From 9bf719ab23ba14f4e51e4a4616dfdaf875c45633 Mon Sep 17 00:00:00 2001 From: Emelie Date: Tue, 28 Sep 2021 11:55:33 +0200 Subject: [PATCH] add rudiger --- config/hosts/rudiger/configuration.nix | 10 ++++++-- config/hosts/rudiger/services/acme.nix | 9 +++++++ config/hosts/rudiger/services/nextcloud.nix | 2 ++ config/hosts/rudiger/services/nginx.nix | 4 ++++ config/hosts/rudiger/services/postgres.nix | 9 +++++++ config/hosts/rudiger/services/redis.nix | 10 ++++++++ config/hosts/rudiger/services/restic.nix | 26 +++++++++++++++++++++ deploy/default.nix | 6 ----- 8 files changed, 68 insertions(+), 8 deletions(-) create mode 100644 config/hosts/rudiger/services/acme.nix create mode 100644 config/hosts/rudiger/services/redis.nix create mode 100644 config/hosts/rudiger/services/restic.nix
diff --git a/config/hosts/rudiger/configuration.nix b/config/hosts/rudiger/configuration.nix
index 6a54de8..e666c49 100644
--- a/config/hosts/rudiger/configuration.nix
+++ b/config/hosts/rudiger/configuration.nix
@@ -6,9 +6,12 @@
 ./hardware-configuration.nix
 ./data/secrets/secrets.nix
 ../../common/services/ssh.nix
+ ./services/acme.nix
 ./services/nextcloud.nix
 ./services/nginx.nix
 ./services/postgres.nix
+ ./services/redis.nix
+ ./services/restic.nix
 ];
 
 boot.loader.grub.enable = true;
@@ -70,10 +73,13 @@
 security.sudo.wheelNeedsPassword = false;
 
 systemd.services."nextcloud-setup" = {
- requires = ["postgresql.service"];
- after = ["postgresql.service"];
+ requires = [ "postgresql.service" "redis.service" ];
+ after = [ "postgresql.service" "redis.service" ];
 };
 
+ users.groups.redis.members = [ "nextcloud" ];
+ users.groups.backup.members = [ "nextcloud" "postgres" ];
+
 networking.firewall.allowedTCPPorts = [ 22 80 443 ];
 # networking.firewall.allowedUDPPorts = [ ... ];
 system.stateVersion = "21.05";
diff --git a/config/hosts/rudiger/services/acme.nix b/config/hosts/rudiger/services/acme.nix
new file mode 100644
index 0000000..62ae467
--- /dev/null
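Review bot: `users.groups.backup.members = [ "nextcloud" "postgres" ];` creates a group that nothing else in this patch references, and it puts the web-facing Nextcloud (PHP-FPM) account and the database account into a single trust boundary; presumably it gates the restic password and SSH key declared in `data/secrets/secrets.nix` (not shown), but a reader cannot tell. If that is the intent, say so next to the line, e.g. `# backup: read access to the restic/ssh secrets consumed by services/restic.nix`, and prefer one group (or one secret set) per backup job so that a compromise of the Nextcloud process does not hand over the Postgres backup credentials. The `redis` group membership pairs with `unixSocketPerm = 770` in services/redis.nix and is fine as long as no other account is ever added to that group. The enclosing attribute set starts and ends outside this hunk.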
+++ b/config/hosts/rudiger/services/acme.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ email = "admin+certs@graven.dev";
+ };
+}
+
diff --git a/config/hosts/rudiger/services/nextcloud.nix b/config/hosts/rudiger/services/nextcloud.nix
index c2fe3db..fd2a274 100644
--- a/config/hosts/rudiger/services/nextcloud.nix
+++ b/config/hosts/rudiger/services/nextcloud.nix
@@ -8,11 +8,13 @@
 autoUpdateApps.enable = true;
 maxUploadSize = "10G";
 webfinger = true;
+ caching.redis = true;
 config = {
 dbtype = "pgsql";
 dbuser = "nextcloud";
 dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
 dbname = "nextcloud";
+ defaultPhoneRegion = "DK";
 adminpassFile = builtins.toString config.secrets.files.nc_admin_pass.file;
 adminuser = "root";
 };
diff --git a/config/hosts/rudiger/services/nginx.nix b/config/hosts/rudiger/services/nginx.nix
index 57cb8a5..d896bab 100644
--- a/config/hosts/rudiger/services/nginx.nix
+++ b/config/hosts/rudiger/services/nginx.nix
@@ -1,4 +1,8 @@
 { ... }:
 {
 imports = [ ../../../common/services/nginx.nix ];
+ services.nginx.virtualHosts."cloud.graven.dev" = {
+ enableACME = true;
+ forceSSL = true;
+ };
 }
diff --git a/config/hosts/rudiger/services/postgres.nix b/config/hosts/rudiger/services/postgres.nix
index 92e4732..4651a6e 100644
--- a/config/hosts/rudiger/services/postgres.nix
+++ b/config/hosts/rudiger/services/postgres.nix
@@ -9,4 +9,13 @@
 }
 ];
 };
+
+ services.postgresqlBackup = {
+ enable = true;
+ location = "/var/lib/postgresql/backup";
+ databases = [ "synapse" ];
+ startAt = "02:30";
+ compression = "none";
+ };
+
 }
diff --git a/config/hosts/rudiger/services/redis.nix b/config/hosts/rudiger/services/redis.nix
new file mode 100644
index 0000000..2db61e7
--- /dev/null
+++ b/config/hosts/rudiger/services/redis.nix
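Review bot: `caching.redis = true;` in the nextcloud.nix hunk most likely only loads the PHP Redis extension (that is how I remember the 21.05 module; please verify), so Nextcloud will keep using file-based locking and the local APCu/none cache unless the Redis backend is also selected in the Nextcloud config, e.g. `extraOptions = { "memcache.locking" = "\\OC\\Memcache\\Redis"; redis = { host = "/run/redis/redis.sock"; port = 0; }; };` (option name may differ in this release). That matters beyond performance: the new `requires`/`after` ordering on `nextcloud-setup` and the `redis` group membership only pay off if Nextcloud actually talks to the socket. A one-line comment stating what `caching.redis` is expected to do would prevent the next reader from assuming locking is already on Redis. The enclosing `services.nextcloud = {` block starts and ends outside this hunk.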
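Review bot: `databases = [ "synapse" ];` in the postgres.nix hunk names a database this patch never creates, while the only database configured for this host is `nextcloud` (`dbname = "nextcloud"` in services/nextcloud.nix); unless `synapse` is provisioned in the unshown top of postgres.nix, the 02:30 dump fails or dumps the wrong database and the 04:15 restic `postgres` job ships an empty `/var/lib/postgresql/backup`. It reads as copy-paste from another host; `databases = [ "nextcloud" ];` (or `backupAll = true;`) is the likely intent, plus a quick grep for other host-specific values. Also worth a comment that the dump directory is world-unreadable by default in that module (owned by `postgres`), since the restic job running as `postgres` depends on that. The enclosing `services.postgresql = {` block starts outside this hunk.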
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+ services.redis = {
+ enable = true;
+ unixSocket = "/run/redis/redis.sock";
+ vmOverCommit = true;
+ unixSocketPerm = 770;
+ #requirePassfile = config.secrets.files.redis_pass.file;
+ };
+}
diff --git a/config/hosts/rudiger/services/restic.nix b/config/hosts/rudiger/services/restic.nix
new file mode 100644
index 0000000..dc6ad4d
--- /dev/null
+++ b/config/hosts/rudiger/services/restic.nix
@@ -0,0 +1,26 @@
+{ config, ... }:
+{
+ services.restic.backups = {
+ "postgres" = {
+ paths = [ "/var/lib/postgresql/backup" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/postgres";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "04:15"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "postgres";
+ };
+ "nextcloud" = {
+ paths = [ "/var/lib/nextcloud/data" ];
+ repository = "sftp:restic@despondos.nao.sh:/etheria/backup/rudiger/nextcloud";
+ initialize = true;
+ pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" "--keep-yearly 75" ];
+ timerConfig = { "OnCalendar" = "04:30"; };
+ extraOptions = [ "sftp.command='ssh restic@despondos.nao.sh -i ${config.secrets.files.ssh_key.file} -s sftp'" ];
+ passwordFile = builtins.toString config.secrets.files.restic_pass.file;
+ user = "nextcloud";
+ };
+ };
+}
+
diff --git a/deploy/default.nix b/deploy/default.nix
index 6a356cb..9162e24 100644
--- a/deploy/default.nix
+++ b/deploy/default.nix
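Review bot: With `#requirePassfile` commented out, the socket mode is the only access control on this Redis, yet nothing here sets `port = 0;`, so (per the NixOS default `port` of 6379, which I believe 21.05 still applies even when `unixSocket` is set — please confirm) the server also listens on 127.0.0.1:6379 where any local process, not just members of the `redis` group, can read and write the Nextcloud cache and file locks. Either add `port = 0;` or re-enable the password file, and leave a comment explaining why the commented line is kept. `vmOverCommit = true;` sets `vm.overcommit_memory = 1` for the whole host, affecting Postgres and PHP-FPM too, and `unixSocketPerm = 770` is a decimal Nix integer that the module writes verbatim and Redis reads as octal, so both deserve a short why-comment such as `# host-wide sysctl; silences redis' overcommit warning` and `# written as-is to redis.conf, interpreted as octal 0770`.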
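Review bot: Both restic jobs share one repository password (`restic_pass`) and one SSH key (`ssh_key`) while running as different users (`user = "postgres"` and `user = "nextcloud"`), so each secret must be readable by both accounts and a compromise of the web-facing Nextcloud process yields the key and password for the Postgres repository as well (same SFTP account, sibling paths); per-job keys and passwords, and ideally an append-only target (e.g. a chrooted SFTP account or `restic-server --append-only`), would keep an attacker from reading or deleting the other job's history. The `ssh … -i … -s sftp` command also does no host-key pinning: the `postgres` and `nextcloud` users have no `~/.ssh/known_hosts`, so the first run fails with "Host key verification failed" unless a key is provisioned elsewhere, and the tempting fix of `StrictHostKeyChecking=no` would silently trust any host; pin it with `programs.ssh.knownHosts."despondos.nao.sh".publicKey = "ssh-ed25519 AAAA…";` and add `-o StrictHostKeyChecking=yes` to the command. Finally, `initialize = true;` means a typo in `repository` creates a fresh empty repo instead of failing loudly, which is fine for bootstrap but worth a comment so it is not left on by accident.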
@@ -15,20 +15,14 @@ in import "${sources.nixus}" {} ({ config, ... }: {
 wind = { lib, config, ... }: {
 host = "emelie@graven.dev";
 configuration = ../config/hosts/wind/configuration.nix;
- switchTimeout = 300;
- successTimeout = 300;
 };
 grondahl = { lib, config, ... }: {
 host = "emelie@anarkafem.dev";
 configuration = ../config/hosts/grondahl/configuration.nix;
- switchTimeout = 300;
- successTimeout = 300;
 };
 rudiger = { lib, config, ... }: {
 host = "emelie@cloud.graven.dev";
 configuration = ../config/hosts/rudiger/configuration.nix;
- switchTimeout = 300;
- successTimeout = 300;
 };
 };
 })