From 49c21fe740cb46609c50483e5d3691595dd52f14 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 02:58:37 +0200 Subject: [PATCH 01/25] dns: add trinkgenossin, delite, blue-shell --- terraform/dns.tf | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/terraform/dns.tf b/terraform/dns.tf index e20c284..f30dee1 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -59,6 +59,36 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "49.13.236.167" } + record { + hostname = "trinkgenossin" + type = "A" + address = "85.215.152.22" + } + record { + hostname = "trinkgenossin" + type = "AAAA" + address = "2a01:239:35d:f500::1" + } + record { + hostname = "delite" + type = "A" + address = "5.255.119.132" + } + record { + hostname = "delite" + type = "AAAA" + address = "2a04:52c0:124:9d8c::2" + } + record { + hostname = "blue-shell" + type = "A" + address = "194.13.83.205" + } + record { + hostname = "blue-shell" + type = "AAAA" + address = "2a03:4000:43:24e::1" + } record { hostname = "auth" type = "CNAME" From ca8e578b118f8b441918e45f192d799532ffb066 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:00:01 +0200 Subject: [PATCH 02/25] hosts: init trinkgenossin --- hosts/default.nix | 15 +++++ hosts/trinkgenossin/configuration.nix | 37 ++++++++++++ hosts/trinkgenossin/default.nix | 12 ++++ .../trinkgenossin/hardware-configuration.nix | 56 +++++++++++++++++++ hosts/trinkgenossin/networking.nix | 15 +++++ 5 files changed, 135 insertions(+) create mode 100644 hosts/trinkgenossin/configuration.nix create mode 100644 hosts/trinkgenossin/default.nix create mode 100644 hosts/trinkgenossin/hardware-configuration.nix create mode 100644 hosts/trinkgenossin/networking.nix diff --git a/hosts/default.nix b/hosts/default.nix index af64b84..903a532 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -87,6 +87,21 @@ self.nixosModules.promtail ]; }; + + trinkgenossin = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.nixosModules.home-manager + ./trinkgenossin + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + #self.nixosModules.prometheus-exporters + #self.nixosModules.promtail + + self.nixosModules.garage + ]; + }; }; }; } diff --git a/hosts/trinkgenossin/configuration.nix b/hosts/trinkgenossin/configuration.nix new file mode 100644 index 0000000..ca20c94 --- /dev/null +++ b/hosts/trinkgenossin/configuration.nix @@ -0,0 +1,37 @@ +{ + flake, + config, + lib, + pkgs, + ... +}: +{ + boot.loader.grub.enable = true; + boot.loader.grub.devices = ["/dev/vda"]; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + services.openssh.openFirewall = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/trinkgenossin/default.nix b/hosts/trinkgenossin/default.nix new file mode 100644 index 0000000..845d466 --- /dev/null +++ b/hosts/trinkgenossin/default.nix @@ -0,0 +1,12 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/trinkgenossin/hardware-configuration.nix b/hosts/trinkgenossin/hardware-configuration.nix new file mode 100644 index 0000000..c4ee45e --- /dev/null +++ b/hosts/trinkgenossin/hardware-configuration.nix @@ -0,0 +1,56 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ ]; + + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + boot.initrd.luks.devices."cryptroot" = { + device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a"; + }; + + fileSystems."/" = { + device = "/dev/disk/by-label/nixos"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-label/boot"; + fsType = "ext4"; + }; + + fileSystems."/var/lib/garage/data" = { + device = "/dev/disk/by-label/data"; + fsType = "xfs"; + }; + + fileSystems."/var/lib/garage/meta" = { + device = "/dev/disk/by-label/metadata"; + fsType = "btrfs"; + }; + + swapDevices = [ + { device = "/dev/disk/by-label/swap"; } + ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + virtualisation.hypervGuest.enable = true; +} diff --git a/hosts/trinkgenossin/networking.nix b/hosts/trinkgenossin/networking.nix new file mode 100644 index 0000000..aa9a378 --- /dev/null +++ b/hosts/trinkgenossin/networking.nix @@ -0,0 +1,15 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + services.garage.settings.rpc_public_addr = "[2a01:239:35d:f500::1]:3901"; + + networking.hostName = "trinkgenossin"; + networking.hostId = "00000003"; + + networking.enableIPv6 = true; + networking.useDHCP = true; +} From 4ef9781d10ae6def4901ed2158ba5d7c5b4d651f Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:01:11 +0200 Subject: [PATCH 03/25] hosts: init delite --- hosts/default.nix | 16 +++++ hosts/delite/configuration.nix | 35 ++++++++++ hosts/delite/default.nix | 13 ++++ hosts/delite/disk-config.nix | 92 +++++++++++++++++++++++++ hosts/delite/hardware-configuration.nix | 18 +++++ hosts/delite/networking.nix | 26 +++++++ 6 files changed, 200 insertions(+) create mode 100644 hosts/delite/configuration.nix create mode 100644 hosts/delite/default.nix create mode 100644 hosts/delite/disk-config.nix create mode 100644 hosts/delite/hardware-configuration.nix create mode 100644 hosts/delite/networking.nix diff --git a/hosts/default.nix b/hosts/default.nix index 903a532..9a9b7e4 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -102,6 +102,22 @@ self.nixosModules.garage ]; }; + + delite = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.inputs.disko.nixosModules.disko + self.nixosModules.home-manager + ./delite + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + #self.nixosModules.prometheus-exporters + #self.nixosModules.promtail + + self.nixosModules.garage + ]; + }; }; }; } diff --git a/hosts/delite/configuration.nix b/hosts/delite/configuration.nix new file mode 100644 index 0000000..1cfa0ae --- /dev/null +++ b/hosts/delite/configuration.nix @@ -0,0 +1,35 @@ +{ + flake, + config, + pkgs, + ... +}: +{ + boot.loader.grub.enable = true; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + services.openssh.openFirewall = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/delite/default.nix b/hosts/delite/default.nix new file mode 100644 index 0000000..3ac09fd --- /dev/null +++ b/hosts/delite/default.nix @@ -0,0 +1,13 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + ./disk-config.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/delite/disk-config.nix b/hosts/delite/disk-config.nix new file mode 100644 index 0000000..e478b7f --- /dev/null +++ b/hosts/delite/disk-config.nix @@ -0,0 +1,92 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vda"; + content = { + type = "gpt"; + partitions = { + bios = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + boot = { + size = "1G"; + type = "8300"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + extraOpenArgs = [ ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + passwordFile = "/tmp/luks-password"; + content = { + type = "lvm_pv"; + vg = "vg0"; + }; + }; + }; + }; + }; + }; + }; + lvm_vg = { + vg0 = { + type = "lvm_vg"; + lvs = { + root = { + size = "40G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + swap = { + size = "8G"; + content = { + type = "swap"; + }; + }; + data = { + size = "800G"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/var/lib/garage/data"; + mountOptions = [ + "defaults" + ]; + }; + }; + metadata = { + size = "50G"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/var/lib/garage/meta"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/delite/hardware-configuration.nix b/hosts/delite/hardware-configuration.nix new file mode 100644 index 0000000..bfdede7 --- /dev/null +++ b/hosts/delite/hardware-configuration.nix @@ -0,0 +1,18 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ]; + boot.initrd.kernelModules = [ "dm-snapshot" ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/delite/networking.nix b/hosts/delite/networking.nix new file mode 100644 index 0000000..357e3b0 --- /dev/null +++ b/hosts/delite/networking.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + services.garage.settings.rpc_public_addr = "[2a04:52c0:124:9d8c::2]:3901"; + + networking.hostName = "delite"; + networking.hostId = "00000004"; + + networking.useDHCP = false; + systemd.network.enable = true; + systemd.network.networks."10-wan" = { + matchConfig.Name = "ens3"; + address = [ + "5.255.119.132/24" + "2a04:52c0:124:9d8c::2/48" + ]; + gateway = [ + "5.255.119.1" + "2a04:52c0:124::1" + ]; + }; +} From 83b7e3e11e9b713e2fa98b246cdfee0b89b4c917 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:02:15 +0200 Subject: [PATCH 04/25] hosts: init blue-shell --- hosts/blue-shell/configuration.nix | 30 ++++++ hosts/blue-shell/default.nix | 13 +++ hosts/blue-shell/disk-config.nix | 109 ++++++++++++++++++++ hosts/blue-shell/hardware-configuration.nix | 17 +++ hosts/blue-shell/networking.nix | 26 +++++ hosts/default.nix | 16 +++ 6 files changed, 211 insertions(+) create mode 100644 hosts/blue-shell/configuration.nix create mode 100644 hosts/blue-shell/default.nix create mode 100644 hosts/blue-shell/disk-config.nix create mode 100644 hosts/blue-shell/hardware-configuration.nix create mode 100644 hosts/blue-shell/networking.nix diff --git a/hosts/blue-shell/configuration.nix b/hosts/blue-shell/configuration.nix new file mode 100644 index 0000000..07364e5 --- /dev/null +++ b/hosts/blue-shell/configuration.nix @@ -0,0 +1,30 @@ +{ config, lib, pkgs, ... }: +{ + boot.loader.grub.enable = true; + + boot.kernelParams = [ + "boot.shell_on_fail=1" + "ip=dhcp" + ]; + + services.openssh.openFirewall = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "24.05"; # Did you read the comment? +} diff --git a/hosts/blue-shell/default.nix b/hosts/blue-shell/default.nix new file mode 100644 index 0000000..3ac09fd --- /dev/null +++ b/hosts/blue-shell/default.nix @@ -0,0 +1,13 @@ +{ flake, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./configuration.nix + ./disk-config.nix + + ./networking.nix + #./wireguard.nix + #./backups.nix + ]; +} diff --git a/hosts/blue-shell/disk-config.nix b/hosts/blue-shell/disk-config.nix new file mode 100644 index 0000000..9be1ff5 --- /dev/null +++ b/hosts/blue-shell/disk-config.nix @@ -0,0 +1,109 @@ +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = "/dev/vdb"; + content = { + type = "gpt"; + partitions = { + bios = { + size = "1M"; + type = "EF02"; # for grub MBR + }; + boot = { + size = "1G"; + type = "8300"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/boot"; + mountOptions = [ + "defaults" + ]; + }; + }; + luks = { + size = "100%"; + content = { + type = "luks"; + name = "cryptroot"; + extraOpenArgs = [ ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + passwordFile = "/tmp/luks-password"; + content = { + type = "lvm_pv"; + vg = "vg0"; + }; + }; + }; + }; + }; + }; + data = { + type = "disk"; + device = "/dev/vdc"; + content = { + type = "gpt"; + partitions = { + luks = { + size = "100%"; + content = { + type = "luks"; + name = "cryptdata"; + extraOpenArgs = [ ]; + # if you want to use the key for interactive login be sure there is no trailing newline + # for example use `echo -n "password" > /tmp/secret.key` + passwordFile = "/tmp/luks-password"; + content = { + type = "filesystem"; + format = "xfs"; + mountpoint = "/var/lib/garage/data"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; + }; + lvm_vg = { + vg0 = { + type = "lvm_vg"; + lvs = { + root = { + size = "100G"; + content = { + type = "filesystem"; + format = "ext4"; + mountpoint = "/"; + mountOptions = [ + "defaults" + ]; + }; + }; + swap = { + size = "16G"; + content = { + type = "swap"; + }; + }; + metadata = { + size = "50G"; + content = { + type = "filesystem"; + format = "btrfs"; + mountpoint = "/var/lib/garage/meta"; + mountOptions = [ + "defaults" + ]; + }; + }; + }; + }; + }; + }; +} diff --git a/hosts/blue-shell/hardware-configuration.nix b/hosts/blue-shell/hardware-configuration.nix new file mode 100644 index 0000000..d6d2835 --- /dev/null +++ b/hosts/blue-shell/hardware-configuration.nix @@ -0,0 +1,17 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/profiles/qemu-guest.nix") + ]; + + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ ]; + boot.extraModulePackages = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; +} diff --git a/hosts/blue-shell/networking.nix b/hosts/blue-shell/networking.nix new file mode 100644 index 0000000..8aea3d9 --- /dev/null +++ b/hosts/blue-shell/networking.nix @@ -0,0 +1,26 @@ +{ + config, + pkgs, + flake, + ... +}: +{ + services.garage.settings.rpc_public_addr = "[2a03:4000:43:24e::1]:3901"; + + networking.hostName = "blue-shell"; + networking.hostId = "00000005"; + + networking.useDHCP = false; + systemd.network.enable = true; + systemd.network.networks."10-wan" = { + matchConfig.Name = "ens3"; + address = [ + "194.13.83.205/22" + "2a03:4000:43:24e::1/64" + ]; + gateway = [ + "194.13.80.1" + "fe80::1" + ]; + }; +} diff --git a/hosts/default.nix b/hosts/default.nix index 9a9b7e4..0d7fa47 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -118,6 +118,22 @@ self.nixosModules.garage ]; }; + + blue-shell = self.nixos-flake.lib.mkLinuxSystem { + imports = [ + self.inputs.agenix.nixosModules.default + self.inputs.disko.nixosModules.disko + self.nixosModules.home-manager + ./blue-shell + self.nixosModules.overlays + self.nixosModules.unlock-luks-on-boot + self.nixosModules.core + #self.nixosModules.prometheus-exporters + #self.nixosModules.promtail + + self.nixosModules.garage + ]; + }; }; }; } From 9eb746313e2b02916532e407724d6533c1d48b45 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:03:55 +0200 Subject: [PATCH 05/25] flake: add disko https://github.com/nix-community/disko And add hosts to deploy-rs --- flake.lock | 21 +++++++++++++++++++++ flake.nix | 15 +++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/flake.lock b/flake.lock index fd62f67..e2e51fb 100644 --- a/flake.lock +++ b/flake.lock @@ -87,6 +87,26 @@ "type": "github" } }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1724349583, + "narHash": "sha256-zgB1Cfk46irIsto8666yLdKjqKdBrjR48Dd3lhQ0CnQ=", + "owner": "nix-community", + "repo": "disko", + "rev": "435737144be0259559ca3b43f7d72252b1fdcc1b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, "element-stickers": { "inputs": { "maunium-stickerpicker": [ @@ -376,6 +396,7 @@ "inputs": { "agenix": "agenix", "deploy-rs": "deploy-rs", + "disko": "disko", "element-stickers": "element-stickers", "element-themes": "element-themes", "flake-parts": "flake-parts", diff --git a/flake.nix b/flake.nix index b5473e1..6f84843 100644 --- a/flake.nix +++ b/flake.nix @@ -18,6 +18,9 @@ deploy-rs.url = "github:serokell/deploy-rs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; + disko.url = "github:nix-community/disko"; + disko.inputs.nixpkgs.follows = "nixpkgs"; + agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.darwin.follows = "nix-darwin"; @@ -135,6 +138,18 @@ hostname = "tankstelle.wg.pub.solar"; sshUser = username; }; + trinkgenossin = { + #hostname = "trinkgenossin.wg.pub.solar"; + sshUser = username; + }; + delite = { + #hostname = "delite.wg.pub.solar"; + sshUser = username; + }; + blue-shell = { + #hostname = "delite.wg.pub.solar"; + sshUser = username; + }; }; }; }; From 4a3d3ce84b7060b590227d9ed90077ce854725e5 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:05:16 +0200 Subject: [PATCH 06/25] garage: init module --- modules/garage/default.nix | 75 +++++++++++++++++++++++++++++++++ secrets/garage-admin-token.age | 47 +++++++++++++++++++++ secrets/garage-rpc-secret.age | Bin 0 -> 2686 bytes secrets/secrets.nix | 9 ++++ 4 files changed, 131 insertions(+) create mode 100644 modules/garage/default.nix create mode 100644 secrets/garage-admin-token.age create mode 100644 secrets/garage-rpc-secret.age diff --git a/modules/garage/default.nix b/modules/garage/default.nix new file mode 100644 index 0000000..0ee39d4 --- /dev/null +++ b/modules/garage/default.nix @@ -0,0 +1,75 @@ +{ + config, + lib, + pkgs, + flake, + ... +}: +{ + age.secrets."garage-rpc-secret" = { + file = "${flake.self}/secrets/garage-rpc-secret.age"; + mode = "400"; + }; + + age.secrets."garage-admin-token" = { + file = "${flake.self}/secrets/garage-admin-token.age"; + mode = "400"; + }; + + networking.firewall.allowedTCPPorts = [ + 3900 + 3901 + 3902 + ]; + + services.garage = { + enable = true; + package = pkgs.garage_1_0_0; + settings = { + data_dir = "/var/lib/garage/data"; + metadata_dir = "/var/lib/garage/meta"; + db_engine = "lmdb"; + replication_factor = 3; + compression_level = 2; + rpc_bind_addr = "[::]:3901"; + s3_api = { + s3_region = "eu-central"; + api_bind_addr = "[::]:3900"; + root_domain = ".s3.${config.pub-solar-os.networking.domain}"; + }; + s3_web = { + bind_addr = "[::]:3902"; + root_domain = ".web.${config.pub-solar-os.networking.domain}"; + index = "index.html"; + }; + }; + }; + + users.users.garage = { + isSystemUser = true; + home = "/var/lib/garage"; + group = "garage"; + }; + + users.groups.garage = { }; + + # Adapted from https://git.clan.lol/clan/clan-core/src/commit/23a9e35c665ff531fe1193dcc47056432fbbeacf/clanModules/garage/default.nix + # Disabled DynamicUser https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/web-servers/garage.nix + # for mounts + permissions to work + systemd.services.garage = { + serviceConfig = { + user = "garage"; + group = "garage"; + DynamicUser = false; + LoadCredential = [ + "rpc_secret_path:${config.age.secrets.garage-rpc-secret.path}" + "admin_token_path:${config.age.secrets.garage-admin-token.path}" + ]; + Environment = [ + "GARAGE_ALLOW_WORLD_READABLE_SECRETS=true" + "GARAGE_RPC_SECRET_FILE=%d/rpc_secret_path" + "GARAGE_ADMIN_TOKEN_FILE=%d/admin_token_path" + ]; + }; + }; +} diff --git a/secrets/garage-admin-token.age b/secrets/garage-admin-token.age new file mode 100644 index 0000000..a8ed9e9 --- /dev/null +++ b/secrets/garage-admin-token.age @@ -0,0 +1,47 @@ +age-encryption.org/v1 +-> ssh-ed25519 NID4eA MqbdKdPSNLU32j+ZFTT1bmSFk4ZQowSuYcuP/FRtKgs +m0UaJclORGOrQDLIvdIv4Aq4U3XNOet9CzU8pX/pGsI +-> ssh-ed25519 9RQHxg WyTt2Lqd2mRtwsx2PLajmk68IB1yP0DkgXR/xfIMERM +4JaJ+DB97XxOuI2G/qnk+NX8Xv1ruY28NPRl7aUPWEc +-> ssh-ed25519 eP5MMw HUf/aXRbaIEjQFdWpo8vWtNSqzYcQKaNKJ7y+ewMVz0 +6IcRiPufkMLjOV5mSaOBclPmFDVKII/8mqGN7jmfkYk +-> ssh-ed25519 uYcDNw gHg0z1q+4AGZtuMzbV1dZjWojmYNE0JO1ZhMnGqAbR0 +sFE6mIV3ZgRMlsuHFltkC4M+aAhEDzVQQ3rkgiR5GSY +-> ssh-rsa f5THog +BFJZWIMurARpA6XJMlxnDYFUTGCX5gEb6IycqUQbIdu9+91mpDR3WxlJYLLZC3vD +j7e5xFvr4bOXQg56N59k4AD5CnC7CoZld/PqGtP5JqUcoXPFHgq95GzfiuTLedkZ +esPsPvXfdeyqfzcdMhxTz8pO0RRPUk9Xc2wnvHrDyeNO0vS5N+bMsNMvFfRaMZTi +xV2Xl98VFl90+gzuPACN0zpfoEqajcJhPtMqoaOjOzD7sGaAz5UYLAIyOHdh3t9w +DwVorUheXKLqq1kxZRZ5QCC7N+TCbi7x6B5xCezz9hF2vXkzunDh/d7maQG34AXJ +x1sQ4R9dXn778j14RqBBNbsFPDg8WIS4Zs+ypdqev8w+aOhZkcDf5unKQJLdeu3N +W+IUJTN5zFObMX0TXtj0yI7xUSkZKSLuZs43MhdVkNo1YewHalMpKetctnw2Lz+z +ZcDCRLmD91U5BL7xp9KYQQ9EBjEn8dyw9hn8RmCaRKsvi71cIStv4OtuGxzIvTOJ +phqDJdjz53E6L/0NDmhgN7bxolYZJsPC2o/ca0lG1rx3SZdfI18WaTsQrOO2NaeZ +i4u9vkw/k7xT65mPxPsN7s67niE6lVGyTOLMwjvfO1sAHABbtto2GL0zRc454b9v +gObMCi/ZbOUo6wndMMPnrQh9SsSGKB6EIOEzmg+8M+Y +-> ssh-rsa kFDS0A +h9TH7j+1hquLDwCIRDvQiN7UJaO6rJ/NtWdeWTuqTqTGSS+aVvm9gDZBZiLzWyqb +GLd2guhepOCuSQkxocD7KAz1hp5pqf++XI8/yqepnHuU+CmInsOBmSZsG8QGktbk +wjY3ZqZdcfCorgAxjIaw4aNW3zeoq7ATC3rC3aDeOsZC6jImdgEeCvd8BczWSqOa +9acfRqd+QNDjqq3MIGIepVBlQ0nNniRtQoh4XtUey8jVb6kjow4TqBo9V33UhO7x +r3WMgk5q1onECAhaAlYFxQ3DzLjUxAVdulnkIoSBqdE1b6Njyc70CI9oYwZcGmbD +gC3qdQWmcoeOQ95YkdJAxaFIl3VNOTyn9rSXtn3a1PsVygaT+98qd1zwGPY+3ZDk +B1chqWp3IJ4y2oPqt1mO4j0am2NAChpcWlEhgeldD0HoUixoXvp2Gu0igD5ENfyH +BopesdhSoIxw8PbjKvnuwPFNSa9ysS6mpdmChTdBGpOCSpwMEcEE/m3pLo4FkzJf +nhQaxav7VmvZ2jxnmEgP/NUgxmZPHKOzlI3vqWfTsIwz/chHDwekhb6dB0O5nrjO +LzmKVrkVH0EEa3R1/BIfF674RSPXOmW89NNU7tCax3IOuPWC0QYv+2r/zjmAEq+Q +LJMPf1fUjLlsCmkOlxDYK4E/EyiG5dcjxdyXk8J+l6s +-> piv-p256 vRzPNw AzRQKtxg/bXdDoLXM4IBQaPXZ7Tg/6GSg0LeQQ3GNUnw +xf8jnJPg8nqUt26lvtemwdvV8h0nT8k/H4iGO8fBa1k +-> piv-p256 zqq/iw AtpFzxs9a5N87BOsagEIMnJFxyBv8PZwsF4orrWS7dlP +8w3nDD2dIXKRKtnz/xnFW3it99ZmfY9X4ZiQhjXnaPM +-> ssh-ed25519 YFSOsg E3q3wZk2o3+Gmv0xMuokFWqhckCEZxVomrj61M2U21w +CUlB8ynJwO5JmHND3+x/NN/PyV0HJXfoxI3TgPjOD/4 +-> ssh-ed25519 iHV63A 4tjRDQ0kSZZYda0V3pEs6teT7n8r0WFQ1iHj90XIP1c +OMGjdTkZo8LOojtNDhIw5OXaWpC21f8hIOcnv1suLA4 +-> ssh-ed25519 BVsyTA 5BzUJ7kmv/3ZwxRGOq6QNohlWn5nuHgCBTjbcGtA1jU +vaN4i/JBvrDtdb9IX+F4uLG8v6wiaF0zjTyBXJ7B0Ts +-> ssh-ed25519 +3V2lQ eS/DpYwsqIkwm1JENRu1kIHqe+qAcMssglt/DHIAuBk +JYdv3kTgpF+3b4a9eycCzl3FWyLSkunas4IYqfw9z48 +--- iffZKXnN9jbIrfnm0NrUmqfNhsBtd0FCBEc9Zp0YSj8 +[4aϓ ܥG( \)YQ '~@LKTw;j~,*q?o}' ? ׿ diff --git a/secrets/garage-rpc-secret.age b/secrets/garage-rpc-secret.age new file mode 100644 index 0000000000000000000000000000000000000000..e8ad9873aacd2faef45d3d51bec8592f5be944a3 GIT binary patch literal 2686 zcmZXWyUYAo9fuWBmNYJw+PtmA*Gz7c1VPMoGRfqA9}#wPzfJC$TpByETN_IkY!+SZ zU93cHEd&u23vI+gY{bUO5&Vg+f517<;d?&k`J7vpye3UFY~56}%@^AtgB~#O`sJ5# z%wLlj!Eu;+QO_Kf&@VB$fxgNLj9Ge^bDJa`LR~WLjheCww8eduXNE>P`Thc6(WBIq zP83eVS&|xJG{#hwm0@%f~f5e3V9+hPY-g(>=&7gWXon3b9T&z`3(; zIYlKybGI%mrc~Ez5G+eE&%mY~uA(m4!?buai0gF>77?VEZGAzV3f&DwH#%k|ZbI}? zTB75Mvb?AJnn50BR&_$X}-B2HaiPO-E2+Q@0H1H*bbROF;+N|6U^E+hh6 zq%D{d0wt^Y86cMd)0^@l+PJNv=xA*lg~N)`cc7P5w?k?t%?LdV{&}*0-`gvQfs`Pd`q~gLgB`XG!HI3_~kj#5TAXGQ*CeWlB zt3yeDvE6l(#e;LEw>>FUwenlpVqvyGf>yg2N@k_tpvT=1C=w`*VV+RFcT|8~x_c(; zVF8wn6s3snNtg!$hs2&@%~;Q=B`zo@z$hwMuSzN@BwK#kFvc zm{1p5{9sBs$8`#maVkPIz!x6$i3>`RSTC39MkBW{Iv16SPlX(Ix-c;vPvD~u>TN-S z#G`9nIN~ZU0lnO!ZZQym<1x9F84)Ejih}r3dC{R(W-8Hc5s&5D^+278*)a2Q^Q<*k z&Xk84ZOX2((vAZG7>5gNbrzRj>-CXcdn0o%giW)u>MfKx_9t(&;roWAR^>lDO+T7W zrup@~RO^5~gAs6uh`Ea^Jr~#ZQHC7Iq6}u}&TyFvq5^X>N%JdzK$*iDKVKA&Ne^%e zYQBBYN6oTqAa;UIleqZ+Uh~{jhUcOor7rf$I;V?ssqq61V;;JgwO=0TiFO4g@-li z6QIKK&`b1D=1w$nx!?n``;2jKLx^lwWxpj6pDt0_sW6o*ITGd4A;qn})z`xqU0DQp zU_9akqVL>Nd162kub~uDn(a=tBMrgrEI@)@cDxW^>d0JA_anWO(%75uyh_930mmEZ zo)Er5TA_O|$Xr-9v7)C#X{FqB#6_c-(~EGa4|evi9CyXzwL|dZ%fsCDr~2t^p;!u| z={ro|`MC(3Iv6x=x@Wj#=QTrI3i}R0mi#~(0NqU88x-V-R;*6D9Avb}qHgio$6(0~1rxH7=v-C~An02$4rIJUQwCba9@Kxp5Z)j8QwV6J^ z!K-cEml8?g&(ZyiVXI1yjzt3bStfDNHLc)KAp+t_Yv)U*Twz$O^AVnQyz0o5rfJvz zn^xgHi_a-MnM)zqxw)vhysuq#6)9$t!6z@!Js1ZCEhD|svJ z8F40?%Mz%x-Uznztjs1?bB*3*O95VAUtfG0S%pxJdV_pwI=-oGb2T7&r2Y zt4|4ZDJmX-uYUMb>^Hw4wzuhz-QI%W`Th3qpS$GPC!6p7 Date: Sat, 24 Aug 2024 03:05:28 +0200 Subject: [PATCH 07/25] modules: add unlock-luks-on-boot --- modules/unlock-luks-on-boot/default.nix | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 modules/unlock-luks-on-boot/default.nix diff --git a/modules/unlock-luks-on-boot/default.nix b/modules/unlock-luks-on-boot/default.nix new file mode 100644 index 0000000..0952188 --- /dev/null +++ b/modules/unlock-luks-on-boot/default.nix @@ -0,0 +1,20 @@ +{ flake, config, ... }: +{ + boot.initrd.network = { + enable = true; + ssh = { + enable = true; + # To prevent ssh clients from freaking out because a different host key is used, + # a different port for ssh is useful (assuming the same host has also a regular sshd running) + port = 2222; + + # Please create this manually the first time. + hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ]; + authorizedKeys = config.pub-solar-os.authentication.sshPubKeys; + }; + postCommands = '' + # Automatically ask for the password on SSH login + echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile + ''; + }; +} From b6070d0f7589d6ae0cad246ca28178952acc045b Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 03:06:17 +0200 Subject: [PATCH 08/25] docs: initial docs for nixos-anywhere and garage setup --- docs/garage.md | 19 +++++++++++++++++++ docs/nixos-anywhere.md | 13 +++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 docs/garage.md create mode 100644 docs/nixos-anywhere.md diff --git a/docs/garage.md b/docs/garage.md new file mode 100644 index 0000000..de40b05 --- /dev/null +++ b/docs/garage.md @@ -0,0 +1,19 @@ +``` +export GARAGE_RPC_SECRET= + +garage node id + +garage node connect +garage node connect + +garage status + +#Zones +#DE-1 DE-2 NL-1 + +garage layout assign fdaa -z DE-1 -c 800G -t trinkgenossin +garage layout assign 8835 -z DE-2 -c 800G -t blue-shell +garage layout assign 73da -z NL-1 -c 800G -t delite +garage layout show +garage layout apply --version 1 +``` diff --git a/docs/nixos-anywhere.md b/docs/nixos-anywhere.md new file mode 100644 index 0000000..a8f7925 --- /dev/null +++ b/docs/nixos-anywhere.md @@ -0,0 +1,13 @@ +``` +curl -L https://github.com/nix-community/nixos-images/releases/download/nixos-unstable/nixos-kexec-installer-noninteractive-x86_64-linux.tar.gz | tar -xzf- -C /root +/root/kexec/run +``` + +``` +mkdir -p /etc/secrets/initrd +ssh-keygen -t ed25519 -f /etc/secrets/initrd/ssh_host_ed25519_key +``` + +``` +nix run github:nix-community/nixos-anywhere -- --flake .