Merge branch 'master' of github.com:starr-dusT/dotfiles

2025-02-18 10:47:31 -08:00 · 2024-09-08 19:38:41 -07:00 · 2024-09-08 19:38:41 -07:00 · 4a5585be62
commit 4a5585be62
parent da685c3e1a 50cdb40912
9 changed files with 120 additions and 17 deletions
--- a/home/dot_config/borgmatic.d/private_torus.yaml
+++ b/home/dot_config/borgmatic.d/private_torus.yaml
@ -0,0 +1,21 @@
+source_directories:
+    - .
+
+exclude_patterns:
+    - 'code-server/config/*'
+    - 'code-server/workspace/*'
+    - 'immich/library/*'
+
+archive_name_format: 'apps-{now}'
+repositories:
+    #- path: ssh://user@backupserver/./sourcehostname.borg
+    #  label: backupserver
+    - path: /engi/backup/borg/borg-apps
+      label: local
+
+    
+keep_daily: 7
+keep_weekly: 4
+keep_monthly: 6
+
+encryption_passphrase: "***REMOVED***"
--- a/home/private_dot_ssh/config.tmpl
+++ b/home/private_dot_ssh/config.tmpl
@ -10,3 +10,12 @@ Host bulwark
  AddKeysToAgent yes
  IdentityFile /run/agenix/ssh/kestrel/id_ed25519 
 {{- end }}
+{{- if eq .chezmoi.hostname "torus" }}
+Host kestrel
+  AddKeysToAgent yes
+  IdentityFile /run/agenix/ssh/torus/id_ed25519 
+
+Host bulwark 
+  AddKeysToAgent yes
+  IdentityFile /run/agenix/ssh/torus/id_ed25519 
+{{- end }}
--- a/provision/hosts/default/backup.nix
+++ b/provision/hosts/default/backup.nix
@ -3,10 +3,25 @@
  # Password-less logins for backup
  users.users."${user}".openssh.authorizedKeys.keyFiles = [
    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
+    config.age.secrets."ssh/torus/id_ed25519.pub".path
  ];

  services.borgmatic.enable = true;
  environment.systemPackages = with pkgs; [
    borgbackup # Deduplicating backup program 
+    (pkgs.writeScriptBin "stop-docker-containers" ''
+      #!/bin/sh
+      [ -e /tmp/docker_images ] && rm /tmp/docker_images
+      images=$(docker ps -a -q)
+      echo "$images" > /tmp/docker_images
+      docker stop $images
+    '')
+    (pkgs.writeScriptBin "restore-docker-containers" ''
+      #!/bin/sh
+      [ ! -e /tmp/docker_images ] && exit 0
+      docker start $(cat /tmp/docker_images)
+      rm /tmp/docker_images
+    '')
  ];
 }
+          
--- a/provision/hosts/default/home-configuration.nix
+++ b/provision/hosts/default/home-configuration.nix
@ -11,6 +11,11 @@
      nix-direnv.enable = true;
    };

+    programs.vscode = {
+      enable = true;
+      package = pkgs.vscode.fhs;
+    };
+
    home.packages = with pkgs; [
    ];

--- a/provision/hosts/torus/gitea.nix
+++ b/provision/hosts/torus/gitea.nix
@ -1,23 +1,47 @@
 { config, lib, pkgs, user, ... }:
-{
+let
+  stateDir = "/var/lib/gitea";
+  dumpFolder = "/engi/backup/dumps/gitea";
+  domain = "git.tstarr.us";
+in {
+
+  # Main gitea service
+  systemd.tmpfiles.rules = [
+    "d ${dumpFolder} 0775 gitea gitea -"
+  ];
+
+  environment.systemPackages = [
+    (pkgs.writeScriptBin "backup-dump-gitea" ''
+      #!/bin/sh
+      cd ${dumpFolder}
+      [ -e gitea-dump.zip ] && rm gitea-dump.zip
+      exec ${pkgs.gitea}/bin/gitea dump --type zip -c ${stateDir}/custom/conf/app.ini --file "gitea-dump.zip"
+    '')
+  ];
+
  services.gitea = {
    enable = true;
    lfs.enable = true;
-    dump = {
-      enable = true;
-      interval = "23:05";
+    stateDir = "${stateDir}";
+    customDir = "${stateDir}/custom"; 
+    settings.server = {
+      DOMAIN = "${domain}";
+      HTTP_PORT = 3001;
+      ROOT_URL = "https://${domain}";
    };
    settings.service = {
        DISABLE_REGISTRATION = true;
    };
-    settings.server = {
-      DOMAIN = "git.tstarr.us";
-      HTTP_PORT = 3001;
-      ROOT_URL = "https://git.tstarr.us";
-    };
  };

-  # gitea runner secrets
+  # Gitea runners
+  users.users.gitea-runner = {
+    createHome = false;
+    isSystemUser = true;
+    group = "gitea-runner";
+  };
+  users.groups.gitea-runner = {};
+
  age.secrets."git/gitea-runner-1" = {
    file = ../../secrets/git/gitea-runner-1.age;
    owner = "gitea-runner";
@ -27,7 +51,7 @@
  services.gitea-actions-runner.instances = {
    runner1 = {
      enable = true;
-      url = "https://git.tstarr.us";
+      url = "https://${domain}";
      tokenFile = "/run/agenix/git/gitea-runner-1";
      name = "runner1";
      labels = [
@ -47,10 +71,4 @@
      ];
    };
  };
-  users.users.gitea-runner = {
-    createHome = false;
-    isSystemUser = true;
-    group = "gitea-runner";
-  };
-  users.groups.gitea-runner = {};
 }
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@ -27,6 +27,16 @@ in {
      owner = "${user}";
      group = "users";
    };
+    age.secrets."ssh/torus/id_ed25519" = {
+      file = ../../secrets/ssh/torus/id_ed25519.age;
+      owner = "${user}";
+      group = "users";
+    };
+    age.secrets."ssh/torus/id_ed25519.pub" = {
+      file = ../../secrets/ssh/torus/id_ed25519.pub.age;
+      owner = "${user}";
+      group = "users";
+    };

