diff --git a/applications/restic.nix b/applications/restic.nix index e410a5f..15a8d19 100644 --- a/applications/restic.nix +++ b/applications/restic.nix @@ -83,6 +83,9 @@ with lib; let )); in { imports = [ + ./dns.nix + ./nginx.nix + ./acme.nix ]; # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base @@ -142,6 +145,20 @@ in { default = false; }; }; + + nuked = { + enable = mkEnableOption "Nuked Backup server"; + + port = mkOption { + type = types.port; + default = 8765; + }; + + appendOnly = mkOption { + type = types.bool; + default = false; + }; + }; }; config = mkMerge [ @@ -195,5 +212,58 @@ in { } ]; }) + + # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init + (mkIf cfg.nuked.enable { + assertions = [ + { + assertion = !cfg.server.enable; + message = "Our backup and Nuked backup cannot co-exist"; + } + ]; + + services.skynet.acme.domains = [ + "nuked.skynet.ie" + ]; + + services.skynet.dns.records = [ + { + record = "nuked"; + r_type = "CNAME"; + value = config.services.skynet.host.name; + } + ]; + + services.nginx.virtualHosts = { + "nuked.skynet.ie" = { + forceSSL = true; + useACMEHost = "skynet"; + locations."/" = { + proxyPass = "http://${config.services.restic.server.listenAddress}"; + proxyWebsockets = true; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + cfg.nuked.port + ]; + + age.secrets.restic_pw = { + file = ../secrets/backup/nuked.age; + path = "${config.services.restic.server.dataDir}/.htpasswd"; + symlink = false; + mode = "770"; + owner = "restic"; + group = "restic"; + }; + + services.restic.server = { + enable = true; + listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}"; + appendOnly = cfg.nuked.appendOnly; + privateRepos = true; + }; + }) ]; } diff --git a/flake.nix b/flake.nix index 397f721..d28548c 100644 --- a/flake.nix +++ b/flake.nix 
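Review bot: `nuked.port` and `nuked.appendOnly` are declared without a `description`, so option docs and `nixos-option` show nothing for them; something like `description = "TCP port the Nuked restic REST server listens on";` and `description = "Run the Nuked REST server in append-only mode so clients cannot delete snapshots";` would do. Since the purpose of an off-host backup is to survive a compromised client, it is worth considering whether `appendOnly` should default to `true` rather than `false`; rest-server's append-only mode is exactly the control that stops a client from deleting history. The `enable`/`port`/`appendOnly` trio mirrors the `server` options above, so a shared description style is cheap to keep.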
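Review bot: `listenAddress` is built from `cfg.server.port` while the firewall opens `cfg.nuked.port`; because the assertion forces `cfg.server.enable = false`, the listen port is whatever `server.port` defaults to and the firewall entry may not match it — change it to `listenAddress = "${config.services.skynet.host.ip}:${toString cfg.nuked.port}";`. Separately, binding rest-server to the host's public IP and opening that port means the backend is reachable over plain HTTP, bypassing the nginx TLS front; binding to `127.0.0.1` and dropping the `allowedTCPPorts` entry closes that plaintext path while `proxyPass` keeps working, since it reuses `listenAddress`. The `.htpasswd` secret is installed with `mode = "770"`, broader than a credential file needs; `"0400"` (or `"0440"` if the group must read it) is presumably enough for rest-server to read it from `dataDir`. The comment `skynet:testing@nuked.skynet.ie` reads like a credential; if it is a real one it should be rotated and the example replaced with a placeholder.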
@@ -164,6 +164,8 @@ # Public Services calculon = import ./machines/calculon.nix; + + deepthought = import ./machines/deepthought.nix; }; }; } diff --git a/machines/deepthought.nix b/machines/deepthought.nix new file mode 100644 index 0000000..fb2cfc5 --- /dev/null +++ b/machines/deepthought.nix @@ -0,0 +1,42 @@ +/* + +Name: https://hitchhikers.fandom.com/wiki/Deep_Thought +Why: Our home(page) +Type: VM +Hardware: - +From: 2023 +Role: Public Backup +Notes: +*/ +{ + pkgs, + lib, + nodes, + inputs, + ... +}: let + name = "deepthought"; + ip_pub = "193.1.99.112"; + hostname = "${name}.skynet.ie"; + host = { + ip = ip_pub; + name = name; + hostname = hostname; + }; +in { + imports = [ + ]; + + deployment = { + targetHost = ip_pub; + targetPort = 22; + targetUser = null; + + tags = ["active-core"]; + }; + + services.skynet = { + host = host; + backup.nuked.enable = true; + }; +} diff --git a/secrets/backup/nuked.age b/secrets/backup/nuked.age new file mode 100644 index 0000000..a340718 Binary files /dev/null and b/secrets/backup/nuked.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 80ee5e8..12e4cc4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -109,6 +109,10 @@ let bitwarden = [ kitt ]; + + nuked = [ + optimus + ]; in { # nix run github:ryantm/agenix -- -e secret1.age @@ -136,6 +140,7 @@ in { # everyone has access to this "backup/restic.age".publicKeys = users ++ systems; "backup/restic_pw.age".publicKeys = users ++ restic; + "backup/nuked.age".publicKeys = users ++ nuked; # discord bot and discord "discord/ldap.age".publicKeys = users ++ ldap ++ discord;
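Review bot: The header metadata reads as copied from another machine: `Why: Our home(page)` does not match `Role: Public Backup`, and `Notes:` is empty; fix the `Why:` line so the file documents the backup host it describes. The function header binds `pkgs`, `lib`, `nodes` and `inputs` but none is used in the body, and `imports = [ ];` is empty; trimming the header to `{...}: let` and dropping the empty list keeps the file honest about its dependencies. `backup.nuked.enable = true` assumes the new restic options are reachable under `services.skynet.backup`; that mapping is outside this diff, so it is worth confirming against `applications/restic.nix` before deploying.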
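Review bot: `backup/nuked.age` is encrypted to `users ++ nuked` with `nuked = [ optimus ];`, but the machine that mounts it as `.htpasswd` is the new `deepthought` host; unless `optimus` is deepthought's host key, agenix on deepthought cannot decrypt the secret at activation. If deepthought needs its own entry in this file's host-key list, add one for its SSH host key (e.g. a `deepthought` binding) and use it in `nuked`; the second hunk's `"backup/nuked.age".publicKeys = users ++ nuked;` then stays as is. The enclosing `let` block starts outside the hunk.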