This commit is contained in:
Rachel Lambda Samuelsson 2024-05-31 10:36:14 +02:00
parent 9a451889a3
commit b81084b65c
6 changed files with 171 additions and 19 deletions


@ -95,6 +95,24 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
@ -204,10 +222,32 @@
"type": "github"
}
},
"rachelcafe": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1705262863,
"narHash": "sha256-gAn/k4uHl+qiZY3l4gtQd4RZ/QJSSYCqrDu/9JdzTMo=",
"ref": "refs/heads/master",
"rev": "b01d01e7b5e43424440dba2f732610710698e8e6",
"revCount": 88,
"type": "git",
"url": "https://githug.xyz/rachel/rachel.cafe"
},
"original": {
"type": "git",
"url": "https://githug.xyz/rachel/rachel.cafe"
}
},
"root": {
"inputs": {
"nixos-config": "nixos-config",
"nixpkgs": "nixpkgs_3"
"nixpkgs": "nixpkgs_3",
"rachelcafe": "rachelcafe"
}
},
"slippi-desktop": {
@ -259,6 +299,21 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",


@ -4,9 +4,11 @@
inputs = {
nixpkgs.url = "github:NixOs/nixpkgs/nixos-23.11";
nixos-config.url = "git+https://githug.xyz/rachel/nixos-config";
rachelcafe.url = "git+https://githug.xyz/rachel/rachel.cafe";
rachelcafe.inputs.nixpkgs.follows = "nixpkgs";
};
outputs = { self, nixpkgs, nixos-config, ... }:
outputs = inputs@{ self, nixpkgs, nixos-config, rachelcafe, ... }:
let nix-config-module =
{
nix.registry.nixpkgs.flake = nixpkgs;
@ -26,8 +28,7 @@
];
};
};
keyboard-module =
{
keyboard-module = {
console = {
useXkbConfig = true;
};
@ -47,8 +48,9 @@
modules = [
nix-config-module
keyboard-module
(import ./host.nix state-version {
(import ./host.nix {
pkgs = nixpkgs.legacyPackages.x86_64-linux;
inherit inputs state-version;
})
];
in {


@ -1,5 +1,9 @@
state-version: { pkgs, ... }:
let lib = import ./lib.nix { inherit pkgs; };
{ pkgs, state-version, inputs, ... }:
let hostVolumeDir = "/var/lib/container-storage/";
hostBackupDir = "/mnt/backup";
lib = import ./lib.nix { inherit pkgs; } // inputs // {
inherit hostVolumeDir hostBackupDir;
};
services = with builtins;
let services_no_ip =
map (s: import (./services + "/${s}") { inherit pkgs lib; })
@ -10,7 +14,6 @@ let lib = import ./lib.nix { inherit pkgs; };
secrets = import ./secrets/secrets.nix;
hostIp = "10.10.0.1";
hostVolumeDir = "/var/lib/container-storage/";
in
{
@ -23,7 +26,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
privateNetwork = true;
hostAddress = hostIp;
localAddress = ip;
bindMounts = lib.flatMap (volume@{ name, mountPoint }:
bindMounts = lib.flatMap (volume@{ name, mountPoint, ... }:
{
"${name}" = {
inherit mountPoint;
@ -79,6 +82,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedOptimisation = true;
virtualHosts =
lib.flatMap ({ ports, hosts, ip, ... }:
lib.flatMap (host:
@ -86,6 +90,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
then {}
else {
"${host}" = {
# enableACME = true;
locations."/".proxyPass =
"http://${ip}:${builtins.toString ports.http}";
};
@ -132,6 +137,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
# [SOFTWARE]
programs.bash.interactiveShellInit = ''
set -o vi
alias doas=sudo
'';
# [NIX]
@ -147,8 +153,47 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
};
};
security.sudo.enable = false;
security.doas.enable = true;
# [BACKUPS]
systemd = {
timers.backup-container-storage = {
enable = true;
description = "Backup container volumes";
wantedBy = ["multi-user.target"];
timerConfig = {
OnCalendar = "*-*-* 02:00:00";
Unit = "backup-container-storage.service";
};
};
services.backup-container-storage = {
description = "Backup container volumes";
startLimitBurst = 1;
startLimitIntervalSec = 1800;
script = with builtins; let
volumes = concatMap (s: s.volumes) services;
backupVolumes = filter (v: if v ? backup then v.backup else true) volumes;
backupMountpoints = map (v: hostVolumeDir + v.name) backupVolumes;
in ''
PATH="$PATH:${pkgs.lib.makeBinPath [
pkgs.gnutar
pkgs.gzip
]}"
mountpoint ${hostBackupDir} || {
echo "${hostBackupDir} is not a mountpoint!"
exit 7
}
echo "Starting Backup"
# 7 days of backups
rm -rf ${hostBackupDir}/backup.7.tgz
for x in $(seq 6); do
mv "${hostBackupDir}/backup.$x.tgz" "${hostBackupDir}/backup.$((x+1)).tgz"
done
tar -zcvpf ${hostBackupDir}/backup.1.tgz ${toString backupMountpoints}
'';
};
};
# [SECURITY]
security.sudo.execWheelOnly = true;
system.stateVersion = state-version;
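Review bot: The rotation loop at `for x in $(seq 6); do` walks upward, so the first `mv` renames backup.1 to backup.2 and every later iteration moves that same file again, leaving only backup.7 plus the new backup.1 instead of the seven generations the comment promises; the loop has to count down (`seq 6 -1 1`). The `mv` also fails whenever backup.$x.tgz does not exist yet, and since NixOS service scripts run under `set -e` that aborts the script before `tar` runs, so a fresh /mnt/backup would never receive a first backup. The archive is written with whatever umask the unit inherits and contains the gitea and postgres volumes, so a `umask 077` (or `serviceConfig.UMask`) before `tar` keeps the tarball from being world-readable on the backup mount. `mountpoint` comes from util-linux, which the PATH line built from gnutar and gzip does not add; if it is absent the guard exits 7 instead of backing up. The enclosing attribute set continues past the end of this hunk.
```nix
          PATH="$PATH:${pkgs.lib.makeBinPath [
            pkgs.gnutar
            pkgs.gzip
            pkgs.util-linux
          ]}"
          umask 077
          # … unchanged: mountpoint check and "Starting Backup" echo …
          # 7 days of backups, rotate oldest first so nothing is clobbered
          rm -rf ${hostBackupDir}/backup.7.tgz
          for x in $(seq 6 -1 1); do
            if [ -e "${hostBackupDir}/backup.$x.tgz" ]; then
              mv "${hostBackupDir}/backup.$x.tgz" "${hostBackupDir}/backup.$((x+1)).tgz"
            fi
          done
          # … unchanged: tar command …
```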


@ -9,7 +9,7 @@
database = {
type = "postgres";
host = "postgres.containers";
port = 3306;
port = 5432;
name = "gitea";
user = "gitea";
createDatabase = false;

31
services/nfs.nix Normal file

@ -0,0 +1,31 @@
{ pkgs, lib, ... }:
{
name = "gitea";
config = {
services.nfs.server = {
enable = true;
createMountPoints = true;
exports = ''
/srv/nfs/music 192.168.0.0/16(rw,sync,no_subtree_check) *(ro,sync,no_subtree_check)
'';
};
};
ports = {
tcp = [ 111 2049 ];
udp = [ 111 2049 ];
http = null;
forward = [
{ container = 111; host = 111; proto = "tcp"; }
{ container = 111; host = 111; proto = "udp"; }
{ container = 2049; host = 2049; proto = "tcp"; }
{ container = 2049; host = 2049; proto = "udp"; }
];
};
hosts = [];
volumes = [{
name = "nfs";
mountPoint = "/srv/nfs/";
readOnly = false;
backup = false;
}];
}
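Review bot: `name = "gitea";` on the third line of the new file looks copied from the gitea service; host.nix destructures `name` from every service (`{ name, config, ip, ports, volumes, ... }`), presumably as the container key, so two services named gitea will collide and this should read `name = "nfs";`. The exports line grants `*(ro,sync,no_subtree_check)` to any client, and 111 and 2049 are forwarded from the host on both tcp and udp, so the music share is readable by anything that can reach those host ports; scope the read-only entry to the intended networks unless anonymous access is the goal. If NFSv3 clients are expected, mountd, statd and lockd need fixed ports and forwards as well — only 2049 is enough for NFSv4 — which is worth a comment on `ports`, e.g. `# NFSv4 only: v3 would also need mountd/statd/lockd ports forwarded`.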


@ -4,26 +4,45 @@
services.postgresql = {
enable = true;
enableTCPIP = true;
port = 3306;
port = 5432;
ensureDatabases = [ "gitea" ];
ensureUsers = [{
ensureUsers = [
{
name = "gitea";
ensureDBOwnership = true;
}];
}
{
name = "root";
ensureClauses.superuser = true;
}
];
authentication = ''
host all all 10.10.0.0/16 trust
host all gitea 10.10.0.0/16 trust
local all root trust
'';
};
services.postgresqlBackup = {
enable = true;
backupAll = true;
compression = "gzip";
compressionLevel = 9;
};
};
ports = {
tcp = [ 3306 ];
tcp = [ 5432 ];
udp = [];
http = null;
forward = [];
};
hosts = [ ];
volumes = [{
volumes = [
{
name = "postgres-storage";
mountPoint = "/var/lib/postgresql";
}];
}
{
name = "postgres-backup";
mountPoint = "/var/backup/postgresql";
}
];
}
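Review bot: The new `postgres-backup` volume holds the dumps from `services.postgresqlBackup`, but `postgres-storage` still lacks `backup = false;`, so the nightly tar job in host.nix (which only skips volumes with `backup = false`) also archives the live data directory, which is both redundant and not a consistent snapshot; add `backup = false;` to the `postgres-storage` entry. The `authentication` block still uses `trust` for `gitea` from the whole 10.10.0.0/16 container network, so any container on that range can open the gitea database without credentials; a `scram-sha-256` entry with a password taken from the secrets file host.nix already imports, or narrowing the CIDR to the gitea container's address, would close that. `local all root trust` is only reachable over the Unix socket inside the container, a smaller exposure, but a comment stating that intent (`# socket-only superuser access for maintenance`) would stop it from being widened by accident.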