From 8c02b4a16d4dba7267860b34678cd1f140525fdb Mon Sep 17 00:00:00 2001 From: emily Date: Wed, 13 Nov 2024 16:03:28 +0100 Subject: [PATCH 1/2] crime: add backup --- .sops.yaml | 7 ++++++ config/hosts/crime/configuration.nix | 13 ++++++++--- config/hosts/florp/configuration.nix | 12 +++++----- config/services/arrs/default.nix | 11 ++++----- config/services/jellyfin.nix | 9 +------ modules/nginx/default.nix | 8 ++++--- secrets/restic/zh3485s2.yaml | 35 ++++++++++++++++++++++++++++ 7 files changed, 68 insertions(+), 27 deletions(-) create mode 100644 secrets/restic/zh3485s2.yaml diff --git a/.sops.yaml b/.sops.yaml index bc78ba5..8730ae2 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &emilia age1pjn7q6qs49jenr40dhsxa8x5g4z6elsh0pk0tc5pxg6pl0nzgc6scakynn - &girldick age1r6cmthdk6lhy62wa4pu23l46f5fcqhuu7xrq353pe6c8f0s6ce8s67pdtf - &florp age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t + - &crime age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs creation_rules: - path_regex: secrets/services/dns-knot.yaml key_groups: @@ -65,3 +66,9 @@ creation_rules: - *emily age: - *florp + - path_regex: secrets/restic/zh3485s2.yaml + key_groups: + - pgp: + - *emily + age: + - *crime diff --git a/config/hosts/crime/configuration.nix b/config/hosts/crime/configuration.nix index 6ed42ac..edbaa22 100644 --- a/config/hosts/crime/configuration.nix +++ b/config/hosts/crime/configuration.nix @@ -14,8 +14,15 @@ "2a0f:be01:0:100::b00b:a/128" ]; }; - - security.acme.defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory"; - kyouma.nginx.defaultForbidden = "fentanyl.trade"; + kyouma.restic = { + enable = true; + remoteUser = "zh3485s2"; + paths = [ + "/var/lib/jellyfin" + "/var/lib/radarr" + "/var/lib/sonarr" + "/var/lib/private/prowlarr" + ]; + }; } diff --git a/config/hosts/florp/configuration.nix b/config/hosts/florp/configuration.nix index fd06c11..4a9d3e1 100644 --- a/config/hosts/florp/configuration.nix 
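Review bot: The four entries added to `kyouma.restic.paths` in config/hosts/crime/configuration.nix are live service state directories, and Jellyfin, Radarr, Sonarr and Prowlarr keep SQLite databases there by default, so a file-level copy taken while they are writing can restore as an inconsistent database. The florp configuration touched by this same patch dumps PostgreSQL to a file around its restic run, so the module presumably has a hook that could quiesce or stop these services here as well. At minimum, record the assumption above the list, for example `# SQLite state is backed up live; test a restore before relying on it`. These directories also hold API keys and indexer credentials, so the repository's confidentiality rests on the restic password stored in secrets/restic/zh3485s2.yaml.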
+++ b/config/hosts/florp/configuration.nix @@ -11,8 +11,13 @@ hostName = "florp"; domain = lib.mkForce "social"; }; - kyouma.nginx.defaultForbidden = "florp.social"; + systemd.network.networks."98-eth-default" = { + address = [ + "2a0f:be01:0:100::171/128" + ]; + }; + kyouma.nginx.defaultForbidden = "florp.social"; kyouma.restic = let pgBackup = "/var/cache/postgresql.sql"; in { @@ -39,11 +44,6 @@ rm -f -- ${pgBackup} ''; }; - systemd.network.networks."98-eth-default" = { - address = [ - "2a0f:be01:0:100::171/128" - ]; - }; services.postgresql.settings = { max_connections = 128; diff --git a/config/services/arrs/default.nix b/config/services/arrs/default.nix index ebfecb8..b6c36de 100644 --- a/config/services/arrs/default.nix +++ b/config/services/arrs/default.nix @@ -1,16 +1,12 @@ { lib, pkgs, ... }: { - users.groups.crime = {}; - services = { prowlarr.enable = true; } // lib.genAttrs [ "sonarr" "radarr" ] (_: { enable = true; - group = "crime"; }); systemd.services = lib.genAttrs [ "radarr" "sonarr" ] (_: { - wants = [ "rclone-mezzomix.service" ]; - serviceConfig.UMask = "0002"; + wants = [ "mnt-mezzomix.mount" ]; }); systemd.mounts = lib.singleton { @@ -37,9 +33,10 @@ kyouma.nginx.virtualHosts = { "crime.kyouma.net" = { verifyClientCert = true; + disableHttp3 = true; locations = { - "/".root = ./landingPage.html; - "/sonarr/" = { +# "/".root = pkgs.writeTextDir "index.html" (builtins.readFile ./landingPage.html); + "/" = { proxyPass = "http://127.0.0.1:8989"; recommendedProxySettings = true; }; diff --git a/config/services/jellyfin.nix b/config/services/jellyfin.nix index 5452cfe..51f2c3d 100644 --- a/config/services/jellyfin.nix +++ b/config/services/jellyfin.nix 
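Review bot: In the first hunk of config/services/arrs/default.nix, `wants = [ "mnt-mezzomix.mount" ];` is only a weak dependency and sets no ordering, so radarr and sonarr can start before the mount is up, or keep running if it fails, and then write into the bare directory underneath. Binding the services to the mount point avoids that: `unitConfig.RequiresMountsFor = "/mnt/mezzomix";` (path inferred from the unit name), or add `after = [ "mnt-mezzomix.mount" ];` next to a `requires`. The hunk also drops the shared `crime` group and `UMask = "0002"`, so it is worth confirming that the mount's own permissions still let every consumer read what these services write.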
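Review bot: The second hunk of config/services/arrs/default.nix leaves `# "/".root = pkgs.writeTextDir "index.html" (builtins.readFile ./landingPage.html);` behind as dead code while `/` now proxies straight to `http://127.0.0.1:8989`. Either delete the line (and landingPage.html if nothing else uses it) or replace it with a short comment saying why the landing page is off and when it should return. `disableHttp3 = true;` sits beside `verifyClientCert = true;` with no explanation; a one-line comment such as `# client-cert vhost: HTTP/3 disabled, see modules/nginx` would record the reason, if that is the reason. The `locations` set continues past the end of the hunk.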
@@ -1,13 +1,6 @@ { lib, ... }: { - users.groups.crime = {}; - - services.jellyfin = { - enable = true; - group = "crime"; - }; - - systemd.services.jellyfin.serviceConfig.UMask = lib.mkForce "0002"; + services.jellyfin.enable = true; kyouma.nginx.virtualHosts = { "watch.kyouma.net".redirectTo = "fentanyl.trade"; diff --git a/modules/nginx/default.nix b/modules/nginx/default.nix index e861390..c2707c7 100644 --- a/modules/nginx/default.nix +++ b/modules/nginx/default.nix @@ -22,8 +22,6 @@ ssl_verify_depth 1; ''; forceSSL = true; - http3 = true; - quic = true; } // lib.optionalAttrs (!(vhostCfg ? "useACMEHost")) { enableACME = true; @@ -33,7 +31,11 @@ useACMEHost = vhostCfg.redirectTo; globalRedirect = vhostCfg.redirectTo; } // - (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" ]); + lib.optionalAttrs (!vhostCfg ? "disableHttp3") { + http3 = true; + quic = true; + } // + (builtins.removeAttrs vhostCfg [ "redirectTo" "extraConfig" "verifyClientCert" "disableHttp3" ]); in { options = { diff --git a/secrets/restic/zh3485s2.yaml b/secrets/restic/zh3485s2.yaml new file mode 100644 index 0000000..26236f6 --- /dev/null +++ b/secrets/restic/zh3485s2.yaml 
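Review bot: In the second hunk of modules/nginx/default.nix, `lib.optionalAttrs (!vhostCfg ? "disableHttp3")` tests only whether the attribute is present, so a vhost that sets `disableHttp3 = false` would lose `http3`/`quic` as well. Reading the value makes the flag behave as its name says: `lib.optionalAttrs (!(vhostCfg.disableHttp3 or false)) {`. The explicit parentheses also match the `(!(vhostCfg ? "useACMEHost"))` check a few lines above instead of relying on `?` binding tighter than `!`. If vhost attributes are type-checked in the `options` block that opens at the end of this hunk (its body is outside the hunk), `disableHttp3` may need to be declared there too.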
@@ -0,0 +1,35 @@ +restic: + zh3485s2: + password: ENC[AES256_GCM,data:GAesjt8CMFKuZk30vJTS7kH0cSg/p6NQCOU9udcVbVCurnUdqjKqZp97KnCcmA/A,iv:bf7trphHgzFzI3Pza8dDOgmKcHsBURsXEHtw0KpGQ7s=,tag:zE1WXaptcqBQMqgk+6SRqQ==,type:str] + id_ed25519: ENC[AES256_GCM,data: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,iv:P8VtAFoL0CcO7m7S60JardB95MUWYiABDOUZhLhXEzo=,tag:fLniekA0lMx6wW3u4NZPKQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1sky8kccyyxe79ws4rew42r94427v2xnphq2vtxvdlw5xl7yzgs2q599yzs + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUnFUQlhzYTdyblNOWUt3 + V0daclVOZ0hlSmlJTHlKRDd5eThVSzVOVWh3CkpiaGNJd0hCMlk3MVdsdnY0TVJM + MEtKUXFnSlAwQ0kzd1M0eVA1WG1Bb2sKLS0tIFAvVklzZldkOFpCNHV4YnQ2SDA3 + OW5TcVlqV0p4RThBRGlyaHkreEFMY28KPdgR9WCByJaLZcNophcfW7+7NU9MuI3E + bfWEFgqZLTdAg8y7s/M6ZAyjciflclxVnY8mTIhnERD+ZHHi++z1XA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-13T12:51:05Z" + mac: ENC[AES256_GCM,data:t/gg9SqDfrU+eKU9yw2R7ahLQY6pTgsRVFNk7K+zxTBiqUG2Rx0wm0bclkrkSKeHAVSJkc8OOWJvvRCMxaE980mknPM6721xNDV90Pt0ZsJvFXdOYKIaPQHC29klJKO60lsMsuup3BiF94O8+wIavLvYuc3jKFcaA4b9xAPRveM=,iv:TJhR1NzPVYIysghFAbjWB5lBpMhhkvwJdszkWGSLDPI=,tag:TCnewzN2qwFyG4Xio2JatQ==,type:str] + pgp: + - created_at: "2024-11-13T12:49:09Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4D1GtNSlou/HkSAQdArN4L/MZSZoKwk/RKgA56OQMyt7IhW15qa7+Utie4/TQw + 0xKauGLJEMp7cnpmEvpBW8sy3hZRj1K4vLv2NKHzoXBuWGBer1Hf+CDZJ71ta6J9 + 0l4B9f4L9AIRHO3ncb4IPyVprr+sFyhVJJAI7bo9mbFUqH0yfM5EmFiXWg5d9zO6 + NfXbbfpW4ISEXFa//SuVl3h/HHxwDd83qA13OnhrlCjjwPfdA32kKM3CS/81JHNd + =4L7O + -----END PGP MESSAGE----- + fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5 + unencrypted_suffix: _unencrypted + version: 3.9.1 From 19d07a5e4562140c0a09f655677fd096403b652a Mon Sep 17 00:00:00 2001 
From: Update Bot Date: Thu, 14 Nov 2024 04:20:18 +0100 Subject: [PATCH 2/2] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc' (2024-11-10) → 'github:nix-community/disko/5fd852c4155a689098095406500d0ae3d04654a8' (2024-11-14) • Updated input 'flake-utils': 'github:numtide/flake-utils/c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a' (2024-09-17) → 'github:numtide/flake-utils/11707dc2f618dd54ca8739b309ec4fc024de578b' (2024-11-13) • Updated input 'home-manager': 'github:nix-community/home-manager/60bb110917844d354f3c18e05450606a435d2d10' (2024-11-10) → 'github:nix-community/home-manager/35b055009afd0107b69c286fca34d2ad98940d57' (2024-11-13) • Updated input 'nixvim': 'github:nix-community/nixvim/7dc65b2d9873b6bbb6ef90234b3db6546e4ed9af' (2024-11-12) → 'github:nix-community/nixvim/f11a877bcc1d66cc8bd7990c704f91c1e99c7d08' (2024-11-13) • Updated input 'stylix': 'github:danth/stylix/6863412636c8f2cb3b7360f747fbd020fbfddf68' (2024-11-08) → 'github:danth/stylix/be94701ce7b746cb020e667f71492e398ed470f4' (2024-11-13) --- flake.lock | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/flake.lock b/flake.lock index d397a31..5369a18 100644 --- a/flake.lock +++ b/flake.lock @@ -156,11 +156,11 @@ ] }, "locked": { - "lastModified": 1731274291, - "narHash": "sha256-cZ0QMpv5p2a6WEE+o9uu0a4ma6RzQDOQTbm7PbixWz8=", + "lastModified": 1731549112, + "narHash": "sha256-c9I3i1CwZ10SoM5npQQVnfwgvB86jAS3lT4ZqkRoSOI=", "owner": "nix-community", "repo": "disko", - "rev": "486250f404f4a4f4f33f8f669d83ca5f6e6b7dfc", + "rev": "5fd852c4155a689098095406500d0ae3d04654a8", "type": "github" }, "original": { 
@@ -345,11 +345,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1726560853, - "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", "owner": "numtide", "repo": "flake-utils", - "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", "type": "github" }, "original": { @@ -562,11 +562,11 @@ ] }, "locked": { - "lastModified": 1731235328, - "narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=", + "lastModified": 1731535640, + "narHash": "sha256-2EckCJn4wxran/TsRiCOFcmVpep2m9EBKl99NBh2GnM=", "owner": "nix-community", "repo": "home-manager", - "rev": "60bb110917844d354f3c18e05450606a435d2d10", + "rev": "35b055009afd0107b69c286fca34d2ad98940d57", "type": "github" }, "original": { @@ -977,11 +977,11 @@ "treefmt-nix": "treefmt-nix_2" }, "locked": { - "lastModified": 1731452383, - "narHash": "sha256-Qht3yghgs5rVaYwGtv3i77b8ILlZPPQEZoi6pU8T1TE=", + "lastModified": 1731527733, + "narHash": "sha256-12OpSgbLDiKmxvBXwVracIfGI9FpjFyHpa1r0Ho+NFA=", "owner": "nix-community", "repo": "nixvim", - "rev": "7dc65b2d9873b6bbb6ef90234b3db6546e4ed9af", + "rev": "f11a877bcc1d66cc8bd7990c704f91c1e99c7d08", "type": "github" }, "original": { @@ -1093,11 +1093,11 @@ "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1731090365, - "narHash": "sha256-ti3gXhgVpIUL/7w6zDJuH+hOnyTZqxrIX/yYqALmiEI=", + "lastModified": 1731537763, + "narHash": "sha256-dOjxeHAXbQ4KRe5j9uClFp8SyYY2r62bbsdraETtO84=", "owner": "danth", "repo": "stylix", - "rev": "6863412636c8f2cb3b7360f747fbd020fbfddf68", + "rev": "be94701ce7b746cb020e667f71492e398ed470f4", "type": "github" }, "original": {