author | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 01:35:06 +0200 |
---|---|---|
committer | Ismaël Bouya <ismael.bouya@normalesup.org> | 2023-10-04 02:11:48 +0200 |
commit | 1a64deeb894dc95e2645a75771732c6cc53a79ad (patch) | |
tree | 1b9df4838f894577a09b9b260151756272efeb53 /modules/private/system/backup-2.nix | |
parent | fa25ffd4583cc362075cd5e1b4130f33306103f0 (diff) | |
download | Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.gz Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.tar.zst Nix-1a64deeb894dc95e2645a75771732c6cc53a79ad.zip |
Squash changes containing private information
There were a lot of changes since the previous commit, but a lot of them
contained personal information about users. All those changes got
stashed into a single commit (history is kept in a different place) and
private information was moved in a separate private repository
Diffstat (limited to 'modules/private/system/backup-2.nix')
-rw-r--r-- | modules/private/system/backup-2.nix | 137 |
1 files changed, 0 insertions, 137 deletions
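--- a/modules/private/system/backup-2.nix
+++ /dev/null
@@ -1,137 +0,0 @@
-{ config, pkgs, resources, name, ... }:
-{
-deployment = {
-targetUser = "root";
-targetHost = config.hostEnv.ips.main.ip4;
-substituteOnDestination = true;
-};
-# ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
-secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];
-secrets.keys = {
-"rsync_backup/identity" = {
-user = "backup";
-group = "backup";
-permissions = "0400";
-text = config.myEnv.rsync_backup.ssh_key.private;
-};
-"rsync_backup/identity.pub" = {
-user = "backup";
-group = "backup";
-permissions = "0444";
-text = config.myEnv.rsync_backup.ssh_key.public;
-};
-};
-boot.kernelPackages = pkgs.linuxPackages_latest;
-myEnv = import ../../../nixops/secrets/environment.nix;
-
-imports = [ <nixpkgs/nixos/modules/profiles/qemu-guest.nix> ] ++ builtins.attrValues (import ../..);
-
-fileSystems = {
-"/backup2" = {
-fsType = "ext4";
-device = "UUID=b9425333-f567-435d-94d8-b26c22d93426";
-};
-"/" = { device = "/dev/sda1"; fsType = "ext4"; };
-};
-
-networking = {
-firewall.enable = true;
-interfaces."ens3".ipv4.addresses = pkgs.lib.attrsets.mapAttrsToList
-(n: ips: { address = ips.ip4; prefixLength = 32; })
-(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips);
-interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
-(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
-config.hostEnv.ips);
-defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
-};
-
-boot.loader.grub.device = "nodev";
-
-myServices.certificates.enable = true;
-security.acme.certs."${name}" = {
-user = config.services.nginx.user;
-group = config.services.nginx.group;
-};
-services.nginx = {
-enable = true;
-recommendedOptimisation = true;
-recommendedGzipSettings = true;
-recommendedProxySettings = true;
-};
-networking.firewall.allowedTCPPorts = [ 80 443 ];
-
-services.cron = {
-mailto = "cron@immae.eu";
-enable = true;
-};
-
-services.rsyncBackup = {
-mountpoint = "/backup2";
-profiles = config.myEnv.rsync_backup.profiles;
-ssh_key_public = config.secrets.fullPaths."rsync_backup/identity.pub";
-ssh_key_private = config.secrets.fullPaths."rsync_backup/identity";
-};
-
-myServices.mailRelay.enable = true;
-myServices.mailBackup.enable = true;
-myServices.monitoring.enable = true;
-myServices.databasesReplication = {
-postgresql = {
-enable = true;
-base = "/backup2";
-mainPackage = pkgs.postgresql;
-hosts = {
-eldiron = {
-slot = "backup_2";
-connection = "postgresql://backup-2:${config.hostEnv.ldap.password}@eldiron.immae.eu";
-package = pkgs.postgresql;
-};
-};
-};
-mariadb = {
-enable = true;
-base = "/backup2";
-hosts = {
-eldiron = {
-serverId = 2;
-# mysql resolves "backup-2" host and checks the ip, but uses /etc/hosts which only contains ip4
-host = config.myEnv.servers.eldiron.ips.main.ip4;
-port = "3306";
-user = "backup-2";
-password = config.hostEnv.ldap.password;
-dumpUser = "root";
-dumpPassword = config.myEnv.databases.mysql.systemUsers.root;
-};
-};
-};
-redis = {
-enable = true;
-base = "/backup2";
-hosts = {
-eldiron = {
-host = "127.0.0.1";
-port = "16379";
-};
-};
-};
-openldap = {
-enable = true;
-base = "/backup2";
-hosts = {
-eldiron = {
-url = "ldaps://${config.myEnv.ldap.host}:636";
-dn = config.myEnv.ldap.replication_dn;
-password = config.myEnv.ldap.replication_pw;
-base = config.myEnv.ldap.base;
-};
-};
-};
-};
-
-# This value determines the NixOS release with which your system is
-# to be compatible, in order to avoid breaking some software such as
-# database servers. You should change this only after NixOS release
-# notes say you should.
-# https://nixos.org/nixos/manual/release-notes.html
-system.stateVersion = "20.03"; # Did you read the comment?
-}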