create backup store on kestrel

home/dot_config/borgmatic.d/private_torus.yaml

@@ -0,0 +1,31 @@
+source_directories:
+    - /engi/apps # Docker containers and data
+    #- /engi/backup # Static files and service dumps
+    #- /home/tstarr/Sync # Syncthing files on Torus
+
+exclude_patterns:
+    - 'code-server/config/*'
+    - 'code-server/workspace/*'
+    - 'immich/library/*'
+
+archive_name_format: 'borg-torus-{now}'
+repositories:
+    #- path: ssh://user@backupserver/./sourcehostname.borg
+    #  label: backupserver
+    - path: /engi/backup/borg/borg-apps
+      label: local
+
+before_backup:
+  - echo "Running pre-backup scripts! $(date)" >> /engi/test/test.txt
+  - tree /engi > /engi/backup/tree.txt
+  - stop-docker-containers
+  #- sudo -u gitea backup-dump-gitea
+
+after_backup:
+  - restore-docker-containters
+    
+keep_daily: 7
+keep_weekly: 4
+keep_monthly: 6
+
+encryption_passphrase: "***REMOVED***"

home/private_dot_ssh/config.tmpl

@@ -10,3 +10,12 @@ Host bulwark
   AddKeysToAgent yes
   IdentityFile /run/agenix/ssh/kestrel/id_ed25519 
 {{- end }}
+{{- if eq .chezmoi.hostname "torus" }}
+Host kestrel
+  AddKeysToAgent yes
+  IdentityFile /run/agenix/ssh/torus/id_ed25519 
+
+Host bulwark 
+  AddKeysToAgent yes
+  IdentityFile /run/agenix/ssh/torus/id_ed25519 
+{{- end }}

provision/hosts/default/backup.nix

@@ -1,12 +1,21 @@
 { config, pkgs, user, lib, ... }:
 {
-  # Password-less logins for backup
-  users.users."${user}".openssh.authorizedKeys.keyFiles = [
-    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
-  ];
-
   services.borgmatic.enable = true;
   environment.systemPackages = with pkgs; [
     borgbackup # Deduplicating backup program 
+    (pkgs.writeScriptBin "stop-docker-containers" ''
+      #!/bin/sh
+      [ -e /tmp/docker_images ] && rm /tmp/docker_images
+      images=$(docker ps -a -q)
+      echo "$images" > /tmp/docker_images
+      docker stop $images
+    '')
+    (pkgs.writeScriptBin "restore-docker-containers" ''
+      #!/bin/sh
+      [ ! -e /tmp/docker_images ] && exit 0
+      docker start $(cat /tmp/docker_images)
+      rm /tmp/docker_images
+    '')
   ];
 }
+          

provision/hosts/default/home-configuration.nix

@@ -11,6 +11,11 @@
       nix-direnv.enable = true;
     };
 
+    programs.vscode = {
+      enable = true;
+      package = pkgs.vscode.fhs;
+    };
+
     home.packages = with pkgs; [
     ];
 

provision/hosts/kestrel/backup.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, user, lib, ... }:
+{
+  # Password-less logins for backup
+  users.users."${user}".openssh.authorizedKeys.keyFiles = [
+    config.age.secrets."ssh/torus/id_ed25519.pub".path
+  ];
+  systemd.tmpfiles.rules = [
+    "d /store 0775 ${user} users -"
+  ];
+}
+          

provision/hosts/kestrel/configuration.nix

@@ -2,6 +2,7 @@
 {
   imports = [ 
     ./syncthing.nix
+    ./backup.nix
   ];
 
   # Use performance governor for sweet gaming performance!

provision/hosts/torus/backup.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, user, lib, ... }:
+{
+  # Password-less logins for backup
+  users.users."${user}".openssh.authorizedKeys.keyFiles = [
+    config.age.secrets."ssh/kestrel/id_ed25519.pub".path
+  ];
+}
+          

provision/hosts/torus/configuration.nix

@@ -9,6 +9,7 @@
     ./home-assistant
     ./gitea.nix
     ./nextcloud.nix
+    ./backup.nix
   ];
 