#blue-shell root@194.13.83.205 +``` From b0790876ec1f9841010e071d374eebc41fb1d621 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 17:39:49 +0200 Subject: [PATCH 09/25] style: format using nixfmt-rfc-style --- hosts/blue-shell/configuration.nix | 7 ++++++- hosts/blue-shell/disk-config.nix | 16 ++++----------- hosts/blue-shell/hardware-configuration.nix | 20 ++++++++++++++----- hosts/delite/disk-config.nix | 16 ++++----------- hosts/delite/hardware-configuration.nix | 20 +++++++++++++------ hosts/trinkgenossin/configuration.nix | 2 +- .../trinkgenossin/hardware-configuration.nix | 6 ++---- secrets/secrets.nix | 6 +++++- 8 files changed, 51 insertions(+), 42 deletions(-) diff --git a/hosts/blue-shell/configuration.nix b/hosts/blue-shell/configuration.nix index 07364e5..20ad291 100644 --- a/hosts/blue-shell/configuration.nix +++ b/hosts/blue-shell/configuration.nix @@ -1,4 +1,9 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: { boot.loader.grub.enable = true; diff --git a/hosts/blue-shell/disk-config.nix b/hosts/blue-shell/disk-config.nix index 9be1ff5..2903130 100644 --- a/hosts/blue-shell/disk-config.nix +++ b/hosts/blue-shell/disk-config.nix @@ -18,9 +18,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; luks = { @@ -60,9 +58,7 @@ type = "filesystem"; format = "xfs"; mountpoint = "/var/lib/garage/data"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; @@ -80,9 +76,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; swap = { @@ -97,9 +91,7 @@ type = "filesystem"; format = "btrfs"; mountpoint = "/var/lib/garage/meta"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; diff --git a/hosts/blue-shell/hardware-configuration.nix b/hosts/blue-shell/hardware-configuration.nix index d6d2835..86e1e30 100644 --- a/hosts/blue-shell/hardware-configuration.nix +++ b/hosts/blue-shell/hardware-configuration.nix @@ -1,14 +1,24 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "sr_mod" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "sr_mod" + "virtio_blk" + ]; boot.initrd.kernelModules = [ ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; diff --git a/hosts/delite/disk-config.nix b/hosts/delite/disk-config.nix index e478b7f..dea45f4 100644 --- a/hosts/delite/disk-config.nix +++ b/hosts/delite/disk-config.nix @@ -18,9 +18,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/boot"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; luks = { @@ -52,9 +50,7 @@ type = "filesystem"; format = "ext4"; mountpoint = "/"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; swap = { @@ -69,9 +65,7 @@ type = "filesystem"; format = "xfs"; mountpoint = "/var/lib/garage/data"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; metadata = { @@ -80,9 +74,7 @@ type = "filesystem"; format = "btrfs"; mountpoint = "/var/lib/garage/meta"; - mountOptions = [ - "defaults" - ]; + mountOptions = [ "defaults" ]; }; }; }; diff --git a/hosts/delite/hardware-configuration.nix b/hosts/delite/hardware-configuration.nix index bfdede7..5fff330 100644 --- a/hosts/delite/hardware-configuration.nix +++ b/hosts/delite/hardware-configuration.nix @@ -1,18 +1,26 @@ # Do not modify this file! It was generated by ‘nixos-generate-config’ # and may be overwritten by future invocations. Please make changes # to /etc/nixos/configuration.nix instead. -{ config, lib, pkgs, modulesPath, ... }: +{ + config, + lib, + pkgs, + modulesPath, + ... +}: { - imports = - [ (modulesPath + "/profiles/qemu-guest.nix") - ]; + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_blk" ]; + boot.initrd.availableKernelModules = [ + "ata_piix" + "uhci_hcd" + "virtio_pci" + "virtio_blk" + ]; boot.initrd.kernelModules = [ "dm-snapshot" ]; boot.kernelModules = [ ]; boot.extraModulePackages = [ ]; - nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; } diff --git a/hosts/trinkgenossin/configuration.nix b/hosts/trinkgenossin/configuration.nix index ca20c94..c5e0016 100644 --- a/hosts/trinkgenossin/configuration.nix +++ b/hosts/trinkgenossin/configuration.nix @@ -7,7 +7,7 @@ }: { boot.loader.grub.enable = true; - boot.loader.grub.devices = ["/dev/vda"]; + boot.loader.grub.devices = [ "/dev/vda" ]; boot.kernelParams = [ "boot.shell_on_fail=1" diff --git a/hosts/trinkgenossin/hardware-configuration.nix b/hosts/trinkgenossin/hardware-configuration.nix index c4ee45e..a1432c9 100644 --- a/hosts/trinkgenossin/hardware-configuration.nix +++ b/hosts/trinkgenossin/hardware-configuration.nix @@ -24,7 +24,7 @@ boot.extraModulePackages = [ ]; boot.initrd.luks.devices."cryptroot" = { - device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a"; + device = "/dev/disk/by-uuid/52a1fd17-63d7-4d0a-b7ff-74aceaf6085a"; }; fileSystems."/" = { @@ -47,9 +47,7 @@ fsType = "btrfs"; }; - swapDevices = [ - { device = "/dev/disk/by-label/swap"; } - ]; + swapDevices = [ { device = "/dev/disk/by-label/swap"; } ]; nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; virtualisation.hypervGuest.enable = true; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 6661e18..686345a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -21,7 +21,11 @@ let metronomKeys = [ metronom-host ]; - garageKeys = [ trinkgenossin-host delite-host blue-shell-host ]; + garageKeys = [ + trinkgenossin-host + delite-host + blue-shell-host + ]; in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall From 15b507904fb24a0b3f37e6e6ebd4da7ea1e62de2 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 24 Aug 2024 21:48:48 +0200 Subject: [PATCH 10/25] garage: init buckets.pub.solar, use nginx as reverse proxy https://garagehq.deuxfleurs.fr/documentation/cookbook/reverse-proxy/ --- hosts/default.nix | 3 ++ modules/garage/default.nix | 61 +++++++++++++++++++++++++++++++++ secrets/acme-namecheap-env.age | Bin 0 -> 2700 bytes secrets/secrets.nix | 2 ++ terraform/dns.tf | 45 ++++++++++++++++++++++++ 5 files changed, 111 insertions(+) create mode 100644 secrets/acme-namecheap-env.age diff --git a/hosts/default.nix b/hosts/default.nix index 0d7fa47..a9e0b5a 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -100,6 +100,7 @@ #self.nixosModules.promtail self.nixosModules.garage + self.nixosModules.nginx ]; }; @@ -116,6 +117,7 @@ #self.nixosModules.promtail self.nixosModules.garage + self.nixosModules.nginx ]; }; @@ -132,6 +134,7 @@ #self.nixosModules.promtail self.nixosModules.garage + self.nixosModules.nginx ]; }; }; diff --git a/modules/garage/default.nix b/modules/garage/default.nix index 0ee39d4..21c7ca7 100644 --- a/modules/garage/default.nix +++ b/modules/garage/default.nix @@ -16,12 +16,73 @@ mode = "400"; }; + age.secrets."acme-namecheap-env" = { + file = "${flake.self}/secrets/acme-namecheap-env.age"; + mode = "400"; + }; + networking.firewall.allowedTCPPorts = [ 3900 3901 3902 ]; + security.acme = { + defaults = { + environmentFile = config.age.secrets.acme-namecheap-env.path; + }; + certs = { + # Wildcard certificate gets created automatically + "buckets.${config.pub-solar-os.networking.domain}" = { + # disable http challenge + webroot = null; + # enable dns challenge + dnsProvider = "namecheap"; + dnsPropagationCheck = false; + }; + # Wildcard certificate gets created automatically + "web.${config.pub-solar-os.networking.domain}" = { + # disable http challenge + webroot = null; + # enable dns challenge + dnsProvider = "namecheap"; + dnsPropagationCheck = false; + }; + }; + }; + + services.nginx = { + upstreams.s3_backend.servers = { + "[::1]:3900" = { }; + }; + upstreams.web_backend.servers = { + "[::1]:3902" = { }; + }; + virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = { + serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"]; + + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://s3_backend"; + extraConfig = '' + proxy_max_temp_file_size 0; + ''; + }; + }; + virtualHosts."web.${config.pub-solar-os.networking.domain}" = { + serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"]; + + enableACME = true; + forceSSL = true; + + locations."/" = { + proxyPass = "http://web_backend"; + }; + }; + }; + services.garage = { enable = true; package = pkgs.garage_1_0_0; diff --git a/secrets/acme-namecheap-env.age b/secrets/acme-namecheap-env.age new file mode 100644 index 0000000000000000000000000000000000000000..a09e587497125f91dbbfc33c4194b0f2351f286d GIT binary patch literal 2700 zcmZXW$?N=f8OQY+z34>`B3~4t8h&Qqz=ce<$v)W^5lk|Z%w#gzGg%Hj2zpWQAbL{t z9}p?tL&_L5JDP^bAVQ4Ib99`N zGczQ%$39Ox9SB{YpUymmYUgu%O3f=Xi26aE(cxTJhc2<;$VbMjB1V#iu9gKHYm9^S zs*yU1vqdB0+m&9Z5Nx8hA!)sA%sjv`3&KJ8dD;|ZyfHs%Q0!fq)1fnD&x&sj?_8$X zy!8`IiM1mcs0{Bo$PB1`0q7bY6ir{-FnL3+^AJMk;zGk31tn-p8EkP=)QKs}C>GwQ z^+WQM6Yjn#fHtrUblac7@KT65v*|2uQwWP8I74j51Z;y7e?HrOPDJ_SQ->=fIjcJ8 z#$!y6BNC9hR)keex^<1ZHfN_tPiaASt2UfkyQoxN4G+t7onUAgFg5TL2A()Pa|SJz z1u@+KwQ+2F@GiMc4H&AD$)IX%EQX_g%3E|&d#jaCdJ)`@VK=%-(4S9Xr@E zy0%kK)~jq7*FyC5y*e^1or|uEiA5iPZggaAY-~45OcTdHMp|l+A--&M2+TR?9>?=G zS0}#Ac?Lx-q8=swBqV|ZLb+Ys_?ko(+e#;=zMGdA!LGI;%7$`BFrD+poX`(^PHIXh>Eyn;FCErWlSjk3C;>k22CZ4oDK4L{_d24E zw7^t{`cQ1*QBJ5R@Q;CO?KeU_+AE$4P{ZcV;aV#;uYy7YZ0&LrWX^2hFr3@C0#Ceo zo$eKdMRCt2PP{*KWgjyw^FboKr{k;0J1`66Y2J$cXmofoGgy7N`BnM!R;oGIqjFQO~!j0Rd%L?cNkVO z$JV^$1$2pG9HRgn|7LDbaySCRzZCs zjij)T9F+mY6=|ULGJ>Yt!K5f-l8Ul019SVJOzso7Zb4thC*+iro!G;ijmj_12vO$ndI<^Od2*y>q}66Dj}-VTrG zXM5_f2Up$<>M15dzSOl|`%qc&$MxWHL%GP=$} zds*n&J1;}l6|r=dGg*9iFZ(}WZCwXl9<26wV?`vi9eN%zxYt13gI73Rh=}!xEz)W$ zQ0Y@FGhql+RR=x_5AJ*=_L_|q=GlVuWhSS1+K)LyGCpw>EJJ1H_j~63|3M@==1@G{ z`XC?=M^=%U#I+s{%N+>ZVh77)L8^CTwI3F=hqVp%fJ2ozAj$}66dxOtu}U9AXE%%0 zhcje}i4?IR?j6)!dHH$TW$%+1`^4PYd2KX5kr2MzS^nTl9JvgLa@&T7h}C-E#s}R@ z@NxjW*@uiswwhIhS3@Bh&kt#(CvRcHI5V#C)`}o`yT7X(&pIq-#KMRtgT6Z%8^eaod85+xoE%mz)jW)(l81g}D(N z#Da+pn@X_Jaj#N>N8?~#SP;!^;EHmpVGla+?Afy?g>$!+%#%s2aPe-Sr!(21SZ(7C zOK~Ls=;~|XY;+`%5%A&H-=JRm=)Ye0$cx`n_1FKbena2C{K8wW{&@b!PhWcb#m{_4 z|Nc8)`s?@J`Rc#l{9*a`x4!u`{?+KWANt29|MY9;wNL!urFTEy{`{4{eT@6(ACX^u x_ZPnjm%qIE_Ag)Qzx}h9Z-4#rPrmT(f9}WMf9lg;|HJ1#{>G2s*FO8Z{{oXdeO>?n literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 686345a..9407375 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -100,4 +100,6 @@ in # garage "garage-rpc-secret.age".publicKeys = garageKeys ++ adminKeys; "garage-admin-token.age".publicKeys = garageKeys ++ adminKeys; + + "acme-namecheap-env.age".publicKeys = garageKeys ++ adminKeys; } diff --git a/terraform/dns.tf b/terraform/dns.tf index f30dee1..70d9f15 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -99,6 +99,51 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "80.71.153.210" } + record { + hostname = "buckets" + type = "A" + address = "85.215.152.22" + } + record { + hostname = "buckets" + type = "A" + address = "5.255.119.132" + } + record { + hostname = "buckets" + type = "A" + address = "194.13.83.205" + } + record { + hostname = "buckets" + type = "AAAA" + address = "2a01:239:35d:f500::1" + } + record { + hostname = "buckets" + type = "AAAA" + address = "2a04:52c0:124:9d8c::2" + } + record { + hostname = "buckets" + type = "AAAA" + address = "2a03:4000:43:24e::1" + } + record { + hostname = "*.buckets" + type = "CNAME" + address = "buckets.pub.solar." + } + record { + hostname = "web" + type = "CNAME" + address = "buckets.pub.solar." + } + record { + hostname = "*.web" + type = "CNAME" + address = "buckets.pub.solar." + } record { hostname = "tankstelle" type = "A" From d32abd7a7f1eb35eb555bebc961b600d83473c9a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 00:13:53 +0200 Subject: [PATCH 11/25] wireguard: add trinkgenossin, delite, blue-shell --- flake.nix | 6 +-- hosts/blue-shell/configuration.nix | 2 - hosts/blue-shell/default.nix | 2 +- hosts/blue-shell/wireguard.nix | 49 +++++++++++++++++++++++ hosts/delite/configuration.nix | 2 - hosts/delite/default.nix | 2 +- hosts/delite/wireguard.nix | 49 +++++++++++++++++++++++ hosts/flora-6/wireguard.nix | 27 +++++++++++++ hosts/trinkgenossin/configuration.nix | 2 - hosts/trinkgenossin/default.nix | 2 +- hosts/trinkgenossin/wireguard.nix | 49 +++++++++++++++++++++++ secrets/blue-shell-wg-private-key.age | 43 ++++++++++++++++++++ secrets/delite-wg-private-key.age | Bin 0 -> 2446 bytes secrets/secrets.nix | 9 +++++ secrets/trinkgenossin-wg-private-key.age | 43 ++++++++++++++++++++ terraform/dns.tf | 30 ++++++++++++++ 16 files changed, 305 insertions(+), 12 deletions(-) create mode 100644 hosts/blue-shell/wireguard.nix create mode 100644 hosts/delite/wireguard.nix create mode 100644 hosts/trinkgenossin/wireguard.nix create mode 100644 secrets/blue-shell-wg-private-key.age create mode 100644 secrets/delite-wg-private-key.age create mode 100644 secrets/trinkgenossin-wg-private-key.age diff --git a/flake.nix b/flake.nix index 6f84843..ae5cc8e 100644 --- a/flake.nix +++ b/flake.nix @@ -139,15 +139,15 @@ sshUser = username; }; trinkgenossin = { - #hostname = "trinkgenossin.wg.pub.solar"; + hostname = "trinkgenossin.wg.pub.solar"; sshUser = username; }; delite = { - #hostname = "delite.wg.pub.solar"; + hostname = "delite.wg.pub.solar"; sshUser = username; }; blue-shell = { - #hostname = "delite.wg.pub.solar"; + hostname = "blue-shell.wg.pub.solar"; sshUser = username; }; }; diff --git a/hosts/blue-shell/configuration.nix b/hosts/blue-shell/configuration.nix index 20ad291..df9424b 100644 --- a/hosts/blue-shell/configuration.nix +++ b/hosts/blue-shell/configuration.nix @@ -12,8 +12,6 @@ "ip=dhcp" ]; - services.openssh.openFirewall = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/hosts/blue-shell/default.nix b/hosts/blue-shell/default.nix index 3ac09fd..ff8c0cc 100644 --- a/hosts/blue-shell/default.nix +++ b/hosts/blue-shell/default.nix @@ -7,7 +7,7 @@ ./disk-config.nix ./networking.