feat: Gonna use the space left behind Optimus to test this out

Relates to #76
2024-06-06 23:33:54 +01:00 · 2024-06-06 23:33:54 +01:00 · 3e10c14a4b
commit 3e10c14a4b
parent 69bd2be07c
5 changed files with 119 additions and 0 deletions
--- a/applications/restic.nix
+++ b/applications/restic.nix
@ -83,6 +83,9 @@ with lib; let
  ));
 in {
  imports = [
+    ./dns.nix
+    ./nginx.nix
+    ./acme.nix
  ];

  # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -142,6 +145,20 @@ in {
        default = false;
      };
    };
+
+    nuked = {
+      enable = mkEnableOption "Nuked Backup server";
+
+      port = mkOption {
+        type = types.port;
+        default = 8765;
+      };
+
+      appendOnly = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
  };

  config = mkMerge [
@ -195,5 +212,58 @@ in {
        }
      ];
    })
+
+    # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
+    (mkIf cfg.nuked.enable {
+      assertions = [
+        {
+          assertion = !cfg.server.enable;
+          message = "Our backup and Nuked backup cannot co-exist";
+        }
+      ];
+
+      services.skynet.acme.domains = [
+        "nuked.skynet.ie"
+      ];
+
+      services.skynet.dns.records = [
+        {
+          record = "nuked";
+          r_type = "CNAME";
+          value = config.services.skynet.host.name;
+        }
+      ];
+
+      services.nginx.virtualHosts = {
+        "nuked.skynet.ie" = {
+          forceSSL = true;
+          useACMEHost = "skynet";
+          locations."/" = {
+            proxyPass = "http://${config.services.restic.server.listenAddress}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+
+      networking.firewall.allowedTCPPorts = [
+        cfg.nuked.port
+      ];
+
+      age.secrets.restic_pw = {
+        file = ../secrets/backup/nuked.age;
+        path = "${config.services.restic.server.dataDir}/.htpasswd";
+        symlink = false;
+        mode = "770";
+        owner = "restic";
+        group = "restic";
+      };
+
+      services.restic.server = {
+        enable = true;
+        listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
+        appendOnly = cfg.nuked.appendOnly;
+        privateRepos = true;
+      };
+    })
  ];
 }
--- a/flake.nix
+++ b/flake.nix
@ -164,6 +164,8 @@

      # Public Services
      calculon = import ./machines/calculon.nix;
+
+      deepthought = import ./machines/deepthought.nix;
    };
  };
 }
--- a/machines/deepthought.nix
+++ b/machines/deepthought.nix
@ -0,0 +1,42 @@
+/*
+
+Name:     https://hitchhikers.fandom.com/wiki/Deep_Thought
+Why:      Our home(page)
+Type:     VM
+Hardware: -
+From:     2023
+Role:     Public Backup
+Notes:
+*/
+{
+  pkgs,
+  lib,
+  nodes,
+  inputs,
+  ...
+}: let
+  name = "deepthought";
+  ip_pub = "193.1.99.112";
+  hostname = "${name}.skynet.ie";
+  host = {
+    ip = ip_pub;
+    name = name;
+    hostname = hostname;
+  };
+in {
+  imports = [
+  ];
+
+  deployment = {
+    targetHost = ip_pub;
+    targetPort = 22;
+    targetUser = null;
+
+    tags = ["active-core"];
+  };
+
+  services.skynet = {
+    host = host;
+    backup.nuked.enable = true;
+  };
+}
--- a/secrets/backup/nuked.age
+++ b/secrets/backup/nuked.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -113,6 +113,10 @@ let
  bitwarden = [
    kitt
  ];
+
+  nuked = [
+    optimus
+  ];
 in {
  # nix run github:ryantm/agenix -- -e secret1.age

@ -140,6 +144,7 @@ in {
  # everyone has access to this
  "backup/restic.age".publicKeys = users ++ systems;
  "backup/restic_pw.age".publicKeys = users ++ restic;
+  "backup/nuked.age".publicKeys = users ++ nuked;

  # discord bot and discord
  "discord/ldap.age".publicKeys = users ++ ldap ++ discord;