Compare commits
2 commits
main
...
update-inp
| Author | SHA1 | Date | |
|---|---|---|---|
|
60cfe99039 | ||
301a211624
|
9 changed files with 167 additions and 47 deletions
|
|
@ -59,3 +59,9 @@ creation_rules:
|
|||
- *emily
|
||||
age:
|
||||
- *florp
|
||||
- path_regex: secrets/restic/zh3485s1.yaml
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *emily
|
||||
age:
|
||||
- *florp
|
||||
|
|
|
|||
|
|
@ -12,6 +12,15 @@
|
|||
domain = lib.mkForce "social";
|
||||
};
|
||||
kyouma.nginx.defaultForbidden = "florp.social";
|
||||
|
||||
kyouma.restic = {
|
||||
enable = true;
|
||||
remoteUser = "zh3485s1";
|
||||
paths = [
|
||||
"/var/lib/akkoma"
|
||||
"/var/lib/postgresql"
|
||||
];
|
||||
};
|
||||
systemd.network.networks."98-eth-default" = {
|
||||
address = [
|
||||
"2a0f:be01:0:100::171/128"
|
||||
|
|
@ -19,7 +28,7 @@
|
|||
};
|
||||
|
||||
services.postgresql.settings = {
|
||||
max_connections = 30;
|
||||
max_connections = 128;
|
||||
shared_buffers = "4GB";
|
||||
effective_cache_size = "12GB";
|
||||
maintenance_work_mem = "1GB";
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
{ lib, inputs, ... }: {
|
||||
imports = [
|
||||
inputs.sops-nix.nixosModules.sops
|
||||
"${inputs.nixpkgs}/nixos/modules/installer/sd-card/sd-image-aarch64.nix"
|
||||
./configuration.nix
|
||||
];
|
||||
|
|
|
|||
|
|
@ -242,11 +242,12 @@
|
|||
services.nginx = {
|
||||
clientMaxBodySize = "256m";
|
||||
commonHttpConfig = ''
|
||||
proxy_cache_path /var/cache/nginx/akkoma-media-cache
|
||||
levels= keys_zone=akkoma_media_cache:32m max_size=32g
|
||||
inactive=1y use_temp_path=off;
|
||||
access_log /var/log/nginx/access.log;
|
||||
error_log /var/log/nginx/err.log warn;
|
||||
|
||||
access_log off;
|
||||
proxy_cache_path /var/cache/nginx/akkoma-media-cache
|
||||
levels= keys_zone=akkoma_media_cache:32m max_size=64g
|
||||
inactive=1y use_temp_path=off;
|
||||
'';
|
||||
};
|
||||
kyouma.nginx.virtualHosts = let
|
||||
|
|
|
|||
81
flake.lock
81
flake.lock
|
|
@ -12,11 +12,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730257295,
|
||||
"narHash": "sha256-OQl+aAsKiyygvpzck1u0sZf/R4T9zM903CgNDFmmzA8=",
|
||||
"lastModified": 1730906442,
|
||||
"narHash": "sha256-tBuyb8jWBSHHgcIrOfiyQJZGY1IviMzH2V74t7gWfgI=",
|
||||
"owner": "zhaofengli",
|
||||
"repo": "attic",
|
||||
"rev": "48c8b395bfbc6b76c7eae74df6c74351255a095c",
|
||||
"rev": "d0b66cf897e4d55f03d341562c9821dc4e566e54",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -156,11 +156,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730675461,
|
||||
"narHash": "sha256-Mhqz3p/HEiI/zxBJWO57LYQf6gGlJB0tci6fiVXLjd8=",
|
||||
"lastModified": 1731060864,
|
||||
"narHash": "sha256-aYE7oAYZ+gPU1mPNhM0JwLAQNgjf0/JK1BF1ln2KBgk=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "380847d94ff0fedee8b50ee4baddb162c06678df",
|
||||