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/blue-shell/wireguard.nix b/hosts/blue-shell/wireguard.nix new file mode 100644 index 0000000..ad37918 --- /dev/null +++ b/hosts/blue-shell/wireguard.nix @@ -0,0 +1,49 @@ +{ + config, + pkgs, + flake, + ... +}: +let + wireguardIPv4 = "10.7.6.7"; + wireguardIPv6 = "fd00:fae:fae:fae:fae:7::"; +in +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/blue-shell-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "${wireguardIPv4}/32" + "${wireguardIPv6}/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = wireguardIPv4; + port = 22; + } + { + addr = "[${wireguardIPv6}]"; + port = 22; + } + ]; +} diff --git a/hosts/delite/configuration.nix b/hosts/delite/configuration.nix index 1cfa0ae..3ba7d50 100644 --- a/hosts/delite/configuration.nix +++ b/hosts/delite/configuration.nix @@ -12,8 +12,6 @@ "ip=dhcp" ]; - services.openssh.openFirewall = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/hosts/delite/default.nix b/hosts/delite/default.nix index 3ac09fd..ff8c0cc 100644 --- a/hosts/delite/default.nix +++ b/hosts/delite/default.nix @@ -7,7 +7,7 @@ ./disk-config.nix ./networking.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/delite/wireguard.nix b/hosts/delite/wireguard.nix new file mode 100644 index 0000000..17eba5a --- /dev/null +++ b/hosts/delite/wireguard.nix @@ -0,0 +1,49 @@ +{ + config, + pkgs, + flake, + ... +}: +let + wireguardIPv4 = "10.7.6.6"; + wireguardIPv6 = "fd00:fae:fae:fae:fae:6::"; +in +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/delite-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "${wireguardIPv4}/32" + "${wireguardIPv6}/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = wireguardIPv4; + port = 22; + } + { + addr = "[${wireguardIPv6}]"; + port = 22; + } + ]; +} diff --git a/hosts/flora-6/wireguard.nix b/hosts/flora-6/wireguard.nix index 3da4e16..d825e38 100644 --- a/hosts/flora-6/wireguard.nix +++ b/hosts/flora-6/wireguard.nix @@ -47,6 +47,33 @@ "fd00:fae:fae:fae:fae:4::/96" ]; } + { + # trinkgenossin.pub.solar + endpoint = "85.215.152.22:51820"; + publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; + allowedIPs = [ + "10.7.6.5/32" + "fd00:fae:fae:fae:fae:5::/96" + ]; + } + { + # delite.pub.solar + endpoint = "5.255.119.132:51820"; + publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k="; + allowedIPs = [ + "10.7.6.6/32" + "fd00:fae:fae:fae:fae:6::/96" + ]; + } + { + # blue-shell.pub.solar + endpoint = "194.13.83.205:51820"; + publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8="; + allowedIPs = [ + "10.7.6.7/32" + "fd00:fae:fae:fae:fae:7::/96" + ]; + } ]; }; }; diff --git a/hosts/trinkgenossin/configuration.nix b/hosts/trinkgenossin/configuration.nix index c5e0016..f6cf06f 100644 --- a/hosts/trinkgenossin/configuration.nix +++ b/hosts/trinkgenossin/configuration.nix @@ -14,8 +14,6 @@ "ip=dhcp" ]; - services.openssh.openFirewall = true; - # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. # diff --git a/hosts/trinkgenossin/default.nix b/hosts/trinkgenossin/default.nix index 845d466..a1699f1 100644 --- a/hosts/trinkgenossin/default.nix +++ b/hosts/trinkgenossin/default.nix @@ -6,7 +6,7 @@ ./configuration.nix ./networking.nix - #./wireguard.nix + ./wireguard.nix #./backups.nix ]; } diff --git a/hosts/trinkgenossin/wireguard.nix b/hosts/trinkgenossin/wireguard.nix new file mode 100644 index 0000000..f56b6a1 --- /dev/null +++ b/hosts/trinkgenossin/wireguard.nix @@ -0,0 +1,49 @@ +{ + config, + pkgs, + flake, + ... +}: +let + wireguardIPv4 = "10.7.6.5"; + wireguardIPv6 = "fd00:fae:fae:fae:fae:5::"; +in +{ + networking.firewall.allowedUDPPorts = [ 51820 ]; + + age.secrets.wg-private-key.file = "${flake.self}/secrets/trinkgenossin-wg-private-key.age"; + + networking.wireguard.interfaces = { + wg-ssh = { + listenPort = 51820; + mtu = 1300; + ips = [ + "${wireguardIPv4}/32" + "${wireguardIPv6}/96" + ]; + privateKeyFile = config.age.secrets.wg-private-key.path; + peers = flake.self.logins.admins.wireguardDevices ++ [ + { + # flora-6.pub.solar + endpoint = "80.71.153.210:51820"; + publicKey = "jtSR5G2P/nm9s8WrVc26Xc/SQLupRxyXE+5eIeqlsTU="; + allowedIPs = [ + "10.7.6.2/32" + "fd00:fae:fae:fae:fae:2::/96" + ]; + } + ]; + }; + }; + + services.openssh.listenAddresses = [ + { + addr = wireguardIPv4; + port = 22; + } + { + addr = "[${wireguardIPv6}]"; + port = 22; + } + ]; +} diff --git a/secrets/blue-shell-wg-private-key.age b/secrets/blue-shell-wg-private-key.age new file mode 100644 index 0000000..3e1c3cf --- /dev/null +++ b/secrets/blue-shell-wg-private-key.age @@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 eP5MMw xAObv9OBtCMHWnbnO9b9w5fiG3tkJJTvjFNWmYmGfhQ +sXmgq1drzY3rap8aD8/iMbMgjGkajfENkBQDdK/2TKQ +-> ssh-ed25519 uYcDNw sxw3K1xYG+OZQy+4U2UfX//ZElPaCieANzFHanJxfxw +VyhqjYppfHVb2jTceXLL/yYwEJE2uD9TY4PliHu7c0E +-> ssh-rsa f5THog +hRIMIg4P7SOOS3IGr2vF/TAdvgAXjJ8CbjKQt+Bd8MUjxf769rD3bln3lF3DlfIU +RMkicdnwRdWTnqp+HyV0/UsD4ZzVb0YY+ntK6wujqgEwhpef9NOE2Hsiyvv228l5 +pu6eUTrosmb0ysnw8zRmr4RYdv1+MsD9gbnLOnnuHkA+i28jAE6o4gXIdnKfDcIk +ptJISTFwyzz+q8UvdfO4YGRBL4zSoWM5VEQS0IPjrt4+qBlOyC2IlXz1/aaGZk41 +ODgPUO68USpzFsLqsmRJJQOMxxkdnYWy4DoeHKUyZI4YO0t94zVEHIS3x6w2l+/Q +9r7TdKXxniLFYW9t5+28ez5XfLruapXroA8kp2hy3S7ybuOyB2MIfCXVvK0kiOfw +2kZnv7LvL4BLUMtgPKoAxj8Pzpi8HzFGxQudqNwSkjb4bvFg8eej0oP/WhvFalsY +MGSdlFJkKKeLWh8MzmD2WXHJ5yVcRFHydyWGMHlZJ4soi0I3gTSQaNSPUxWtFSd3 +Trk3Jz4Qrd7EA6y6wn2Jc4xCX+cWb8Q3nrXVZJL/FSxss+zstQit5O3BwWupJQLt +ubyqLxQI/PKP/gIU8sGhwKDWGjZUlwvjPBG+EdWJAxoI7S7+4UxkGgsNvx67VKgi +xxz3ANlHPbGLgAZTtEk5AqHWLWE6ZRn/7i3Qv1HWZJ4 +-> ssh-rsa kFDS0A +OqNv7KThlRd0aD1gixsI2LVb+Zj2r7OVm4lUD/UJ0WVe/ihlcBAeEj8noqNA3zgH +djO53WpAkGrbt8CejuQcPYLyw8Bdk++cBu9Po+X0dAp2cCPqakgIpEI6qG1uiEty +LOOF13TivCB802UrJmX/8HLDV3yv7IWIr2XV0V8s5UvasYlgCt1eg4suhXIngnJG +wd7WFnXwtNtR/UcnWtpE8c6p5kaAn4wSAtx6hFqnkN5ANjKXHy29NkFR1Lgu55OU +qoJPpcZpvEESYMQfPvfuCUSZgcSvJE8B1MJZzxdKBHFiaWa7BkkWOL2KNIARFji5 +nBrGzGLV9IaHWsS0UfIWixvM3OPl4wgwpdLtVJsnLX/ggFZrZmj+iR5DdqurfW7E +0a8Ie1NKK7FU+HnzEk6+8aiDb0QozEhrmaE5olc8dBOKK13e1idDTCsquaQcSOEh +DBP8r0LhqU7YwnNF6UpQiYs3Zs2HyPegfz2GwB3yeaHqc7+MnXm/j4B5qUcX5naz +llQoNfddAtoXGeK3G0yjugkSluValw6o2hQ+4iRx4n1f3dVcurXkBr9fjCKMmjC4 +qbOHhsBU4dHCvFIOXY27Xvq5qZ4/ceNb6fq/NXvkD87eePMLg9R9hmtTaCDlEN2d +a350/FxlWOZXEox+mRZhE+mE5qSIg+LbnFZ+zjWq+yc +-> piv-p256 vRzPNw AzwIBCtS5Tx/zuFHRYsYSOffxAE79O5foV+ndpw0hR1t +HDmWtvUS9wSnlNjbkD0Rc0jQ4tNhqpcqpeztW1GXC3g +-> piv-p256 zqq/iw Av5ZYxbCJrjUImhX7hoO8nxtWEtd7mPWhofwCxtW5GNI +tB/mFmw4U2NbeDKdasi/Z99VggQYhnv6+n9+VJekq/k +-> ssh-ed25519 YFSOsg nl0SHBFBylYgoy4qrZ851AQ6NLuDpXtIQ5WffqQPckU +/yk/gT3enujLcjHkYuE0XGUDrYUEEzvyPvIlKhHtf5c +-> ssh-ed25519 iHV63A 2Gq6dIvLDJQmwgQwxhqrPpubkToiseczLkobeCZiOSA +IXddfsh84BrA0v6X/SjqoFbUfJfw3v+zD3Dk5RdsfAE +-> ssh-ed25519 BVsyTA 9oRVFqCqPoQ35/u+Cg4dPkG4eXw7vSRaPwhel430TGE +C54Ofc94lPFMGLljqY4Ag0AhM/MHWeZjZ6x1fmyMmqI +-> ssh-ed25519 +3V2lQ 2g1xRrQZy30nCaDq6RtfXQfUchtD8oOnmGYX+A2venQ +oop5rNpGKvTUOLGN2HGc7B63H/8XYrhO+XsCjsKfPgA +--- cMgwwO4kfMX17njkjYczc4R6FVRwC+cpK37g2cFAapc + `сXӓ;RV]tbM"N4a/IpB7QeM npʱ2}z-R4E(N \ No newline at end of file diff --git a/secrets/delite-wg-private-key.age b/secrets/delite-wg-private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..48d0fe1c279a9347db302d5a61c39a977f75c119 GIT binary patch literal 2446 zcmZXWIm`WM8HYu&31U0#3l<{bHTy|Uqh!y?zHeZWoRjrrIoXp_X)}ZHSFjMLwbd_R zV{J3wfHpFfAlSMv2!i0NFffi^;JJ8ie)sRXlOlV~y6bp6=Bn?$-H!#dBEai+UZ$yh z&2A_`Am^8}ZAp9a;uC5oipNN*AY`5@hYwv7_fJv};l0umARD?fO%0}iX@Eo%(xbOx z!YL`8t`>Ccq!%CO1nITcKHqi z2$e9#EjSBVXH27jPU}qIiW|Q@(S<=9*Pb7!AvP8!#uR#xg%jWEBRrIPqB%`m0YMfN z7~9tK3OZisnSl^UicwsysA94z+wevx<@n;{By9scc)+XrW z@unqB3z-Bm39L?R3L*UXOAFm=dSIU(uFf@CSog7 z;SOz_3pzKdxaes+DERdG9Nz`bfob4!n9if_f|B*k%|+ZCikOlmW}0tK%D;_m~P_k1dng&dv9vjlRf-IG0DE&HWwrcoS=`pz`n z5GbC5rFaw5B|tsxsW2a7a(z%^Aat%U@zvUSPXhhKsD4 zI1h|&56l4`jGh+x1x!xAxpM0$-Fxib(mf3GUD( zBz1Y7j?knH>GD6U=P*Fk8;e>j+HrhcH*fdl$;Ow!!`fTQ-qz;>uJ&^V5imJU!svkj z!@LE}hVDGtQM0-+`bN-N6}1vEpu){H9BNfz|BkZufB*G)hem>9OvQ^4Na6|hsE1*$ zxn?I>kKtMhf(u>wTTGv->3GA~xkD*34_A7}YVA{Fm4HVUyMXKUUUX^cM|F8!i9-arsLeqFPs4l=8V z?j9Q(urN?n>mU1gTQJu#NTRp{WsHPKc-qIzfuW{|JJ6ZBImBFH&F-Y+8_6A>9-+9=_sJ7>`T0+7cxV{FS<9QXH>1eVTEgb9v zWju6=&WchqSKy!D{PYih{pcH9_oH7MfBMRAe))?Jvp@gk(@%c)rLX?%kJQ(2{e$;w z^&Ro`AOCCp ssh-ed25519 NID4eA Q3E8hBMDQRxoJx6UGzECMZmkffdgyYlhGaloKFNmxw0 +37DKT5sgmAEritSoPuW+O5dvjCH23pOAdFyJG0TnY6w +-> ssh-ed25519 uYcDNw zgfSabCBntiTnc0fdfDzpkq/AwUXSpyvsA14gkatP3w +tLbZDE6UB/xvC153mSGcGSSWKH+Ph1Ek5D+JTrWjzdk +-> ssh-rsa f5THog +0THw5q/Aa/wCzfqO/9YFBOvSfISS/O2cMHBlQ7NXzF2hlj+hzGjJeL2USmL8iZ7X +YToH0oy8lreVRYxfi/LUMyg14hQf11hTekT/sKc8m5eBm+8WiHbWJsQJKdRg6WVO +B2Ju+3QIZXBk7ajCIcVjgoJQy1JydXm5YQkZnI69icdtAEnYSEoVEpaPHkT7Et65 +UUC/eegltWFSeJl4bzgceVXO3VtszoG/KkL7ToT2WX2Hbnb4R3U8cWLOTr4I6hzM +90h6mNaorm3bd5fysOoU3G531/eAqcC7QZQQGyCOEBBHgx0w32ZKpjqu8q8c/f0M +VMOgE0JfK4/iB5E3dwGqRZ2G8iXu/cx0CQY98YAFCDOYExMsQzFXzqKq8KecVd+g +vaj598KJFxYskwrkGNXwIds2lPCte3HIa9XcGeQ4svaLYdQw5zsSIF32zOwAbxRn +1ABzp/T7V3BYyykJbeJi3UMoHUo3nsq75xClmXRnlTvQ7I0x62DrXdMNE9tJtqAF +lVUeD7gKlDPmYMK0QKbxFHYTVbdJ3d7UbJUgb2SxHpm5I8J7Wx29p6gLN7+swdIg ++y0Z8+qcABkeVHQ9OWwV0XYdMdLFovnc0pDAEvHL4rxv3E8W2Nv2mm0xW7I4HcG0 +h9uJ2lU4mn60YqBtso/cu+LzUHIPcHji5sRK8/qu+Tg +-> ssh-rsa kFDS0A +kXXvKZebwQLFofayT/0SFzdFl0e8xQbUJf+q47YHmPMlJY7nsQBs1fvmQsp7fsfW +TRdh14uVImErEQsuqNYgYDR/jBUVtRkySOXde8Q9QM/CZwwR7NMu8P2vBzZ6uXKL +amlZS8iYXWJKRgmxsgiONFZwfcB9TWhaDYsmeqFxV6ui2LGgtCBllttYzvyVNWZI +NXMg0bbkLd+I2svBSBX/p8rECxq5gUmr8PB2k+yrHuXJvnR8Hop7YjvbrC2qSy5r +6OOTButBV7cILTf03DPvd3f61uUqm/NapxN4UdEZDTmOYud2dF8Eqw+BCNIT2wZr +/KD49ElPlcWM8cCxBGaSTTT66mP3FWwIcCZVfdVrhf//TN/SAo+lcoN7m/p9Uj0i +Y5nM3JR7ZuiLHfXu+fTHBiWnWBtLkPYUDlGIGlFGinMQwi4CMqoUY7jROdjHuPkt +S0VK2ViRxBB5Z5tQSnL02+TNsDd+CDURRiBgWfdmk1kkh9o2SrSiGcxCV03UVEaE +4Q07ZjKJF9HeC6goK+QjSOvLHS2qHyJznUty7nAiAS+yPDlq6m13/dFTvFii7H2h +UJ+5MJcVHLd6VQhzjmwTQXCrbTn/FI2LkZgR4HPRFDElkmnMUV1NU/2gkwm7Z0gu +RaEAuYMoKZNBQ6eQgANst+LFA7ctwpz/d0PB8Gvjf6g +-> piv-p256 vRzPNw AmCpZNeI8ggIr211niro2CalG6ELXYubjXj2J01eSwL+ +IPXLB01UKFj7tptbB7FmNbbjDGrqbEoizjNzzJvNsXs +-> piv-p256 zqq/iw Auwb+rr9JfTX9VoTKaDobEGFPIwJZUFAMolG8SvZ5ix6 ++e5IWW7Sxy1T2F0Ykm1tKQIvGGJFODIrNdvrCKREvrI +-> ssh-ed25519 YFSOsg 5Eeo3PIUgfRgPrY/eR6aps8UB2NNNr9YJswZ5mPj5Fk +cN4Dwp+ZFN8UCptfVsAp3iGesYhry7umwGc77jom2Vo +-> ssh-ed25519 iHV63A RMH4ezLwPxlf9cLgFlWSrGMDdlySpIr22O3Nr4ESgkg +8Ll31aL8PCOFp5+TIhv7qYVzjnBMepWJSlT6PGBMtdM +-> ssh-ed25519 BVsyTA 9yQZMVRpIitqx4ggP9pswC2VBmtKHR8FqIiLAq6wdCs +g/dA5SXBUNyLFGuOEVwsPIu2sEyAS4y+5RlccymLfL0 +-> ssh-ed25519 +3V2lQ unqrENNB2tJvICc/nAi31TZ8c7ilbFreww51f/Mi4nQ +y7QWtFtEUq8elK+Q2HxpGav3nx3dxDQd5ikn9DpIJ20 +--- SJo44grQsKFl8WMnva4kMp88kMZ9D3EWnm3mN0Oe15c +~ڌx̆Il`u@'B#Ra ٣;(厳&G3<QsH~G ) \ No newline at end of file diff --git a/terraform/dns.tf b/terraform/dns.tf index 70d9f15..89674d8 100644 --- a/terraform/dns.tf +++ b/terraform/dns.tf @@ -24,6 +24,21 @@ resource "namecheap_domain_records" "pub-solar" { type = "A" address = "10.7.6.4" } + record { + hostname = "trinkgenossin.wg" + type = "A" + address = "10.7.6.5" + } + record { + hostname = "delite.wg" + type = "A" + address = "10.7.6.6" + } + record { + hostname = "blue-shell.wg" + type = "A" + address = "10.7.6.7" + } record { hostname = "nachtigall.wg" type = "AAAA" @@ -44,6 +59,21 @@ resource "namecheap_domain_records" "pub-solar" { type = "AAAA" address = "fd00:fae:fae:fae:fae:4::" } + record { + hostname = "trinkgenossin.wg" + type = "AAAA" + address = "fd00:fae:fae:fae:fae:5::" + } + record { + hostname = "delite.wg" + type = "AAAA" + address = "fd00:fae:fae:fae:fae:6::" + } + record { + hostname = "blue-shell.wg" + type = "AAAA" + address = "fd00:fae:fae:fae:fae:7::" + } record { hostname = "flora-6" type = "A" From f236962e17235fb9e401f14e180374a3c3ee2b82 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 00:15:06 +0200 Subject: [PATCH 12/25] garage: add monitoring, connect to grafana + loki https://garagehq.deuxfleurs.fr/documentation/reference-manual/monitoring/ --- hosts/default.nix | 4 +- modules/garage/default.nix | 9 +- modules/grafana/default.nix | 5 + .../grafana-garage-dashboard-prometheus.json | 1048 +++++++++++++++++ modules/prometheus/default.nix | 20 + 5 files changed, 1082 insertions(+), 4 deletions(-) create mode 100644 modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json diff --git a/hosts/default.nix b/hosts/default.nix index a9e0b5a..d523bda 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -96,8 +96,8 @@ self.nixosModules.overlays self.nixosModules.unlock-luks-on-boot self.nixosModules.core - #self.nixosModules.prometheus-exporters - #self.nixosModules.promtail + self.nixosModules.prometheus-exporters + self.nixosModules.promtail self.nixosModules.garage self.nixosModules.nginx diff --git a/modules/garage/default.nix b/modules/garage/default.nix index 21c7ca7..f2e538c 100644 --- a/modules/garage/default.nix +++ b/modules/garage/default.nix @@ -27,6 +27,8 @@ 3902 ]; + networking.firewall.interfaces.wg-ssh.allowedTCPPorts = [ 3903 ]; + security.acme = { defaults = { environmentFile = config.age.secrets.acme-namecheap-env.path; @@ -59,7 +61,7 @@ "[::1]:3902" = { }; }; virtualHosts."buckets.