Merge remote-tracking branch 'origin/#76-Nuked-Backup' into #76-Nuked-Backup

# Conflicts: # secrets/backup/nuked.age
admin: add eliza and esy as admins to teh secrets
2024-06-07 19:44:51 +01:00 · 2024-06-07 19:20:52 +01:00 · 2024-06-07 19:19:55 +01:00 · 2024-06-06 23:36:50 +01:00
5 changed files with 136 additions and 0 deletions
--- a/applications/restic.nix
+++ b/applications/restic.nix
@ -83,6 +83,9 @@ with lib; let
  ));
 in {
  imports = [
+    ./dns.nix
+    ./nginx.nix
+    ./acme.nix
  ];

  # using https://github.com/greaka/ops/blob/818be4c4dea9129abe0f086d738df4cb0bb38288/apps/restic/options.nix as a base
@ -142,6 +145,20 @@ in {
        default = false;
      };
    };
+
+    nuked = {
+      enable = mkEnableOption "Nuked Backup server";
+
+      port = mkOption {
+        type = types.port;
+        default = 8765;
+      };
+
+      appendOnly = mkOption {
+        type = types.bool;
+        default = false;
+      };
+    };
  };

  config = mkMerge [
@ -195,5 +212,58 @@ in {
        }
      ];
    })
+
+    # restic -r rest:https://skynet:testing@nuked.skynet.ie/ init
+    (mkIf cfg.nuked.enable {
+      assertions = [
+        {
+          assertion = !cfg.server.enable;
+          message = "Our backup and Nuked backup cannot co-exist";
+        }
+      ];
+
+      services.skynet.acme.domains = [
+        "nuked.skynet.ie"
+      ];
+
+      services.skynet.dns.records = [
+        {
+          record = "nuked";
+          r_type = "CNAME";
+          value = config.services.skynet.host.name;
+        }
+      ];
+
+      services.nginx.virtualHosts = {
+        "nuked.skynet.ie" = {
+          forceSSL = true;
+          useACMEHost = "skynet";
+          locations."/" = {
+            proxyPass = "http://${config.services.restic.server.listenAddress}";
+            proxyWebsockets = true;
+          };
+        };
+      };
+
+      networking.firewall.allowedTCPPorts = [
+        cfg.nuked.port
+      ];
+
+      age.secrets.restic_pw = {
+        file = ../secrets/backup/nuked.age;
+        path = "${config.services.restic.server.dataDir}/.htpasswd";
+        symlink = false;
+        mode = "770";
+        owner = "restic";
+        group = "restic";
+      };
+
+      services.restic.server = {
+        enable = true;
+        listenAddress = "${config.services.skynet.host.ip}:${toString cfg.server.port}";
+        appendOnly = cfg.nuked.appendOnly;
+        privateRepos = true;
+      };
+    })
  ];
 }
--- a/flake.nix
+++ b/flake.nix
@ -164,6 +164,8 @@

