stuff

2025-01-09 00:15:30 +01:00 · 2025-01-09 00:15:30 +01:00 · e0f1f5b6fb
commit e0f1f5b6fb
parent f44a65d108
49 changed files with 10 additions and 2 deletions
--- a/hosts/headless/vessel/backup.nix
+++ b/hosts/headless/vessel/backup.nix
@ -0,0 +1,61 @@
+{
+  attrName,
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  backups = {
+    music = "/srv/music";
+    safe = "/srv/safe";
+    storage = "/srv/storage";
+    sync = config.services.syncthing.dataDir;
+  };
+in {
+  systemd = lib.mkMerge (map (
+    backupName: let
+      systemdName = "${backupName}-backup";
+    in {
+      timers.${systemdName} = {
+        description = "Local rsync Backup ${backupName}";
+        wantedBy = ["timers.target"];
+        timerConfig = {
+          OnCalendar = "*-*-* 03:00:00"; # TODO
+          Persistent = true;
+          Unit = "${systemdName}.service"; # TODO
+        };
+      };
+
+      services.${systemdName} = {
+        description = "Local rsync Backup ${backupName}";
+        serviceConfig = {
+          Type = "oneshot";
+          User = "root";
+          Group = "root";
+        };
+        # TODO
+        script = ''
+          ${lib.getExe pkgs.rsync} --verbose --verbose --archive --update --delete --mkpath -- ${backups.${backupName}}/ /srv/backup/${backupName}/
+        '';
+      };
+    }
+  ) (lib.attrNames backups));
+
+  age.secrets = lib.mkSecrets {"restic-${attrName}" = {};};
+
+  services.restic.backups.${attrName} = {
+    repository = "sftp:u385962@u385962.your-storagebox.de:/restic/${attrName}";
+    initialize = true;
+    paths = [
+      backups.safe
+      backups.sync
+    ];
+    passwordFile = config.age.secrets."restic-${attrName}".path;
+    pruneOpts = ["--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12"];
+    timerConfig = {
+      OnCalendar = "*-*-* 03:00:00"; # TODO
+      Persistent = true;
+    };
+    extraOptions = ["sftp.args='-i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'"];
+  };
+}
--- a/hosts/headless/vessel/blocky.nix
+++ b/hosts/headless/vessel/blocky.nix
@ -0,0 +1,27 @@
+let
+  upstream = "https://one.one.one.one/dns-query";
+in {
+  services = {
+    resolved.extraConfig = "DNSStubListener=no";
+    blocky = {
+      enable = true;
+      settings = {
+        ports.dns = 53;
+        upstreams.groups.default = [upstream];
+        bootstrapDns = {
+          inherit upstream;
+          ips = ["1.1.1.1" "1.0.0.1"];
+        };
+        blocking = {
+          denylists.ads = ["https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"];
+          clientGroupsBlock.default = ["ads"];
+        };
+        caching = {
+          minTime = "5m";
+          maxTime = "30m";
+          prefetching = true;
+        };
+      };
+    };
+  };
+}
--- a/hosts/headless/vessel/fs.nix
+++ b/hosts/headless/vessel/fs.nix
@ -0,0 +1,7 @@
+{
+  fileSystems."/srv/backup" = {
+    label = "backup";
+    fsType = "ext4";
+    options = ["noatime"];
+  };
+}
--- a/hosts/headless/vessel/hardware.nix
+++ b/hosts/headless/vessel/hardware.nix
@ -0,0 +1,22 @@
+{
+  inputs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    "${modulesPath}/installer/scan/not-detected.nix"
+
+    inputs.hardware.nixosModules.common-cpu-intel
+    inputs.hardware.nixosModules.common-gpu-intel
+    inputs.hardware.nixosModules.common-pc-ssd
+  ];
+
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+    kernelModules = ["kvm-intel"];
+  };
+
+  powerManagement.cpuFreqGovernor = "powersave";
+}
--- a/hosts/headless/vessel/musicomp.nix
+++ b/hosts/headless/vessel/musicomp.nix
@ -0,0 +1,32 @@
+{
+  self,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.musicomp.jobs.main = {
+    music = "/srv/music";
+    comp = "/srv/compmusic";
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+    inhibitsSleep = true;
+    post = let
+      remoteDir = self.nixosConfigurations.abacus.config.services.navidrome.settings.MusicFolder;
+      rsyncExe = lib.getExe pkgs.rsync;
+      rsh = "${lib.getExe pkgs.openssh} -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
+    in ''
+      ${rsyncExe} \
+        --archive \
+        --recursive \
+        --delete \
+        --update \
+        --mkpath \
+        --verbose --verbose \
+        --exclude lost+found \
+        --rsh ${lib.escapeShellArg rsh} \
+        /srv/compmusic/ root@wrz.one:${remoteDir}
+    '';
+  };
+}
--- a/hosts/headless/vessel/storage.nix
+++ b/hosts/headless/vessel/storage.nix
@ -0,0 +1,27 @@
+{
+  systemd.tmpfiles.settings = {
+    "10-safe"."/srv/safe".d = {
+      user = "lukas";
+      group = "users";
+      mode = "0755";
+    };
+
+    "10-storage"."/srv/storage".d = {
+      user = "lukas";
+      group = "users";
+      mode = "0755";
+    };
+
+    "10-music"."/srv/music".d = {
+      user = "lukas";
+      group = "users";
+      mode = "0755";
+    };
+
+    "10-compmusic"."/srv/compmusic".d = {
+      user = "lukas";
+      group = "users";
+      mode = "0755";
+    };
+  };
+}
--- a/hosts/headless/vessel/syncthing.nix
+++ b/hosts/headless/vessel/syncthing.nix
@ -0,0 +1,15 @@
+{lib, ...}: let
+  guiPort = 8384;
+in {
+  services.syncthing = {
+    enable = true;
+    systemService = true;
+    openDefaultPorts = true;
+    guiAddress = lib.formatHostPort {
+      host = "0.0.0.0";
+      port = guiPort;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [guiPort];
+}
--- a/hosts/headless/vessel/system.nix
+++ b/hosts/headless/vessel/system.nix
@ -0,0 +1,3 @@
+{
+  system.stateVersion = "24.11";
+}