"rev": "5e40e02978e3bd63c2a6a9fa6fa8ba0e310e747f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -483,11 +483,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730302582,
|
||||
"narHash": "sha256-W1MIJpADXQCgosJZT8qBYLRuZls2KSiKdpnTVdKBuvU=",
|
||||
"lastModified": 1730814269,
|
||||
"narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
|
||||
"owner": "cachix",
|
||||
"repo": "git-hooks.nix",
|
||||
"rev": "af8a16fe5c264f5e9e18bcee2859b40a656876cf",
|
||||
"rev": "d70155fdc00df4628446352fc58adc640cd705c2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -542,11 +542,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730633670,
|
||||
"narHash": "sha256-ZFJqIXpvVKvzOVFKWNRDyIyAo+GYdmEPaYi1bZB6uf0=",
|
||||
"lastModified": 1730837930,
|
||||
"narHash": "sha256-0kZL4m+bKBJUBQse0HanewWO0g8hDdCvBhudzxgehqc=",
|
||||
"owner": "nix-community",
|
||||
"repo": "home-manager",
|
||||
"rev": "8f6ca7855d409aeebe2a582c6fd6b6a8d0bf5661",
|
||||
"rev": "2f607e07f3ac7e53541120536708e824acccfaa8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -593,16 +593,16 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729544999,
|
||||
"narHash": "sha256-YcyJLvTmN6uLEBGCvYoMLwsinblXMkoYkNLEO4WnKus=",
|
||||
"lastModified": 1729958008,
|
||||
"narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
|
||||
"owner": "NuschtOS",
|
||||
"repo": "ixx",
|
||||
"rev": "65c207c92befec93e22086da9456d3906a4e999c",
|
||||
"rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "NuschtOS",
|
||||
"ref": "v0.0.5",
|
||||
"ref": "v0.0.6",
|
||||
"repo": "ixx",
|
||||
"type": "github"
|
||||
}
|
||||
|
|
@ -693,11 +693,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730448474,
|
||||
"narHash": "sha256-qE/cYKBhzxHMtKtLK3hlSR3uzO1pWPGLrBuQK7r0CHc=",
|
||||
"lastModified": 1730779758,
|
||||
"narHash": "sha256-5WI9AnsBwhLzVRnQm3Qn9oAbROnuLDQTpaXeyZCK8qw=",
|
||||
"owner": "lnl7",
|
||||
"repo": "nix-darwin",
|
||||
"rev": "683d0c4cd1102dcccfa3f835565378c7f3cbe05e",
|
||||
"rev": "0e3f3f017c14467085f15d42343a3aaaacd89bcb",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -795,11 +795,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1730537918,
|
||||
"narHash": "sha256-GJB1/aaTnAtt9sso/EQ77TAGJ/rt6uvlP0RqZFnWue8=",
|
||||
"lastModified": 1730919458,
|
||||
"narHash": "sha256-yMO0T0QJlmT/x4HEyvrCyigGrdYfIXX3e5gWqB64wLg=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "f6e0cd5c47d150c4718199084e5764f968f1b560",
|
||||
"rev": "e1cc1f6483393634aee94514186d21a4871e78d7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -926,11 +926,11 @@
|
|||
},
|
||||
"nixpkgs_4": {
|
||||
"locked": {
|
||||
"lastModified": 1730531603,
|
||||
"narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
|
||||
"lastModified": 1730785428,
|
||||
"narHash": "sha256-Zwl8YgTVJTEum+L+0zVAWvXAGbWAuXHax3KzuejaDyo=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
|
||||
"rev": "4aa36568d413aca0ea84a1684d2d46f55dbabad7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -957,11 +957,11 @@
