finish setting up gts

backups, smtp, misc
Vivian Lim 2024-02-03 18:48:39 -08:00
parent 5c964c065d
commit 9ba2dc2a77
6 changed files with 108 additions and 26 deletions


@ -3,7 +3,7 @@ keys:
- &admin_viv_vix age1rpglc4dtgkfth2prtnqveds63d7wg49x9k2l5atgay6upv36jsjssm9mue
- &admin_viv_sky-reflected-in-mirrors age1eajejvws0qkqvs9qfp2cfxy77agtndr6xudl2h5afgx0k3ulysys4vqdxc
- &machine_mastodon-snoottube age1ywn8lhj9vxp44454gty6jskevr5ugje5pzjv5nqt7rdglra8j4qqfn3qvd
- &machine_wob age1066v49zugv9fuakq0wgp5d3swmdav480kwv3nvl2pnm8qsgehq9sf83l9w
- &machine_wob age1ehyc0lekpzadd0gwue2h4pn87g5r56ea6jjklcf7jx4fzwn6gvfsvupyp8
creation_rules:
- path_regex: ^secrets/backend.yaml$
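Review bot: The new secrets/wob.yaml is encrypted to four age recipients, and one of them, `age1rj45xn7emem7dv5rqpe6lea4mhxrja4fag9xfywtz80hgz24n42qnx3eae`, does not appear among the keys visible in this hunk; if it is not declared in the lines above the hunk, it is an undocumented recipient that can decrypt the host's backup and SMTP credentials and should either be named in `keys:` with an anchor like the others or removed with `sops updatekeys`. The `&machine_wob` entry also appears to change from `age1066…` to `age1ehyc…`, so any other secrets file whose creation rule already includes `*machine_wob` needs re-keying in the same commit, or that host can no longer decrypt it. The `keys:` list starts above this hunk and the creation rules continue below it.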


@ -16,10 +16,8 @@ in {
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 6922 ];
allowedUDPPorts = [ 51869 ];
checkReversePath = "loose";
checkReversePath = "loose"; # for tailscale
};
boot.kernel.sysctl = {
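Review bot: `allowedTCPPorts = [ 80 443 6922 ]` opens the management port on every interface, while the `# for tailscale` comment on `checkReversePath` and the remark in the sibling config (`Expose 6922 for management because this machine isn't behind tailscale`) suggest this host is reachable over tailscale; if so, scoping 6922 to `interfaces."tailscale0".allowedTCPPorts` as the wob config in this commit does would keep it off the public interface. `checkReversePath = "loose"` relaxes reverse-path filtering for all interfaces, not just tailscale0, so the comment would be more useful as `checkReversePath = "loose"; # for tailscale (relaxes rp_filter on every interface)`. The file this hunk belongs to is not named on this page.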


@ -12,6 +12,12 @@ let
'';
};
in {
networking.firewall = {
enable = true;
allowedTCPPorts = [ 80 443 6922 ]; # Expose 6922 for management because this machine isn't behind tailscale.
allowedUDPPorts = [ 51869 ];
};
fileSystems."/" = {
autoResize = true; # embiggen
};
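Review bot: The comment on `allowedTCPPorts` explains why 6922 is exposed but not what listens there, and on a host that is deliberately not behind tailscale that is the line a reader checks first; if it is sshd, say so and point at the hardening, e.g. `# 6922: sshd for management; this host isn't behind tailscale, so key-only auth is enforced in services.openssh (confirm)`. `allowedUDPPorts = [ 51869 ]` is likewise unexplained in this hunk and should name its service. The `# embiggen` on `autoResize` could state the intent plainly, `# grow the root fs to the disk size on boot`. The file this hunk belongs to is not named on this page.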


@ -2,6 +2,15 @@
{ config, pkgs, nixpkgs, modulesPath, ... }:
{
networking.firewall = {
enable = true;
interfaces."ens2".allowedTCPPorts = [ 80 443 6922 ];
interfaces."tailscale0".allowedTCPPorts = [ 80 443 6922 ];
interfaces."tailscale0".allowedUDPPorts = [ 51869 ];
checkReversePath = "loose"; # for tailscale
};
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
@ -86,6 +95,11 @@
'';
};
# use local 3proxy for http requests
networking.proxy.httpProxy = "http://127.0.0.1:3128";
networking.proxy.httpsProxy = "http://127.0.0.1:3128";
services.tailscale.enable = true;
services.dnscrypt-proxy2 = {
enable = true;
settings = {
@ -198,28 +212,41 @@
(modulesPath + "/profiles/qemu-guest.nix")
];
#sops.defaultSopsFile = ../secrets/wob.yaml;
#config.sops.secrets.borg_backup_repo_passphrase = { };
#config.sops.secrets.borgbase_ssh_private_key =
# { }; # it is extremely important for this to have a trailing newline, or connecting will fail
sops.defaultSopsFile = ../secrets/wob.yaml;
sops.secrets.gtsEnvironment = { };
sops.secrets.borg_backup_repo_passphrase = { };
sops.secrets.borgbase_ssh_private_key =
{ }; # it is extremely important for this to have a trailing newline, or connecting will fail
# services.borgbackup.jobs."borgbase" = {
#
# paths = [ "/var/lib" ];
# exclude = [
# "/var/lib/systemd"
# ];
#
# repo = "h5g87o5w@h5g87o5w.repo.borgbase.com:repo";
# encryption = {
# mode = "repokey-blake2";
# passCommand =
# "cat ${config.sops.secrets.borg_backup_repo_passphrase.path}";
# };
# environment.BORG_RSH =
# "ssh -i ${config.sops.secrets.borgbase_ssh_private_key.path}";
# compression = "auto,lzma";
# startAt = "daily";
# };
services.borgbackup.jobs."borgbase" = {
paths = [ "/var/lib" "/var/backup" ];
exclude = [
"/var/lib/systemd"
];
repo = "j4n0ylkc@j4n0ylkc.repo.borgbase.com:repo";
encryption = {
mode = "repokey-blake2";
passCommand =
"cat ${config.sops.secrets.borg_backup_repo_passphrase.path}";
};
environment.BORG_RSH =
"ssh -i ${config.sops.secrets.borgbase_ssh_private_key.path}";
compression = "auto,lzma";
startAt = "daily";
};
programs.ssh.knownHosts = {
# obtain with ssh-keyscan, e.g. `ssh-keyscan j4n0ylkc.repo.borgbase.com`
"j4n0ylkc.repo.borgbase.com".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGU0mISTyHBw9tBs6SuhSq8tvNM8m9eifQxM+88TowPO";
};
services.postgresqlBackup = {
enable = true;
databases = [ "gotosocial" ];
startAt = "*-*-* 04:15:00";
location = "/var/backup/postgresql";
};
}
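Review bot: The borg job's `startAt = "daily"` fires at 00:00, but `services.postgresqlBackup` writes `/var/backup/postgresql` at 04:15, so each nightly archive of `/var/backup` captures the previous day's dump rather than the current one; scheduling borg after the dump, e.g. `startAt = "*-*-* 05:00:00";`, closes that gap, and whichever order is intended deserves a comment. `paths = [ "/var/lib" "/var/backup" ]` also sweeps up the live postgres cluster under `/var/lib` (presumably `/var/lib/postgresql` — confirm), which is not a consistent snapshot; if the dump is the restore path, listing that directory in `exclude` avoids a misleading copy. The `ssh-keyscan` hint for `programs.ssh.knownHosts` is trust-on-first-use; if BorgBase publishes the repo host's key fingerprint, the comment should say to compare against that before pinning.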


@ -69,6 +69,7 @@ in {
accounts-registration-open = false;
accounts-allow-custom-css = true;
};
environmentFile = config.sops.secrets.gtsEnvironment.path;
};
environment.systemPackages = [
goToSocialPkg
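Review bot: `environmentFile = config.sops.secrets.gtsEnvironment.path;` hands the service a secret declared as `sops.secrets.gtsEnvironment = { };`, i.e. with sops-nix's default owner and mode (root-only — confirm); that only works if the gotosocial module passes it through systemd's `EnvironmentFile=`, which the service manager reads before dropping privileges, so a comment recording that assumption would save the next reader a debugging round. Nothing in the hunk says which variables the file is expected to carry; given the commit message, something like `# sops-managed env file; expected to carry the SMTP credentials (GTS_SMTP_* — confirm) kept out of the nix store` would document the contract. The enclosing `services.gotosocial` block starts above the hunk.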

secrets/wob.yaml Normal file

@ -0,0 +1,50 @@
borgbase_ssh_private_key: ENC[AES256_GCM,data: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,iv:WkCqLEVETft1Une91+i7dRkd6Y4zgx4e2kNLERMdkIA=,tag:idyIMcEO5kShXFP6GVO6EQ==,type:str]
borg_backup_repo_passphrase: ENC[AES256_GCM,data:8zHnNw48P9WZjP7fTulTHurUXEJ217gKmbJOLUsfk8PYAyJnIYIEdL6dbP5lRNMzdU/1,iv:1yma8xCI47dCvhxTkCVlSLGGSu+SpfATFdIg7Wrs010=,tag:LhDtLqSvUarqGJ8xEPwn6w==,type:str]
gtsEnvironment: ENC[AES256_GCM,data:SUpH1Pk/pPWCZ/TPgYeVB2JrUzxOFOXU8vXGiRLfU6klMSNG7/ESKEg/mYThq1gtOeTsEJuFv1CKeYfbReAbXcSUubVdfa5JnUITkVoat8TRA57mtMuMkP5trQn2OCDZkef6DpkiwUh/JbcXefu9cH/34/ojFwCTcH6iQcf/SpSFYEBvNIKJAxTUBhj0bMLisy+bZ47B7NHeREhXIF+9HVfU1qK2HY97IJVpqbKLhJbXeKMu/QjpSK34W7PvgFjEdDDmBTc=,iv:1yGEq9zjsGcR4f+ZUAi8YSAKWWKzaaJbRcOfrbffwp4=,tag:ZAl9bMLz1Gwo9RDaDzJXxg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1rpglc4dtgkfth2prtnqveds63d7wg49x9k2l5atgay6upv36jsjssm9mue
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDRXA5QkV0N210SC9jcmc4
bzR0VjlBbHZJMVljZGJ0Q280UHJ6YlZqRDBvCnZXZkVmQURDcWdKc2FFNXdRUndN
Mi9GNEttT3Azd1JzWlNlYW4yS3NkNUEKLS0tIExXbnptUTYyenJaZWxTMUd4K284
MlFMZTVkdEJrNVBodXlOK3RhSmxZcVEKYNUkZBSPSNkVdUvjq4wK51fwr2yLHytf
Z7jqxJhk7enkjGZRafPsAZ6zXoKU6TjifMX5XHeo5Jk0y9jDFVBPxQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1eajejvws0qkqvs9qfp2cfxy77agtndr6xudl2h5afgx0k3ulysys4vqdxc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVWZhU29PQVJQb1R0S0VL
aE4zQ3MzdmxYdHhyM0J2ZUJ4Tmw1bit1OEY4CmVuQkxPZXJTTjk4VEp0b2lTNFp1
bHZ2Ukp1UTZJYXVFMCt0R3NtSm80cjQKLS0tIDIvQkdTQW5ZQ1hiMmxQeHBHcng4
d0VxaGoxVlE4ekx2aUdpVXVxZUx1TFkKwIK5W26S0ATX4BYjZJoDoj08RTa6CdX4
Ku27bUE/ht52FXRG0aR15xZgxw6YDW2nqNLYF9A1JbMjbeu8ruonoA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1rj45xn7emem7dv5rqpe6lea4mhxrja4fag9xfywtz80hgz24n42qnx3eae
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSSEdqejdmVVhxMEhxVFdV
RkpyeWFKODJXRkN0blM5UVVQNkpYa3V3a1JZCnFuZ1NhZTdoUHlVdWJSVGJaWm1Z
aUJQRk9VeTFRRjlBMDlsWEh5M1pBVTAKLS0tIFU0a1J2elBDN1BOTTFBNkNsSUpv
YVZoVTFzY0dXRytjWDVvT1FvOVdPbnMKvrqXktPBmGvuO09VuS7tkofa7fcAIi5v
+XuUMeKbnv9QsJyB6M0SpQBPUptrrOCU26wEBDvSTj4W+Uo3LFH8CA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ehyc0lekpzadd0gwue2h4pn87g5r56ea6jjklcf7jx4fzwn6gvfsvupyp8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrYWpDanBFZDYwQXVPK2d2
VG56ZEwxWldaWWEraDF1U0xSSU1sbE9UZ0hrCkZaQWFJK2YwSFBQNmxKSW51VW1o
ZFpiTGdzUFlQNlRHOWIrZXU1d2tCeTgKLS0tIE5lSVpVRlBwU09mVjVna0F6Vk90
NGhseHVJalAxZEpzT1Ntb2x6ZHhzcDQKHp6M0qb0dE2OyeYNSeO/WXntWFyyvRl7
i/7vPvPuE+dd/ld884UJtZUO1K7qHkXraXjHx8p27uUnN8ruNUn0bQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-02-04T01:58:51Z"
mac: ENC[AES256_GCM,data:QzO+EOejyPh0H64Cmf62Nv+7s41RmNwO4xNn3RLBYksQyqG/Em36rbBD4haLHv+fAXgWIzVCg4u5B2YJ3TMosggUwxH/5alLuH+hKKDLEiGMtvs2iO8q/AfYugn9/NRLnUvU19PGXaGJm2kEqoEE1fpMhuf6TK3o7drUQP3/95I=,iv:VJQqbuAMPrEMHLZA4sDGdDKwGz+AQa07UzMhWQMuOBA=,tag:IFyUGkcTsfC+2Sv0eYygBw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1