From 223fcb42023a950d36b127db0513fa71a892cfc4 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Thu, 6 Jun 2024 23:33:54 +0100
Subject: [PATCH] feat: Gonna use the space left behind Optimus to test this out

Relates to #76
---
 applications/restic.nix | 70 +++++++++++++++++++++++++++++++++++++++
 flake.nix | 2 ++
 machines/deepthought.nix | 42 +++++++++++++++++++++++
 secrets/backup/nuked.age | Bin 0 -> 849 bytes
 secrets/secrets.nix | 5 +++
 5 files changed, 119 insertions(+)
 create mode 100644 machines/deepthought.nix
 create mode 100644 secrets/backup/nuked.age

diff --git a/applications/restic.nix b/applications/restic.nix
index e410a5f..15a8d19 100644
--- a/applications/restic.nix
+++ b/applications/restic.nix
@@ -83,6 +83,9 @@ with lib; let
 ));
 in {
 imports = [
+ ./dns.nix
+ ./nginx.nix
+ ./acme.nix
 ];
 
 # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@@ -142,6 +145,20 @@ in {
 default = false;
 };
 };
+
+ nuked = {
+ enable = mkEnableOption "Nuked Backup server";
+
+ port = mkOption {
+ type = types.port;
+ default = 8765;
+ };
+
+ appendOnly = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
 };
 
 config = mkMerge [
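Review bot: In the `@@ -142,6 +145,20 @@` hunk, `nuked.appendOnly` defaults to `false`, so a client whose credentials are stolen or whose host is compromised can delete or rewrite the snapshots held on this server. For a backup target that accepts pushes from other machines, `default = true;` is the safer default, with pruning left as a deliberate opt-out. The new `port` and `appendOnly` options also have no `description`; something like `description = "Port the Nuked rest-server listens on";` would pin down what `port` is meant to control, which matters because the later config hunk uses it only for the firewall rule. The enclosing options attrset starts outside this hunk.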
@@ -195,5 +212,58 @@ in {
 }
 ];
 })
+
+ # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
+ (mkIf cfg.nuked.enable {
+ assertions = [
+ {
+ assertion = !cfg.server.enable;
+ message = "Our backup and Nuked backup cannot co-exist";
+ }
+ ];
+
+ services.skynet.acme.domains = [
+ "nuked.skynet.ie"
+ ];
+
+ services.skynet.dns.records = [
+ {
+ record = "nuked";
+ r_type = "CNAME";
+ value = config.services.skynet.host.name;
+ }
+ ];
+
+ services.nginx.virtualHosts = {
+ "nuked.skynet.ie" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations."/" = {
+ proxyPass = "http://${config.services.restic.server.listenAddress}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ cfg.nuked.port
+ ];
+
+ age.secrets.restic_pw = {
+ file = ../secrets/backup/nuked.age;
+ path = "${config.services.restic.server.dataDir}/.htpasswd";
+ symlink = false;
+ mode = "770";
+ owner = "restic";
+ group = "restic";
+ };
+
+ services.restic.server = {
+ enable = true;
+ listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
+ appendOnly = cfg.nuked.appendOnly;
+ privateRepos = true;
+ };
+ })
 ];
 }
diff --git a/flake.nix b/flake.nix
index 397f721..d28548c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -164,6 +164,8 @@
 
 # Public Services
 calculon = import ./machines/calculon.nix;
+
+ deepthought = import ./machines/deepthought.nix;
 };
 };
 }
diff --git a/machines/deepthought.nix b/machines/deepthought.nix
new file mode 100644
index 0000000..fb2cfc5
--- /dev/null
+++ b/machines/deepthought.nix
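Review bot: In the `@@ -195,5 +212,58 @@` hunk, the rest-server backend is bound to the host's public address and a firewall port is opened for it, so clients can reach it directly over plain HTTP and send the basic-auth password in cleartext instead of going through the `forceSSL` nginx vhost (assuming TLS is not enabled on the backend elsewhere). `listenAddress` is also built from `cfg.server.port` while the firewall opens `cfg.nuked.port`, so the two can disagree. Since nginx already proxies to the backend, bind it to loopback with `listenAddress = "127.0.0.1:${toString cfg.nuked.port}";` and drop the `networking.firewall.allowedTCPPorts` entry. The `.htpasswd` secret is installed with `mode = "770"`, which is group-writable and executable; `mode = "0400";` is enough for a file that only the `restic` user reads. The example command in the comment carries a `skynet:testing` credential pair, which should become a placeholder such as `USER:PASSWORD` if that password is ever used for real.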
@@ -0,0 +1,42 @@ +/* + +Name: https://hitchhikers.fandom.com/wiki/Deep_Thought +Why: Our home(page) +Type: VM +Hardware: - +From: 2023 +Role: Public Backup +Notes: +*/ +{ + pkgs, + lib, + nodes, + inputs, + ... +}: let + name = "deepthought"; + ip_pub = "193.1.99.112"; + hostname = "${name}.skynet.ie"; + host = { + ip = ip_pub; + name = name; + hostname = hostname; + }; +in { + imports = [ + ]; + + deployment = { + targetHost = ip_pub; + targetPort = 22; + targetUser = null; + + tags = ["active-core"]; + }; + + services.skynet = { + host = host; + backup.nuked.enable = true; + }; +} diff --git a/secrets/backup/nuked.age b/secrets/backup/nuked.age new file mode 100644 index 0000000000000000000000000000000000000000..a340718907163520cb7173d3b819fa2752ed5c08 GIT binary patch literal 849 zcmZ9_-HY1<008i@?WyNHoZ=qNjpFXXS-Lb|O|pTQreA53UYh38qiu{)G^~~r zcWGTO!U)E8=uA#yk&FQ88fh{Pbzp3 zOp!Jmg?>P4W1ZGq5|nC{-5c6c2{_J%ni)~kfzl$Fjt$`Ygl?5+$FG-jIbFr8AYULH z52dDJP0mbUxknXwI%(L!3_=jn3{qa~EC~|I84fB@0+dvf0TT;_-J6eV4a3Mz2Ywu2 zw4mhRU`(iEw96E6!si>RT+qm&7YicTTAnI7ip=D?a}?yW4&I+l^`(@__bd37Xtl~AsdO@Ls?*f%-RM0`>su%6q1A(pMw z+L_z{5&BDPM|M?K4LO@HE6Y;q40Y3khaZz8&yV*Qli9AZ20kv z!fGI20ywPG19+RRk(?MHodFTI&9a=i`_EHH)?R&a?%Bf^!mY-h{RiLsHv0VB%7gUZ zlb;lR7`}Gl^3^k^PrdQ-#*z5gfj@4c7W(A&2hffA(<_H3{NkfKCr;Hq+f`&% zmj?H?H@BMW_&xEv^*mtBefHbK>D|?E@37_kduRpY4 HsvrLc9C0;| literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 80ee5e8..12e4cc4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -109,6 +109,10 @@ let bitwarden = [ kitt ]; + + nuked = [ + optimus + ]; in { # nix run github:ryantm/agenix -- -e secret1.age @@ -136,6 +140,7 @@ in { # everyone has access to this "backup/restic.age".publicKeys = users ++ systems; "backup/restic_pw.age".publicKeys = users ++ restic; + "backup/nuked.age".publicKeys = users ++ nuked; # discord bot and discord "discord/ldap.age".publicKeys = users ++ ldap ++ discord;
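Review bot: The header comment of the new `machines/deepthought.nix` looks carried over from another machine: `Why: Our home(page)` and `From: 2023` do not match `Role: Public Backup` or the June 2024 commit date. Since this host exposes a public backup endpoint, the header should say so, for example `Why: Backup target for Nuked (restic rest-server)` and `From: 2024`, if that matches the intent. The empty `Notes:` field is a good place to record that the host serves `nuked.skynet.ie` and which secret it depends on.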
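Review bot: In `secrets/secrets.nix`, `nuked = [ optimus ];` encrypts `backup/nuked.age` to the `optimus` system key, but the only machine in this patch that sets `backup.nuked.enable` is `deepthought`. Unless deepthought reuses optimus's SSH host key, agenix will not be able to decrypt the `.htpasswd` secret there at activation. Consider adding a `deepthought` key and writing `nuked = [ deepthought ];`, or a comment such as `# deepthought reuses optimus's host key` if the reuse is intentional. The same applies to `"backup/nuked.age".publicKeys = users ++ nuked;` in the second hunk (`@@ -136,6 +140,7 @@`), which also makes the secret decryptable by every key in `users`. The `let` block holding the key definitions starts outside both hunks.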