|
|||
"treefmt-nix": "treefmt-nix_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730569492,
|
||||
"narHash": "sha256-NByr7l7JetL9kIrdCOcRqBu+lAkruYXETp1DMiDHNQs=",
|
||||
"lastModified": 1731009822,
|
||||
"narHash": "sha256-VwGfFYHjizs7yQwh8JRlDUVkHLPc34jdqkQ2vyv6ddY=",
|
||||
"owner": "nix-community",
|
||||
"repo": "nixvim",
|
||||
"rev": "6f210158b03b01a1fd44bf3968165e6da80635ce",
|
||||
"rev": "aabbd60633947baba11db44df84f402edc241440",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -980,11 +980,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730515563,
|
||||
"narHash": "sha256-8lklUZRV7nwkPLF3roxzi4C2oyLydDXyAzAnDvjkOms=",
|
||||
"lastModified": 1730760712,
|
||||
"narHash": "sha256-F4H98tjNgySlSLItuOqHYo9LF85rFoS/Vr0uOrq7BM4=",
|
||||
"owner": "NuschtOS",
|
||||
"repo": "search",
|
||||
"rev": "9e22bd742480916ff5d0ab20ca2522eaa3fa061e",
|
||||
"rev": "aa5214c81b904a19f7a54f7a8f288f7902586eee",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -1038,11 +1038,11 @@
|
|||
"nixpkgs-stable": "nixpkgs-stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1730605784,
|
||||
"narHash": "sha256-1NveNAMLHbxOg0BpBMSVuZ2yW2PpDnZLbZ25wV50PMc=",
|
||||
"lastModified": 1731047660,
|
||||
"narHash": "sha256-iyp51lPWEQz4c5VH9bVbAuBcFP4crETU2QJYh5V0NYA=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "e9b5eef9b51cdf966c76143e13a9476725b2f760",
|
||||
"rev": "60e1bce1999f126e3b16ef45f89f72f0c3f8d16f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -1072,11 +1072,11 @@
|
|||
"tinted-tmux": "tinted-tmux"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1729963473,
|
||||
"narHash": "sha256-uGjTjvvlGQfQ0yypVP+at0NizI2nrb6kz4wGAqzRGbY=",
|
||||
"lastModified": 1731090365,
|
||||
"narHash": "sha256-ti3gXhgVpIUL/7w6zDJuH+hOnyTZqxrIX/yYqALmiEI=",
|
||||
"owner": "danth",
|
||||
"repo": "stylix",
|
||||
"rev": "04afcfc0684d9bbb24bb1dc77afda7c1843ec93b",
|
||||
"rev": "6863412636c8f2cb3b7360f747fbd020fbfddf68",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -1148,16 +1148,17 @@
|
|||
"tinted-foot": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1696725948,
|
||||
"narHash": "sha256-65bz2bUL/yzZ1c8/GQASnoiGwaF8DczlxJtzik1c0AU=",
|
||||
"lastModified": 1726913040,
|
||||
"narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
|
||||
"owner": "tinted-theming",
|
||||
"repo": "tinted-foot",
|
||||
"rev": "eedbcfa30de0a4baa03e99f5e3ceb5535c2755ce",
|
||||
"rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "tinted-theming",
|
||||
"repo": "tinted-foot",
|
||||
"rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
|
|
|
|||
65
modules/restic/default.nix
Normal file
65
modules/restic/default.nix
Normal file
|
|
@ -0,0 +1,65 @@
|
|||
{ config, lib, pkgs, ... }: let
|
||||
cfg = config.kyouma.restic;
|
||||
in {
|
||||
options.kyouma.restic = let
|
||||
inherit (lib) mkOption types;