    # emu secrets
    age.secrets."emu/switch/prod.keys" = {
--- a/provision/secrets/secrets.nix
+++ b/provision/secrets/secrets.nix
@ -19,5 +19,7 @@ in
  "nextcloud/password.age".publicKeys = systems;
  "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
  "ssh/kestrel/id_ed25519.pub.age".publicKeys = [ tstarr_kestrel ] ++ systems;
+  "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
+  "ssh/torus/id_ed25519.pub.age".publicKeys = [ tstarr_torus ] ++ systems;
 }

--- a/provision/secrets/ssh/torus/id_ed25519.age
+++ b/provision/secrets/ssh/torus/id_ed25519.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 6UNP1Q pt+/kwmpzF1ZYUgjfOdR0tCws6Ir/x+WFWQ/u5u2VCM
+6vGNiivMqZGMzxsSjiPM1JyuOOoKeINVc5M2EMc5IQs
+-> ssh-ed25519 Fz/sQw MNIfMtMO3WeP03UdvEs3Ofb+1Ga4FYB7JHzgQmVQRhw
+BnOd8W5SFVtnG42y5z1qWxdBmd/x1bX5K8uz+eJcoEc
+-> ssh-ed25519 47GzQA xo6VwtD5f/YQgM8DL/ZyyNNZdO76sy2ECEdyjeYIuBk
+eeHqX9CnkOCCPGHGjiHdyPqVeM+Rbei/xyzpfGnB6lo
+-> ssh-ed25519 wcI7nQ oviiO/RofHtg7GOuLOgnF0AqTtMvHM/jkaRq2zsPYn4
+7/HQNRTfjZDiDg1rzrAHZ5Ji/Vc/qsHwiioeL5MNkW0
+--- 2pyP4F8yE+BR1xK7mqSC5NdEB9sw/+fyHmrtg3yyiYQ
+P¼ì@“Ð¥}TV=Ð§žk÷&:Âr<C382>‰}Ú¦whq‰]wg²\vÝ‚ôA#?,<2C>’iÎòBdÁHróõ\R€Û:µíÀÑeè!è>æ“Én´5vô…<C3B4>ÍÑu„í°ˆ&¢h¢ YO+Œ‚¯Zˆf„LT¬«!¸NFØr–HªŠî}ðBà“ž/&ëÇH“ùùvÝ)Ë7<C38B>oï)¤Hœ 
+˜.ù¨>~7dÑ%[nKâyÚŽòèDlÚ{ìDÃÖß˜Ú¢ˆnS¿Ü¿ðËãZ›ú®kú/ÉO~¬¥)×öWþ¸hÂ¬¯j€F˜€ˆbò©!_qîÌÆÛiÕü·³«d†¼W_ûŠQ!äÀ/<2F>u¼<75>‡_•À«
V%®›ÖÐ÷É?'&qS@[!D\–PÅSs†åüdJ=1bAÅ¼Ï"Hñ,V™?&ÀSr>®éÒRKˆ” +ë§”^é åš¯ÄFŠ]©¨ÓU<C393>b-L¬ŠÃY(¹¹•%Wî?Sº(ZËõõ€€!ìe³›æþ<C3A6>7¶{·‰‰frºp<>ÊÂ½„ƒ¯âaŸ<61>Œh’f“RóZÖ¸¯|¶L+Aö^9
--- a/provision/secrets/ssh/torus/id_ed25519.pub.age
+++ b/provision/secrets/ssh/torus/id_ed25519.pub.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 6UNP1Q 9MKiiHjqqjYBm+DsgXcpzu4mKdICA4OGpC9KAnYJMyk
+/vOtXkev3nXDMlrNx1yDmTf8gLPtSwV+QJfoqs6HVyg
+-> ssh-ed25519 Fz/sQw /+NdN1YZtM9t32u6E29IbEQZDOXRt38ahsjoC2g02lU
+c8etDhHvv6F9t/mX264vGa3CDkbpRyAW7pEMEj3KR/M
+-> ssh-ed25519 47GzQA Uhj4JY9UeGLn8MjK1uqvIsoq69RWY0UeKqeT+sEd7GA
+8KmEBgq4CE/kGY+PRnGLEEujIhvdmNGHSViAup4pPJ4
+-> ssh-ed25519 wcI7nQ mCmIzNVQpKtTz+U7GF1ux4vMQJfXH7+p4iZjSPmRNmw
+/njWvPmXafs5Sz+FlSmnh049LZMUQHMLrjbIwVxos88
+--- Ee6yH5YKBP97rw4LVpHDKjPPoPeff2xMDigrg7PMXYU
+ŠÐ·Å\¶<1E>´1+˜Áã…Ø¼i.iÑjJëÄmoØ:<3A>_	Q®]°Qžx€‹ököõ#‡–äFòdßA»T<>E ýeœ~O^%¦^ì“ÈB7±¦ÜWg¯ƒ4ic	´Nèó[!;—~–N×ão‡ñÆL<':6š“òJÎ