults = {
+ wants = [ "populate-rclone-config.service" ];
+ timerConfig = {
+ OnStartupSec = "60";
+ OnCalendar = "4h";
+ };
+ };
+ in {
 enable = true;
 user = "storage";
- sync_jobs = [
+ sync_jobs = map (x: lib.mkMerge [ x sync_defaults ]) [
+ # My B2
 {
 source = "StorageBox:Chaos-Backups";
 dest = "B2-Chaos-Backups:";
- wants = [ "populate-rclone-config.service" ];
- timerConfig = {
- OnStartupSec = "60";
- OnCalendar = "4h";
- };
 }
 {
 source = "StorageBox:Chaos-Photos";
 dest = "B2-Chaos-Photos:";
- wants = [ "populate-rclone-config.service" ];
- timerConfig = {
- OnStartupSec = "60";
- OnCalendar = "4h";
- };
 }
-
+ # Cassie's B2
 {
 source = "StorageBox:Chaos-Backups";
 dest = "B2-Cassie-Cryptidz-Backup:Chaos-Backups";
- wants = [ "populate-rclone-config.service" ];
- timerConfig = {
- OnStartupSec = "60";
- OnCalendar = "4h";
- };
 }
 {
 source = "StorageBox:Chaos-Photos";
 dest = "B2-Cassie-Cryptidz-Backup:Chaos-Photos";
- wants = [ "populate-rclone-config.service" ];
- timerConfig = {
- OnStartupSec = "60";
- OnCalendar = "4h";
- };
+ }
+ {
+ source = "StorageBox:Music";
+ dest = "B2-Cassie-Cryptidz-Backup:Music";
 }
 ];
 };
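Review bot: `OnCalendar = "4h"` in the new `sync_defaults` is not a systemd calendar expression; if the rclone-sync module passes `timerConfig` through to `systemd.timers` unchanged, systemd rejects that directive with a parse warning and the jobs only ever run from the `OnStartupSec` trigger, so the 4-hourly resync silently never happens. The intent is either `OnUnitActiveSec = "4h";` or `OnCalendar = "*-*-* 0/4:00:00";`. The value was already present in the removed per-job copies, but this hunk consolidates it into one place, which is where to fix it; the rclone-sync module itself is outside this diff, so confirm how it consumes timerConfig first.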