|
||||
in {
|
||||
enable = lib.mkEnableOption "Enable restic backup";
|
||||
paths = mkOption {
|
||||
description = "paths to backup";
|
||||
type = with types; listOf path;
|
||||
default = [];
|
||||
};
|
||||
pruneOpts = mkOption {
|
||||
description = "paths to backup";
|
||||
type = with types; listOf str;
|
||||
default = [
|
||||
"--keep-hourly 24"
|
||||
"--keep-daily 14"
|
||||
"--keep-weekly 8"
|
||||
"--keep-monthly 12"
|
||||
];
|
||||
};
|
||||
remote = mkOption {
|
||||
description = "restic remote to use";
|
||||
type = types.nonEmptyStr;
|
||||
default = "zh3485.rsync.net";
|
||||
};
|
||||
remoteUser = mkOption {
|
||||
description = "remote ssh user";
|
||||
type = types.nonEmptyStr;
|
||||
default = "";
|
||||
};
|
||||
user = mkOption {
|
||||
description = "user who runs the backup job";
|
||||
type = types.nonEmptyStr;
|
||||
default = "root";
|
||||
};
|
||||
repo = mkOption {
|
||||
description = "restic repo";
|
||||
type = types.nonEmptyStr;
|
||||
default = "${config.networking.hostName}-backup";
|
||||
};
|
||||
};
|
||||
config = lib.mkIf cfg.enable {
|
||||
sops.secrets."restic/${cfg.remoteUser}/password" = {
|
||||
sopsFile = ../../secrets/restic/${cfg.remoteUser}.yaml;
|
||||
};
|
||||
sops.secrets."restic/${cfg.remoteUser}/id_ed25519" = {
|
||||
sopsFile = ../../secrets/restic/${cfg.remoteUser}.yaml;
|
||||
};
|
||||
|
||||
services.restic.backups."${config.networking.hostName}-${cfg.remote}" = {
|
||||
inherit (cfg) paths user pruneOpts;
|
||||
initialize = true;
|
||||
repository = "sftp:${cfg.remoteUser}@${cfg.remote}:${cfg.repo}";
|
||||
passwordFile = config.sops.secrets."restic/${cfg.remoteUser}/password".path;
|
||||
extraOptions = let
|
||||
knownHost = pkgs.writeText "${cfg.remote}-known-host" (builtins.readFile ./${cfg.remote}/ssh_host_ed25519_key.pub);
|
||||
sshKey = config.sops.secrets."restic/${cfg.remoteUser}/id_ed25519".path;
|
||||
in [
|
||||
"sftp.command='ssh ${cfg.remoteUser}@${cfg.remote} -i ${sshKey} -o UserKnownHostsFile=${knownHost} -s sftp'"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
1
modules/restic/zh3485.rsync.net/ssh_host_ed25519_key.pub
Normal file
1
modules/restic/zh3485.rsync.net/ssh_host_ed25519_key.pub
Normal file
|
|
@ -0,0 +1 @@
|
|||
zh3485.rsync.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtclizeBy1Uo3D86HpgD3LONGVH0CJ0NT+YfZlldAJd
|
||||
|
|
@ -6,7 +6,6 @@ BRANCH="update-inputs-$(date +%Y-%m-%d-%H-%M)"
|
|||
HYDRA_URL="https://hydra.kyouma.net"
|
||||
JOBSET_URL="${HYDRA_URL}/jobset/nixfiles/update-inputs"
|
||||
ROOT="$(mktemp -d)"
|
||||
START_TIME="$(date +%s)"
|
||||
|
||||
gitin () {
|
||||
git -C "${ROOT}/nixfiles" "$@"
|
||||
|
|
@ -24,6 +23,8 @@ merge_theirs () {
|
|||
test_build () {
|
||||
local last_error
|
||||
local build_jobs
|
||||
local start_time
|
||||
start_time="$(date +%s)"
|
||||
|
||||
