sj-srv1: init with restic backup

2024-01-18 21:06:45 +00:00 · 2024-01-18 21:06:45 +00:00 · 2c84e79f4a
commit 2c84e79f4a
parent 26f0bde4b3
12 changed files with 380 additions and 34 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -12,6 +12,7 @@ keys:
  - &justyna-p300 age1ye4fa0v37shz8q4e5uf9cp2avygcp9jtetmnj2sv9y9mqc7gjyksq2cjy8

  - &sj-vps-htz0 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+  - &sj-srv1 age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
  - &srv0-dmz0 age13cyvxrd28j68f97q2dwsn62q5dy8tdxtq86ql2dxv2ncwfrf63dsmkj7n3
  # - &router0-dmz0 age1jetxwpmd9hc4crkjtrdle2qxn9dlq7vcmqhfslv0vlxctrk4u3xq8hcvkz
  - &router0-dmz0 age1k7cejd9tqz6a3expd63wkn7kmeawhhrp9vy5vevhjn6eavhdwywqeh7j86
@ -30,6 +31,7 @@ creation_rules:
      - *router0-dmz0

      - *sj-vps-htz0
+      - *sj-srv1
      - *sj-bm-hostkey0
  - path_regex: ^secrets/steveej-t14/.+$
    key_groups:
@ -43,12 +45,14 @@ creation_rules:
      - *steveej
      age:
      - *sj-vps-htz0
+      - *sj-srv1
  - path_regex: ^nix/os/containers/.+_secrets.+$
    key_groups:
    - pgp:
      - *steveej
      age:
      - *sj-vps-htz0
+      - *sj-srv1
  - path_regex: ^secrets/holochain-infra/.+$
    key_groups:
    - pgp:
@ -67,6 +71,12 @@ creation_rules:
      - *steveej
      age:
      - *sj-vps-htz0
+  - path_regex: ^secrets/sj-srv1/.+$
+    key_groups:
+    - pgp:
+      - *steveej
+      age:
+      - *sj-srv1
  - path_regex: ^secrets/sj-bm-hostkey0/.+$
    key_groups:
    - pgp:
--- a/flake.nix
+++ b/flake.nix
@ -115,7 +115,7 @@
              # "srv0-dmz0"
              # # "router0-dmz0"

-              # "sj-vps-htz0"
+              "sj-srv1"
              "sj-bm-hostkey0"

