Move backups to flake
[perso/Immae/Config/Nix.git] / modules / private / system / backup-2.nix
# modules/private/system/backup-2.nix
#
# Machine definition for the backup host: mounts the backup volume, pulls
# rsync backups over SSH and keeps replicas of the PostgreSQL, MariaDB, Redis
# and OpenLDAP data of "eldiron" under /backup2.
{ config, pkgs, resources, name, ... }:
let
  inherit (pkgs) lib;
  inherit (lib.attrsets) filterAttrs mapAttrsToList;

  # Every address set declared for this host, keyed by label ("main", ...).
  hostIps = config.hostEnv.ips;
in
{
  # Site-wide environment, read from the secrets tree at evaluation time.
  myEnv = import ../../../nixops/secrets/environment.nix;

  imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..);

  # The deployment tool logs in as root on the host's main IPv4 address.
  deployment = {
    targetHost = hostIps.main.ip4;
    targetUser = "root";
    substituteOnDestination = true;
  };

  secrets = {
    # Recipient (public) age key derived from the host's SSH host key:
    # ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
    ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];

    # SSH key pair used by the rsync backup service. The private half is
    # readable by the "backup" user only (0400); the public half is 0444.
    keys = [
      {
        dest = "rsync_backup/identity";
        user = "backup";
        group = "backup";
        permissions = "0400";
        text = config.myEnv.rsync_backup.ssh_key.private;
      }
      {
        dest = "rsync_backup/identity.pub";
        user = "backup";
        group = "backup";
        permissions = "0444";
        text = config.myEnv.rsync_backup.ssh_key.public;
      }
    ];
  };

  boot = {
    kernelPackages = pkgs.linuxPackages_latest;
    loader.grub.device = "nodev";
  };

  fileSystems = {
    "/" = { device = "/dev/sda1"; fsType = "ext4"; };
    "/backup2" = {
      device = "UUID=b9425333-f567-435d-94d8-b26c22d93426";
      fsType = "ext4";
    };
  };

  networking = {
    firewall = {
      enable = true;
      # Inbound TCP opened by this file: HTTP and HTTPS for nginx / ACME.
      allowedTCPPorts = [ 80 443 ];
    };

    interfaces."ens3" = {
      # Each non-"main" IPv4 address is added as a /32.
      ipv4.addresses = mapAttrsToList
        (label: entry: { address = entry.ip4; prefixLength = 32; })
        (filterAttrs (label: _: label != "main") hostIps);

      # Every IPv6 address is added as a /128, except the first address of
      # the "main" entry, which gets the /64.
      ipv6.addresses = lib.flatten (mapAttrsToList
        (label: entry: map
          (addr: {
            address = addr;
            prefixLength = (if label == "main" && addr == lib.head entry.ip6 then 64 else 128);
          })
          (entry.ip6 or []))
        hostIps);
    };

    defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
  };

  # The certificate for this host is owned by the nginx user and group.
  security.acme.certs."${name}" = {
    user = config.services.nginx.user;
    group = config.services.nginx.group;
  };

  services = {
    nginx = {
      enable = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
    };

    cron = {
      enable = true;
      mailto = "cron@immae.eu";
    };

    # The key paths point at the files deployed through secrets.keys above.
    rsyncBackup = {
      mountpoint = "/backup2";
      profiles = config.myEnv.rsync_backup.profiles;
      ssh_key_public = config.secrets.fullPaths."rsync_backup/identity.pub";
      ssh_key_private = config.secrets.fullPaths."rsync_backup/identity";
    };
  };

  myServices = {
    certificates.enable = true;
    mailRelay.enable = true;
    mailBackup.enable = true;
    monitoring.enable = true;

    databasesReplication = {
      postgresql = {
        enable = true;
        base = "/backup2";
        mainPackage = pkgs.postgresql;
        hosts = {
          eldiron = {
            slot = "backup_2";
            # NOTE(review): the password is interpolated into the URI as-is.
            # Confirm where the consuming module writes this string (a
            # world-readable store path or a command line would expose it),
            # that the password contains no URI-reserved characters, and that
            # TLS is enforced elsewhere: no sslmode is set here.
            connection = "postgresql://backup-2:${config.hostEnv.ldap.password}@eldiron.immae.eu";
            package = pkgs.postgresql;
          };
        };
      };

      mariadb = {
        enable = true;
        base = "/backup2";
        hosts = {
          eldiron = {
            serverId = 2;
            # mysql resolves the "backup-2" host and checks the ip, but it
            # relies on /etc/hosts, which only lists ip4, hence the ip4 here.
            host = config.myEnv.servers.eldiron.ips.main.ip4;
            port = "3306";
            user = "backup-2";
            password = config.hostEnv.ldap.password;
            # NOTE(review): dumps run as the MySQL root system user, so this
            # host holds the database root password. Presumably a dedicated
            # account with only the privileges a dump needs would do; verify
            # against the replication module.
            dumpUser = "root";
            dumpPassword = config.myEnv.databases.mysql.systemUsers.root;
          };
        };
      };

      redis = {
        enable = true;
        base = "/backup2";
        hosts = {
          eldiron = {
            # NOTE(review): a loopback address for a remote host; presumably
            # a local tunnel or forward is set up elsewhere - confirm.
            host = "127.0.0.1";
            port = "16379";
          };
        };
      };

      openldap = {
        enable = true;
        base = "/backup2";
        hosts = {
          eldiron = {
            # Replication binds over LDAPS with a dedicated replication DN.
            url = "ldaps://${config.myEnv.ldap.host}:636";
            dn = config.myEnv.ldap.replication_dn;
            password = config.myEnv.ldap.replication_pw;
            base = config.myEnv.ldap.base;
          };
        };
      };
    };
  };

  # This value determines the NixOS release with which your system is
  # to be compatible, in order to avoid breaking some software such as
  # database servers. You should change this only after NixOS release
  # notes say you should.
  # https://nixos.org/nixos/manual/release-notes.html
  system.stateVersion = "20.03"; # Did you read the comment?
}