| -rw-r--r-- | home/profiles/minimal.nix | 1 | ||||
| -rw-r--r-- | machines/rivendell.nix | 88 | ||||
| -rw-r--r-- | profiles/storage-media.nix | 61 | ||||
| -rw-r--r-- | secrets/rsync-ssh-nas.age | bin | 0 -> 721 bytes | |||
| -rw-r--r-- | secrets/secrets.nix | 6 |
5 files changed, 110 insertions, 46 deletions
diff --git a/home/profiles/minimal.nix b/home/profiles/minimal.nix
index ac0d84f..4bccdb5 100644
--- a/home/profiles/minimal.nix
+++ b/home/profiles/minimal.nix
@@ -8,6 +8,7 @@ in
 ];
 programs.bat.enable = true;
+ programs.tmux.enable = true;
 home.homeDirectory = "/home/${username}";
 home.stateVersion = "25.05";
diff --git a/machines/rivendell.nix b/machines/rivendell.nix
index 5a19512..83dcb2e 100644
--- a/machines/rivendell.nix
+++ b/machines/rivendell.nix
@@ -13,6 +13,7 @@
 ../profiles/remote-unlock.nix
 ../profiles/restic-backup.nix
 ../profiles/server.nix
+ ../profiles/storage-media.nix
 ../profiles/users/builder.nix
 ../profiles/users/fcuny.nix
 ../profiles/wireguard.nix
@@ -23,56 +24,51 @@ networking.useDHCP = lib.mkDefault true;
 systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
- services.website = {
- enable = true;
- openFirewall = true;
- };
-
- services.restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
- services.restic.backups.synology.paths = [
- "/data/archives"
- "/data/media/music"
- "/var/lib/gitolite/repositories"
- ];
-
- services.samba = {
- enable = true;
- openFirewall = true;
- settings = {
- global = {
- security = "user";
- workgroup = "WORKGROUP";
- "server string" = config.networking.hostName;
- "netbios name" = config.networking.hostName;
- "hosts allow" = "192.168.1.0/24 10.100.0.0/24 localhost";
- "guest account" = "nobody";
- "map to guest" = "bad user";
- "use sendfile" = "yes";
- "load printers" = "no";
- "vfs objects" = "catia fruit streams_xattr";
- "fruit:metadata" = "stream";
- };
+ services = {
+ website = {
+ enable = true;
+ openFirewall = true;
+ };
+ restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
+ restic.backups.synology.paths = [
+ "/data/archives"
+ "/data/media/music"
+ "/var/lib/gitolite/repositories"
+ ];
+ samba = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ global = {
+ security = "user";
+ workgroup = "WORKGROUP";
+ "server string" = config.networking.hostName;
+ "netbios name" = config.networking.hostName;
+ "hosts allow" = "192.168.1.0/24 10.100.0.0/24 localhost";
+ "guest account" = "nobody";
+ "map to guest" = "bad user";
+ "use sendfile" = "yes";
+ "load printers" = "no";
+ "vfs objects" = "catia fruit streams_xattr";
+ "fruit:metadata" = "stream";
+ };
- media = {
- path = "/data/media";
- browseable = "yes";
- "read only" = "yes";
- "guest ok" = "yes";
+ media = {
+ path = "/data/media";
+ browseable = "yes";
+ "read only" = "yes";
+ "guest ok" = "yes";
+ };
 };
 };
+ avahi = {
+ enable = true;
+ nssmdns4 = true;
+ openFirewall = true;
+ };
 };
- services.avahi = {
- enable = true;
- nssmdns4 = true;
- openFirewall = true;
- };
-
- system.stateVersion = "23.11"; # Did you read the comment?
+ system.stateVersion = "23.11";
- home-manager.users.fcuny = {
- imports = [
- ../home/profiles/minimal.nix
- ];
- };
+ home-manager.users.fcuny.imports = [ ../home/profiles/minimal.nix ];
 }
diff --git a/profiles/storage-media.nix b/profiles/storage-media.nix
new file mode 100644
index 0000000..30fb9e4
--- /dev/null
+++ b/profiles/storage-media.nix
@@ -0,0 +1,61 @@
+{ pkgs, config, ... }:
+let
+ syncJobs = [
+ {
+ name = "movies";
+ source = "/data/media/movies/";
+ destination = "/volume1/media/movies/";
+ }
+ {
+ name = "videos";
+ source = "/data/media/videos/";
+ destination = "/volume1/media/videos/";
+ }
+ ];
+ remoteHost = "192.168.1.68";
+ remoteUser = "nas";
+in
+{
+ age.secrets.rsync-ssh-key.file = ../secrets/rsync-ssh-nas.age;
+
+ systemd.timers = pkgs.lib.listToAttrs (
+ map (job: {
+ name = "rsync-backup-${job.name}";
+ value = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ RandomizedDelaySec = "1h";
+ };
+ };
+ }) syncJobs
+ );
+
+ systemd.services = pkgs.lib.listToAttrs (
+ map (job: {
+ name = "rsync-backup-${job.name}";
+ value = {
+ description = "Rsync backup for ${job.name}";
+
+ serviceConfig = {
+ Type = "oneshot";
+ DynamicUser = true;
+ LoadCredential = "ssh-key:${config.age.secrets.rsync-ssh-key.path}";
+ PrivateTmp = true;
+ NoNewPrivileges = true;
+ ProtectSystem = "strict";
+ ProtectHome = true;
+
+ ExecStart = pkgs.writeShellScript "rsync-backup-${job.name}" ''
+ ${pkgs.rsync}/bin/rsync \
+ -avz \
+ -e "${pkgs.openssh}/bin/ssh -i ''${CREDENTIALS_DIRECTORY}/ssh-key -o StrictHostKeyChecking=accept-new" \
+ ${job.source} \
+ ${remoteUser}@${remoteHost}:${job.destination}
+ '';
+ };
+ };
+ }) syncJobs
+ );
+}
diff --git a/secrets/rsync-ssh-nas.age b/secrets/rsync-ssh-nas.age
Binary files differnew file mode 100644
index 0000000..b71e4ca
--- /dev/null
+++ b/secrets/rsync-ssh-nas.age
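Review bot: `StrictHostKeyChecking=accept-new` in the ExecStart script of storage-media.nix pins nothing in practice, because the unit runs with DynamicUser = true and ProtectHome = true, so ssh presumably has no writable ~/.ssh/known_hosts in which to record the NAS key and every run looks like a first connection to 192.168.1.68. The job pushes the media tree and authenticates with the key loaded through LoadCredential, so any host answering for that address on the LAN would be accepted silently. Pin the NAS host key in the system-wide known_hosts, which stays readable under ProtectSystem = "strict": `programs.ssh.knownHosts.${remoteHost}.publicKey = "<NAS host public key — placeholder>";` and change the ssh option to `-o StrictHostKeyChecking=yes`. Adding `-o IdentitiesOnly=yes` next to `-i` also keeps ssh from offering anything other than the loaded credential.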
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 155a88b..adb15e1 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -25,6 +25,12 @@ in
 hosts.rivendell
 ];
+ # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINE3mdcVS7+DPr7MZzIh3JsuI5t4z83j7ZAdAYxFLW4S rsync-nas
+ "rsync-ssh-nas.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
+
 # this is the SSH key we use to access the remote builder.
 "ssh-remote-builder.age".publicKeys = [
 users.fcuny |
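Review bot: The comment added above `"rsync-ssh-nas.age".publicKeys` is only the raw public key line, whereas the neighbouring `ssh-remote-builder.age` entry states what its key is for; from this hunk a reader cannot tell which unit consumes the secret or where the public half needs to be installed. Keep the key line and put a purpose comment in the file's existing style above it, e.g. `# private key for the rsync-backup-* services on rivendell (profiles/storage-media.nix) that push media to the NAS; the public half below presumably has to be in the NAS user's authorized_keys`.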
