This commit is contained in:
Chaos 2022-11-02 16:04:43 +00:00
parent 944da9a84e
commit e6a581fe57
No known key found for this signature in database
9 changed files with 137 additions and 56 deletions


@ -96,11 +96,11 @@
"utils": "utils_3" "utils": "utils_3"
}, },
"locked": { "locked": {
"lastModified": 1666990295, "lastModified": 1667386877,
"narHash": "sha256-JPMTX8W36IPV1jmKV1qEhNBI4MbIPYsnccWyTUlSiG0=", "narHash": "sha256-CP8CbIiykhevS9KsFO5kKP7CfrnGjORhvkHV6PMyh90=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "423211401c245934db5052e3867cac704f658544", "rev": "916811c8f9ef37beb7705150d76cc88ce79466fd",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -138,11 +138,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1666776005, "lastModified": 1667294277,
"narHash": "sha256-HwSMF19PpczfqNHKcFsA6cF4PVbG00uUSdbq6q3jB5o=", "narHash": "sha256-YhVGYUpPZNpJZ8z3Sq9aT6n1/B8vKtfRfwaCtbsosxk=",
"owner": "lnl7", "owner": "lnl7",
"repo": "nix-darwin", "repo": "nix-darwin",
"rev": "f6648ca0698d1611d7eadfa72b122252b833f86c", "rev": "b7177030643374e698c29e993c2808efa7b85aaf",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -186,11 +186,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1667050928, "lastModified": 1667231093,
"narHash": "sha256-xOn0ZgjImIyeecEsrjxuvlW7IW5genTwvvnDQRFncB8=", "narHash": "sha256-RERXruzBEBuf0c7OfZeX1hxEKB+PTCUNxWeB6C1jd8Y=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "fdebb81f45a1ba2c4afca5fd9f526e1653ad0949", "rev": "d40fea9aeb8840fea0d377baa4b38e39b9582458",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -259,11 +259,11 @@
}, },
"utils_3": { "utils_3": {
"locked": { "locked": {
"lastModified": 1659877975, "lastModified": 1667077288,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=", "narHash": "sha256-bdC8sFNDpT0HK74u9fUkpbf1MEzVYJ+ka7NXCdgBoaA=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0", "rev": "6ee9ebb6b1ee695d2cacc4faa053a7b9baa76817",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -8,7 +8,7 @@ in {
services.mpd = { services.mpd = {
enable = true; enable = true;
network.listenAddress = "0.0.0.0"; network.listenAddress = "0.0.0.0";
musicDirectory = "/storage/music"; musicDirectory = "https://storage-webdav.owo.monster/music_ro/";
credentials = [{ credentials = [{
passwordFile = "${secrets-db.mpd_control_password.path}"; passwordFile = "${secrets-db.mpd_control_password.path}";
permissions = [ "read" "add" "control" "admin" ]; permissions = [ "read" "add" "control" "admin" ];


@ -10,7 +10,7 @@ in {
profiles.sshd profiles.sshd
hosts.lappy.profiles.usb-automount hosts.lappy.profiles.usb-automount
hosts.lappy.profiles.macos-vm hosts.lappy.profiles.harry-vpn
# required for dualsense controller # required for dualsense controller
profiles.kernels.latest profiles.kernels.latest


@ -0,0 +1,19 @@
{ pkgs, ... }: {
environment.systemPackages = with pkgs; [ wireguard-tools ];
networking.wg-quick.interfaces = {
wg-harry-vpn = {
autostart = false;
address = [ "185.186.9.71/26" "2a0b:6b84:2022:6::1/64" ];
dns = [ "8.8.8.8" ];
mtu = 1280;
privateKeyFile = "/secrets/harry_vpn_wg_priv";
peers = [{
publicKey = "7B6KSFqTHM7A7Nv24GIeUhDDh2XnlT7UqG5U+Si+zmc=";
allowedIPs = [ "0.0.0.0/0" "::/0" ];
endpoint = "185.186.9.1:8081";
persistentKeepalive = 25;
}];
};
};
}
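Review bot: `privateKeyFile = "/secrets/harry_vpn_wg_priv"` is a bare path that nothing on this page provisions or constrains, whereas the other secret files in this commit (the htpasswd entries in secrets-db.nix) declare an owner, group and mode. The interface is otherwise fully specified (peer key, endpoint, addresses, MTU), so a reader cannot tell how the key gets onto the host or who may read it. A comment at that line, `# provisioned out-of-band; keep root-only (0600) — wg-quick reads it as root`, would record the expectation, and if the repo's secrets-db pattern is reachable from this host the path should come from it rather than be repeated literally.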

hosts/storage/ports.nix Normal file

@ -0,0 +1,11 @@
{ }: {
rclone_serve_webdav_main = 4242;
rclone_serve_webdav_music_ro = 4243;
rclone_serve_restic_hvm = 4244;
rclone_serve_restic_music = 4245;
rclone_serve_restic_vault = 4246;
rclone_serve_http_music = 4247;
}


@ -1,12 +1,25 @@
[StorageBox-Remote] [StorageBox-Remote]
type = smb type = sftp
host = u323231.your-storagebox.de host = u323231.your-storagebox.de
user = u323231 user = u323231
pass = STORAGEBOX_PASSWORD pass = STORAGEBOX_PASSWORD
port = 23
shell_type = unix
md5sum_command = md5 -r
sha1sum_command = sha1 -r
#type = smb
#type = webdav
#vendor = nextcloud
#host = u323231.your-storagebox.de
#url = https://u323231.your-storagebox.de
#user = u323231
#pass = STORAGEBOX_PASSWORD
[StorageBox] [StorageBox]
type = alias type = alias
remote = StorageBox-Remote:backup remote = StorageBox-Remote:
#backup
[B2-Chaos-Backups-Source] [B2-Chaos-Backups-Source]
type = b2 type = b2
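Review bot: The new `type = sftp` remote has no `known_hosts_file`, and rclone's sftp backend only validates the server host key when that option is set, so the `pass` value is offered to whatever answers on `u323231.your-storagebox.de:23`. Since the smb→sftp switch is the point of this hunk, pin the key alongside the other new options: `known_hosts_file = <PATH_TO_KNOWN_HOSTS_WITH_STORAGEBOX_KEY>`. Separately, the alias now reads `remote = StorageBox-Remote:` instead of `StorageBox-Remote:backup`, which moves every `StorageBox:...` path used in default.nix to the remote's root; if that is intended, the dangling `#backup` line could be replaced by a comment saying so.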


@ -17,11 +17,11 @@
permissions = "660"; permissions = "660";
path = "/secrets/restic_vault_htpasswd"; path = "/secrets/restic_vault_htpasswd";
}; };
webdav_htpasswd = { webdav_main_htpasswd = {
user = "storage"; user = "storage";
group = "storage"; group = "storage";
permissions = "660"; permissions = "660";
path = "/secrets/webdav_htpasswd"; path = "/secrets/webdav_main_htpasswd";
}; };
vault_password = { vault_password = {
user = "root"; user = "root";


@ -45,13 +45,13 @@ in {
chown ${secrets-db.restic_vault_htpasswd.user}:${secrets-db.restic_vault_htpasswd.group} $file chown ${secrets-db.restic_vault_htpasswd.user}:${secrets-db.restic_vault_htpasswd.group} $file
chmod ${secrets-db.restic_vault_htpasswd.permissions} $file chmod ${secrets-db.restic_vault_htpasswd.permissions} $file
file=${secrets-db.webdav_htpasswd.path} file=${secrets-db.webdav_main_htpasswd.path}
echo $file echo $file
username=$(simple_get "/api-keys/storage/webdav" .username) username=$(simple_get "/api-keys/storage/webdav/main" .username)
password=$(simple_get "/api-keys/storage/webdav" .password) password=$(simple_get "/api-keys/storage/webdav/main" .password)
htpasswd -bc $file "$username" "$password" htpasswd -bc $file "$username" "$password"
chown ${secrets-db.webdav_htpasswd.user}:${secrets-db.webdav_htpasswd.group} $file chown ${secrets-db.webdav_main_htpasswd.user}:${secrets-db.webdav_main_htpasswd.group} $file
chmod ${secrets-db.webdav_htpasswd.permissions} $file chmod ${secrets-db.webdav_main_htpasswd.permissions} $file
file=${secrets-db.vault_password.path} file=${secrets-db.vault_password.path}
echo $file echo $file


@ -1,5 +1,8 @@
{ modulesPath, tree, config, pkgs, lib, ... }: { modulesPath, tree, config, pkgs, lib, ... }:
let secrets-db = (import ./secrets-db.nix { }); let
secrets-db = (import ./secrets-db.nix { });
ports = (import ./ports.nix { });
in { in {
imports = with tree; [ imports = with tree; [
users.root users.root
@ -70,8 +73,22 @@ in {
remote = "StorageBox:"; remote = "StorageBox:";
type = "webdav"; type = "webdav";
wants = [ "populate-rclone-config.service" ]; wants = [ "populate-rclone-config.service" ];
extraArgs = extraArgs = [
[ "--addr=:4242" "--htpasswd=${secrets-db.webdav_htpasswd.path}" ]; "--addr=:${toString ports.rclone_serve_webdav_main}"
"--htpasswd=${secrets-db.webdav_main_htpasswd.path}"
"--baseurl=/main/"
];
}
{
user = "storage";
remote = "StorageBox:Music";
type = "webdav";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:${toString ports.rclone_serve_webdav_music_ro}"
"--read-only"
"--baseurl=/music_ro/"
];
} }
{ {
user = "storage"; user = "storage";
@ -79,7 +96,7 @@ in {
type = "restic"; type = "restic";
wants = [ "populate-rclone-config.service" ]; wants = [ "populate-rclone-config.service" ];
extraArgs = [ extraArgs = [
"--addr=:4243" "--addr=:${toString ports.rclone_serve_restic_hvm}"
"--htpasswd=${secrets-db.restic_hetznervm_htpasswd.path}" "--htpasswd=${secrets-db.restic_hetznervm_htpasswd.path}"
"--baseurl=/HetznerVM/" "--baseurl=/HetznerVM/"
]; ];
@ -90,7 +107,7 @@ in {
type = "restic"; type = "restic";
wants = [ "populate-rclone-config.service" ]; wants = [ "populate-rclone-config.service" ];
extraArgs = [ extraArgs = [
"--addr=:4244" "--addr=:${toString ports.rclone_serve_restic_music}"
"--htpasswd=${secrets-db.restic_music_htpasswd.path}" "--htpasswd=${secrets-db.restic_music_htpasswd.path}"
"--baseurl=/Music/" "--baseurl=/Music/"
]; ];
@ -101,11 +118,22 @@ in {
type = "restic"; type = "restic";
wants = [ "populate-rclone-config.service" ]; wants = [ "populate-rclone-config.service" ];
extraArgs = [ extraArgs = [
"--addr=:4245" "--addr=:${toString ports.rclone_serve_restic_vault}"
"--htpasswd=${secrets-db.restic_vault_htpasswd.path}" "--htpasswd=${secrets-db.restic_vault_htpasswd.path}"
"--baseurl=/Vault/" "--baseurl=/Vault/"
]; ];
} }
{
user = "storage";
remote = "StorageBox:Music";
type = "http";
wants = [ "populate-rclone-config.service" ];
extraArgs = [
"--addr=:${toString ports.rclone_serve_http_music}"
"--baseurl=/music/"
"--read-only"
];
}
]; ];
}; };
@ -114,59 +142,69 @@ in {
services.nginx.virtualHosts."storage-webdav.owo.monster" = { services.nginx.virtualHosts."storage-webdav.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { "/".proxyPass = "http://localhost:4242"; }; locations = {
"/main/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_main}";
"/music_ro/".proxyPass =
"http://localhost:${toString ports.rclone_serve_webdav_music_ro}";
};
};
services.nginx.virtualHosts."storage-http.owo.monster" = {
forceSSL = true;
enableACME = true;
locations = {
"/music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_http_music}";
};
}; };
services.nginx.virtualHosts."storage-restic.owo.monster" = { services.nginx.virtualHosts."storage-restic.owo.monster" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations = { locations = {
"/HetznerVM/".proxyPass = "http://localhost:4243"; "/HetznerVM/".proxyPass =
"/Music/".proxyPass = "http://localhost:4244"; "http://localhost:${toString ports.rclone_serve_restic_hvm}";
"/Vault/".proxyPass = "http://localhost:4245"; "/Music/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_music}";
"/Vault/".proxyPass =
"http://localhost:${toString ports.rclone_serve_restic_vault}";
}; };
}; };
services.rclone-sync = { services.rclone-sync = let
sync_defaults = {
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
};
in {
enable = true; enable = true;
user = "storage"; user = "storage";
sync_jobs = [ sync_jobs = map (x: lib.mkMerge [ x sync_defaults ]) [
# My B2
{ {
source = "StorageBox:Chaos-Backups"; source = "StorageBox:Chaos-Backups";
dest = "B2-Chaos-Backups:"; dest = "B2-Chaos-Backups:";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
} }
{ {
source = "StorageBox:Chaos-Photos"; source = "StorageBox:Chaos-Photos";
dest = "B2-Chaos-Photos:"; dest = "B2-Chaos-Photos:";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
} }
# Cassie's B2
{ {
source = "StorageBox:Chaos-Backups"; source = "StorageBox:Chaos-Backups";
dest = "B2-Cassie-Cryptidz-Backup:Chaos-Backups"; dest = "B2-Cassie-Cryptidz-Backup:Chaos-Backups";
wants = [ "populate-rclone-config.service" ];
timerConfig = {
OnStartupSec = "60";
OnCalendar = "4h";
};
} }
{ {
source = "StorageBox:Chaos-Photos"; source = "StorageBox:Chaos-Photos";
dest = "B2-Cassie-Cryptidz-Backup:Chaos-Photos"; dest = "B2-Cassie-Cryptidz-Backup:Chaos-Photos";
wants = [ "populate-rclone-config.service" ]; }
timerConfig = { {
OnStartupSec = "60"; source = "StorageBox:Music";
OnCalendar = "4h"; dest = "B2-Cassie-Cryptidz-Backup:Music";
};
} }
]; ];
}; };
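Review bot: The two new `StorageBox:Music` serves in the `@ -70,8 +73,22 @@` and `@ -101,11 +118,22 @@` hunks (`--addr=:${toString ports.rclone_serve_webdav_music_ro}` and `--addr=:${toString ports.rclone_serve_http_music}`) carry no `--htpasswd`, unlike every other serve in the list, and `--addr=:PORT` binds all interfaces rather than loopback. The music library is therefore readable without credentials both through the new nginx locations and, unless a firewall rule not shown here closes those ports, directly over plain HTTP, bypassing the TLS vhosts; the same direct-port exposure applies to the htpasswd-protected serves. If anonymous read is intended, record it with a comment next to `"--read-only"`; either way, binding to loopback, `"--addr=127.0.0.1:${toString ports.rclone_serve_webdav_music_ro}"` (and likewise for the other serves), keeps nginx the only ingress. The serve list these hunks belong to starts before the first of them, so its option path is not visible here.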