   # Use normal kernel
@@ -23,7 +24,6 @@
   networking.firewall.checkReversePath = "loose";
   networking.firewall.allowedTCPPorts = [ 80 443 ];
   networking.firewall.allowedUDPPorts = [ 80 443 ];
-  networking.nameservers = [ "8.8.8.8" "8.8.4.4" ];
   boot.kernel.sysctl = {
     "net.ipv4.conf.all.forwarding" = true; # Needed for wireguard-server
   };
@@ -33,13 +33,12 @@
     enable = true;
     package = pkgs.docker_27;
     storageDriver = "btrfs";
-    enableNvidia = true;
   };
-  services.xserver.videoDrivers = [ "nvidia" ];
+
+  services.xserver.videoDrivers = ["nvidia"];
+  hardware.nvidia.open = false;
 
   environment.systemPackages = with pkgs; [
-    docker-compose # Tool for defining and running multi-container Docker applications.
-    python3 # Interpreted, high-level programming language known for its simplicity and versatility.
   ];
 
   security.acme = {

provision/hosts/torus/gitea.nix

@@ -1,23 +1,47 @@
 { config, lib, pkgs, user, ... }:
-{
+let
+  stateDir = "/var/lib/gitea";
+  dumpFolder = "/engi/backup/dumps/gitea";
+  domain = "git.tstarr.us";
+in {
+
+  # Main gitea service
+  systemd.tmpfiles.rules = [
+    "d ${dumpFolder} 0775 gitea gitea -"
+  ];
+
+  environment.systemPackages = [
+    (pkgs.writeScriptBin "backup-dump-gitea" ''
+      #!/bin/sh
+      cd ${dumpFolder}
+      [ -e gitea-dump.zip ] && rm gitea-dump.zip
+      exec ${pkgs.gitea}/bin/gitea dump --type zip -c ${stateDir}/custom/conf/app.ini --file "gitea-dump.zip"
+    '')
+  ];
+
   services.gitea = {
     enable = true;
     lfs.enable = true;
-    dump = {
+    stateDir = "${stateDir}";
-      enable = true;
+    customDir = "${stateDir}/custom"; 
-      interval = "23:05";
+    settings.server = {
+      DOMAIN = "${domain}";
+      HTTP_PORT = 3001;
+      ROOT_URL = "https://${domain}";
     };
     settings.service = {
         DISABLE_REGISTRATION = true;
     };
-    settings.server = {
-      DOMAIN = "git.tstarr.us";
-      HTTP_PORT = 3001;
-      ROOT_URL = "https://git.tstarr.us";
-    };
   };
 
-  # gitea runner secrets
+  # Gitea runners
+  users.users.gitea-runner = {
+    createHome = false;
+    isSystemUser = true;
+    group = "gitea-runner";
+  };
+  users.groups.gitea-runner = {};
+
   age.secrets."git/gitea-runner-1" = {
     file = ../../secrets/git/gitea-runner-1.age;
     owner = "gitea-runner";
@@ -27,7 +51,7 @@
   services.gitea-actions-runner.instances = {
     runner1 = {
       enable = true;
-      url = "https://git.tstarr.us";
+      url = "https://${domain}";
       tokenFile = "/run/agenix/git/gitea-runner-1";
       name = "runner1";
       labels = [
@@ -47,10 +71,4 @@
       ];
     };
   };
-  users.users.gitea-runner = {
-    createHome = false;
-    isSystemUser = true;
-    group = "gitea-runner";
-  };
-  users.groups.gitea-runner = {};
 }

provision/hosts/torus/hardware.nix

@@ -20,7 +20,7 @@
     };
 
   fileSystems."/engi" =
-    { device = "/dev/disk/by-uuid/89227565-1b54-41ec-adef-cd4ddd8565c5";
+    { device = "/dev/disk/by-uuid/535012d6-71c2-40e3-85a5-71bb2e971ad0";
       fsType = "btrfs";
     };
 

provision/modules/system/backup.nix

@@ -1,9 +0,0 @@
-{ config, lib, pkgs, user, ... }:
-
-let cfg = config.modules.system.backup;
-in {
-  options.modules.system.backup.enable = lib.mkEnableOption "backup";
-  config = lib.mkIf cfg.enable {
-  };
-
-}