              # "retro"
--- a/nix/os/devices/sj-srv1/README.md
+++ b/nix/os/devices/sj-srv1/README.md
@ -0,0 +1 @@
+## bootstrapping
--- a/nix/os/devices/sj-srv1/boot.nix
+++ b/nix/os/devices/sj-srv1/boot.nix
@ -0,0 +1,3 @@
+{lib, ...}: {
+  boot.extraModulePackages = [];
+}
--- a/nix/os/devices/sj-srv1/configuration.nix
+++ b/nix/os/devices/sj-srv1/configuration.nix
@ -0,0 +1,29 @@
+{ nodeName
+, config
+, pkgs
+, ...
+}: {
+  disabledModules = [ ];
+  imports = [
+    ../../profiles/common/configuration.nix
+    {
+      users.commonUsers = {
+        enable = true;
+        enableNonRoot = true;
+        rootPasswordFile = config.sops.secrets.passwords-root.path;
+      };
+
+      sops.secrets.passwords-root = {
+        sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+        neededForUsers = true;
+        format = "yaml";
+      };
+    }
+
+    ../../modules/opinionatedDisk.nix
+
+    ./system.nix
+    ./hw.nix
+    ./boot.nix
+  ];
+}
--- a/nix/os/devices/sj-srv1/default.nix
+++ b/nix/os/devices/sj-srv1/default.nix
@ -0,0 +1,28 @@
+{
+  nodeName,
+  repoFlake,
+  nodeFlake,
+  ...
+}: let
+  system = "x86_64-linux";
+in {
+  meta.nodeSpecialArgs.${nodeName} = {
+    inherit repoFlake nodeName nodeFlake;
+    packages' = repoFlake.packages.${system};
+  };
+
+  meta.nodeNixpkgs.${nodeName} = import nodeFlake.inputs.nixpkgs.outPath {
+    inherit system;
+  };
+
+  ${nodeName} = {
+    deployment.targetHost = "${nodeName}.dmz.internal";
+    deployment.replaceUnknownProfiles = false;
+
+    imports = [
+      nodeFlake.inputs.home-manager.nixosModules.home-manager
+
+      ./configuration.nix
+    ];
+  };
+}
--- a/nix/os/devices/sj-srv1/flake.lock
+++ b/nix/os/devices/sj-srv1/flake.lock
@ -0,0 +1,83 @@
+{
+  "nodes": {
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1700392168,
+        "narHash": "sha256-v5LprEFx3u4+1vmds9K0/i7sHjT0IYGs7u9v54iz/OA=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "28535c3a34d79071f2ccb68671971ce0c0984d7e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-23.05",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1700501263,
+        "narHash": "sha256-M0U063Ba2DKL4lMYI7XW13Rsk5tfUXnIYiAVa39AV/0=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f741f8a839912e272d7e87ccf4b9dbc6012cdaf9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-master": {
+      "locked": {
+        "lastModified": 1700758842,
+        "narHash": "sha256-WNpG3F/0dktkYbG6O8Put9GtBw4C4vb1KwtIibfXYEE=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "359d577687ea3eb033590cf1259f0355e30b9c6f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1700641131,
+        "narHash": "sha256-M3bsoVMQM2PcuBWb6n1KDNeMX87svcSj/4qlBcVqs3k=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "da41de71f62bf7fb989a04e39629b8adbf8aa8b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "nixpkgs-master": "nixpkgs-master",
+        "nixpkgs-unstable": "nixpkgs-unstable"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/nix/os/devices/sj-srv1/flake.nix
+++ b/nix/os/devices/sj-srv1/flake.nix
@ -0,0 +1,12 @@
+{
+  inputs.nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+  inputs.nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable-small";
+  inputs.nixpkgs-master.url = "github:nixos/nixpkgs/master";
+
+  inputs.home-manager = {
+    url = "github:nix-community/home-manager/release-23.05";
+    inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs = _: {};
+}
--- a/nix/os/devices/sj-srv1/hw.nix
+++ b/nix/os/devices/sj-srv1/hw.nix
@ -0,0 +1,50 @@
+{...}: let
+  stage1Modules = [
+    "virtio_balloon"
+    "virtio_scsi"
+    "virtio_net"