${config.pub-solar-os.networking.domain}" = { - serverAliases = ["*.buckets.${config.pub-solar-os.networking.domain}"]; + serverAliases = [ "*.buckets.${config.pub-solar-os.networking.domain}" ]; enableACME = true; forceSSL = true; @@ -72,7 +74,7 @@ }; }; virtualHosts."web.${config.pub-solar-os.networking.domain}" = { - serverAliases = ["*.web.${config.pub-solar-os.networking.domain}"]; + serverAliases = [ "*.web.${config.pub-solar-os.networking.domain}" ]; enableACME = true; forceSSL = true; @@ -103,6 +105,9 @@ root_domain = ".web.${config.pub-solar-os.networking.domain}"; index = "index.html"; }; + admin = { + api_bind_addr = "[::]:3903"; + }; }; }; diff --git a/modules/grafana/default.nix b/modules/grafana/default.nix index b62789e..952661b 100644 --- a/modules/grafana/default.nix +++ b/modules/grafana/default.nix @@ -33,6 +33,11 @@ group = "grafana"; user = "grafana"; }; + "grafana-dashboards/grafana-garage-dashboard-prometheus.json" = { + source = ./grafana-dashboards/grafana-garage-dashboard-prometheus.json; + group = "grafana"; + user = "grafana"; + }; }; services.caddy.virtualHosts."grafana.${config.pub-solar-os.networking.domain}" = { diff --git a/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json b/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json new file mode 100644 index 0000000..33ee163 --- /dev/null +++ b/modules/grafana/grafana-dashboards/grafana-garage-dashboard-prometheus.json @@ -0,0 +1,1048 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "DS_PROMETHEUS", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "9.2.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 24, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "Bps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 0, + "y": 0 + }, + "id": 10, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum(rate(block_bytes_read{job=\"garage\"}[$__rate_interval]) )", + "hide": false, + "interval": "", + "legendFormat": "Disk bytes read", + "refId": "A" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "-sum(rate(block_bytes_written{job=\"garage\"}[$__rate_interval]) )", + "hide": false, + "interval": "", + "legendFormat": "Disk bytes written", + "refId": "B" + } + ], + "title": "Disk I/O", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 8, + "y": 0 + }, + "id": 3, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "sum by (api_endpoint) (rate(api_s3_request_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{api_endpoint}}", + "range": true, + "refId": "A" + } + ], + "title": "API requests", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 9, + "w": 8, + "x": 16, + "y": 0 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum(rate(web_request_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "Web request rate", + "refId": "A" + } + ], + "title": "Web requests", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 9 + }, + "id": 2, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by (rpc_endpoint) (rate(rpc_request_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{rpc_endpoint}}", + "refId": "A" + } + ], + "title": "RPC requests", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 9 + }, + "id": 4, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": true, + "expr": "sum by (api_endpoint, status_code) (rate(api_s3_error_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{api_endpoint}} {{status_code}}", + "range": true, + "refId": "A" + } + ], + "title": "API errors", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "reqps" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 9 + }, + "id": 11, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by(status_code) (rate(web_error_counter {job=\"garage\"}[$__rate_interval]))", + "hide": false, + "interval": "", + "legendFormat": "{{status_code}}", + "refId": "A" + } + ], + "title": "Web errors", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 17 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "block_resync_queue_length{job=\"garage\"}", + "interval": "", + "legendFormat": "{{instance}}", + "refId": "A" + } + ], + "title": "Resync queue length", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 17 + }, + "id": 7, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by(table_name) (table_gc_todo_queue_length{job=\"garage\"})", + "interval": "", + "legendFormat": "{{ table_name}}", + "refId": "A" + } + ], + "title": "Table GC queue length", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 17 + }, + "id": 8, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "sum by(table_name) (table_merkle_updater_todo_queue_length{job=\"garage\"})", + "interval": "", + "legendFormat": "{{ table_name}}", + "refId": "A" + } + ], + "title": "Table Merkle updater queue length", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 25 + }, + "id": 12, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": true, + "expr": "block_resync_errored_blocks{job=\"garage\"}", + "interval": "", + "legendFormat": "{{instance}}", + "refId": "A" + } + ], + "title": "Resync errored blocks", + "type": "timeseries" + } + ], + "refresh": "30s", + "schemaVersion": 37, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "default", + "value": "default" + }, + "hide": 0, + "includeAll": false, + "multi": false, + "name": "DS_PROMETHEUS", + "label": "Datasource", + "options": [], + "query": "prometheus", + "queryValue": "", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "Garage", + "uid": "ys3pnpZ4k", + "version": 26, + "weekStart": "" +} diff --git a/modules/prometheus/default.nix b/modules/prometheus/default.nix index 709f6a2..5834ee2 100644 --- a/modules/prometheus/default.nix +++ b/modules/prometheus/default.nix @@ -69,6 +69,14 @@ instance = "tankstelle"; }; } + { + targets = [ + "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:${toString config.services.prometheus.exporters.node.port}" + ]; + labels = { + instance = "trinkgenossin"; + }; + } ]; } { @@ -83,6 +91,18 @@ } ]; } + { + job_name = "garage"; + static_configs = [ + { + targets = [ + "trinkgenossin.wg.${config.pub-solar-os.networking.domain}:3903" + "delite.wg.${config.pub-solar-os.networking.domain}:3903" + "blue-shell.wg.${config.pub-solar-os.networking.domain}:3903" + ]; + } + ]; + } ]; ruleFiles = [ From f639fbe050cc9bac84acd9ef5ff064223f5be5d7 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 02:37:36 +0200 Subject: [PATCH 13/25] devshell: add terraform-ls --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index b5473e1..911293b 100644 --- a/flake.nix +++ b/flake.nix @@ -92,6 +92,7 @@ treefmt nixos-generators inputs.nixpkgs-2205.legacyPackages.${system}.terraform + terraform-ls jq ]; }; From 13bf3f5beb9676972b5836bf8f3feebebc3974a7 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 03:27:42 +0200 Subject: [PATCH 14/25] docs: SSH to trinkgenossin for garage command --- docs/garage.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/garage.md b/docs/garage.md index de40b05..6517123 100644 --- a/docs/garage.md +++ b/docs/garage.md @@ -1,6 +1,9 @@ ``` +ssh barkeeper@trinkgenossin.wg.pub.solar + export GARAGE_RPC_SECRET= +# Uses the default config /etc/garage.toml garage node id garage node connect @@ -17,3 +20,5 @@ garage layout assign 73da -z NL-1 -c 800G -t delite garage layout show garage layout apply --version 1 ``` + +Source: https://garagehq.deuxfleurs.fr/documentation/cookbook/real-world/#creating-a-cluster-layout From 711347abe68b690497d8fc9fc84f45b1f41e609b Mon Sep 17 00:00:00 2001 From: teutat3s Date: Mon, 26 Aug 2024 11:00:42 +0200 Subject: [PATCH 15/25] docs: add how-to create garage bucket + key add new hosts to WireGuard example config --- docs/administrative-access.md | 33 +++++++++++++++++++++++++++++++++ docs/garage.md | 25 +++++++++++++++++++++++++ 2 files changed, 58 insertions(+) diff --git a/docs/administrative-access.md b/docs/administrative-access.md index 5c58e79..169f087 100644 --- a/docs/administrative-access.md +++ b/docs/administrative-access.md @@ -85,6 +85,39 @@ Example NixOS snippet for WireGuard client config #endpoint = "80.244.242.5:51820"; persistentKeepalive = 15; } + { + # trinkgenossin.pub.solar + publicKey = "QWgHovHxtqiQhnHLouSWiT6GIoQDmuvnThYL5c/rvU4="; + allowedIPs = [ + "10.7.6.5/32" + "fd00:fae:fae:fae:fae:5::/96" + ]; + #endpoint = "85.215.152.22:51820"; + endpoint = "[2a01:239:35d:f500::1]:51820"; + persistentKeepalive = 15; + } + { + # delite.pub.solar + publicKey = "ZT2qGWgMPwHRUOZmTQHWCRX4m14YwOsiszjsA5bpc2k="; + allowedIPs = [ + "10.7.6.6/32" + "fd00:fae:fae:fae:fae:6::/96" + ]; + #endpoint = "5.255.119.132:51820"; + endpoint = "[2a04:52c0:124:9d8c::2]:51820"; + persistentKeepalive = 15; + } + { + # blue-shell.pub.solar + publicKey = "bcrIpWrKc1M+Hq4ds3aN1lTaKE26f2rvXhd+93QrzR8="; + allowedIPs = [ + "10.7.6.7/32" + "fd00:fae:fae:fae:fae:7::/96" + ]; + #endpoint = "194.13.83.205:51820"; + endpoint = "[2a03:4000:43:24e::1]:51820"; + persistentKeepalive = 15; + } ]; }; }; diff --git a/docs/garage.md b/docs/garage.md index 6517123..e1e82fb 100644 --- a/docs/garage.md +++ b/docs/garage.md @@ -1,3 +1,28 @@ +# Garage + +### How-To create a new bucket + keys + +Requirements: + +- [Setup WireGuard](./administrative-access.md#ssh-access) for hosts: `trinkgenossin`, optionally: `delite`, `blue-shell` + +``` +ssh barkeeper@trinkgenossin.wg.pub.solar + +export GARAGE_RPC_SECRET= + +garage bucket create +garage key create -key +garage bucket allow --read --write --key -key +``` + +Docs: https://garagehq.deuxfleurs.fr/documentation/quick-start/#creating-buckets-and-keys + +Then [setup your favourite S3 client](https://garagehq.deuxfleurs.fr/documentation/connect/cli/) +or use the bucket with any [S3 compatible software](https://garagehq.deuxfleurs.fr/documentation/connect/). + +### Notes on manual setup steps + ``` ssh barkeeper@trinkgenossin.wg.pub.solar From 751d82f7e3099aa264c7c7df14aa32ab3a70d168 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 28 Aug 2024 16:53:06 +0200 Subject: [PATCH 16/25] backups: rename pub-solar-os.backups.backups -> pub-solar-os.backups.restic --- modules/backups/default.nix | 10 +++++----- modules/keycloak/default.nix | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/backups/default.nix b/modules/backups/default.nix index 379309a..54c0bf0 100644 --- a/modules/backups/default.nix +++ b/modules/backups/default.nix @@ -61,7 +61,7 @@ in }; }; - backups = mkOption { + restic = mkOption { description = '' Periodic backups to create with Restic. ''; @@ -174,7 +174,7 @@ in runCheck = mkOption { type = types.bool; - default = (builtins.length config.pub-solar-os.backups.backups.