provision/modules/system/default.nix

@@ -1,4 +1,4 @@
 { ... }:
 {
-  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./backup.nix ./terminal.nix ./wireguard-client.nix ];
+  imports = [ ./nipr.nix ./secrets.nix ./ssh.nix ./terminal.nix ./wireguard-client.nix ];
 }

provision/modules/system/secrets.nix

@@ -27,6 +27,16 @@ in {
       owner = "${user}";
       group = "users";
     };
+    age.secrets."ssh/torus/id_ed25519" = {
+      file = ../../secrets/ssh/torus/id_ed25519.age;
+      owner = "${user}";
+      group = "users";
+    };
+    age.secrets."ssh/torus/id_ed25519.pub" = {
+      file = ../../secrets/ssh/torus/id_ed25519.pub.age;
+      owner = "${user}";
+      group = "users";
+    };
 
     # emu secrets
     age.secrets."emu/switch/prod.keys" = {

provision/secrets/git/gitea-runner-1.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw VMO7Bf8TC+D8W8+NdPFMixkcU2b4uz4DSf6Zx9aU4iU
+-> ssh-ed25519 Fz/sQw eWmbN5fQHK2Af4PsSY24Yo4rviqcMc1841KZEdn/ezQ
-DzvAcsQvylSrTLDOfKppfPz5nWIobeKSJpU4F16s1L8
+/N3I6mOuUShNlzr2c/TnB6ax6TtkrFJQxFIaJ4STrXQ
--> ssh-ed25519 47GzQA 2rBejKxWVg+epKWeIpfiQOFmeX+7AGXVLccLtJYDHwk
+-> ssh-ed25519 47GzQA 7ut3vn6lXxz58Tj/OXWuueqaxRGckhpVj4Z/N8b34XU
-dQiRj9XXxalBtypbLBB5h3zht22FTpWAGtUt8sfW+Vo
+SBecD52O2UsCOOLQrxA/+E7VcXOj88Sdg0yA+i7bQ7s
--> ssh-ed25519 wcI7nQ ZRNWo76nAjRB4uXL+53nigH0AcoC8PoK4swkECOQBDo
+-> ssh-ed25519 wcI7nQ isqztqV9KZjY/CUW4+I2yHfCeZmo2IKG9g5lfQkB/V4
-EchMzDePnEc1gEBBJOWfySem1GMKTQxZ7ZOQPlM9kGg
+ppd2WJLTLyoEp5bS+oP6bT2gVkc+J3e7tlInx5326d4
---- 2SXiHLzyN/kLfeuju2Sv37lZ6ZSOc1rBsE44zioTo70
+--- 4n4s3HSUR089Q2VqEmoxUnqrhlZ+cSvl9FXvrwTAkqc
-‚Ž'đ-Ń褟‡5ˇ`î3GMłhCHőŔÔU+?ŠP'‰>~Ž&“j}•­ą
+Ççc)¼ù?à‹÷ÿ7»2,g‘õ™Ñ… Mc’1ü&éûÍH’€–—_‹®!¶g.[»•eTs%’Åó­løFд®]
-ŇßÔ‡ŽőîüFtąźÄsź˘˛&7"

provision/secrets/secrets.nix

@@ -18,6 +18,8 @@ in
   "git/gitea-runner-1.age".publicKeys = systems;
   "nextcloud/password.age".publicKeys = systems;
   "ssh/kestrel/id_ed25519.age".publicKeys = [ tstarr_kestrel ] ++ systems;
-  "ssh/kestrel/id_ed25519.pub.age".publicKeys = [ tstarr_kestrel ] ++ systems;
+  "ssh/kestrel/id_ed25519.pub.age".publicKeys = users ++ systems;
+  "ssh/torus/id_ed25519.age".publicKeys = [ tstarr_torus ] ++ systems;
+  "ssh/torus/id_ed25519.pub.age".publicKeys = users ++ systems;
 }
 

