lorenzo/servers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Refactor Tailscale and Restic Into Common Nixos Modules.

Browse source
This commit is contained in:
Lorenzo Good 2025-02-07 17:14:52 -06:00
parent 6b3755ca06
commit 9df92651ad
Signed by: lorenzo
GPG key ID: 7FCD64BD81180ED0
5 changed files with 110 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

40
machines/lebesgue/config/backups.nix
View file

@ -1,40 +0,0 @@
{
pkgs,
config,
...
}: let
paths = ["/var/lib/vaultwarden"];
exclude = [];
secrets = config.sops.secrets;
in {
users.groups.restic = {};
users.users.restic = {
isSystemUser = true;
group = "restic";
};
security.wrappers.restic = {
source = "${pkgs.restic.out}/bin/restic";
owner = "restic";
group = "restic";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
services.restic.backups = {
s3 = {
inherit paths exclude;
user = "restic";
repositoryFile = secrets.restic-repository.path;
environmentFile = secrets.restic-env.path;
passwordFile = secrets.restic-password.path;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
];
};
};
}

14
machines/lebesgue/config/configuration.nix
View file

@ -16,12 +16,21 @@
signups = false; signups = false;
envPath = config.sops.secrets.vaultwarden-env.path; envPath = config.sops.secrets.vaultwarden-env.path;
}; };
backups.restic = {
enable = true;
repositoryFile = config.sops.secrets.restic-repository.path;
environmentFile = config.sops.secrets.restic-env.path;
passwordFile = config.sops.secrets.restic-password.path;
paths = ["/var/lib/vaultwarden"];
}; };
services.tailscale = { tailscale = {
enable = true; enable = true;
authKeyFile = config.sops.secrets.tskey.path; authKeyFile = config.sops.secrets.tskey.path;
openFirewall = true; };
}; };
boot.loader.systemd-boot.enable = true; boot.loader.systemd-boot.enable = true;
@ -30,7 +39,6 @@
i18n.defaultLocale = "en_US.UTF-8"; i18n.defaultLocale = "en_US.UTF-8";
networking.firewall.allowedTCPPorts = [22]; networking.firewall.allowedTCPPorts = [22];
networking.firewall.trustedInterfaces = ["tailscale0"];
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

2
machines/lebesgue/flake.lock generated
View file

@ -7,7 +7,7 @@
}, },
"locked": { "locked": {
"lastModified": 1, "lastModified": 1,
"narHash": "sha256-4RJQyq1PJVInDYTv3WfTig9BDilHndsygEHgIM4DJdY=", "narHash": "sha256-fX+L0Z4YfKPZJdpaosa7INNGnEaVpAswpyqz9mf+oHA=",
"path": "../../nixos", "path": "../../nixos",
"type": "path" "type": "path"
}, },

70
nixos/common/backups/restic.nix Normal file
View file

@ -0,0 +1,70 @@
{
config,
pkgs,
lib,
...
}: let
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.foehammer.backups.restic;
in {
options.foehammer.backups.restic = {
enable = mkEnableOption "Enable restic backups";
repositoryFile = mkOption {
type = types.nullOr types.path;
};
environmentFile = mkOption {
type = types.nullOr types.str;
};
passwordFile = mkOption {
type = types.str;
};
paths = mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
default = [];
};
exclude = mkOption {
type = lib.types.nullOr (lib.types.listOf lib.types.str);
default = [];
};
};
config = mkIf cfg.enable {
users.groups.restic = {};
users.users.restic = {
isSystemUser = true;
group = "restic";
};
security.wrappers.restic = {
source = "${pkgs.restic.out}/bin/restic";
owner = "restic";
group = "restic";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
services.restic.backups = {
remote = {
paths = cfg.paths;
exclude = cfg.exclude;
user = "restic";
initialize = true;
repositoryFile = cfg.repositoryFile;
environmentFile = cfg.environmentFile;
passwordFile = cfg.passwordFile;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
];
};
};
};
}

25
nixos/common/tailscale.nix Normal file
View file

@ -0,0 +1,25 @@
{
config,
lib,
...
}: let
inherit (lib) mkEnableOption mkOption types mkIf;
cfg = config.foehammer.tailscale;
in {
options.foehammer.tailscale = {
enable = mkEnableOption "Enable tailscale";
authKeyFile = mkOption {
type = types.nullOr types.path;
};
};
config = mkIf cfg.enable {
services.tailscale = {
enable = true;
authKeyFile = cfg.authKeyFile;
openFirewall = true;
};
networking.firewall.trustedInterfaces = ["tailscale0"];
};
}