      # Public Services
      calculon = import ./machines/calculon.nix;
+
+      deepthought = import ./machines/deepthought.nix;
    };
  };
 }
--- a/machines/deepthought.nix
+++ b/machines/deepthought.nix
@ -0,0 +1,42 @@
+/*
+
+Name:     https://hitchhikers.fandom.com/wiki/Deep_Thought
+Why:      Our home(page)
+Type:     VM
+Hardware: -
+From:     2023
+Role:     Public Backup
+Notes:
+*/
+{
+  pkgs,
+  lib,
+  nodes,
+  inputs,
+  ...
+}: let
+  name = "deepthought";
+  ip_pub = "193.1.99.112";
+  hostname = "${name}.skynet.ie";
+  host = {
+    ip = ip_pub;
+    name = name;
+    hostname = hostname;
+  };
+in {
+  imports = [
+  ];
+
+  deployment = {
+    targetHost = ip_pub;
+    targetPort = 22;
+    targetUser = null;
+
+    tags = ["active-core"];
+  };
+
+  services.skynet = {
+    host = host;
+    backup.nuked.enable = true;
+  };
+}
--- a/secrets/backup/nuked.age
+++ b/secrets/backup/nuked.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA dgJJTGIzBXLeK17bfgeYeXXN5YrByBOTbhyIkx+Z2TI
+zgujS6RYpXEzbUYZc1DRz0RlWAGurFNzAJnE4j4zhjY
+-> ssh-ed25519 4PzZog U7EUVcL+2Acv3mBpz88t2ZwVJm4YyNlwXzXpSkZfjk8
+LKQqiFcJ3pIWJG5DSbBbcEzg0dIPFOfiwcKCuR2zfhA
+-> ssh-ed25519 5Nd93w Rsjby+9wJr4PnaixDgUk32319SnfJCxgnC8fQ9Gc0yM
+7jmxPtgrIZ9ZF5c04bMzgYBLLPoqKFfwmU/qG6hF+9s
+-> ssh-ed25519 q8eJgg p5+dL0VBijPOTihOZuDQdE/yLQA+BHlEVSq12gRaizw
+MzQcGLTaUhgarzvJ7h/XfHIyPUb+i6YkbgkbvhOONEo
+-> ssh-ed25519 KVr8rw W9+d0ot3036q0YPNYaY1MS/4EiTU0MnLmq56dvUamE0
+wuIORoGvEG8lqrirf07ycIHawiw/DsjvTUwZrIEjSjk
+-> ssh-ed25519 fia1eQ c5cadKGZlONyUKivzegA+swGqgpb8oLDe5bk7Sb8XBI
+NNrb+ezMjYuKkaDUGumflNYrKPzxnPULoMslxH5/bFI
+-> ssh-ed25519 DVzSig 6uvtkJC55iEwnCPZGAqMrLzW+IuHX9YDhtCX3eHtxkA
+JNmstGPHqh2if+C4j1S19v2bCpbib+Wthp/OCusCSc8
+--- teGaaxnvHxEkKCtyNsBV/yhl3Ohn9BD3nfjl6jq3OcM
+³Êb_Â^ìòõŠ<C3B5>aX¹&6LFîœ…Ào8Ë˜¯œC.ƒ ~ÿˆŽœž—k3âÃî;¯1Ž²”Iôd*
ÚûV®Ïƒj¦áÖùñÅí?D©´Õd%buš^Øa"Q2„<m<>oãm©œc6Ò¹‚5!…HÂé8Žj9Ä <C384>1º»þ‘àT›@½Îoíâ‹vÂœ¦ß<>&E„áÅË(èˆH©n®}³ÞQÉhe5JãfàåÓ\.,~X<isÅpŽpÆkøb ‘ÿp8aÒfÞ†½0ˆ*‘n¦›»0ù;Øy:hl
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -113,6 +113,10 @@ let
  bitwarden = [
    kitt
  ];
+
+  nuked = [
+    optimus
+  ];
 in {
  # nix run github:ryantm/agenix -- -e secret1.age

@ -140,6 +144,7 @@ in {
  # everyone has access to this
  "backup/restic.age".publicKeys = users ++ systems;
  "backup/restic_pw.age".publicKeys = users ++ restic;
+  "backup/nuked.age".publicKeys = users ++ nuked;

  # discord bot and discord
  "discord/ldap.age".publicKeys = users ++ ldap ++ discord;
Author	SHA1	Message	Date
Brendan Golden	b77f846a33	Merge remote-tracking branch 'origin/#76-Nuked-Backup' into #76-Nuked-Backup # Conflicts: # secrets/backup/nuked.age	2024-06-07 19:44:51 +01:00
Brendan Golden	097fa21af8	admin: add eliza and esy as admins to teh secrets Actually add the keys this time....	2024-06-07 19:20:52 +01:00
Brendan Golden	3e10c14a4b	feat: Gonna use the space left behind Optimus to test this out Relates to #76	2024-06-07 19:19:55 +01:00
Brendan Golden	223fcb4202	feat: Gonna use the space left behind Optimus to test this out Relates to #76	2024-06-06 23:36:50 +01:00