From 223fcb42023a950d36b127db0513fa71a892cfc4 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Thu, 6 Jun 2024 23:33:54 +0100
Subject: [PATCH 1/3] feat: Gonna use the space left behind Optimus to test this out

Relates to #76
---
 applications/restic.nix | 70 +++++++++++++++++++++++++++++++++++++++
 flake.nix | 2 ++
 machines/deepthought.nix | 42 +++++++++++++++++++++++
 secrets/backup/nuked.age | Bin 0 -> 849 bytes
 secrets/secrets.nix | 5 +++
 5 files changed, 119 insertions(+)
 create mode 100644 machines/deepthought.nix
 create mode 100644 secrets/backup/nuked.age

diff --git a/applications/restic.nix b/applications/restic.nix
index e410a5f..15a8d19 100644
--- a/applications/restic.nix
+++ b/applications/restic.nix
@@ -83,6 +83,9 @@ with lib; let
 ));
 in {
 imports = [
+ ./dns.nix
+ ./nginx.nix
+ ./acme.nix
 ];
 
 # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@@ -142,6 +145,20 @@ in {
 default = false;
 };
 };
+
+ nuked = {
+ enable = mkEnableOption "Nuked Backup server";
+
+ port = mkOption {
+ type = types.port;
+ default = 8765;
+ };
+
+ appendOnly = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
 };
 
 config = mkMerge [
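Review bot: In the `nuked` option block, `appendOnly` defaults to `false`, so any client holding the repository password can delete or rewrite snapshots on what is meant to be the off-site copy; for a backup target `default = true;` with an explicit opt-out on the host that runs `prune` is the safer baseline. Neither `port` nor `appendOnly` carries a `description`, and whichever default is kept should be stated there, e.g. `description = "Reject deletion of existing snapshots; set to false only on the host that prunes.";`. If `false` is deliberate, a one-line comment saying why would spare the next reader the question. Patch 2/3 repeats this hunk unchanged, so the same applies there.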
@@ -195,5 +212,58 @@ in {
 }
 ];
 })
+
+ # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
+ (mkIf cfg.nuked.enable {
+ assertions = [
+ {
+ assertion = !cfg.server.enable;
+ message = "Our backup and Nuked backup cannot co-exist";
+ }
+ ];
+
+ services.skynet.acme.domains = [
+ "nuked.skynet.ie"
+ ];
+
+ services.skynet.dns.records = [
+ {
+ record = "nuked";
+ r_type = "CNAME";
+ value = config.services.skynet.host.name;
+ }
+ ];
+
+ services.nginx.virtualHosts = {
+ "nuked.skynet.ie" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations."/" = {
+ proxyPass = "http://${config.services.restic.server.listenAddress}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ cfg.nuked.port
+ ];
+
+ age.secrets.restic_pw = {
+ file = ../secrets/backup/nuked.age;
+ path = "${config.services.restic.server.dataDir}/.htpasswd";
+ symlink = false;
+ mode = "770";
+ owner = "restic";
+ group = "restic";
+ };
+
+ services.restic.server = {
+ enable = true;
+ listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
+ appendOnly = cfg.nuked.appendOnly;
+ privateRepos = true;
+ };
+ })
 ];
 }
diff --git a/flake.nix b/flake.nix
index 397f721..d28548c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -164,6 +164,8 @@
 
 # Public Services
 calculon = import ./machines/calculon.nix;
+
+ deepthought = import ./machines/deepthought.nix;
 };
 };
 }
diff --git a/machines/deepthought.nix b/machines/deepthought.nix
new file mode 100644
index 0000000..fb2cfc5
--- /dev/null
+++ b/machines/deepthought.nix
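Review bot: The listener and the firewall disagree on the port: `listenAddress` is built from `cfg.server.port` while `allowedTCPPorts` opens `cfg.nuked.port`, so the new `nuked.port` option (default 8765) is never what rest-server binds to and the opened port carries no service. Since nginx already terminates TLS and proxies to `listenAddress`, `listenAddress = "127.0.0.1:${toString cfg.nuked.port}";` fixes the option mix-up and keeps the plain-HTTP basic-auth endpoint off the public interface, at which point the `allowedTCPPorts` entry can be dropped. The comment above the `mkIf` embeds a `user:password` pair in the repository; a placeholder such as `# restic -r rest:https://<user>:<password>@nuked.skynet.ie/ init` carries the same instruction without a credential. The `.htpasswd` secret is installed with `mode = "770"`, which adds an execute bit to a file that is only read; `mode = "440";` (or `"640"`) is enough for the `restic` user. Patch 2/3 repeats this hunk unchanged, so the same applies there.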
@@ -0,0 +1,42 @@ +/* + +Name: https://hitchhikers.fandom.com/wiki/Deep_Thought +Why: Our home(page) +Type: VM +Hardware: - +From: 2023 +Role: Public Backup +Notes: +*/ +{ + pkgs, + lib, + nodes, + inputs, + ... +}: let + name = "deepthought"; + ip_pub = "193.1.99.112"; + hostname = "${name}.skynet.ie"; + host = { + ip = ip_pub; + name = name; + hostname = hostname; + }; +in { + imports = [ + ]; + + deployment = { + targetHost = ip_pub; + targetPort = 22; + targetUser = null; + + tags = ["active-core"]; + }; + + services.skynet = { + host = host; + backup.nuked.enable = true; + }; +} diff --git a/secrets/backup/nuked.age b/secrets/backup/nuked.age new file mode 100644 index 0000000000000000000000000000000000000000..a340718907163520cb7173d3b819fa2752ed5c08 GIT binary patch literal 849 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Gb||gb5wA5i!}Ff z_Vr51_4P0;F;8HMel7sC3OtOh>oPB%mrPKV89JU)wCPFejx?h!+p#wEDM9YQX&mf z9kcVxL&6OGLQ9jiogKNf!z10o^()enjFXMBDpGTtjSb9PqkK#Q(kp%3A}Wmo6D`Vo zLJIRjN*vK`a|x>o&P-QG^ehWEj|@u5jmUQ`iF9-H*0=O=EHBIm2+J@jbWF80kIM5h zHuCj#br0myPBIBe^!E*p%uDf2DGA65a!C%2sLaVu%g8s*&du}oFm*|B4$7!XH7@7U z)zwufbIr|3c5)6Y3G*r}uW~kbHw<#p4=@jo(hth=baxC0D>4aAvMdkGaEau4`&~os zNNWSPgY1ry=UxmfLNgDPZJ99bPvw8>)duIXyLKEs-Buml*L+H@T$A_xP18(Mr7v@g zuJcz^}-TzjhmGY`ln*Xj|W!7mi7MH_GU%y;_?tRkYYuJgCy84;i>!0vdzFk~0?LolS zy`PzkG8ap$C|eaeM;`fhW8-DtiZ!~We^mIznKoYjI8pP|ht!C_W^D$iF5l~@T&(<< h`4Mk=&^+s#M#p6Cdk3et%>G*vAMV)8Bb|}50010uHID!Q literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 80ee5e8..12e4cc4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -109,6 +109,10 @@ let bitwarden = [ kitt ]; + + nuked = [ + optimus + ]; in { # nix run github:ryantm/agenix -- -e secret1.age 
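Review bot: The header comment of machines/deepthought.nix is inconsistent with what the file configures: `Why: Our home(page)` describes a web host, while `Role: Public Backup` and `backup.nuked.enable = true;` are the only things this module does, so the line looks carried over from another machine file; `Why: Public restic backup target (Nuked)` would match the role. `imports = [ ];` is empty, which I would not expect if the other machine files pull in a shared base module — worth confirming nothing is meant to be listed there. Patch 2/3 repeats this file unchanged.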
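Review bot: The new recipient group in secrets/secrets.nix is `nuked = [ optimus ];`, but the machine that will consume `backup/nuked.age` is `deepthought`; unless the Optimus host key is deliberately being reused on the new VM (the commit message hints at that), the host will not be able to decrypt the secret, and a `deepthought` key entry would make the intent explicit either way, e.g. `nuked = [ deepthought ];`. The `"backup/nuked.age".publicKeys = users ++ nuked;` line in the next hunk is consistent with this list, so only the group definition needs attention. Patch 3/3 re-encrypts `backup/nuked.age` to add two admins while its diffstat shows no change to this rules file, which suggests the next `agenix --rekey` would drop them again — the extra recipients should be added to `users` or `nuked` here as well. Patch 2/3 repeats these hunks unchanged.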
@@ -136,6 +140,7 @@ in {
 # everyone has access to this
 "backup/restic.age".publicKeys = users ++ systems;
 "backup/restic_pw.age".publicKeys = users ++ restic;
+ "backup/nuked.age".publicKeys = users ++ nuked;
 
 # discord bot and discord
 "discord/ldap.age".publicKeys = users ++ ldap ++ discord;

From 3e10c14a4b7b505bfdcf2449bd542c8364195a59 Mon Sep 17 00:00:00 2001
From: Brendan Golden
Date: Thu, 6 Jun 2024 23:33:54 +0100
Subject: [PATCH 2/3] feat: Gonna use the space left behind Optimus to test this out

Relates to #76
---
 applications/restic.nix | 70 +++++++++++++++++++++++++++++++++++++++
 flake.nix | 2 ++
 machines/deepthought.nix | 42 +++++++++++++++++++++++
 secrets/backup/nuked.age | Bin 0 -> 849 bytes
 secrets/secrets.nix | 5 +++
 5 files changed, 119 insertions(+)
 create mode 100644 machines/deepthought.nix
 create mode 100644 secrets/backup/nuked.age

diff --git a/applications/restic.nix b/applications/restic.nix
index e410a5f..15a8d19 100644
--- a/applications/restic.nix
+++ b/applications/restic.nix
@@ -83,6 +83,9 @@ with lib; let
 ));
 in {
 imports = [
+ ./dns.nix
+ ./nginx.nix
+ ./acme.nix
 ];
 
 # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@@ -142,6 +145,20 @@ in {
 default = false;
 };
 };
+
+ nuked = {
+ enable = mkEnableOption "Nuked Backup server";
+
+ port = mkOption {
+ type = types.port;
+ default = 8765;
+ };
+
+ appendOnly = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ };
 };
 
 config = mkMerge [
@@ -195,5 +212,58 @@ in {
 }
 ];
 })
+
+ # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
+ (mkIf cfg.nuked.enable {
+ assertions = [
+ {
+ assertion = !cfg.server.enable;
+ message = "Our backup and Nuked backup cannot co-exist";
+ }
+ ];
+
+ services.skynet.acme.domains = [
+ "nuked.skynet.ie"
+ ];
+
+ services.skynet.dns.records = [
+ {
+ record = "nuked";
+ r_type = "CNAME";
+ value = config.services.skynet.host.name;
+ }
+ ];
+
+ services.nginx.virtualHosts = {
+ "nuked.skynet.ie" = {
+ forceSSL = true;
+ useACMEHost = "skynet";
+ locations."/" = {
+ proxyPass = "http://${config.services.restic.server.listenAddress}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ cfg.nuked.port
+ ];
+
+ age.secrets.restic_pw = {
+ file = ../secrets/backup/nuked.age;
+ path = "${config.services.restic.server.dataDir}/.htpasswd";
+ symlink = false;
+ mode = "770";
+ owner = "restic";
+ group = "restic";
+ };
+
+ services.restic.server = {
+ enable = true;
+ listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
+ appendOnly = cfg.nuked.appendOnly;
+ privateRepos = true;
+ };
+ })
 ];
 }
diff --git a/flake.nix b/flake.nix
index 397f721..d28548c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -164,6 +164,8 @@
 
 # Public Services
 calculon = import ./machines/calculon.nix;
+
+ deepthought = import ./machines/deepthought.nix;
 };
 };
 }
diff --git a/machines/deepthought.nix b/machines/deepthought.nix
new file mode 100644
index 0000000..fb2cfc5
--- /dev/null
+++ b/machines/deepthought.nix
@@ -0,0 +1,42 @@ +/* + +Name: https://hitchhikers.fandom.com/wiki/Deep_Thought +Why: Our home(page) +Type: VM +Hardware: - +From: 2023 +Role: Public Backup +Notes: +*/ +{ + pkgs, + lib, + nodes, + inputs, + ... +}: let + name = "deepthought"; + ip_pub = "193.1.99.112"; + hostname = "${name}.skynet.ie"; + host = { + ip = ip_pub; + name = name; + hostname = hostname; + }; +in { + imports = [ + ]; + + deployment = { + targetHost = ip_pub; + targetPort = 22; + targetUser = null; + + tags = ["active-core"]; + }; + + services.skynet = { + host = host; + backup.nuked.enable = true; + }; +} diff --git a/secrets/backup/nuked.age b/secrets/backup/nuked.age new file mode 100644 index 0000000000000000000000000000000000000000..a340718907163520cb7173d3b819fa2752ed5c08 GIT binary patch literal 849 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Gb||gb5wA5i!}Ff z_Vr51_4P0;F;8HMel7sC3OtOh>oPB%mrPKV89JU)wCPFejx?h!+p#wEDM9YQX&mf z9kcVxL&6OGLQ9jiogKNf!z10o^()enjFXMBDpGTtjSb9PqkK#Q(kp%3A}Wmo6D`Vo zLJIRjN*vK`a|x>o&P-QG^ehWEj|@u5jmUQ`iF9-H*0=O=EHBIm2+J@jbWF80kIM5h zHuCj#br0myPBIBe^!E*p%uDf2DGA65a!C%2sLaVu%g8s*&du}oFm*|B4$7!XH7@7U z)zwufbIr|3c5)6Y3G*r}uW~kbHw<#p4=@jo(hth=baxC0D>4aAvMdkGaEau4`&~os zNNWSPgY1ry=UxmfLNgDPZJ99bPvw8>)duIXyLKEs-Buml*L+H@T$A_xP18(Mr7v@g zuJcz^}-TzjhmGY`ln*Xj|W!7mi7MH_GU%y;_?tRkYYuJgCy84;i>!0vdzFk~0?LolS zy`PzkG8ap$C|eaeM;`fhW8-DtiZ!~We^mIznKoYjI8pP|ht!C_W^D$iF5l~@T&(<< h`4Mk=&^+s#M#p6Cdk3et%>G*vAMV)8Bb|}50010uHID!Q literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 07213ca..b3aac1b 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -113,6 +113,10 @@ let bitwarden = [ kitt ]; + + nuked = [ + optimus + ]; in { # nix run github:ryantm/agenix -- -e secret1.age 
@@ -140,6 +144,7 @@ in { # everyone has access to this "backup/restic.age".publicKeys = users ++ systems; "backup/restic_pw.age".publicKeys = users ++ restic; + "backup/nuked.age".publicKeys = users ++ nuked; # discord bot and discord "discord/ldap.age".publicKeys = users ++ ldap ++ discord; From 097fa21af86991c2b43762f6defd6a3ab0a72a56 Mon Sep 17 00:00:00 2001 From: Brendan Golden Date: Fri, 7 Jun 2024 19:20:52 +0100 Subject: [PATCH 3/3] admin: add eliza and esy as admins to teh secrets Actually add the keys this time.... --- secrets/backup/nuked.age | Bin 849 -> 1069 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/backup/nuked.age b/secrets/backup/nuked.age index a340718907163520cb7173d3b819fa2752ed5c08..3a888658a1e1577aca1865f4249297b41941cdda 100644 GIT binary patch delta 982 zcmcb}ww7apPJK$cmsg0pXO&ZgPpY?}c~V+>YGi6egr8|-kyE9Ue@IeBrDt}9c9cW_hx=b7_!KRa%DQ z#E;_PLB&}~mD-l&UPUGWd5M`7F6p7!#zw}5mce;xUd|QidCnGTftK#c29>^C=2^KF z0VU~0o>7)jZl=iwCP}_k>5)!8J^}fK-fn5-xuN=n?q(To+LpzW;~B;43rw|Bdz zGP45wLoze`qe@)@Q(W~ceF7b|ojh_}!-5M9jnab>GpowEe5(SJ-F-q5Lo?D7i>k`J z%ro>O(mXsX145IuGtDBilhU)3$};@@{ao|WL&-a=$fBrRA>2|s#UQ`L*udDV&>%9v zFS0%{($F_p-^4XDB-Fq+&nLIg)GVbeG%?rJfUCUJ(?2NRz0B3!BB!t@vnb8LyfWF- zBe6WQT;HWQt1Kk6JgUgkH7htP8{N9J%tXV~K!s$}UvzoI1V)GFVs$Wrg@M3+$a(%iHhzsMr*fU1hT zfKZ=&-{PDK4^#alH_ypu8O7_(O3O;Jy_`)=GhNH`oCBiV9SePne5%5=Jxe_zEF)bq zN}MB%Q$0#5vK_g+{Bny++ygucGmJ9Rw4F_|41*0V%Z!qo3z9OEw8Kj>3iSP*ON*U@ zlP$P(b#)a=Qr#01EAq-bDqOR@ol7eHik-srD>HJ8{WJ0`om`Cb(z5Dv%(4oN{gZvU zHlIq0KO_+MM)1?uuHHn6h@EO?K5i24=CmHjw>Ujx{hWGdz2*gV|2z8T%$qKeZOruO z@H^}EhJBlOrg(ly(c--&@jGnY`R1%;53l|Fc=WBk%gQZRQ&f|LBuZz+-QZ7D3N&i5 z$?eU5oV#*Pve~7bqOwhLP41i;ouc6&%a{ mQJ8{4LYagl9;PQANZq`8l?uUAU0uZLlYd78V4Wu-@sM`C$)c6z2?PIZWT#B;~B;4OOp!Ai_ASk zlC_PC3M^9!Ov8Q5EG!Fyyiy_!QXRAN%R|Bp{X$EVwVfTgw8JCa!u2cCl8lp$vMN$@ zoQ)04T%&wU1JWyf+#)KC0~0OEd_oHILP{LbL&+tqDmXJ;AO@I&oDdor%kwY|67Gt%Bx0c{=0gWS*OKVTn;CF{c`!a z_eqPdVR0u;>gs25uYbZ<`F3&1v