${name}.checkOpts > 0); + default = (builtins.length config.pub-solar-os.backups.restic.${name}.checkOpts > 0); defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0''; description = "Whether to run the `check` command with the provided `checkOpts` options."; example = true; @@ -256,16 +256,16 @@ in services.restic.backups = let repos = config.pub-solar-os.backups.repos; - backups = config.pub-solar-os.backups.backups; + restic = config.pub-solar-os.backups.restic; storeNames = builtins.attrNames repos; - backupNames = builtins.attrNames backups; + backupNames = builtins.attrNames restic; createBackups = backupName: map (storeName: { name = "${backupName}-${storeName}"; - value = repos."${storeName}" // backups."${backupName}"; + value = repos."${storeName}" // restic."${backupName}"; }) storeNames; in diff --git a/modules/keycloak/default.nix b/modules/keycloak/default.nix index 59d924b..38da6cf 100644 --- a/modules/keycloak/default.nix +++ b/modules/keycloak/default.nix @@ -58,7 +58,7 @@ }; }; - pub-solar-os.backups.backups.keycloak = { + pub-solar-os.backups.restic.keycloak = { paths = [ "/tmp/keycloak-backup.sql" ]; timerConfig = { OnCalendar = "*-*-* 03:00:00 Etc/UTC"; From 1d92ef53caf8b65cece4b9f22f52601f660d0912 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 28 Aug 2024 16:58:35 +0200 Subject: [PATCH 17/25] backups: storeName -> repoName --- modules/backups/default.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/backups/default.nix b/modules/backups/default.nix index 54c0bf0..5c286ef 100644 --- a/modules/backups/default.nix +++ b/modules/backups/default.nix @@ -258,15 +258,15 @@ in repos = config.pub-solar-os.backups.repos; restic = config.pub-solar-os.backups.restic; - storeNames = builtins.attrNames repos; + repoNames = builtins.attrNames repos; backupNames = builtins.attrNames restic; createBackups = backupName: - map (storeName: { - name = "${backupName}-${storeName}"; - value = repos."${storeName}" // restic."${backupName}"; - }) storeNames; + map (repoName: { + name = "${backupName}-${repoName}"; + value = repos."${repoName}" // restic."${backupName}"; + }) repoNames; in builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames)); From c0a3d90d63bb5358f626223698ce4b21ee4a8696 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 28 Aug 2024 16:59:06 +0200 Subject: [PATCH 18/25] backups: add environmentFile option --- modules/backups/default.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/backups/default.nix b/modules/backups/default.nix index 5c286ef..04b8324 100644 --- a/modules/backups/default.nix +++ b/modules/backups/default.nix @@ -39,6 +39,15 @@ in example = "/etc/nixos/restic-password"; }; + environmentFile = mkOption { + type = with types; nullOr str; + default = null; + description = '' + Read repository secrets as environment variables from a file. + ''; + example = "/etc/nixos/restic-env"; + }; + repository = mkOption { type = with types; nullOr str; default = null; @@ -57,6 +66,7 @@ in remotebackup = { repository = "sftp:backup@host:/backups/home"; passwordFile = "/etc/nixos/secrets/restic-password"; + environmentFile = "/etc/nixos/secrets/restic-env"; }; }; }; From 4626fd85c0b6d84f6c667095d3df8e3e0a7f87fe Mon Sep 17 00:00:00 2001 From: teutat3s Date: Wed, 28 Aug 2024 17:10:17 +0200 Subject: [PATCH 19/25] mediawiki: add backups to garage bucket + storagebox Restic backups to garage S3 bucket nachtigall-backups https://garagehq.deuxfleurs.fr/documentation/connect/backup/#restic --- hosts/nachtigall/backups.nix | 23 +++++++++- hosts/nachtigall/configuration.nix | 5 -- modules/mediawiki/default.nix | 23 ++++++++++ secrets/restic-repo-garage-nachtigall-env.age | Bin 0 -> 2582 bytes secrets/restic-repo-garage-nachtigall.age | 43 ++++++++++++++++++ secrets/secrets.nix | 2 + 6 files changed, 90 insertions(+), 6 deletions(-) create mode 100644 secrets/restic-repo-garage-nachtigall-env.age create mode 100644 secrets/restic-repo-garage-nachtigall.age diff --git a/hosts/nachtigall/backups.nix b/hosts/nachtigall/backups.nix index c5bf79b..46757bc 100644 --- a/hosts/nachtigall/backups.nix +++ b/hosts/nachtigall/backups.nix @@ -1,4 +1,4 @@ -{ flake, ... }: +{ config, flake, ... }: { age.secrets."restic-repo-droppie" = { file = "${flake.self}/secrets/restic-repo-droppie.age"; @@ -10,4 +10,25 @@ mode = "400"; owner = "root"; }; + age.secrets.restic-repo-garage-nachtigall = { + file = "${flake.self}/secrets/restic-repo-garage-nachtigall.age"; + mode = "400"; + owner = "root"; + }; + age.secrets.restic-repo-garage-nachtigall-env = { + file = "${flake.self}/secrets/restic-repo-garage-nachtigall-env.age"; + mode = "400"; + owner = "root"; + }; + + pub-solar-os.backups.repos.storagebox = { + passwordFile = config.age.secrets."restic-repo-storagebox".path; + repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; + }; + + pub-solar-os.backups.repos.garage = { + passwordFile = config.age.secrets."restic-repo-garage-nachtigall".path; + environmentFile = config.age.secrets."restic-repo-garage-nachtigall-env".path; + repository = "s3:https://buckets.pub.solar/nachtigall-backups"; + }; } diff --git a/hosts/nachtigall/configuration.nix b/hosts/nachtigall/configuration.nix index cdc8243..c226ed0 100644 --- a/hosts/nachtigall/configuration.nix +++ b/hosts/nachtigall/configuration.nix @@ -59,11 +59,6 @@ database-password-file = config.age.secrets.keycloak-database-password.path; }; - pub-solar-os.backups.repos.storagebox = { - passwordFile = config.age.secrets."restic-repo-storagebox".path; - repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; - }; - systemd.services.postgresql = { after = [ "var-lib-postgresql.mount" ]; requisite = [ "var-lib-postgresql.mount" ]; diff --git a/modules/mediawiki/default.nix b/modules/mediawiki/default.nix index 4512b55..63367ab 100644 --- a/modules/mediawiki/default.nix +++ b/modules/mediawiki/default.nix @@ -232,4 +232,27 @@ in }; }; }; + + pub-solar-os.backups.restic.mediawiki = { + paths = [ + "/var/lib/mediawiki/images" + "/var/lib/mediawiki/uploads" + "/tmp/mediawiki-backup.sql" + ]; + timerConfig = { + OnCalendar = "*-*-* 00:30:00 Etc/UTC"; + }; + initialize = true; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mediawiki > /tmp/mediawiki-backup.sql + ''; + backupCleanupCommand = '' + rm /tmp/mediawiki-backup.sql + ''; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; + }; } diff --git a/secrets/restic-repo-garage-nachtigall-env.age b/secrets/restic-repo-garage-nachtigall-env.age new file mode 100644 index 0000000000000000000000000000000000000000..fc0c27bf224954b5a815f520dc31661704ade5b0 GIT binary patch literal 2582 zcmZXV*~|0>8O5cgQgYE!uoo`Ki=u+V_hp+*5{i~&l1yf@O!iDtMKW0@$t06~5rryf zEm9E$6$PbO#n$Db2$fQ$F1;*56_?A3D59cJ3RSVb2w#!<7o2A~=Xbm~yb%_DJzd&U zS==n^80=x-#`~|DCb zNge0&3X*bcQP4+Qfz&t`u~b3MUy3CAog zg-sn!_<6NVMKed`06c6&z$;>~9@NW>#M*M*FmN@)U@6WDGc32HR2qxb?kqI3Y^6}x zTBbW$7q8AhF(EL4Gch16F>dG16Id~jIqD~eGnS-x0gbRzGSbw@)2eby&YD3QIw6bG zOb!-ZlT1+J3TK%FfWpwe6F3@Kmnds%3N%orYX9OLOn^iOe+T5-m}xiRvUBZdK18c)YOZi6UC}-u{?6~3um$I z_1k=O-5$mQ=nAq2^JH;RO9`wp=;DASs#qmIQH%x4qXJ%p89DFmAt44VZ)bex!HIVy z9U-A=oCdsexL3MK^SX1V4he>t1Pf`EuczB;gxRW-^DsU5Xub$^lGygGcI-C2W2dOU z%=e2P;E(+TaTphr417_18SPrRS-EaFq16ia&6DKvCCih1Ed8&KGmgq%0d3V6guLZ_Oek&D#BXwYwsY*hhq*UXdJ~}Go^<# zRL^zk;@zHA261T1b*2|Hi;upPth2+lCF8!wfojU--G=N2Uv&7QaUzUCl{~XAdBc;= z=A^88&IU1@he)_MgK6m2{l$%sF`v7lbcleZ;dfad)@24-nm_I6nm2${exGYI>-FA&=- zBSrII9at5H8!e`}IjV}V(h+H?9>62P>+7^3A}b)HF~+MbPdEQPj@+ik@k< zwm40-tD)U_MPy)Dpu7!cqo z5~Z-`2{!|ob4vzI3~!VO30o8yq@c78SzF&Jjaqt*bhj?KKrJL!uMV=UU%Z_XvT4CU z6uyDP0H)8?HJn*-Dh~eNWrH^4Iqaes$Yd>~9$NKJda_gKuiW(p=zGt7B>d<7zqsRfTtMwV{pv68eBr+LefeMCZomEq z@$>i(zH|G1PdxbGzpEEN`}EDb?%#g&N2}+)|J>bA-CRBK((j|U? ssh-ed25519 iDKjwg yk6WgkJbk16Yqc/aWojwDePfNZN3XgaiacpZqufw1hc +qx3x0zCUB6l7qPS9R9xGO41s6ESGsNd/ixglY4gYDtY +-> ssh-ed25519 uYcDNw nDZXlykiDEZIA+Srg6imZFRLAzhykR3PDVrfWb693Sg +MBJrrXbtLzBozetgfZaE52o1ixsrPK6Ojdp8sXhI3dc +-> ssh-rsa f5THog +WngnjCboeUafoR5NOg/+NFeW/ILxonIrcl7iUQLXoObcFWtmgzEebcogo3kqnkdk +cj7NnqQ/sFiHdPCBr+VyiWcP4BJHJeWF/w+Ht9SYP5+WlHUkC2IPxlcMzJFyy2ro +9PDq8FaPX5ZqarOfBW+U1pQsegxG9wkfoSzoF8NVL0jU5mwubPc+1s0ycbjMcGzP +CSCpWY0OqqRbCXj8gVBNOOoELVhgbNCO0oRWh6Iafqjrx/rO4MNAdZmUF9DiTZML +8QQjBFR7G8/+4ehGHn/9PF/0yVVsnPaJTEo3juS/By+NVcCihwP3b0SgQkjtp73+ +2QZL4XImwR0bBLDla86IjvZWH7GkLzR8iAw75FZ/FGIxZ/XgwRcUqtcI8m105KAD +iX1v7ai0LUYko4RPSqdDItEdGjK31Dl4bCdaLakO+aZdtc+60c7hx8uEoTp7JY9W +Qmyv4rt5bVUUAeH0IyR72vTDpTtXSkbp0vypk6Zq+yhYjbe0wmakAPCF4WbIV9gQ +YIoSyicQ3NYxfrQGcQvmct2dNXXZcCr8BW704/J5w7ngw44FiZDUIC2y562sHD84 +9rFO0obVGERJa55+MnZB4UYMqU3eWs+mkxHgWotx5yEtO0wMpTP9IFk92scJeV8h +bdr6fq1p6gtFlSNlA7P8A0go1SWs+qIoO/PEPyznoss +-> ssh-rsa kFDS0A +RM1VIV11yDWaG7KDnXbVt+Qo9kIC5kPO1JwpROuxbTH8tDGbu7bC2mJ6qsZo1R5x +ewtmDVwv+Gogs2drjQeQgdZH3qN0cMt34micbW2lvBW4NmvAGKEQ+dkkUgIWIhy9 +dNuFBCHAGqfw7FDqvX1Mm3e50CsbIVqpurBXe882seMjm/nSVzGgjOOQVaQKmNSg +04s0gsLzN1f98kQtKuNPlG8Fun9y1bKLzWpBT2iriQInkhcWSwYqg1M0yM7U01j3 +Kcxn4LJmgB9qNkloEKNpHCze5fgIGyOf+MsG4VN90CvwpNxy/EHrEyncXDxSxiCt +A81PVHCZfC7fQTR+hF2s1xGcW9mmtRpPPSEUrGY84cW2k8m4E5A9J7MJZ7FOKe6C +OY3LoU5KCV292ujHqYs1c7JSJRqVq4IMCupsNL6afzB/Fe+cV6GX7bXh1ZUl9HT7 +B6j1QH2xA9OGz+6VDrB+B6cdnxp02zRZpuS19uPTJqpIg4Sgc4vvw7YFQfz8AfUD +/SafkBpVKznEHl1/gO7bOMa1nTkNBicUp6d2Z/zNtJ75NJPb3qYc4aVsaEuyMPts +ieMR/iieeiDOMPhedtibfCWZ+0YrtyIrkkUsPK5yG76VbJgMjSRyEP+bXTedih/b +bTkE78BoV5DmNxGEAva2BJpMKtn3Or8dCgSudoSlI14 +-> piv-p256 vRzPNw Al8mhhyZ/0YFf7OSKeGm3LZhowpCdcITOhtjmky7Ygnq +CxFNUst8+6e6Cra/j7Pa2lZs3lHGLCOWRInb1VZTr2M +-> piv-p256 zqq/iw A+r/W9OhuPjuGXRuhp1vW45k/QzCFO6VLfp1W6l7RJVU +GxunFSBPJnzd5t5Ar42vr06tyJkJvZhljlGkHVZOFOQ +-> ssh-ed25519 YFSOsg e7udSQwtwKETHB0Re59fb1DdiBBPLDbV/JHmUUI4GSU +054wi1iKJm8lnWDjONCk+h2vea0setKqdCpXHuJaecI +-> ssh-ed25519 iHV63A S2sle86zYVPjtCozODRjqtTs6a5GksTpJHkmO/WYzHU +7h5kS8Hc3BiyhiWerEa9xPX6o+D/bxoJLK1fXFq1jWc +-> ssh-ed25519 BVsyTA 7meQJdKDB4JLKsYmBPgDBUnWhil1fKnoijm+uzHDemY +1bxklkYv5KYab9fXjMtz/w5QTUYMlZFTQG/khBftlWo +-> ssh-ed25519 +3V2lQ n1bF6+o/16zx7dEt/Um1gL30mARiuPaE6z3N+qjFZx4 +7ZjmhkuJDYXLcMoUEA0wosWcWZ1T1oR45kVhFyQwN1E +--- TbpcaLv/1jF23nynpaw1XjSKsO2t9hAxovPQHKhXAoQ +P^fE~6O[-cf]9e64El2=sWOQFCzcbT;[a \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ab52663..e49ec68 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -54,6 +54,8 @@ in "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys; "drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys; "drone-secrets.age".publicKeys = flora6Keys ++ adminKeys; From 27dc20dd04c7398aa0e1ce2fd0dfcac4f7445311 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 03:29:25 +0200 Subject: [PATCH 20/25] obs-portal: add backups to garage bucket + storagebox Restic backups to garage S3 bucket nachtigall-backups --- modules/obs-portal/default.nix | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/modules/obs-portal/default.nix b/modules/obs-portal/default.nix index e2733bf..dfd5793 100644 --- a/modules/obs-portal/default.nix +++ b/modules/obs-portal/default.nix @@ -147,4 +147,26 @@ in }; }; }; + + pub-solar-os.backups.restic.obs-portal = { + paths = [ + "/var/lib/obs-portal/data" + "/tmp/obs-portal-backup.sql" + ]; + timerConfig = { + OnCalendar = "*-*-* 00:30:00 Etc/UTC"; + }; + initialize = true; + backupPrepareCommand = '' + ${pkgs.docker}/bin/docker exec -ti --user postgres obs-portal-db pg_dump obs > /tmp/obs-portal-backup.sql + ''; + backupCleanupCommand = '' + rm /tmp/obs-portal-backup.sql + ''; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; + }; } From e2ba1aacf49a012acf75478c07679c9a778400e1 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sun, 25 Aug 2024 03:45:53 +0200 Subject: [PATCH 21/25] mail: add backups to garage bucket + storagebox Restic backups to garage S3 bucket metronom-backups --- hosts/metronom/backups.nix | 26 +++++++++--- hosts/metronom/configuration.nix | 8 ++++ hosts/metronom/default.nix | 2 +- modules/mail/default.nix | 16 +++++++ secrets/metronom-root-ssh-key.age | Bin 0 -> 2813 bytes secrets/restic-repo-garage-metronom-env.age | 44 ++++++++++++++++++++ secrets/restic-repo-garage-metronom.age | 43 +++++++++++++++++++ secrets/restic-repo-storagebox-metronom.age | 43 +++++++++++++++++++ secrets/restic-repo-storagebox.age | Bin 2467 -> 2576 bytes secrets/secrets.nix | 7 +++- 10 files changed, 182 insertions(+), 