build_jobs="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}/latest-eval" | jq -r ".builds | .[]")"
|
||||
for build in ${build_jobs}; do
|
||||
|
|
@ -44,7 +45,7 @@ test_build () {
|
|||
done
|
||||
|
||||
last_error="$(curl --fail -s -L -H "Accept: application/json" "${JOBSET_URL}" | jq -r ".errortime")"
|
||||
[[ $last_error -gt $START_TIME ]] &&
|
||||
[[ $last_error -gt $start_time ]] &&
|
||||
echo "Evaluation error encountered at $(date +%Y-%m-%d-%H:%M:%S --date="@${last_error}")" &&
|
||||
exit 1
|
||||
}
|
||||
|
|
|
|||
35
secrets/restic/zh3485s1.yaml
Normal file
35
secrets/restic/zh3485s1.yaml
Normal file
|
|
@ -0,0 +1,35 @@
|
|||
restic:
|
||||
zh3485s1:
|
||||
password: ENC[AES256_GCM,data:lDDSSqUH3pewpMA+6SNwGwRz95MBjeaD6I3RWUQNBFXsw/W9RoIY85AcRXxCl7CW,iv:NFF6uCs2FolMe9cgPkoAFmbWdXG2SuVRtoOyQXouEAU=,tag:UeC49xFwFkMh0Wi8p9reFw==,type:str]
|
||||
id_ed25519: ENC[AES256_GCM,data:fe2CAKWSrEOvEPZgGhbigw+DEnDUGtTXEj7nuGaH5enMGDvd7QtRlDYLkM+g9zKrRJ46e2nM6btUZVqqx4rJiUbjJ5B/cBzb259CTxKGgHeMj/cYXPypamIEKFwUrloxzrgxH5JIOoUvj9Ny1P1UPIB//B5Z1Uunqmdqd2XoiAtDwZ/hvyuOfdFyUkKmOnCdF4pheMRXZ6Z51N4f09OIwuZ/xC4LQYAVB2lyycOgrvefPA5YYabMd23yEXn6v/BiP1TWbSInTHvz6Rii2WYqYO3ORCfi1pvWe15kSrTsT9zYRzLvZi5TD+4FMhLmIttZB2OXK7X+h6cHtej7X+v6HKhMKHNJhukRUP7DpcZ0+ArBEdw2j+H7C4q8NdR9rk4we7WpdQlY7tGpJvEzSis+P/Jph/tkzx6xXpKiOeOAXgQUS41qcAy7gmZj7CdsulerUHcfDy4a0y1OEuDmoYW420cGGYOCB9BlvYQbaDhyv5AMSL8sMZfm7mX5qXliE7ZQc20ggKoY2MKH6RjnT8pQhMBWo/NW13PPBDIL,iv:1+aopW183ir5XHMKcDons24A/E61mLuyJGrQTRpPXdE=,tag:s1w+HZdktM0H9FUrz097Cw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age18vc8rcmczlt3r0ee7jr9s8l3yrkthu8wtypt08eh0eskpkw3dg6qxs7t3t
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQeWpKYktzVE1tMkpGU1c5
|
||||
akZZdlBkeFQyUmUrOHZxTGE2V1FUVmV3cG5VCmZvTG1JTS9SUTk1aVl6TnBPQ1Fh
|
||||
clRDTmQzQUJxWlYyV2dmVXNyTDJ2K0kKLS0tIHA3S0dsQzRxRWF4RFdSSzh1aXI5
|
||||
ZFQvWFhZTndubkxaRVh3YXl0V25ZcUEK0/wV9i01kRkphrseSBqAL9f8tUlUtJDO
|
||||
PUZL2Em/QjNEnXJaxxR612ONA94ptK9bsqzRJV5RtGqDwd+oAnr13Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-11-08T13:41:02Z"
|
||||
mac: ENC[AES256_GCM,data:tMatUcv/jbvQ1URp6DrUyuiB9+rgCCdOxEVcM0NBiV5P9DGWE1hWytky4yPE9nFUOWLI7m4nTSEXHuT4yT3LkBd1Ndzhm5wQ0NEAVnZ6Sj7YOQI5CS1q95sviJBv57PBkaajHDNeSJX2hEQeR4qJFUR4fu0hIwadyzeunP/kfKE=,iv:gXRAg4cN43ocQMZm0lL8AnrbDtK+TKGchWpd/TYhnjA=,tag:+HqYuDWjoTdv+CWrJmuwxA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-11-08T13:31:55Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hF4D1GtNSlou/HkSAQdALVqRZ2qzjR86mEE/MHAR5H3gmIukchY/NSvGg1Ggfmsw
|
||||
uZhnl5puGOO579ItHXbk+BYwBS2koL7jyhnX8E9zmM3d3SZHwzx0mk79fr2jLFj6
|
||||
0l4BLrhhcpUtzfje4/SeTgWFRIA68ON/PUTmW2Lgclh9OpQfbbousFS/JMvvdHaT
|
||||
/3uJEww5MKMPlqWqK7w7z6iwIITRKH0vzQoIZ3hVcDKtKOJrJ/1bWcJorFsazxvT
|
||||
=KZPf
|
||||
-----END PGP MESSAGE-----
|
||||
fp: B04F01A7A98A13020C39B4A68AB7B773A214ACE5
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.9.1
|
||||
Loading…
Reference in a new issue