From b81084b65cd62d9df1e4ef51ec0603147ce5fb0f Mon Sep 17 00:00:00 2001
From: Rachel Lambda Samuelsson
Date: Fri, 31 May 2024 10:36:14 +0200
Subject: [PATCH] backups
---
 flake.lock | 57 ++++++++++++++++++++++++++++++++++++++++++-
 flake.nix | 10 +++++---
 host.nix | 57 ++++++++++++++++++++++++++++++++++++++-----
 services/gitea.nix | 2 +-
 services/nfs.nix | 31 +++++++++++++++++++++++
 services/postgres.nix | 33 +++++++++++++++++++------
 6 files changed, 171 insertions(+), 19 deletions(-)
 create mode 100644 services/nfs.nix
diff --git a/flake.lock b/flake.lock
index 8762653..7a010a3 100644
--- a/flake.lock
+++ b/flake.lock
@@ -95,6 +95,24 @@
 "type": "github"
 }
 },
+ "flake-utils_3": {
+ "inputs": {
+ "systems": "systems_2"
+ },
+ "locked": {
+ "lastModified": 1701680307,
+ "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
 "home-manager": {
 "inputs": {
 "nixpkgs": [
@@ -204,10 +222,32 @@
 "type": "github"
 }
 },
+ "rachelcafe": {
+ "inputs": {
+ "flake-utils": "flake-utils_3",
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1705262863,
+ "narHash": "sha256-gAn/k4uHl+qiZY3l4gtQd4RZ/QJSSYCqrDu/9JdzTMo=",
+ "ref": "refs/heads/master",
+ "rev": "b01d01e7b5e43424440dba2f732610710698e8e6",
+ "revCount": 88,
+ "type": "git",
+ "url": "https://githug.xyz/rachel/rachel.cafe"
+ },
+ "original": {
+ "type": "git",
+ "url": "https://githug.xyz/rachel/rachel.cafe"
+ }
+ },
 "root": {
 "inputs": {
 "nixos-config": "nixos-config",
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_3",
+ "rachelcafe": "rachelcafe"
 }
 },
 "slippi-desktop": {
@@ -259,6 +299,21 @@
 "repo": "default",
 "type": "github"
 }
+ },
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
 }
 },
 "root": "root",
diff --git a/flake.nix b/flake.nix
index ce5a634..416e507 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,9 +4,11 @@
 inputs = {
 nixpkgs.url = "github:NixOs/nixpkgs/nixos-23.11";
 nixos-config.url = "git+https://githug.xyz/rachel/nixos-config";
+ rachelcafe.url = "git+https://githug.xyz/rachel/rachel.cafe";
+ rachelcafe.inputs.nixpkgs.follows = "nixpkgs";
 };
- outputs = { self, nixpkgs, nixos-config, ... }:
+ outputs = inputs@{ self, nixpkgs, nixos-config, rachelcafe, ... }:
 let
 nix-config-module = {
 nix.registry.nixpkgs.flake = nixpkgs;
@@ -26,8 +28,7 @@
 ];
 };
 };
- keyboard-module =
- {
+ keyboard-module = {
 console = {
 useXkbConfig = true;
 };
@@ -47,8 +48,9 @@
 modules = [
 nix-config-module
 keyboard-module
- (import ./host.nix state-version {
+ (import ./host.nix {
 pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ inherit inputs state-version;
 })
 ];
 in {
diff --git a/host.nix b/host.nix
index bbf306d..88c306e 100644
--- a/host.nix
+++ b/host.nix
@@ -1,5 +1,9 @@
-state-version: { pkgs, ... }:
-let lib = import ./lib.nix { inherit pkgs; };
+{ pkgs, state-version, inputs, ... }:
+let hostVolumeDir = "/var/lib/container-storage/";
+ hostBackupDir = "/mnt/backup";
+ lib = import ./lib.nix { inherit pkgs; } // inputs // {
+ inherit hostVolumeDir hostBackupDir;
+ };
 services = with builtins; let services_no_ip = map (s: import (./services + "/${s}") { inherit pkgs lib; })
@@ -10,7 +14,6 @@ let lib = import ./lib.nix { inherit pkgs; };
 secrets = import ./secrets/secrets.nix;
 hostIp = "10.10.0.1";
- hostVolumeDir = "/var/lib/container-storage/";
 in {
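Review bot: Merging the whole flake `inputs` set into `lib` (`lib = import ./lib.nix { inherit pkgs; } // inputs // { … }`) means any helper that lib.nix defines under the same name as an input — `self`, `nixpkgs`, `nixos-config`, `rachelcafe`, or any input added later — is silently overridden by the `//`, and services receive the flake inputs under a name that suggests they are library functions. Keeping the inputs under their own key avoids that, e.g. `lib = import ./lib.nix { inherit pkgs; } // { inherit inputs hostVolumeDir hostBackupDir; };`, with consumers reading `lib.inputs.rachelcafe`; which services consume the inputs is not visible in this hunk, so that rename would need to follow there. The `let` block this hunk opens continues past the hunk.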
@@ -23,7 +26,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
 privateNetwork = true;
 hostAddress = hostIp;
 localAddress = ip;
- bindMounts = lib.flatMap (volume@{ name, mountPoint }:
+ bindMounts = lib.flatMap (volume@{ name, mountPoint, ... }:
 {
 "${name}" = {
 inherit mountPoint;
@@ -79,6 +82,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
 services.nginx = {
 enable = true;
 recommendedProxySettings = true;
+ recommendedOptimisation = true;
 virtualHosts = lib.flatMap ({ ports, hosts, ip, ... }:
 lib.flatMap (host:
@@ -86,6 +90,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
 then {}
 else {
 "${host}" = {
+ # enableACME = true;
 locations."/".proxyPass = "http://${ip}:${builtins.toString ports.http}";
 };
@@ -132,6 +137,7 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
 # [SOFTWARE]
 programs.bash.interactiveShellInit = ''
 set -o vi
+ alias doas=sudo
 '';
 # [NIX]
@@ -147,8 +153,47 @@ lib.flatMap ({ name, config, ip, ports, volumes, ... }:
 };
 };
- security.sudo.enable = false;
- security.doas.enable = true;
+ # [BACKUPS]
+ systemd = {
+ timers.backup-container-storage = {
+ enable = true;
+ description = "Backup container volumes";
+ wantedBy = ["multi-user.target"];
+ timerConfig = {
+ OnCalendar = "*-*-* 02:00:00";
+ Unit = "backup-container-storage.service";
+ };
+ };
+ services.backup-container-storage = {
+ description = "Backup container volumes";
+ startLimitBurst = 1;
+ startLimitIntervalSec = 1800;
+ script = with builtins; let
+ volumes = concatMap (s: s.volumes) services;
+ backupVolumes = filter (v: if v ? backup then v.backup else true) volumes;
+ backupMountpoints = map (v: hostVolumeDir + v.name) backupVolumes;
+ in ''
+ PATH="$PATH:${pkgs.lib.makeBinPath [
+ pkgs.gnutar
+ pkgs.gzip
+ ]}"
+ mountpoint ${hostBackupDir} || {
+ echo "${hostBackupDir} is not a mountpoint!"
+ exit 7
+ }
+ echo "Starting Backup"
+ # 7 days of backups
+ rm -rf ${hostBackupDir}/backup.7.tgz
+ for x in $(seq 6); do
+ mv "${hostBackupDir}/backup.$x.tgz" "${hostBackupDir}/backup.$((x+1)).tgz"
+ done
+ tar -zcvpf ${hostBackupDir}/backup.1.tgz ${toString backupMountpoints}
+ '';
+ };
+ };
+
+ # [SECURITY]
+ security.sudo.execWheelOnly = true;
 system.stateVersion = state-version;
diff --git a/services/gitea.nix b/services/gitea.nix
index c95b486..5bc3f06 100644
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -9,7 +9,7 @@
 database = {
 type = "postgres";
 host = "postgres.containers";
- port = 3306;
+ port = 5432;
 name = "gitea";
 user = "gitea";
 createDatabase = false;
diff --git a/services/nfs.nix b/services/nfs.nix
new file mode 100644
index 0000000..874097c
--- /dev/null
+++ b/services/nfs.nix
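Review bot: The rotation loop in the backup script shifts the archives in the wrong direction: `for x in $(seq 6); do` moves backup.1 to backup.2 first, then that same file on to backup.3, and so on, so after one pass backup.7.tgz holds what was backup.1.tgz and backup.2 through backup.6 are gone — two generations survive instead of seven. Counting down and skipping generations that do not exist yet fixes both that and the first run on an empty `/mnt/backup`, where `mv` of a missing backup.1.tgz fails before `tar` runs if the `script` wrapper executes under `bash -e` as it does in the NixOS releases I know (worth confirming on this pin). Two smaller points on the same unit: `mountpoint` comes from util-linux, which I do not believe is on a unit's default PATH, so adding `pkgs.util-linux` to the `makeBinPath` list makes the guard fail with its intended message rather than "command not found"; and because the archive holds every container volume (database files, gitea state), a `umask 077` before `tar` keeps backup.1.tgz from being created world-readable under the service's default umask. The `security.sudo.execWheelOnly` line stands in for the removed doas settings; the enclosing attribute set continues outside the hunk.

```nix
          # … unchanged: PATH setup and mountpoint guard …
          echo "Starting Backup"
          # 7 days of backups, rotated oldest-first so each generation moves exactly once
          umask 077
          rm -f ${hostBackupDir}/backup.7.tgz
          for x in $(seq 6 -1 1); do
            if [ -e "${hostBackupDir}/backup.$x.tgz" ]; then
              mv "${hostBackupDir}/backup.$x.tgz" "${hostBackupDir}/backup.$((x+1)).tgz"
            fi
          done
          tar -zcvpf ${hostBackupDir}/backup.1.tgz ${toString backupMountpoints}
```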
@@ -0,0 +1,31 @@
+{ pkgs, lib, ... }:
+{
+ name = "gitea";
+ config = {
+ services.nfs.server = {
+ enable = true;
+ createMountPoints = true;
+ exports = ''
+ /srv/nfs/music 192.168.0.0/16(rw,sync,no_subtree_check) *(ro,sync,no_subtree_check)
+ '';
+ };
+ };
+ ports = {
+ tcp = [ 111 2049 ];
+ udp = [ 111 2049 ];
+ http = null;
+ forward = [
+ { container = 111; host = 111; proto = "tcp"; }
+ { container = 111; host = 111; proto = "udp"; }
+ { container = 2049; host = 2049; proto = "tcp"; }
+ { container = 2049; host = 2049; proto = "udp"; }
+ ];
+ };
+ hosts = [];
+ volumes = [{
+ name = "nfs";
+ mountPoint = "/srv/nfs/";
+ readOnly = false;
+ backup = false;
+ }];
+}
diff --git a/services/postgres.nix b/services/postgres.nix
index 674d99c..2dfa49a 100644
--- a/services/postgres.nix
+++ b/services/postgres.nix
@@ -4,26 +4,45 @@
 services.postgresql = {
 enable = true;
 enableTCPIP = true;
- port = 3306;
+ port = 5432;
 ensureDatabases = [ "gitea" ];
- ensureUsers = [{
+ ensureUsers = [
+ {
 name = "gitea";
 ensureDBOwnership = true;
- }];
+ }
+ {
+ name = "root";
+ ensureClauses.superuser = true;
+ }
+ ];
 authentication = ''
- host all all 10.10.0.0/16 trust
+ host all gitea 10.10.0.0/16 trust
+ local all root trust
 '';
 };
+ services.postgresqlBackup = {
+ enable = true;
+ backupAll = true;
+ compression = "gzip";
+ compressionLevel = 9;
+ };
 };
 ports = {
- tcp = [ 3306 ];
+ tcp = [ 5432 ];
 udp = [];
 http = null;
 forward = [];
 };
 hosts = [ ];
- volumes = [{
+ volumes = [
+ {
 name = "postgres-storage";
 mountPoint = "/var/lib/postgresql";
- }];
+ }
+ { name = "postgres-backup";
+ mountPoint = "/var/backup/postgresql";
+ }
+ ];
 }
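Review bot: `name = "gitea";` in the new services/nfs.nix looks like a copy-paste leftover: everything else in the file calls this service nfs (the volume name, the mount point), and if services/gitea.nix also declares `name = "gitea"` the two entries collide wherever host.nix keys on the name — the container definition and the per-volume bindMounts visible in the earlier hunk — so it should read `name = "nfs";`. Separately, the export line grants `*(ro,sync,no_subtree_check)`, read-only access to /srv/nfs/music from any client, and the forward list publishes 111/2049 on the host, so unless something upstream of the host filters them the share is reachable from wherever the host is; if only the 192.168.0.0/16 clients are intended, drop the `*` entry, and consider whether the forwards can be bound to an internal interface. `readOnly = false;` and `backup = false;` are new volume keys that the host-side destructuring now tolerates via `...`, but whether readOnly is honoured is not visible from this diff.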
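Review bot: With `services.postgresqlBackup` now writing dumps into the postgres-backup volume, the host backup job still archives the live `postgres-storage` data directory as well, because that entry has no `backup = false;` and the host job treats a missing key as true; tar of a running cluster's data files is not a consistent snapshot and is redundant next to the dump, so add `backup = false;` to the postgres-storage entry. On authentication, narrowing `host all all` to `host all gitea 10.10.0.0/16 trust` is an improvement, but it still lets any host in that /16 that can reach 5432 log in as gitea without a credential; if other containers share that network, `scram-sha-256` with a password in the gitea config, or restricting the CIDR to the gitea container's address, closes that. The new `root` superuser with `local all root trust` is only reachable over the unix socket inside the container, which is acceptable, though if it exists solely for the backup job note that the NixOS backup service runs as the postgres role and should not need it — worth confirming. The default postgresqlBackup schedule, if left unchanged, runs before the 02:00 host job, so the dump should be fresh when it is archived.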