provision/secrets/wireguard/bulwark.age

@@ -1,10 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw iahBnonr/ERKTaFJtfCCZMRyFGl1IkXkROjk8Pz5A1s
+-> ssh-ed25519 Fz/sQw ahzp1uO9sWV9W3OACxPd4tN6SRpJi9PbKbdzruPFvxA
-TSgBmEB4WNl48drZwBU22oN8+rtFBroFn0sjRjEcd9I
+OeKlZx5L8EEUpKb6kxS33cwTIxwskNiajvSYV1PVzXY
--> ssh-ed25519 47GzQA U3FTe966MQRbXEygRGrsX02oIPHoo8WZR8ZKMxReklU
+-> ssh-ed25519 47GzQA adIA4CJ5oswd6MODdR5LSQ9uHI+aD6wyxoRueK5Wrk0
-YPJLdklpM7ruHes7rJbdvNWoajR9ae/DWiAd5x0OP7g
+21CvXBrll3Lw+VTMpdxUePr58XjZQH0h6W9U2zKZ6DM
--> ssh-ed25519 wcI7nQ b8xHvJrZ7DGaPLI0Z+JEgWxRJRLI8y8BR90xCI5fazk
+-> ssh-ed25519 wcI7nQ f3p3SYJM3pTqYMz2NoajEHqUqKmKs+FM+taI1rpqqzM
-Fx1kHtWXQ5Z+teARWKoRpN8QtPBbrhACc1WEhOisgBs
+PmeupVlX1nRFt3DkPMrx6o2oEtWoc+si2Flwd22D0Vw
---- hbYewYLVVD3sY1BGgc7IRn2SegmQJdQU2uIc8vkUdgA
+--- dxk5xXqB72nPhxw46T6rChktRllWaPqJp4XTTi3IBpU
-]×f5‘{‹9ãjö9©œŠÀO¨ -ɬl×4ÎÞÎå…ûÍã¡1óÃe#šSÈÊ‹ö‘¬ÜT[ºÉ(h[@sÈ÷&™¿
+K ].‡ç©ƒY„,‰Ùâ} ¸Áxÿâfˆ…Ò²!f”×Ú´G½#˜¯*EòΑ6l;cMp.¯âí<C3A2>q˜þ½Ÿ÷AW‰8¨éEFñ
-›^pU

provision/secrets/wireguard/torus.age

@@ -1,9 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 Fz/sQw AXkkcwVYwCwvjyDqWhXtSQSepgVJmboLyXkOfpL5QA4
+-> ssh-ed25519 Fz/sQw sTJYlfFdSBl+xqi0+Yysl6NNWH8IABznrbF1MLi8p0c
-kLMo6pp+8gvatCkIWRrRDxAIvPsFe5S79K3bb2gG/LA
+xp0OvKeTPOK7CEUlPJOF9ZT3G55jYzGx/KI311YXzIM
--> ssh-ed25519 47GzQA FCQoB9UG6NoTzPWh8W0YtE3MpP5TYLirH/WtZYCxnTs
+-> ssh-ed25519 47GzQA Dc5kR+oUGLMcL5V+ul8NQTw4xr/ihd4qItpwlVDcLj8
-YuFjvJybPaI4mflQc8vxIfEoswbXG1s8CPD9rgmJ0ZA
+RZFPMVRFxBaosGvXRLcJA8gLIeaI8i2QIWflcsHY8uQ
--> ssh-ed25519 wcI7nQ PXgOnNP1HAZ5cEtZbxs6SFhqfqN1NLKMsuh4gMPEkzI
+-> ssh-ed25519 wcI7nQ 1lgpi/CuZpYLgjEnWYBD/2x5EMfPLfyR+9xJVqbfGEc
-xZqOgjDSqqWQNz+hXT9jExKTXJqhDNB2rxmHj47Bue4
+wmzNKHObcWs9tbU8nIZ6/iP3cJKusAIRwsoPnszxdbM
---- GNwc1tnzwsYP6WPTCzMtyYJySfdXONBjAd0eFlZrEQg
+--- BAh4R0xMUi7v8eoI6R9aW5YHbGULsZR+lBw6JnGKsbQ
-Q!S.kl÷jńfH¶ź‘feM+.	R[yäe$›ŚµńĐní(>Ř„š#©\5ńŢ
,,EŞo¦çe =—Áŕóţ+•ęK«@ĂË
+
+魺稩3<E7A8A9>S脍镶H璇|v贩假际鴎稾斩l舖ㄈ<E88896>廭b<>V圁C湉gM廤i蕜z;狢|鞄詧桘琓}?fr