7 deletions(-) create mode 100644 secrets/metronom-root-ssh-key.age create mode 100644 secrets/restic-repo-garage-metronom-env.age create mode 100644 secrets/restic-repo-garage-metronom.age create mode 100644 secrets/restic-repo-storagebox-metronom.age diff --git a/hosts/metronom/backups.nix b/hosts/metronom/backups.nix index c5bf79b..3512b7b 100644 --- a/hosts/metronom/backups.nix +++ b/hosts/metronom/backups.nix @@ -1,13 +1,29 @@ -{ flake, ... }: +{ config, flake, ... }: { - age.secrets."restic-repo-droppie" = { - file = "${flake.self}/secrets/restic-repo-droppie.age"; + age.secrets."restic-repo-storagebox-metronom" = { + file = "${flake.self}/secrets/restic-repo-storagebox-metronom.age"; mode = "400"; owner = "root"; }; - age.secrets."restic-repo-storagebox" = { - file = "${flake.self}/secrets/restic-repo-storagebox.age"; + age.secrets.restic-repo-garage-metronom = { + file = "${flake.self}/secrets/restic-repo-garage-metronom.age"; mode = "400"; owner = "root"; }; + age.secrets.restic-repo-garage-metronom-env = { + file = "${flake.self}/secrets/restic-repo-garage-metronom-env.age"; + mode = "400"; + owner = "root"; + }; + + pub-solar-os.backups.repos.storagebox = { + passwordFile = config.age.secrets."restic-repo-storagebox-metronom".path; + repository = "sftp:u377325@u377325.your-storagebox.de:/metronom-backups"; + }; + + pub-solar-os.backups.repos.garage = { + passwordFile = config.age.secrets."restic-repo-garage-metronom".path; + environmentFile = config.age.secrets."restic-repo-garage-metronom-env".path; + repository = "s3:https://buckets.pub.solar/metronom-backups"; + }; } diff --git a/hosts/metronom/configuration.nix b/hosts/metronom/configuration.nix index a43c836..7203746 100644 --- a/hosts/metronom/configuration.nix +++ b/hosts/metronom/configuration.nix @@ -23,6 +23,14 @@ pools = [ "root_pool" ]; }; + # Declarative SSH private key + age.secrets."metronom-root-ssh-key" = { + file = "${flake.self}/secrets/metronom-root-ssh-key.age"; + path = "/root/.ssh/id_ed25519"; + mode = "400"; + owner = "root"; + }; + # Declarative SSH private key #age.secrets."metronom-root-ssh-key" = { # file = "${flake.self}/secrets/metronom-root-ssh-key.age"; diff --git a/hosts/metronom/default.nix b/hosts/metronom/default.nix index a1699f1..581b151 100644 --- a/hosts/metronom/default.nix +++ b/hosts/metronom/default.nix @@ -7,6 +7,6 @@ ./networking.nix ./wireguard.nix - #./backups.nix + ./backups.nix ]; } diff --git a/modules/mail/default.nix b/modules/mail/default.nix index 9b28816..ca26112 100644 --- a/modules/mail/default.nix +++ b/modules/mail/default.nix @@ -67,4 +67,20 @@ }; security.acme.acceptTerms = true; security.acme.defaults.email = "security@pub.solar"; + + pub-solar-os.backups.restic.mail = { + paths = [ + "/var/vmail" + "/var/dkim" + ]; + timerConfig = { + OnCalendar = "*-*-* 02:00:00 Etc/UTC"; + }; + initialize = true; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; + }; } diff --git a/secrets/metronom-root-ssh-key.age b/secrets/metronom-root-ssh-key.age new file mode 100644 index 0000000000000000000000000000000000000000..c07ac8df890795c0be86f4763ad2d14e72b62c7d GIT binary patch literal 2813 zcmZXV`|s-n8HWuT&>AGcTQH(u0Tr!>wp-h+a?#$_^|E$dyWR|X+OF%`b?a?y*J(VW z9Jy$~2&e%>4+;wL7Zegj5IGtz2quW2c#FhHKp=t_NJP}HCK!YN!27)Uy|P>!2xc7&Lx{a8i_t;2*RDXw+v4>y8&hpxz|b(y7s& zjr7D$$=MxU>UKi02d&VuhBt7duef<<;ZcCL@L**nFDKd#ErU*i?kI|3s2vuE3)Ijn zN`o@Hn+M&r9MKfI&Wh3kXJd0qhs{#S9RO`y+eb?*nd)nyoJ)~}#)t%t6l82Ag4V#I zkqQHWF?5G0R;F#tq(qyks;n%SmPdO)q$E-hENZcUgLJgE)i^?oISu!1-5mCHd)VNF z+Do)yR>CU}olY9Qb~1}yYlzFUb__tgmpL1Mh{6+9oNS{Orx)wXZ>3&3FNP;sZKRWT@dcD=u0cPH2AC=_NhGqAQwEQijx z9ji_P4G{rVc3N*sH&QvIC(u|YfWbzd;ZuQ2SccMS5#a|0UMlw1n>F^5fTwBN=yohY ziIp-!IFTYVvLl%!!`+yfWl0NwILlWSX>10ZvY^r7hMaa)Z8?a-g*=ml&CbR9kRk4j zMDFP|6*dcu3n5werY1>YP7XNgc!8zda3*l`T8kqaUyj`hF0phNbd>2BoDhh^vKq}T z|F_4>0i(erFv%MgGtjNuv|xzssHX9x5y!b(-6cl$z-POmj+#vX$7^0^60cbl3OG;`r7)J|eMq`?*a#Y>x zdp3>qWIzf_T-D(+Lsm$MCevTuCMcqp z3k~obGEKM?mql7oys5aaz*c3+NU*5P$v`_8R*3_9*1!Nqybh0aO6YaEHe@A<+fGyt z@R9+zub|q*yTQoj*K>2$5hP-rS~M=TnuXas#bL7B(|oWg(hNcvVXhaX)v&ZTvQ+>j zU?G?cy)AFk6}zsZAvQ=B!$b)jXvNRM?WSSva*MYCp~I{BkWo9)oF}%h(w!r*SpmT? znrmw`>@3B}02Gu;q;VzauZosmE0`WAy$oa)Mh8)10y4$rwnF^bz~sh^k~gb?4p{NF z4?A(SRMF6@rEtZMcROl2CC6!@cmH!U|7Gp+9E$c?dDnCba$_mAo>WUeW2FLOdW+@8Uj&uyVT+w2gehGI zyAF`{$KJjc`dU`!3v!MohS=jpx>I3PTy2!rHCwHS3DV*C=kN3RA8HRYr409Ui5Ju? zYcSJF8WM?^fRJ0Uq}l}%<84}@QY&N1R30psKv;C}jd^GLdmTgq>zV$Ut~C}&up zYUwlu%X&qaaIjl)m>AJb871q8I-RUfc-|Cc1#H9Cp9H?YgL?oU*g+iktgQpARC#iF?(8FLw;u`y&Oz7Z4_X7~UkjdP!0 z?qXY@zY{&r(?5RrqRW#DPPz2_H$1X&9`3ySrt_{m z`j+>c^2n2?|MQ~DxxZz-{*B)$j$U=>wbsE~?|$wt#0^7mv$^EAPc|q0^vI*8{Qd{Y zvnOYq{FHdvrP2D7!B_wG9HM;keSiG>W8c31^v|ka`uT0&_yuBLvyXZHkJ*nWt-UZ_;?mx5n?9)HF>gd&9yY}dD;BCk?#Z@9 z_5D-seBwL5+eOc)7ytI!iywdRWZ>p6T(r6V%)z@)dSHF<*GHObIwwAR0b{(i`SU%$ z|MZ<icg0=t&Og+D&-(Z_B* z_7jKUFMRazXOBDU;-9?h#cEL9ck2U#*Sz=aJMMn ssh-ed25519 UE5Ceg rpN1FsYIOjsiqPAt3iwd6l3ZEDYNomnzcvgowqS1CAI +A5+KU6SOzcZzTQPkEPp1wN6bq9junwauKDPhM1eKi+8 +-> ssh-ed25519 uYcDNw V/zOsw5KmaQUm1YsnJExXJThypfsxOu/CS+EQ2np7RQ +vMGUU/OPOoWiyR70xsXarqWN/AgegeKgTz5lOPa04CI +-> ssh-rsa f5THog +Z3tZv8bK67z15PAp4RgMEi1Ph4y5IFBIVNHdhENVTt2zS2TnzTBoUSypjaioRlGj +YKYuUl7+sFys6QRHOWTrUM6CFF6KQo/hYR5bsFG01xE9xoG7e4V5x0ts6sFp0Xme +0nl8NBfjbORhKYyCEye6p/9EvPwJ7qpRrQt6TUpnShv9BLrZZpEyw9sy7dXS3Sjp +btXgkOiRmIJqkYLyZ3fZF2uDlOiCVVQn/m0Bii+t0vsp4ZoyvMyc/ho3pN8i2GUV +QvUPAWzps4LTIKUf/0IYpHV4adyEfXD09/L/ShPxXJjLrYpT+4JjJqzIg5Gutbyk +QRBP52GFqyt3V6M2yM9THvdk88hhczsIH37VGLmdPH+vHDG1LIabgf9rJk14+FmM +h7/TE7M4EG9YHG//zLVI4WaVf64G9Oxet4y80BhCF4kpILWRm108mpwwzPL48tR3 +VMkiX0NpP0iOe22vV6u5zzugHQYqMvR6dPtrc4yBNUPgHhOLf6GWDhX12y478o91 +ILUM08J0R0PCJhH+8LARfc7wx1fjoxeJq468sw6znHqcqbIh7WPxarKaiTbTA5bj +06oA4YHzFbV53AbiWNHcrKCNvLaGWOw+2vtXRg8UMmbbGr8icqbLMYl7qY9kS7he +wINMQgMKD79Q+V3AweMqLuIn1AyLpqwVmh9Qon3Wzdk +-> ssh-rsa kFDS0A +ZpHhJzIt2oAC5Z/xJabaunnhXCE5Ijx+Uq/s07uow2tpautkMhmP6SbdgR6zGLFV +QJMgHmDgOqybYLhaP6t8KCygmeT9DjOB47H7mmZ8yvWAitPXTpbJzlFUls6YH3Ei +C4lxsEoCjbH+znVTKFd4220Cb4GGvnMS7tXuAnQ9GFMAn/90LFBzYjbqSvkDyv/n +9Ej1Nya5r0RQg/BcTKvppr0sfdk1wCEE5jDrHAR4zMmofFxuFi7V85IcRdsrU8ij +JawhvCYGfDM6G1Yh6j8V4oaqo3gAqki0CYF5gXED42sfPrxXLV2qtYMRJSua9z0i +Zo3SgDa9WVQslqL0VZoDXn/KyDqUYWYsfsVY0kXrMezlN9+Jm77MFVWMdXNI31eG +EIAWMr0f6nsTuXV58lwXoijSLy9Ap45TPjbVbp7+1JkD2X543DuJD3ONiNq01gey +a7aGLS492IByZx0mw6sb9xpTt8jP6enH+ltqcE6gMsEcxwXfmagVKTxtNrK0izWm +g2GdcpGnVqioj42lchUJzNt/PtPqutaraEvo2oq2cw1zxCjY4zxdyNO1RdaFV71b +fFj2JJCm67GFHWdlqbAePTx2SvUoFt3a3N8DMNFKThGQN/1LwOaKEd25ZSTNEuwO +1exQgJfC2kxrfypEmQP/whSrk2kR13NW40bBHvrZgjo +-> piv-p256 vRzPNw Awtb8p5KgsKIBUumqHnVMgux3dRS478DdNpCENgG3frB +wcIPacn7KP7gl0Z5SvtoYK0pnIjWLwUB2UvVQdWJfso +-> piv-p256 zqq/iw AgAk66eJ/xs+PqwTBzazW4HfK8dawj/3jx5opFOaGLSj +xThgJOorp+YXS8DvaULIoszFubEfACcKSy+vwf9KMSA +-> ssh-ed25519 YFSOsg p+/PUojxwOxpfBfaDOfEHMOGS1oVCrl9dskXgo+gOGI +PPYr0WVPDwRiFGo14Mx+Wv+gkZ91S7CKyYslGjCI/lQ +-> ssh-ed25519 iHV63A iXr8vgW9lHnX+rX/E9/NrKNbF+LyRpe0M44P0IxaBHo +/odvSKNzyS8ondJ0Tcuiry09NM4ozFn2qeVMqRgR17w +-> ssh-ed25519 BVsyTA CgGBOj8nDcfP7GBIMnFV89WF1CAoiOFbA/dUOWggmVE +V4CUV5WZbVTPm3AnoW6WfIqIdcMW/Sm/FTljx1awdeo +-> ssh-ed25519 +3V2lQ Jg+gASEMV3bi9eEB86rFfguh6Be/yOO2szI19Mk2BlY +q7vBOf0CFOUfxbpvwD8rpJH3asQqqNqWBJSzwYTBErs +--- KSBDnbS1GMq4I8FXEljleKo/pKvauq9T8vomtInIEOQ +~p +ўhAV>m< 1|Ly ssh-ed25519 UE5Ceg ys38fGOhLJNLg9zx9T3v2VgF2IbOr/Y/rj2+dWkcAlU +QwkMX8WKgcJeGUomDSLjijen2K5UcRnYYwtebrITDqU +-> ssh-ed25519 uYcDNw wF0oWExIUjlP32CQzOvp6MyEvFw33Sm8pHhYn3Sb0zE +RHslJJumyXoCLHLw4sGlSLK++UHmgq97KPkqCu77G3o +-> ssh-rsa f5THog +pFSH+qCW+oM9zn2j+830+bja2rTXFuzATqfMNAq3o38ssW8Nl7+0FpkdMam4iYXu +sw4Pcaj1QPTO8PbhkEvjoOU4f0bUsVuJSIvcour4k8SUOBgEMiW/98AVSTIk6KBX +PvA+4uZn2Is+bB2m9EGCguwLJ9zzzfbur+USMQvwkQexg0YRpSfhJsRbCplLXhE+ +ZU6ut4HjCP0XWwvxgFzKc6sY4X+/PeWFJOd+WkWy5lL6gcMqUz5DXoi1CeG11AR4 +/hQ5KSJBpVsxw/ib3lSkGjA/ktQzwp4hZTI0l/dH9VHOFQflM8/9hPCYT2gsLVpF +7F2N++tMjgqbMI6Jve0gXLixpWFflr7X5UIBFW96k7/Aq2G+WUch/COQA6wTmfqw +OeP1wGd4Ka7YsgGByH5kuL60xDvtHG6+fYlnPXZAB5Fn86Ct6vRmWw9KUvLC7LKU +iBXDccJliY/y4vGFZH74EYlimurEfaBPiT5sxAk0Ke6hoJued3sZ39Qi+wuxMxFH +pleoFR/n1gBq2bu8FqTQaaNXB2Rsy7q4r5Fy1FxRJqDPgHJEmPx1k4rmYPq1VIaP +/ScOstPQgdMNBqVsBGoNYq7vewkzoPl6MkEwh6gP7IjtC1nvYxxwlGh0gESe3RFm +4MRh78EZaY9pmqIRAf/sRzajky26Aw+DkphmWNUjMTA +-> ssh-rsa kFDS0A +XsOTwrszUoHm2k4XSxiLniJZNWYfJOEn7riuDaQSGSW6ZpjMloD8K1FsZ/ZbMoUP +S/QD71rnETAhfQc8JAAHANOarxMXmSw3y1tSmlbL2h+TRnSoq74a1nK4Ble3aszu +y7tlUuUn3vEX6BVPRNOWM3bGW3oWNe5m0sMUAc4YSUXryWF4V48c/GbUp3T0OrRS +jm+5DWOPxt4VcLuCqe4Nv1jrjPnb7oui/7grMuottf3JRJJQxv9qZolRwlhkG2RN +4fuUSuOYnFUuHuaF2cfuTpOPaowLbh5H/Y6ETzOp+z9yNSuxRsdNgA63GrTsAorI +2axdnMakUsP7m3Xxu6YsVu8xP+Sso1xzPZoEQKA+2eol0fZpQvRPrZ59bqaf9p5U +VTIKSqIAIxyr/XN/s8S4ygaNKQZW8yBColG7TlggTth5v3XqAZ8RhcFXUg6z5lSr +RErV6Bio9JIZofvNEiJaqrl8uTo8dU4ymVuYZoEiT/mW3noqBrZlKUh6XZFMplmk +5giRTDThA3mirSTTELFCsc08kJMXqgkOzkPk5xm5kgP7VD6t/0SfGxetVWXOlUNd +dbprg8Oko1hdlO+LePY1n50TTFKBl9TeZWhvcLOhUizc0bTowUcXm+04Taf+MDwa +TMxplrtahOdCTz8k38c/HwBeHtfXRevh8A8Y1qnJXJY +-> piv-p256 vRzPNw AqccwzdKUA4RP2LzIfcTlAN9LsoEB/b7tGYyM8bk39Pn +f0srD9t9HaGY8OIAVImqJSrvHZRhxfMXkYwot4LJGeM +-> piv-p256 zqq/iw Aj8544WraFJMX2S6qyzi6CTal6sRnunmzbMO4KUQhJOO +BFiQSdLgrmgPnynqmSLNBqiWkyBme3KavSbi86HHSck +-> ssh-ed25519 YFSOsg Zece1bOI+mVc6079POREAnnzSG7ZytiTRDm+NzbbhVE +alK4ODfwrgRSDGWzcZmIuyZ88axaiMzSNfeGspsgk70 +-> ssh-ed25519 iHV63A LwfUkisQGB3txmxYYLlZSG6ddxVNVC9+UokxPiXEjRc +yRmtdHT9uM0YkS/s80jetMr1baDjGsaRubVKbJVPpCk +-> ssh-ed25519 BVsyTA +8LVssLl+DiF2f3H0KhAhvzEvTjciIAcRM9ZYwrGQh0 +CcQxWwMBdyXXzDv10vUmXBifYLXsHKOFd2/L95RGT5U +-> ssh-ed25519 +3V2lQ RWquIefIO5crVvrUxdatV7OvTv1Jabyq4IF209Ezkw0 +0SM43tcO7m7FQlNJe9QnhC9J9PwHoVxucRtZGpcACUE +--- xx8BodL5hv2CyeZ8m0tGXNzmH2DGaCveUNobqbAQK8U +)\9ct4ʿ~eJ}<[+*x>;m/&I:ϑ3 \ No newline at end of file diff --git a/secrets/restic-repo-storagebox-metronom.age b/secrets/restic-repo-storagebox-metronom.age new file mode 100644 index 0000000..82e418e --- /dev/null +++ b/secrets/restic-repo-storagebox-metronom.age @@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg Ut5S3qcz82qT9y6KnUG6WfgvhZ4Cq3akEnw6qkfOkHA +uwaOk4WQxkj/R8rw31ClUm7nS0nz5OFVyyqNdNjSKY0 +-> ssh-ed25519 uYcDNw kwQz6q16sYba+q2r/lH6Z0kSSXSxVrjGpK/3tPj4CT0 +nTo6jrcpQ9niGGxhuS7mZva6KnrYdjqvobW3yiZsYU4 +-> ssh-rsa f5THog +ugWQuX4fXVBJ/MWuVaM9Wj+kUFIpKV/+2C+Hxe4xg05/HmVWH95/TUE7QnhBKu1/ +Dda8oQL8xMSvThxUh0tY9pJjUMa/1ShfYpIAD6zE311bnPObDAZRBtS6fF5m5Vcj +9KL1ILwj7/Vj5/OMDM4BuEL1cmTmX2ohj/ho7hoWpU3ejohQKxpsH/atXAPevAgz +oajzoiQ2+qX18gW4tTLr9MqGuIQYDhj0f1YsPR5gMQEukwGJcQYaZZe78wRV/iGH +n4xbdRJGAxWyBZqKqeNKmh/VxdoC6wxIpAM3h/tchWA7RB2kn5rJBuk+XOF5pJLj +tOjMpoJClHwIgr8hmIMb5eI5bQdBZi8sIuwgaxe8GAjfy1fXt+XcR30pWW9xh/la +yLSEnz7OtjNPmHObWxMLmYkIX16qKXmdA1IMJib74THqboHOIFI08GVKWs6xCAr7 +9Mk4tFejwqPurFskwmX5Ubls8b5hNIO8Cz72RKwvGHwTFTtOR5Lzp/gRmCTD1qlb +aNYOZnduZ/ApxwG0OnNbC60C8+NB8EwRToiHmXLlnFP6WGlYKlSKy/WjJFjreFIJ +9hdiKCcHE87gsD2dEWHW4Hq4oZq/SwVL2FGCHC5dgohkY//i+aQVeSqAtvOR3tsb +CnKVhf+O6dMVZqNUeONGJ1oEaZwZJzBST9XXv6Yi2rY +-> ssh-rsa kFDS0A +EmZCGuxH9lUz/OuZKjKfkeone7oi+AETEpkUH909lc0LoTbk96Z9Q9IsRSxcrXh2 +CuQ9c8zZ3PgpwHRxLwwvCef4VMW2rgu98FLza3C41tww5ceudK/p/vwCPACUAV5e +T8fUGg2OTUFOvMpFtPejoD1fjrTHWahB4DW4r+ODbQM94fQiHjzq1qPDsFf4WpKF +1azagGfB6uejCewpQ+M+GnUZXDjOTi2IgA1+/dqQz5kGhVA9SnykfSxWGZKjcGPh +10EaBdrO5bqIh+Wf/b6GktFWKKTOipD6VzxiMbppMqr4pfRpFYy+okunl29ky+xk +6LTJHw5+19QB2YZMAbHCivmZpX+rfuCI/4JmUMfdAHrdkL56F/OWPx8j+2gFFkTm +qOUVKkuAKWfJFaUgfFbXtwwuE+JH/RuY1flG+PJjMr1xxnttFs3IYP4CVEH1j3Yg +APzd3PYpkW3fkCNT3PUJHDjVhzS3jvAjIgD2qDwc/AsQyMjJuyICSL8ciSb9PQMY +JeGX+4FjDpqgZeNYD1CIEEraAkoHoEBi2puNrsQY11qgnC/XXAfubz2XDtF4NhZS +Lr29oOuqwl9UglQq1yx0rmPyLvb5fstFvN1JELTuArOX9r7uyV4tEjhr1Emjcmlx +20XOvDtSRQNyG0JypayZcng4sXM8yLZngsUR+9kMZjo +-> piv-p256 vRzPNw AjEZFjCMWC+lzG6Mzn+yk1ylhtIS0rr8+uG3pONi8aUB +0dJi7kX8PFsGGo2nKxJ9DAi1Psz/Z93xusQ6hvgfo88 +-> piv-p256 zqq/iw AmPSSktHHwoEtSPexUIp4gro8kbxyiBi1F4I9PZBJXUN +SllB8/hq5mPkqidZnpSCktBs4IKyDn66Rq4Tn1CHjZ4 +-> ssh-ed25519 YFSOsg dQQ89fQbmnEc8ws1Ph1sBcnF9rLeOJHcT5aXzf3wdBQ +7Wve8saqRX4bbskIxPqbN6+danJimre2tNm5Y/nLBkI +-> ssh-ed25519 iHV63A 9Is8lLheIcDBr0A82rW+ercEGb4WOOHYu2ArrNuwWHQ +koc4Tp5KNMWlvqIY2Q5wGo1RV4PLLjbqZDH/te2+9vM +-> ssh-ed25519 BVsyTA SbXK3Qyz2KIN5+SuYQri6oQSVRFTsekvtCRissDF7nQ +EOuZGw1k2Ql6co/WFeEn2TmfGWN1ThCkksa1RD30yTE +-> ssh-ed25519 +3V2lQ HRGVqQxpU9SCs0tD2gSuqKz92HE3paG0JsHru3eliEE +U1z/FTfrf4sb4/gpEjHmpX559JSn7zsaiQUeej8ofpA +--- V+P4YcVeFP56hwKuk4ZLSzE/zCSvYyCTrKKRj48AuMA +%GY5fv]W1t]/M8U=bK[P1iϗ'yPU]6' fmey \ No newline at end of file diff --git a/secrets/restic-repo-storagebox.age b/secrets/restic-repo-storagebox.age index 47a89e538f0369f3c30fd40e3772360fb2019aa1..64252211dbeadfacc3e87550d95245b853eccce8 100644 GIT binary patch literal 2576 zcmZXWxy$?r8OH?