| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
It creates the user, ensure sftp is configured correctly, and rsync the
backups to rsync.net once a day.
|
|
|
|
|
|
|
|
|
|
Get rid of configuration that was duplicated (a lot of things are
already handled by the upstream module).
|
|
I need to set a password.
|
|
Both tahoe and carmel are using nginx, and we can simplify the
configuration by moving common parts to the profile and have these hosts
import it.
|
|
Add the API key for gandi to the secrest, create a profile for acme with
my defaults.
The profile is loaded by tahoe since that's where our services are
running on.
Update all the servers in nginx to listen on their wireguard interface.
|
|
|
|
Backups are not synchronized with rclone to gcloud, but instead with
rsync to rsync.net.
|
|
The path to the restic repository has changed, and we are a bit more
specific about the paths we want to backup.
|
|
The dedicated account for backup should be named 'backup', as it's more
generic.
While it's a system account, I still need to be able to log in the host
remotely with sftp, so we give it a UID (991).
The account needs to be able to sftp to tahoe in order to store the
backups from remote hosts. However we don't want this user to get a
shell and be able to browse the host, so we configure sshd to chroot the
user to where the backups are stored.
|
|
I don't want to have to deal with authentication and TLS certificates
for these endpoints. If they are only listening on the wireguard
interface I can trust that only authorized hosts are sending traffic to
these endpoints. I trust what's running on these machines.
|
|
This will help to organize and structure monitoring modules a bit
better.
|
|
|
|
To prevent the unit to be triggered multiple times if the host has
already rebooted, we create a gate file when we're done running, and
before running, we check if the file exists.
Enable the service on tahoe.
Don't restart the unit when its definition has changed.
|
|
It's not working as I want, let's fix it first then we can enable it
again later.
|
|
Replace gitea with gitolite + cgit. I don't need a whole git forge for
myself, especially since I don't use most of the features.
The main thing I'm losing with this change is CI (via drone), but this
is not really a big loss for now.
|
|
|
|
I don't need to backup videos, and the cache of my home directory. I
also don't need to keep that many snapshots around.
|
|
This is a broken unit and I don't need it (see
https://github.com/nixos/nixpkgs/issues/72394).
|
|
|
|
The URL for drone changed to https://ci.fcuny.net. The secrets also
changed (and we remove the unencrypted file with secrets).
|
|
|
|
Since I'm moving everything back to GitHub I don't need to run these
services anymore.
|
|
I don't need to backup these directories in my home.
Change-Id: Ia2302f2ebe74033090b86b52864787d2a63ecb4b
Reviewed-on: https://cl.fcuny.net/c/world/+/620
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
|
|
This was done by running `nixpkgs-fmt .'.
Change-Id: I4ea6c1e759bf468d08074be2111cbc7af72df295
Reviewed-on: https://cl.fcuny.net/c/world/+/404
Tested-by: CI
Reviewed-by: Franck Cuny <franck@fcuny.net>
|
|
Change-Id: I12cc741bdfb074f7d2a006547860362176afe372
Reviewed-on: https://cl.fcuny.net/c/world/+/169
Reviewed-by: Franck Cuny <franck@fcuny.net>
|
|
I will not be using drone anymore, and will likely replace it with
buildkite.
Change-Id: I45d91c43090aaba119855158e071dae377c1897f
Reviewed-on: https://cl.fcuny.net/c/world/+/162
Reviewed-by: Franck Cuny <franck@fcuny.net>
|
|
Change-Id: I3b00408d7550d7660fb33940ae2cd0806076f4d2
Reviewed-on: https://cl.fcuny.net/c/world/+/62
Reviewed-by: Franck Cuny <franck.cuny@gmail.com>
|
|
|
|
|
|
|
|
From the laptop I only backup /home/fcuny, as the rest should be
straightforward to rebuild with nix.
I run that backup as my own user, since I need my ssh key to use the
remote repository (which is on the NAS). I also need a new secret for
it (I might have been able to use `pass' for this, but well, that's easy
enough).
For the NAS, I update the list of directories to backup to include home,
this will be on the systems backup.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
This will ultimately replace traefik.
|
|
|
|
Refactor a bit the configuration, which should simplify the management
and usage of secrets from now on.
|
|
Do a single backup for the host, instead of running multiple ones.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The list of public share is configurable too.
|
|
We also don't need the music-organizer anymore since we're switching to
beets.
|
|
|
|
|
|
|
|
|
|
Profiles contain a collection of modules.
|
|
|
|
|
|
Instead of rsync-ing these folders to a GCS bucket, I should instead do
a backup. If I screw up something, the content will be sync-ed, and I
won't be able to restore it. It's better (maybe more expensive, but
that's OK) to keep snapshots and be able to restore.
|
|
|
|
Create a user and group 'nas' so we can run tranmission in it. This will
also help us to enable some specific permissions on some directories.
|
|
|
|
I want to run traefik on the NAS, so I can reach grafana and other
future services running on that host.
To manage TLS, we use let's encrypt with a DNS challenge. For this to
work we need a service account configuration, that is encrypted with
age.
|
|
This will be run via a timer once a day, to perform maintenance on my
backups on the nas.
|
|
|
|
Run prometheus via systemd, and configure to pull node-exporter's
metrics from two hosts.
The retention is set for 3 years.
|
|
|
|
For now we only want samba on it.
|
