Diffstat (limited to 'systems/backup-2/base.nix')
-rw-r--r-- | systems/backup-2/base.nix | 164 |
1 files changed, 164 insertions, 0 deletions
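diff --git a/systems/backup-2/base.nix b/systems/backup-2/base.nix
new file mode 100644
index 0000000..97a364c
--- /dev/null
+++ b/systems/backup-2/base.nix
@@ -0,0 +1,164 @@
+{ config, pkgs, resources, name, lib, nixpkgs, secrets, ... }:
+{
+# ssh-keyscan backup-2 | nix-shell -p ssh-to-age --run ssh-to-age
+secrets.ageKeys = [ "age1kk3nr27qu42j28mcfdag5lhq0zu2pky7gfanvne8l4z2ctevjpgskmw0sr" ];
+secrets.keys = {
+"rsync_backup/identity" = {
+user = "backup";
+group = "backup";
+permissions = "0400";
+text = config.myEnv.rsync_backup.ssh_key.private;
+};
+"rsync_backup/identity.pub" = {
+user = "backup";
+group = "backup";
+permissions = "0444";
+text = config.myEnv.rsync_backup.ssh_key.public;
+};
+};
+boot.kernelPackages = pkgs.linuxPackages_latest;
+
+nixpkgs.config.permittedInsecurePackages = [
+"python-2.7.18.6" # for nagios-cli
+];
+
+imports =
+[
+secrets.nixosModules.users-config-backup-2
+(nixpkgs + "/nixos/modules/profiles/qemu-guest.nix")
+./databases/mariadb_replication.nix
+./databases/openldap_replication.nix
+./databases/postgresql_replication.nix
+./databases/redis_replication.nix
+./mail/relay.nix
+./monitoring.nix
+];
+
+fileSystems = {
+"/backup2" = {
+fsType = "ext4";
+device = "UUID=b9425333-f567-435d-94d8-b26c22d93426";
+};
+"/" = { device = "/dev/sda1"; fsType = "ext4"; };
+};
+
+networking = {
+firewall.enable = true;
+interfaces."ens3".ipv4.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+(n: ips: map (ip: { address = ip; prefixLength = 32; }) (ips.ip4 or []))
+(pkgs.lib.attrsets.filterAttrs (n: v: n != "main") config.hostEnv.ips));
+interfaces."ens3".ipv6.addresses = pkgs.lib.flatten (pkgs.lib.attrsets.mapAttrsToList
+(n: ips: map (ip: { address = ip; prefixLength = (if n == "main" && ip == pkgs.lib.head ips.ip6 then 64 else 128); }) (ips.ip6 or []))
+config.hostEnv.ips);
+defaultGateway6 = { address = "fe80::1"; interface = "ens3"; };
+};
+
+boot.loader.grub.device = "nodev";
+
+security.acme.certs."${name}" = {
+group = config.services.nginx.group;
+};
+services.nginx = {
+enable = true;
+recommendedOptimisation = true;
+recommendedGzipSettings = true;
+recommendedProxySettings = true;
+};
+networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+services.cron = {
+mailto = "cron@immae.eu";
+enable = true;
+};
+
+myServices.chatonsProperties.hostings.rsync-backup = {
+file.datetime = "2022-08-27T16:00:00";
+hosting = {
+name = "Rsync backups";
+description = "Remote initiated rsync backups";
+website = "backup-2.v.immae.eu";
+status.level = "OK";
+status.description = "OK";
+registration.load = "OPEN";
+install.type = "PACKAGE";
+};
+software = {
+name = "rsync";
+website = "https://rsync.samba.org/";
+license.url = "https://rsync.samba.org/GPL.html";
+license.name = "GNU General Public License version 3";
+version = pkgs.rsync.version;
+source.url = "https://github.com/WayneD/rsync";
+};
+};
+
+services.rsyncBackup = {
+mountpoint = "/backup2";
+profiles = config.myEnv.rsync_backup.profiles;
+ssh_key_public = config.secrets.fullPaths."rsync_backup/identity.pub";
+ssh_key_private = config.secrets.fullPaths."rsync_backup/identity";
+};
+
+myServices.mailRelay.enable = true;
+myServices.mailBackup.enable = true;
+myServices.monitoring.enable = true;
+myServices.databasesReplication = {
+postgresql = {
+enable = true;
+base = "/backup2";
+mainPackage = pkgs.postgresql;
+hosts = {
+eldiron = {
+slot = "backup_2";
+connection = "postgresql://backup-2:${config.hostEnv.ldap.password}@eldiron.immae.eu";
+package = pkgs.postgresql;
+};
+};
+};
+mariadb = {
+enable = true;
+base = "/backup2";
+hosts = {
+eldiron = {
+serverId = 2;
+# mysql resolves "backup-2" host and checks the ip, but uses /etc/hosts which only contains ip4
+host = lib.head config.myEnv.servers.eldiron.ips.main.ip4;
+port = config.myEnv.databases.mysql.port;
+user = "backup-2";
+password = config.hostEnv.ldap.password;
+dumpUser = "root";
+dumpPassword = config.myEnv.databases.mysql.systemUsers.root;
+};
+};
+};
+redis = {
+enable = true;
+base = "/backup2";
+hosts = {
+eldiron = {
+host = "127.0.0.1";
+port = "16379";
+};
+};
+};
+openldap = {
+enable = true;
+base = "/backup2";
+hosts = {
+eldiron = {
+url = "ldaps://${config.myEnv.ldap.host}:636";
+dn = config.myEnv.ldap.replication_dn;
+password = config.myEnv.ldap.replication_pw;
+base = config.myEnv.ldap.base;
+};
+};
+};
+};
+
+# This value determines the NixOS release with which your system is
+# to be compatible, in order to avoid breaking some software such as
+# database servers. You should change this only after NixOS release
+# notes say you should.
+# https://nixos.org/nixos/manual/release-notes.html
+system.stateVersion = "23.05"; # Did you read the comment?
+}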
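Review bot: The replication credentials handed to `myServices.databasesReplication` — the postgresql `connection` string that interpolates `config.hostEnv.ldap.password`, the mariadb `password` and `dumpPassword`, and the openldap `password` — are passed as plain Nix values, so whether they end up in world-readable `/nix/store` paths depends entirely on how the consuming modules (defined outside this file) render them. The rsync identity in the same file takes the safer route through `secrets.keys` with an owner and `0400` mode, and `services.rsyncBackup` then references it via `config.secrets.fullPaths`. I would confirm the replication modules write these values to a non-store path, or route them through `secrets.keys` the same way; at minimum a comment next to the postgresql `connection` line such as `# password is interpolated into a Nix string; confirm the databasesReplication module keeps it out of /nix/store` would record the assumption for the next reader.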