+A%!3)tYGn?D6;W2lVoxstR$0UCii_zx=gOgeNHafKfq!IMG(|N z#bfQ=!bU8%6~spD6&7T1LG2WL6;|YD`BWbs_&%TS6K2VC(nQ17O?lgVxg9cShJoid zp2qS1oWux*!PJw(VW%W}GRHIJC5GFmIbv+KN?kU7xT+v`k#KjFTdt8)qNq=}?*Nx= z82X!ADd&Bc&{=lT6bd|YN~2;DhyubCFwc}C7#r?YTFy$vl0Es1X-tln3t?J`aL;F& zEfNHrROEMmmV_tkCu7 zS80!H#Hz~^wyOR(7BO(gf z=BeEjHqB>|$tq$!O`QY^%K_ZtOEhhlP<+k8O$ z7%_>{!@I-fT=Wm*P}v3=WP949RlzLcKn;=r@Rft#r<{sZX%j*geBe7K9i%Q#rS9Yh zX{nJ1kqizSZ_IPPgs+gr}S_yTe@qu&c-@5ZKQwP~OaTSQBp_yHTUG8_|kqoPI z=kxIhV)%`)j;T3V*yQBYEo$K_tCfrg%u;8TIfqaDR97Ky2G%(uXu3h5mWy}am!?cd zg*A&WQnC3nl~3JnUN=iNHGfIP7PwKYwq;B`8Y~^goV)vNt3rC??oq{U=YyAHJ`Xl_ zd*cjt+lk1xyfy@-2ihcI!|s5h@`&%VC`2Qrjz8)}ohPC9kS#3f+76c5<<`=XB=ziU zP_;W(wD4&oDC&pE_zdF$ZpXmax)6w-2Q4WORpO*35{);Zoa#iqACIoPYvT_3GLIN^ z3DKFPOZP{dVdi`zY#?^LgMwxbWOsEAdzpSzq@pTKm7urDJ-BjsuF&{6M(CKW@Z3or z$waC{sl)ZQm{$UD&7u@Es|Ddfwj4Z{GlYvL2Q3uUTH2`yLBr!JFI2Uovs#pN(Wrta zX_ZAU81c}2z|c>Hr;v@AoE_HT&MUGlCu>~bFqy?TnM5t@+bX4_>hQlgE_v2E(7?qK z9BT}SK$KC36mPO+QFodzioDbqb0D12pLRW@s7!mH-Mtl5PcuB0sbrH68_fcO>LG@~ z+;mLA^9wJA9$_V#z-+wL5p1Hwmz`RP2@(xSZ+#6mB$9;aru+86{>(#&^$*$M)uQI=1! zvVY7l*V$mWfhb3=Z9m8l%ZgA)@Z1|W=vNjmoUvM^&=3a{*c;hCU5(CAUgm%{=hR`P zyH08GVIV@9R!JpX2CwLr+3G{XG0CaXCqWUi#z!!<15VyiSyVZFENMj{1HGJI%u*>y z<n~32ZjrMV5FG zm%;EJsr);~T|Pf|2!=n+=B~e}pN4D5)LSu#c4#$eRmNx!K9xmYGwXp!vsNpLi%lJ4 zY>xo!Fb6xesbs~&*GY&n>|xm?b#{xs$d#jXILGKBlp;(2r)mDn+WQ{LUszOW1(lFT z>+yVU?=pQ}aHU4jg>kM4Q3ZL1yEEhx3f;B9afD`unMu3|!{DY2lX%Qmt4edlZim<* z%0TP|jg~kk`tUwKZ0svtli=mNedBv{8PGV+7`BqS)ahT9tDhbF% z0D_Im7No9(kip!1Icvc=m-3wI8TicB)v^SQhg17@kDXU(`NhRi`l%d*p$slK9UP52 za@0kB(m}5yucsA5qKLY3${00jCeRLGkEgol1qR#&WFj`W!p@T%+xu>30y|z*%PjBw zG#ENRzDi@&UdDLq+XF2~KRU8J5lJ{4JJK=vr#10Sq$dwwy6k zr>*Q$%TwBU5zCZs;a0GxrOY^}H4~>P_5b@1K-5JlXK6PO~n&(fWWmD z6dGHwA(y$ERMYVFG3G50&pIWob9)ahoOZoSX)jQQiY@<;=|WQ8}GZ#GON5twnIOVF4)L96$NS7ytD4Z-4Nef4=kf zZ@yk{KRLf1SwHyEFFsxV>V4_gl>3QK{Ucpo``~r$3t#&2_ul>Nd%yhcAAkPN_3h96 z@ZC47zkT(0U#Y(N@t=L;^Yyp>@cY-^`r7q#%18c8yl1}k-S@x$(~ti3FCY6C5bsrj literal 2467 zcmZA3yX*8=83%AtM2L2ah22jtZuC^Lgd%osL8IuI6Ay8ywNCB-kIyC%Z;|^j$95rk` zq5y4a*Y@ml%`)J{91_7Qghs{t;)E3$u9k8LDyq0r96Pr$7K-}?cNTrH@Q-Y5ET>l;g}u3!=PJ5Gm+yi7J9iGZ1pJfekzeNWmMncXvi5g-JAAE+q&Gk)iYlJlx=BHrBXk9c3XTg&Z7Nf)cts*FR^CMaiY=Su+vzQ^zMEa;Q%hj!bYp}sO+M^CF zCyCwwmAin=X}Fp#F?L*sS{b4o^JZ}a8d(_2Gj_kdq@jIh?TQ>QT!qD91@jmeLo0Fd z1>j3w=h&Q;vm47^Px4(jwocE$It(TGMn%@zf{Yy(Ga53$s_a#qv%**$Ndrn%i+7x?u^dDjW1Jg>NPonbgTK*a0mY^hd% zRU(&7iaDn#=P*C;!8^(GtRY|F-lbQ+2pBJe6{~T95YaJ+{&-Fnpk+Ru2Mah$#&31&#Ng@yF zi6RFura3|-!%z^YmYrf{LxZATYq`R28I`aQpg4I~3**&mIsvN}Nft1+`uw9JQUyjB_?9s%Z`-dYJkJI@a+(bRaGaKfRp*~-c zh?cMM7$P6}I+{>QlH)%pD|P z%dAe@c;=l8{19BI3r^%M0Me_1)4ZTi_ftC|>B`58LwV?G>lIsaqRQumn8MwO)p<6R zkv5pPbuBR-WLpQSxdMeeoKsC?7cp*IlP5>Dxp0Q#r^N!5&*cUyW2cREQd|O)T8)sg zBmy}u&(g>SZhLlX=dfVw15<}2xaP(|g`*nE`6aq5V$%!EyedM5`JT&-%7HWUp1SxQ z$dRm$O@KqIM=6l!(ey};6l&6@hA}!jNMmNQcAsvJ=Ugxcoige_Iqu8lMUP;or^Vd$ z=ck`)_=jewYQ@-AiR%~q}v{YTAkrl z$J;RbOj2X^4Nw_pO*owPX(Fy#u(;2N2O_5{2hVBOEuPIT=TvS4j9y>%=gS!y@Rl~^ zPnr@`TYN|*DTgkagZTZR(ih2J7}qWzfkSR=!EwEA3ISkrJu@}9=3lEKQq@}oktcr& z(cbVpT0MuaG$e|?s+FR9I#N$IBgu1`5C+1-gC2(Zx%Kzp`E<==-j1EW>&v#O zhRoUoU|n~prdp?NwMN19?18}ed7rC|n&Yl-yQ^VydB?@XK)kBa?zGv|(}ovKmm{2y zj%7Km>ERGR-~4lwd$-m*b`C&uh{9FBxf0+6$6Ai(F3LpavKA-5K+_D`=rjvxN|mw$Ns zTi@qD^N+(PmQVitwdC_({?|X>{M}Ff_})7oe$M{kPv8FgSHJnG-@9M?!Uu1>`;o7| k|FiDf;p>(0qqqGZy!YDQKK?8Foxi^IXZNjd{PvB11M&(p*Z=?k diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 66221cf..50a5296 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -36,6 +36,8 @@ in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys; + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDeKXqbhNzbXk15h2k8wGBByxMDCC6HE1/fwa4j6ECu root@metronom + "metronom-root-ssh-key.age".publicKeys = metronomKeys ++ adminKeys; "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys; @@ -70,8 +72,11 @@ in "searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-garage-metronom.age".publicKeys = metronomKeys ++ adminKeys; + "restic-repo-garage-metronom-env.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys; - "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-storagebox.age".publicKeys = metronomKeys ++ nachtigallKeys ++ adminKeys; + "restic-repo-storagebox-metronom.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys; From 2e16c77956e9c8182f9c1d9df883a93f186c9d63 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 29 Aug 2024 16:22:58 +0200 Subject: [PATCH 22/25] secrets: rename restic-repo-storagebox{,-nachtigall} To use a restic repository per host --- hosts/nachtigall/backups.nix | 6 +++--- hosts/tankstelle/backups.nix | 4 ++-- modules/forgejo/default.nix | 2 +- modules/mailman/default.nix | 2 +- modules/mastodon/default.nix | 2 +- modules/matrix/default.nix | 2 +- modules/nextcloud/default.nix | 2 +- ...ox.age => restic-repo-storagebox-nachtigall.age} | Bin secrets/secrets.nix | 2 +- 9 files changed, 11 insertions(+), 11 deletions(-) rename secrets/{restic-repo-storagebox.age => restic-repo-storagebox-nachtigall.age} (100%) diff --git a/hosts/nachtigall/backups.nix b/hosts/nachtigall/backups.nix index 46757bc..e910d0b 100644 --- a/hosts/nachtigall/backups.nix +++ b/hosts/nachtigall/backups.nix @@ -5,8 +5,8 @@ mode = "400"; owner = "root"; }; - age.secrets."restic-repo-storagebox" = { - file = "${flake.self}/secrets/restic-repo-storagebox.age"; + age.secrets."restic-repo-storagebox-nachtigall" = { + file = "${flake.self}/secrets/restic-repo-storagebox-nachtigall.age"; mode = "400"; owner = "root"; }; @@ -22,7 +22,7 @@ }; pub-solar-os.backups.repos.storagebox = { - passwordFile = config.age.secrets."restic-repo-storagebox".path; + passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; }; diff --git a/hosts/tankstelle/backups.nix b/hosts/tankstelle/backups.nix index c5bf79b..ea42f3b 100644 --- a/hosts/tankstelle/backups.nix +++ b/hosts/tankstelle/backups.nix @@ -5,8 +5,8 @@ mode = "400"; owner = "root"; }; - age.secrets."restic-repo-storagebox" = { - file = "${flake.self}/secrets/restic-repo-storagebox.age"; + age.secrets."restic-repo-storagebox-tankstelle" = { + file = "${flake.self}/secrets/restic-repo-storagebox-tankstelle.age"; mode = "400"; owner = "root"; }; diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix index dee6d12..d99abdd 100644 --- a/modules/forgejo/default.nix +++ b/modules/forgejo/default.nix @@ -182,7 +182,7 @@ OnCalendar = "*-*-* 00:00:00 Etc/UTC"; }; initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; + passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; backupPrepareCommand = '' ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql diff --git a/modules/mailman/default.nix b/modules/mailman/default.nix index 3db13b6..e5e2903 100644 --- a/modules/mailman/default.nix +++ b/modules/mailman/default.nix @@ -91,7 +91,7 @@ OnCalendar = "*-*-* 02:00:00 Etc/UTC"; }; initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; + passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; pruneOpts = [ "--keep-daily 7" diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix index 85210e0..a26d7dd 100644 --- a/modules/mastodon/default.nix +++ b/modules/mastodon/default.nix @@ -106,7 +106,7 @@ OnCalendar = "*-*-* 04:00:00 Etc/UTC"; }; initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; + passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; backupPrepareCommand = '' ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mastodon > /tmp/mastodon-backup.sql diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix index 66b071f..3165911 100644 --- a/modules/matrix/default.nix +++ b/modules/matrix/default.nix @@ -295,7 +295,7 @@ in OnCalendar = "*-*-* 05:00:00 Etc/UTC"; }; initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; + passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; backupPrepareCommand = '' ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix index 0f81781..662d1ce 100644 --- a/modules/nextcloud/default.nix +++ b/modules/nextcloud/default.nix @@ -145,7 +145,7 @@ OnCalendar = "*-*-* 01:00:00 Etc/UTC"; }; initialize = true; - passwordFile = config.age.secrets."restic-repo-storagebox".path; + passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path; repository = "sftp:u377325@u377325.your-storagebox.de:/backups"; backupPrepareCommand = '' ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d nextcloud > /tmp/nextcloud-backup.sql diff --git a/secrets/restic-repo-storagebox.age b/secrets/restic-repo-storagebox-nachtigall.age similarity index 100% rename from secrets/restic-repo-storagebox.age rename to secrets/restic-repo-storagebox-nachtigall.age diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 50a5296..0da7892 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -75,7 +75,7 @@ in "restic-repo-garage-metronom.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-garage-metronom-env.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys; - "restic-repo-storagebox.age".publicKeys = metronomKeys ++ nachtigallKeys ++ adminKeys; + "restic-repo-storagebox-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-storagebox-metronom.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys; From 77b642f64676ac00fa48666475a887028a4ce95c Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 29 Aug 2024 16:23:57 +0200 Subject: [PATCH 23/25] garage: increase nginx client_body_size to 64m To make bigger garage uploads work well, avoiding error HTTP 413 Entity Too Large --- modules/garage/default.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/garage/default.nix b/modules/garage/default.nix index f2e538c..f50d687 100644 --- a/modules/garage/default.nix +++ b/modules/garage/default.nix @@ -69,6 +69,7 @@ locations."/" = { proxyPass = "http://s3_backend"; extraConfig = '' + client_max_body_size 64m; proxy_max_temp_file_size 0; ''; }; From 2eb54a331e01fca77c9a23e54eacfda02d5eaa6a Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 29 Aug 2024 16:28:17 +0200 Subject: [PATCH 24/25] backups: add storagebox to programs.ssh.knownHosts --- modules/backups/default.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/modules/backups/default.nix b/modules/backups/default.nix index 04b8324..26549ab 100644 --- a/modules/backups/default.nix +++ b/modules/backups/default.nix @@ -280,5 +280,11 @@ in in builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames)); + + # Used for pub-solar-os.backups.repos.storagebox + programs.ssh.knownHosts = { + "u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw=="; + "[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"; + }; }; } From 09804f5c250463f3f924d249bdd5774c9eab906c Mon Sep 17 00:00:00 2001 From: teutat3s Date: Thu, 29 Aug 2024 16:29:33 +0200 Subject: [PATCH 25/25] docs: how-to add backups for new hosts --- docs/backups.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 docs/backups.md diff --git a/docs/backups.md b/docs/backups.md new file mode 100644 index 0000000..ccce5f9 --- /dev/null +++ b/docs/backups.md @@ -0,0 +1,36 @@ +# Backups + +We use [Restic](https://restic.readthedocs.io/en/stable/) to create backups and push them to two repositories. +Check `./modules/backups.nix` and `./hosts/nachtigall/backups.nix` for working examples. + +### Hetzner Storagebox + +- Uses SFTP for transfer of backups + +Adding a new host SSH public key to the storagebox: + +First, [SSH to nachtigall](./administrative-access.md#ssh-access), then become root and add the new SSH public key + +``` +sudo -i +echo '' | ssh -p23 u377325@u377325.your-storagebox.de install-ssh-key +``` + +[Link to Hetzner storagebox docs](https://docs.hetzner.com/robot/storage-box/backup-space-ssh-keys). + +### Garage S3 buckets + +- Uses S3 for transfer of backups +- One bucket per host, e.g. `nachtigall-backups`, `metronom-backups` + +To start transfering backups from a new hosts, this is how to create a new bucket: + +First, [SSH to trinkgenossin](./administrative-access.md#ssh-access), then use the `garage` CLI to create a new key and bucket: + +``` +export GARAGE_RPC_SECRET= + +garage bucket create -backups +garage key create -backups-key +garage bucket allow -backups --read --write --key -backups-key +```