+    "virtio_pci"
+    "virtio_ring"
+    "virtio"
+    "scsi_mod"
+
+    "virtio_blk"
+    "virtio_ring"
+    "ata_piix"
+    "pata_acpi"
+    "ata_generic"
+
+    "aesni_intel"
+    "kvm_amd"
+    "nvme"
+    "nvme_core"
+
+    "thunderbolt"
+    "e1000e"
+
+    "usbcore"
+    "xhci_hcd"
+    "usbnet"
+    "snd_usb_audio"
+    "usbhid"
+    "snd_usbmidi_lib"
+    "cdc_mbim"
+    "cdc_ncm"
+    "usb_storage"
+    "cdc_wdm"
+    "uvcvideo"
+    "btusb"
+    "xhci_pci"
+    "cdc_ether"
+    "uas"
+  ];
+in {
+  hardware.opinionatedDisk = {
+    enable = true;
+    encrypted = false;
+    diskId = "virtio-virtio-paeNi8Fof9Oe";
+    earlyDiskIdOverride  = "ata-INTEL_SSDSC2KB019TZ_PHYI315001FW1P9DGN";
+  };
+
+  boot.initrd.kernelModules = stage1Modules;
+}
--- a/nix/os/devices/sj-srv1/system.nix
+++ b/nix/os/devices/sj-srv1/system.nix
@ -0,0 +1,125 @@
+{ pkgs
+, lib
+, config
+, repoFlake
+, nodeName
+, ...
+}:
+
+{
+  imports = [
+    ../../snippets/systemd-resolved.nix
+  ];
+
+  networking.firewall.enable = true;
+  networking.nftables.enable = true;
+
+  networking.firewall.allowedTCPPorts = [
+    # iperf3
+    5201
+  ];
+
+  networking.firewall.logRefusedConnections = false;
+
+  networking.usePredictableInterfaceNames = false;
+
+  networking.useNetworkd = true;
+  networking.useDHCP = true;
+
+  networking.nat = {
+    enable = true;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "eth0";
+  };
+
+  # virtualization
+  virtualisation = { docker.enable = false; };
+
+  nix.gc = { automatic = true; };
+
+  sops.secrets.restic-password.sopsFile = ../../../../secrets/${nodeName}/secrets.yaml;
+
+  # adapted from https://github.com/lilyinstarlight/foosteros/blob/5c75ded111878970fd4f600c7adc013f971d5e71/config/restic.nix
+  services.restic.backups.${nodeName} =
+    let
+      btrfs = "${pkgs.btrfs-progs}/bin/btrfs";
+    in
+    {
+      initialize = true;
+      repository = "sftp://u217879-sub3@u217879-sub3.your-storagebox.de:23/restic/${nodeName}";
+
+      paths = [
+        "/backup"
+      ];
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-monthly 12"
+        "--keep-yearly 2"
+      ];
+
+      timerConfig = {
+        OnCalendar = lib.mkDefault "daily";
+        Persistent = true;
+      };
+
+      passwordFile = config.sops.secrets.restic-password.path;
+
+      backupPrepareCommand = ''
+        ${btrfs} su snapshot -r /var/lib/container-volumes /backup/container-volumes
+      '';
+      backupCleanupCommand = ''
+        ${btrfs} su delete /backup/container-volumes
+      '';
+    };
+
+  containers = {
+    mailserver = import ../../containers/mailserver.nix {
+      inherit repoFlake;
+
+      autoStart = true;
+
+      hostAddress = "192.168.100.10";
+      localAddress = "192.168.100.11";
+
+      imapsPort = 993;
+      sievePort = 4190;
+    };
+
+    webserver =
+      import ../../containers/webserver.nix
+        {
+          inherit repoFlake;
+
+          autoStart = true;
+
+          hostAddress = "192.168.100.12";
+          localAddress = "192.168.100.13";
+
+          httpPort = 80;
+          httpsPort = 443;
+        };
+
+    syncthing = import ../../containers/syncthing.nix {
+      autoStart = true;
+
+      hostAddress = "192.168.100.14";
+      localAddress = "192.168.100.15";
+
+      syncthingPort = 22000;
+    };
+  };
+
+  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
+    inherit pkgs;
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "22.11"; # Did you read the comment?
+}
--- a/nix/os/devices/sj-vps-htz0/system.nix
+++ b/nix/os/devices/sj-vps-htz0/system.nix
@ -95,40 +95,7 @@ in
  nix.gc = { automatic = true; };

