From cb7f7182a626d5d3ca99a970e53d8012c7953500 Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Tue, 3 Sep 2024 13:22:11 -0700
Subject: [PATCH 1/4] add vscode by default
---
 provision/hosts/default/home-configuration.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/provision/hosts/default/home-configuration.nix b/provision/hosts/default/home-configuration.nix
index 2d605666..8aa754ee 100644
--- a/provision/hosts/default/home-configuration.nix
+++ b/provision/hosts/default/home-configuration.nix
@@ -11,6 +11,11 @@
 nix-direnv.enable = true;
 };
+ programs.vscode = {
+ enable = true;
+ package = pkgs.vscode.fhs;
+ };
+
 home.packages = with pkgs; [ ];
From 547070ca33a5cb924d8a645c578a593d54e8c712 Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Tue, 3 Sep 2024 14:22:48 -0700
Subject: [PATCH 2/4] updates for gitea backup
---
 provision/hosts/torus/gitea.nix | 52 ++++++++++++++++++++++-----------
 1 file changed, 35 insertions(+), 17 deletions(-)
diff --git a/provision/hosts/torus/gitea.nix b/provision/hosts/torus/gitea.nix
index 06384dd8..91b854c3 100644
--- a/provision/hosts/torus/gitea.nix
+++ b/provision/hosts/torus/gitea.nix
@@ -1,23 +1,47 @@
 { config, lib, pkgs, user, ... }:
-{
+let
+ stateDir = "/var/lib/gitea";
+ dumpFolder = "/engi/backup/dumps/gitea";
+ domain = "git.tstarr.us";
+in {
+
+ # Main gitea service
+ systemd.tmpfiles.rules = [
+ "d ${dumpFolder} 0775 gitea gitea -"
+ ];
+
+ environment.systemPackages = [
+ (pkgs.writeScriptBin "backup-dump-gitea" ''
+ #!/bin/sh
+ cd ${dumpFolder}
+ [ -e gitea-dump.zip ] && rm gitea-dump.zip
+ exec ${pkgs.gitea}/bin/gitea dump --type zip -c ${stateDir}/custom/conf/app.ini --file "gitea-dump.zip"
+ '')
+ ];
+
 services.gitea = {
 enable = true;
 lfs.enable = true;
- dump = {
- enable = true;
- interval = "23:05";
+ stateDir = "${stateDir}";
+ customDir = "${stateDir}/custom";
+ settings.server = {
+ DOMAIN = "${domain}";
+ HTTP_PORT = 3001;
+ ROOT_URL = "https://${domain}";
 };
 settings.service = {
 DISABLE_REGISTRATION = true;
 };
- settings.server = {
- DOMAIN = "git.tstarr.us";
- HTTP_PORT = 3001;
- ROOT_URL = "https://git.tstarr.us";
- };
 };
- # gitea runner secrets
+ # Gitea runners
+ users.users.gitea-runner = {
+ createHome = false;
+ isSystemUser = true;
+ group = "gitea-runner";
+ };
+ users.groups.gitea-runner = {};
+
 age.secrets."git/gitea-runner-1" = {
 file = ../../secrets/git/gitea-runner-1.age;
 owner = "gitea-runner";
@@ -27,7 +51,7 @@
 services.gitea-actions-runner.instances = {
 runner1 = {
 enable = true;
- url = "https://git.tstarr.us";
+ url = "https://${domain}";
 tokenFile = "/run/agenix/git/gitea-runner-1";
 name = "runner1";
 labels = [
@@ -47,10 +71,4 @@
 ];
 };
 };
- users.users.gitea-runner = {
- createHome = false;
- isSystemUser = true;
- group = "gitea-runner";
- };
- users.groups.gitea-runner = {};
 }
From 45b63d0aebe9706d878bb880bdb19281ce77a82d Mon Sep 17 00:00:00 2001
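Review bot: The tmpfiles rule `"d ${dumpFolder} 0775 gitea gitea -"` leaves the dump directory readable by every local user, and what `backup-dump-gitea` writes there is a full Gitea dump (the database plus `app.ini` with its secret keys), so unless `gitea dump` itself creates the zip with a restrictive mode any local account can read it; `"d ${dumpFolder} 0750 gitea gitea -"` limits it to the gitea user and group. In the script, `cd ${dumpFolder}` is unchecked, so if the directory is missing the `rm` and the dump run in the caller's working directory; `cd ${dumpFolder} || exit 1` on that line (or `set -eu` after the shebang) prevents that. The previous `gitea-dump.zip` is also removed before the new dump has succeeded, so a failed dump leaves no dump at all; writing to a temporary name and renaming it over the old file only after success keeps the last good copy. The two later hunks of this file only reuse `${domain}` and move the runner user, so this note covers the whole change.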
From: Tyler Starr
Date: Fri, 6 Sep 2024 22:44:16 -0700
Subject: [PATCH 3/4] password-less ssh for torus to kestrel/bulwark
---
 home/private_dot_ssh/config.tmpl | 9 +++++++++
 provision/modules/system/secrets.nix | 10 ++++++++++
 provision/secrets/secrets.nix | 2 ++
 provision/secrets/ssh/torus/id_ed25519.age | 12 ++++++++++++
 provision/secrets/ssh/torus/id_ed25519.pub.age | 11 +++++++++++
 5 files changed, 44 insertions(+)
 create mode 100644 provision/secrets/ssh/torus/id_ed25519.age
 create mode 100644 provision/secrets/ssh/torus/id_ed25519.pub.age
diff --git a/home/private_dot_ssh/config.tmpl b/home/private_dot_ssh/config.tmpl
index c554250a..0b9e5a54 100644
--- a/home/private_dot_ssh/config.tmpl
+++ b/home/private_dot_ssh/config.tmpl
@@ -10,3 +10,12 @@ Host bulwark
 AddKeysToAgent yes
 IdentityFile /run/agenix/ssh/kestrel/id_ed25519
 {{- end }}
+{{ if eq .chezmoi.hostname "torus" }}
+Host kestrel
+ AddKeysToAgent yes
+ IdentityFile /run/agenix/ssh/torus/id_ed25519
+
+Host bulwark
+ AddKeysToAgent yes
+ IdentityFile /run/agenix/ssh/torus/id_ed25519
+{{- end }}
diff --git a/provision/modules/system/secrets.nix b/provision/modules/system/secrets.nix
index edbaaf8e..ab846bfd 100644
--- a/provision/modules/system/secrets.nix
+++ b/provision/modules/system/secrets.nix
@@ -27,6 +27,16 @@ in {
 owner = "${user}";
 group = "users";
 };
+ age.secrets."ssh/torus/id_ed25519" = {
+ file = ../../secrets/ssh/torus/id_ed25519.age;
+ owner = "${user}";
+ group = "users";
+ };
+ age.secrets."ssh/torus/id_ed25519.pub" = {
+ file = ../../secrets/ssh/torus/id_ed25519.pub.age;
+ owner = "${user}";
+ group = "users";
+ };
 # emu secrets
 age.secrets."emu/switch/prod.keys" = {
diff --git a/provision/secrets/secrets.nix b/provision/secrets/secrets.nix
index 8171a6ff..48df7085 100644
--- a/provision/secrets/secrets.nix
+++ b/provision/secrets/secrets.nix
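Review bot: The new `Host kestrel` and `Host bulwark` entries for torus set `IdentityFile` and `AddKeysToAgent yes` but not `IdentitiesOnly yes`, so ssh will still offer every key the agent holds before the torus key; adding `IdentitiesOnly yes` under each entry pins the backup login to that one key. The two entries are identical apart from the host name, so a single `Host kestrel bulwark` stanza would also remove the duplication. The existing kestrel block above the hunk has the same shape, so the layout is presumably intentional and the same note applies to it.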
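Review bot: The private key `ssh/torus/id_ed25519` is declared in `provision/modules/system/secrets.nix`, which by its path looks like a module shared by every host, so each host importing it would decrypt and install torus's private key under `${user}`; and the matching entry in the `provision/secrets/secrets.nix` hunk later in this patch encrypts that key to `[ tstarr_torus ] ++ systems`, i.e. to all system keys including kestrel and bulwark, the hosts this key is meant to log into. A private key that only torus uses should be encrypted only to the recipients that need it (torus's own host key and the key used to edit the secret) and declared in torus's host configuration alone; the `.pub` file can stay shared. The existing kestrel entries above the hunk follow the same pattern, so this may be a deliberate repository convention, but it extends a credential for password-less login to every machine in `systems`.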
@@ -19,5 +19,7 @@ in
 "nextcloud/password.age".publicKeys = systems;
 "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
 "ssh/kestrel/id_ed25519.pub.age".publicKeys = [ tstarr_kestrel ] ++ systems;
+ "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
+ "ssh/torus/id_ed25519.pub.age".publicKeys = [ tstarr_torus ] ++ systems;
 }
diff --git a/provision/secrets/ssh/torus/id_ed25519.age b/provision/secrets/ssh/torus/id_ed25519.age
new file mode 100644
index 00000000..3652764b
--- /dev/null
+++ b/provision/secrets/ssh/torus/id_ed25519.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 6UNP1Q pt+/kwmpzF1ZYUgjfOdR0tCws6Ir/x+WFWQ/u5u2VCM
+6vGNiivMqZGMzxsSjiPM1JyuOOoKeINVc5M2EMc5IQs
+-> ssh-ed25519 Fz/sQw MNIfMtMO3WeP03UdvEs3Ofb+1Ga4FYB7JHzgQmVQRhw
+BnOd8W5SFVtnG42y5z1qWxdBmd/x1bX5K8uz+eJcoEc
+-> ssh-ed25519 47GzQA xo6VwtD5f/YQgM8DL/ZyyNNZdO76sy2ECEdyjeYIuBk
+eeHqX9CnkOCCPGHGjiHdyPqVeM+Rbei/xyzpfGnB6lo
+-> ssh-ed25519 wcI7nQ oviiO/RofHtg7GOuLOgnF0AqTtMvHM/jkaRq2zsPYn4
+7/HQNRTfjZDiDg1rzrAHZ5Ji/Vc/qsHwiioeL5MNkW0
+--- 2pyP4F8yE+BR1xK7mqSC5NdEB9sw/+fyHmrtg3yyiYQ
+P@Х}TV=Чk&:r}ڦwhq]wg\v݂A#?,iBdHr\R:e!>n5vu&hYO+ZfLT!NF rH}B/&Hv)7o)H  +.>~7d%[nKyڎDl{DߘڢnSܿZk/O~)Wh¬jFb!_q i dW_Q!/u_ V%?'&qS@[!D \PSsdJ=1bAż"H,V?&Sr>RK +^嚯F]Ub-LY(%W?S(Z!e7{frp½ahfRZָ|L+A^9
\ No newline at end of file
diff --git a/provision/secrets/ssh/torus/id_ed25519.pub.age b/provision/secrets/ssh/torus/id_ed25519.pub.age
new file mode 100644
index 00000000..aaba7e1a
--- /dev/null
+++ b/provision/secrets/ssh/torus/id_ed25519.pub.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 6UNP1Q 9MKiiHjqqjYBm+DsgXcpzu4mKdICA4OGpC9KAnYJMyk
+/vOtXkev3nXDMlrNx1yDmTf8gLPtSwV+QJfoqs6HVyg
+-> ssh-ed25519 Fz/sQw /+NdN1YZtM9t32u6E29IbEQZDOXRt38ahsjoC2g02lU
+c8etDhHvv6F9t/mX264vGa3CDkbpRyAW7pEMEj3KR/M
+-> ssh-ed25519 47GzQA Uhj4JY9UeGLn8MjK1uqvIsoq69RWY0UeKqeT+sEd7GA
+8KmEBgq4CE/kGY+PRnGLEEujIhvdmNGHSViAup4pPJ4
+-> ssh-ed25519 wcI7nQ mCmIzNVQpKtTz+U7GF1ux4vMQJfXH7+p4iZjSPmRNmw
+/njWvPmXafs5Sz+FlSmnh049LZMUQHMLrjbIwVxos88
+--- Ee6yH5YKBP97rw4LVpHDKjPPoPeff2xMDigrg7PMXYU
+\1+ؼi.ijJmo:_ Q]Qxk#FdATEe~O^%^B7Wg4ic N[!;~ NoL<':6J
\ No newline at end of file
From ed9ac71b3ff86cdc8a90856c7be644698ca8efaa Mon Sep 17 00:00:00 2001
From: Tyler Starr
Date: Fri, 6 Sep 2024 23:37:09 -0700
Subject: [PATCH 4/4] add scripts to stop and restore docker containers
---
 provision/hosts/default/backup.nix | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/provision/hosts/default/backup.nix b/provision/hosts/default/backup.nix
index 34175bd7..5980fe4e 100644
--- a/provision/hosts/default/backup.nix
+++ b/provision/hosts/default/backup.nix
@@ -3,10 +3,25 @@
 # Password-less logins for backup
 users.users."${user}".openssh.authorizedKeys.keyFiles = [
 config.age.secrets."ssh/kestrel/id_ed25519.pub".path
+ config.age.secrets."ssh/torus/id_ed25519.pub".path
 ];
 services.borgmatic.enable = true;
 environment.systemPackages = with pkgs; [
 borgbackup # Deduplicating backup program
+ (pkgs.writeScriptBin "stop-docker-containers" ''
+ #!/bin/sh
+ [ -e /tmp/docker_images ] && rm /tmp/docker_images
+ images=$(docker ps -a -q)
+ echo "$images" > /tmp/docker_images
+ docker stop $images
+ '')
+ (pkgs.writeScriptBin "restore-docker-containers" ''
+ #!/bin/sh
+ [ ! -e /tmp/docker_images ] && exit 0
+ docker start $(cat /tmp/docker_images)
+ rm /tmp/docker_images
+ '')
 ];
 }
+
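Review bot: Both new scripts keep their container list in `/tmp/docker_images`, a fixed name in a world-writable directory, while the scripts presumably run with Docker privileges (the hunk does not show how they are invoked); another local user can pre-create or replace that file, so `stop-docker-containers` writes through whatever it points at and `restore-docker-containers` passes whatever it contains to `docker start`. Keeping the list under a root-owned directory that is not world-writable removes that exposure. `docker ps -a -q` also lists containers that were already stopped, so the restore step starts containers that were stopped on purpose; `docker ps -q` records only the running ones, and `set -eu` with an empty-list check keeps `docker stop` from being called with no arguments. The file name `docker_images` is also misleading since the list holds container ids. The module's `{ ... }:` header and opening brace are outside the hunk.
```nix
  environment.systemPackages = with pkgs; [
    # … unchanged: borgbackup …
    (pkgs.writeScriptBin "stop-docker-containers" ''
      #!/bin/sh
      set -eu
      # constructed example path: any root-owned, non-world-writable directory will do
      state=/var/lib/backup/docker-containers
      mkdir -p "$(dirname "$state")"
      # running containers only; "-a" would make restore start ones that were stopped on purpose
      docker ps -q > "$state"
      if [ -s "$state" ]; then
        docker stop $(cat "$state")
      fi
    '')
    (pkgs.writeScriptBin "restore-docker-containers" ''
      #!/bin/sh
      set -eu
      state=/var/lib/backup/docker-containers
      [ -s "$state" ] || exit 0
      docker start $(cat "$state")
      rm -f "$state"
    '')
  ];
```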