From 75c4b4d44492ab5f109ccdea631ebdfbd041018c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Mon, 15 May 2023 23:49:16 +0200 Subject: [PATCH] server8: add restic-server --- hosts/server8/default.nix | 40 +++++++++++++++++++++--- hosts/server8/hardware-configuration.nix | 2 +- hosts/server8/secrets.yaml | 8 +++-- 3 files changed, 42 insertions(+), 8 deletions(-) diff --git a/hosts/server8/default.nix b/hosts/server8/default.nix index 594bb026..8de3cd38 100644 --- a/hosts/server8/default.nix +++ b/hosts/server8/default.nix @@ -32,7 +32,29 @@ }; services = { + nginx = { + enable = true; + virtualHosts."server8.cluster.zentralwerk.org" = { + default = true; + forceSSL = true; + enableACME = true; + locations."/restic/" = { + proxyPass = "http://${config.services.restic.server.listenAddress}/"; + extraConfig = '' + client_max_body_size 20M; + ''; + }; + }; + }; + openssh.enable = true; + + restic.server = { + enable = true; + listenAddress = "127.0.0.1:8080"; + privateRepos = true; + }; + smartd.enable = true; }; @@ -40,12 +62,20 @@ sops = { defaultSopsFile = ./secrets.yaml; - secrets."machine-id" = { - mode = "444"; - path = "/etc/machine-id"; + secrets = { + "ceph/osd.1/keyfile" = {}; + "ceph/osd.2/keyfile" = {}; + "machine-id" = { + mode = "444"; + path = "/etc/machine-id"; + }; + "restic/htpasswd" = { + group = config.systemd.services.restic-rest-server.serviceConfig.Group; + mode = "400"; + owner = config.systemd.services.restic-rest-server.serviceConfig.User; + path = "/var/lib/restic/.htpasswd"; + }; }; - secrets."ceph/osd.1/keyfile" = {}; - secrets."ceph/osd.2/keyfile" = {}; }; skyflake.nomad.client.meta."c3d2.cpuSpeed" = "3"; diff --git a/hosts/server8/hardware-configuration.nix b/hosts/server8/hardware-configuration.nix index b920108a..452cd706 100644 --- a/hosts/server8/hardware-configuration.nix +++ b/hosts/server8/hardware-configuration.nix 
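Review bot: `restic.server` is enabled without `appendOnly = true;`, so any client holding valid htpasswd credentials can delete or overwrite the snapshots in its own repository. `privateRepos = true;` only confines that to the user's own path. For a backup target, consider adding `appendOnly = true;` and running forget/prune from a trusted host with direct access to the data directory. Separately, `client_max_body_size 20M;` in the `/restic/` location caps a single upload at 20 MB; if clients are configured with a larger pack size, nginx would reject those uploads with 413, so it is worth checking against the clients' settings. Whether ports 80/443 are opened in the firewall for ACME and the vhost is not visible in this hunk.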
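Review bot: The `secrets` set declares `"restic/htpasswd"` but not the `restic.password` value that the secrets.yaml hunk of this patch adds, so nothing on server8 appears to consume that value. Any recipient of hosts/server8/secrets.yaml can decrypt every value in it, and that presumably includes server8's own host key. If `restic.password` is a client or repository credential (not determinable from the encrypted value), it would be readable on the backup server itself and is better kept in the secrets file of the hosts that use it. If it is only the plaintext behind the htpasswd hash, kept for reference, a short comment saying so next to `"restic/htpasswd"` would help. As a style point, `owner` and `group` read `config.systemd.services.restic-rest-server.serviceConfig.User`/`.Group`, which ties this host to the module's internal unit name; a one-line comment explaining that choice would make a later breakage easier to diagnose.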
@@ -25,7 +25,7 @@ options = [ "zfsutil" ]; }; - fileSystems."/var/lib/resitc" = + fileSystems."/var/lib/restic" = { device = "server8_hdd/restic"; fsType = "zfs"; options = [ "zfsutil" ]; diff --git a/hosts/server8/secrets.yaml b/hosts/server8/secrets.yaml index de17e88b..a147d878 100644 --- a/hosts/server8/secrets.yaml +++ b/hosts/server8/secrets.yaml @@ -4,6 +4,10 @@ ceph: keyfile: ENC[AES256_GCM,data:p6ic3dssOo45ArTtX1HfbxO1NrpGjDIGrQHgcAouwucUP+oSWU3ZPw==,iv:g7mzt74BJ7I19QmwYmdeN2dlB+WSkC0Enn3odvU/nKY=,tag:Q0bf4yEkbvYbuT1A6gRTcw==,type:str] osd.2: keyfile: ENC[AES256_GCM,data:PwOm1GNXLUYVhjoTQB1Ne/X0J1OUeUBk3ucGJv2qgbgpJUH6sXR/Ng==,iv:q7JUhvn2jeyT55/DTepQTa4ocXl1zN9SdzKz1CO/XEE=,tag:lPsfERwCcfyjvaCWEd4e7w==,type:str] +restic: + password: ENC[AES256_GCM,data:70U8dS3ho2t0IJP4PkAX+tYHxHLI/dYjTQsQ8/g6r/eAhstU7zKmoiOgm8SnQfVdnyDh1RYHhWBCyEUW4oUCA0ooybUTANigkIOsD2zaMWc=,iv:33zrYCT6eMleWkswFBlX06L1lwOvUMPlSRA2jPYv3RI=,tag:jSwuD8d74yFOevoeGTJ4tQ==,type:str] + #ENC[AES256_GCM,data:wKIykk+mVh3I2Hyo2TZVftZxuPZzlAmPEIX41WO7eLka/03P01cTZQl6bmElMRprwWFY,iv:B1ujyiHpdDeNLFjntmRKaAEFknLVNzsxv52kTMx9hVw=,tag:hzyRxamPe7nSUoKFaUKJKw==,type:comment] + htpasswd: ENC[AES256_GCM,data:bZNDezRAChy6Szbuk5hq4NwqlGAqhyZifazlou2w057/q5aCCflu9yTubPSp/ytnerOnRk1joBBcoZBU56yB40P3XlxXsgXh+ZIlHPPmucacHQMh+Ue8HTZM1p0RLVD0qBGanEchwH1SDEJ5VTvQ0Fk6bgwRCZBlQxL5YO23kOhnIArwtrSQrg==,iv:pQxH4zuXJfuFJaa4lCYjI8tfjZateadxVnWlsUYRLXM=,tag:zDymWrPbtn54sKdWwP2y5A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -28,8 +32,8 @@ sops: bWl4MTZUak1Bb0JWRXhRQkR4ZUFnNHMKvKQnoxb3IC7jW0P/zewbR68yJI8Uzz7U iPaL8MoOlmXPu5dHBSTwn39CpFR6bPxIDMHUn+y9gtCUrbIIJQAaQQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-07T00:24:35Z" - mac: ENC[AES256_GCM,data:SIUoQ94/cy5Jsi/q3Oft7+tTONl+xyrLaS+QFdFgedQRQPo1VQwFz3ATlescjMkkEl/rrFwaY83D1f1ISRz7wcSwo6Fb9ZAzxYpBlDkC4BKdtTWr/BycFyIXjSD34i8olBSRl9js65J1WHOxtgFWprHn7F12L4y9wasqCCkQXd0=,iv:0lJ2qtO8Q/DjafZNKMYg7f7C+bqp0ylLD2Zscfoefew=,tag:h2o/nuO40CiMUwRYlZvdyg==,type:str] + lastmodified: "2023-05-15T21:48:28Z" + mac: ENC[AES256_GCM,data:ZhanhWQ5RqIAEaUe/HRcEWtUsv5TrjHo99RRPupx6BTrezpJ/0YIv4Sc+72wdA2y2hg3reyUC4pgcGYJnAgk1Hv90J1WK8zAKylc38UtUZJPWtey86fnWIPCjZgKcZf2rg2uI9yL/yK6B01RFB+G0RUdOWEQOwYL13QGpj1rNcY=,iv:mj5ps7Ay6YMWet6GDKu3BkNYfZJbi91AumuL4+Ts2Iw=,tag:ROU0jPhAwp8ItSlsWu1YmA==,type:str] pgp: - created_at: "2022-12-27T23:54:07Z" enc: |