  containers = {
-    mailserver = import ../../containers/mailserver.nix {
-      inherit repoFlake;

-      autoStart = true;
-
-      hostAddress = "192.168.100.10";
-      localAddress = "192.168.100.11";
-
-      imapsPort = 993;
-      sievePort = 4190;
-    };
-
-    webserver =
-      import ../../containers/webserver.nix
-        {
-          inherit repoFlake;
-
-          autoStart = true;
-
-          hostAddress = "192.168.100.12";
-          localAddress = "192.168.100.13";
-
-          httpPort = 80;
-          httpsPort = 443;
-        };
-
-    syncthing = import ../../containers/syncthing.nix {
-      autoStart = true;
-
-      hostAddress = "192.168.100.14";
-      localAddress = "192.168.100.15";
-
-      syncthingPort = 22000;
-    };
  };

  home-manager.users.steveej = import ../../../home-manager/configuration/text-minimal.nix {
--- a/secrets/sj-srv1/secrets.yaml
+++ b/secrets/sj-srv1/secrets.yaml
@ -0,0 +1,38 @@
+#ENC[AES256_GCM,data:NJd2BaOWeCr6IER0GSL4OrnABI65kMLg0ft0auq4gazQJ+40vYKwN7pMimXnhQrIsax01pQocF0x0R9we0i/dbE=,iv:OlqfIRF9FtZVHT4QzjQuKCMbVaA+ei7PE9QvbyWj9OA=,tag:8uPJVrva06SUg0DQ26mNow==,type:comment]
+passwords-root: ENC[AES256_GCM,data:mDQXWfH3zcvIifhmFdB5rfuiImHLX0Wb2WuR5Jb4lBII72AN9sEy436nHKLHdDHYDgzBkTHXDz63SfK28GEckJJKXHPcKuYl/g==,iv:M8tcUyUVuYAIesuGxQHQ/JRDlzeklTBAVgD1oBzsbVM=,tag:E8g5Qo1zAJkCvNPDeAv7pw==,type:str]
+restic-password: ENC[AES256_GCM,data:0cTVlqHCW/xCk7y3ikh0RtVk/5xFOrcrnQmMbIBtfOd7PYbiTUzwBtYXwOaXO4ob7/+KJUEwhl5TzX/Of1J+y7ML7JbpNPtLr8r0gzDYOvBPY5GlmkDGcorz7QTaomuDprJkoD06lJWme/L893u7rxwamF222D2JvGz5FfTuWfaRWb1PcehBkew89gjdAgqFJJwqlX1vwvQDPg6yj+vnk9ZqR/E967bbQeN/G/qGJ9xfVmeuOPYoZH2IrL0Zgif/FLqZWZtlJ1JnRUBXsVN6FZXfT1Q82euLPOpaUHrFJjAF26PuTwVreIjcBLX3wqc8vhAYWfc+RThS3ITwNdNTSA==,iv:KBqME0cqIIX15xPgKi5mBalk01tswj8xVd8rFETX9zU=,tag:V6KltIGVarWXP1R5lY2FAw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18dmqd7r7fanrfmdxsvwgv9psvhs3hw5ydpvw0na0dv3dlrg4rs3q2wpvgv
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOFB4VWUyT1pqVWF6b01v
+            ZmEyeG0zSjRsWTRkWW9FUmtUWlNiS3VTN2dNClcvQitVUDk1d3oxTnErRG1wZmpL
+            dHlkZnE2VlVUOGMyeW0xNmo5OHdmbmcKLS0tIFlnbXNvUWRPWGI2KzkrMW01Y0E2
+            czdzaWhBRWJyb0pBSnphamZVZDgyMDAKjTYixgD7CzJImvPFRYJKJXefXqxSA6I0
+            iOyW6E++Ax0MsYll77sR9eMNMgPCromY3uzKVJe640HKY/E1cLoi0Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-19T20:25:37Z"
+    mac: ENC[AES256_GCM,data:gAn4HAJRiejixDApIBZD87JjHLyOnC9LvYR0E4oDa0GVu6/BLVNbie0zG1TdnYl4LAuLa0rf4gkSDCLNvjkBGesGb7oez06WAHJd3VAK6wyFYxQSxKA8U5OZu8nozciuatTCvc/JL1ZjxxGlDFDSHSP2m1PsB6br2e0g8oL1vJw=,iv:7rOU6w+Ly+OYEnF5SikijEpauMp5lhTae74zDi2vF+U=,tag:EURfxNbEe4ZLFF4l19EzFA==,type:str]
+    pgp:
+        - created_at: "2023-08-11T16:31:41Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcBMA0SHG/zF3227AQf+ONiHDN6/hgu1g4WBaQOtAd3tnruoG+O9pbv/IIR86T3n
+            TIQElcQNsWJpHpoTeXB9G+H3HPh1f3z95tdHwQZOD78HpP0B7sOqx/KUOSJqTkC7
+            R8jsuAxrIpidr9MIxAypsK5UE3SnZodf6E0IhWR5H26oWXtKPRd2TIBEMwbJZ4dZ
+            JLZ1D1pYIrJfNez1SP9r8SBMaKJgxLn65sFzonj8j6C+8CpStun2ykLfflsoQzXP
+            kiCzxG/IR9fA7fyq38h+QdeQgcX7/kyhC/g1tnfDoZRjmcS7gA2yI9Dlxr08cOvy
+            0Dbruq0tykU0isHSPQHgKQpX/7PD5aV3mXTyvNyzEtJRASftwq7H5sDJXvAXWLMT
+            eKfUnGyPanQqVNA/jAPhOj/tAIVQZbL4UIPOlT6REfxmNk9tl7JSDhMJzKAEdkk7
+            C5Jot9exml6467YZkApBm0eM
+            =HulH
+            -----END PGP MESSAGE-----
+          fp: 6F7069FE6B96E894E60EC45C6EEFA706CB17E89B
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3