diff --git a/lxc-metrics.nix b/lxc-metrics.nix index af0943a..f5db0ef 100644 --- a/lxc-metrics.nix +++ b/lxc-metrics.nix @@ -105,24 +105,32 @@ } ]; } - { job_name = "nut"; + { + job_name = "nut"; metrics_path = "/ups_metrics"; - params = { ups = [ "minirack-1500va" ]; }; - static_configs = [{ - targets = [ - "127.0.0.1:9199" - ]; - labels = { - ups = "minirack-1500va"; - }; - }]; + params = { + ups = [ "minirack-1500va" ]; + }; + static_configs = [ + { + targets = [ + "127.0.0.1:9199" + ]; + labels = { + ups = "minirack-1500va"; + }; + } + ]; } - { job_name = "minecraft"; - static_configs = [{ - targets = [ - "craft01:25585" - ]; - }]; + { + job_name = "minecraft"; + static_configs = [ + { + targets = [ + "craft01:25585" + ]; + } + ]; } ]; }; @@ -131,10 +139,17 @@ enable = true; nutServer = "xalicas"; nutVariables = [ - "battery.charge" "battery.charge.low" "battery.charge.warning" - "battery.runtime" "battery.runtime.low" - "ups.load" "ups.power" "ups.power.nominal" "ups.realpower" - "ups.realpower.nominal" "ups.status" + "battery.charge" + "battery.charge.low" + "battery.charge.warning" + "battery.runtime" + "battery.runtime.low" + "ups.load" + "ups.power" + "ups.power.nominal" + "ups.realpower" + "ups.realpower.nominal" + "ups.status" ]; }; @@ -142,7 +157,7 @@ paths = [ "/var/lib/grafana/data/grafana.db" ]; archiveBaseName = null; encryption.mode = "none"; - environment.BORG_RSH = "ssh -i /home/admin/.ssh/id_ed25519"; + environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key"; repo = "ssh://backup@xalicas/./grafana"; compression = "auto,zstd"; startAt = "daily"; diff --git a/recipes/borg-auth.bash b/recipes/borg-auth.bash index ea9dbd8..f53e7bd 100755 --- a/recipes/borg-auth.bash +++ b/recipes/borg-auth.bash 
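Review bot: In the last hunk, `environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key"` turns the sshd host key into the backup job's client identity, coupling two unrelated trust relationships: the `authorized_keys` entry for this host on xalicas is now valid for exactly as long as the host key is, and any host-key rotation (re-provisioning the VM, `ssh-keygen -A` on a fresh install) silently breaks the job while the stale public key presumably stays authorized on the server. A dedicated root-only key (for example `/var/lib/borg/id_ed25519`, generated once) keeps rotation and revocation of the backup credential independent of sshd; if reusing the host key is deliberate, record it next to the line, e.g. `# uses the sshd host key as the borg client key; re-run recipes/borg-auth.bash get_key/put_key after any host-key rotation`. Nothing in the job pins xalicas's own host key for this non-interactive root session either — if root's known_hosts does not already contain it, the first run fails under OpenSSH's default `StrictHostKeyChecking=ask`; `programs.ssh.knownHosts` would make that trust explicit. The enclosing `services.borgbackup.jobs` attribute set starts before this hunk.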
@@ -1,11 +1,12 @@ #!/usr/bin/env bash +set -euo pipefail + get_key() { hostname=$1 ip=$2 - ssh "admin@$ip" -- 'if [ ! -f /home/admin/.ssh/id_ed25519.pub ]; then ssh-keygen -t ed25519; fi' - pubkey=$(ssh "admin@$ip" cat '$HOME/.ssh/id*.pub') - echo 'command="mkdir -p /borg/'"$hostname"'; cd /borg/'"$hostname"'; borg serve --restrict-to-path /borg/'"$hostname"'", restrict '"$pubkey" + pubkey=$(ssh "admin@$ip" sudo cat '/etc/ssh/ssh_host_ed25519_key.pub') + echo 'command="mkdir -p /borg/'"$hostname"'; cd /borg/'"$hostname"'; borg serve --restrict-to-path /borg/'"$hostname"'",restrict '"$pubkey" } put_key() { @@ -15,4 +16,16 @@ put_key() { ssh -t robert@xalicas "sudo -u backup mkdir -p ~backup/.ssh; echo '$line' | sudo -u backup tee -a ~backup/.ssh/authorized_keys" } +manually_debug_borg_command() { + jobname="$1" + service="/etc/systemd/system/borgbackup-job-$jobname.service" + borg_rsh=$(grep BORG_RSH "$service" | cut -d= -f3 | sed 's/"$//') + borg_repo=$(grep BORG_REPO "$service" | cut -d= -f3 | sed 's/"$//') + script1=$(grep ExecStart "$service" | cut -d= -f2 | sed 's/ $//') + script2=$(grep '^exec' "$script1" | cut -d\ -f2) + set -x + sudo env BORG_RSH="$borg_rsh" BORG_REPO="$borg_repo" "$script2" || true + set +x +} + "$@" diff --git a/vm-base.nix b/vm-base.nix index 53c505d..ef5d952 100644 --- a/vm-base.nix +++ b/vm-base.nix @@ -1,4 +1,10 @@ -{ config, pkgs, modulesPath, lib, ... }: +{ + config, + pkgs, + modulesPath, + lib, + ... +}: { imports = [ 
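Review bot: `pubkey=$(ssh "admin@$ip" sudo cat '/etc/ssh/ssh_host_ed25519_key.pub')` escalates to root to read a file sshd normally installs world-readable (the `.pub` half is what every connecting client already sees), so the `sudo` adds a root-capable step to the recipe without buying anything; `pubkey=$(ssh "admin@$ip" cat /etc/ssh/ssh_host_ed25519_key.pub)` is sufficient. Separately, the new `echo` line splices `$hostname` unvalidated into the `command="…"` option that later lands in the backup user's `authorized_keys`; a value containing `"`, `;` or whitespace would break out of the restricted `borg serve` command, so guard it before building the line, e.g. `[[ $hostname =~ ^[A-Za-z0-9._-]+$ ]] || { echo "bad hostname: $hostname" >&2; return 1; }`. The `put_key` function that consumes this output continues outside the hunk.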
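Review bot: In `manually_debug_borg_command`, `cut -d= -f3` on the `BORG_RSH` and `BORG_REPO` lines keeps only the third `=`-separated field, so any value containing a further `=` (an `ssh -o Option=value` in BORG_RSH, for instance) is silently truncated; `cut -d= -f3-` on both lines keeps the rest of the value. `grep ExecStart "$service"` would also match `ExecStartPre`/`ExecStartPost` should the unit ever gain them, and under the newly added `set -euo pipefail` a grep that matches nothing aborts the script with no message — `grep '^ExecStart=' "$service"` narrows the match, and a `|| { echo "no ExecStart in $service" >&2; return 1; }` makes the failure readable. The `set -x` block re-runs the job script as root via `sudo env`; that is reasonable for debugging since neither variable holds a secret, but a one-line comment saying so would save the next reader the check.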
@@ -27,105 +33,116 @@ }; }; - config = let cfg = config.my.vm; in { - proxmox.qemuConf.name = cfg.name; - # virtualisation.diskSize = 10240; # MiB - proxmox.qemuConf.diskSize = "auto"; + config = + let + cfg = config.my.vm; + in + { + proxmox.qemuConf.name = cfg.name; + virtualisation.diskSize = "auto"; - # Enable QEMU Guest for Proxmox - services.qemuGuest.enable = lib.mkDefault true; + # Enable QEMU Guest for Proxmox + services.qemuGuest.enable = lib.mkDefault true; - # Use the boot drive for grub - boot.loader.grub.enable = lib.mkDefault true; - boot.loader.grub.devices = [ "nodev" ]; + # Use the boot drive for grub + boot.loader.grub.enable = lib.mkDefault true; + boot.loader.grub.devices = [ "nodev" ]; - boot.growPartition = lib.mkDefault true; + boot.growPartition = lib.mkDefault true; - # Allow remote updates with flakes and non-root users - nix.settings.trusted-users = [ "root" "@wheel" ]; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # Allow remote updates with flakes and non-root users + nix.settings.trusted-users = [ + "root" + "@wheel" + ]; + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; - # Enable mDNS for `hostname.local` addresses - services.avahi.enable = true; - services.avahi.nssmdns4 = true; - services.avahi.publish = { - enable = true; - addresses = true; - }; - - # Some sane packages we need on every system - environment.systemPackages = with pkgs; [ - vim - git # for pulling nix flakes - ]; - - # doing it here opens udp port _and_ installs package - programs.mosh.enable = true; - - # Don't ask for passwords - security.sudo.wheelNeedsPassword = false; - - # Don't use cloud-init - services.cloud-init.network.enable = lib.mkForce false; - networking = { - hostName = cfg.name; - nameservers = ["192.168.0.1"]; - interfaces.${cfg.iface} = { - ipv4.addresses = [{ - address = cfg.ip4; - prefixLength = 24; - }]; + # Enable mDNS for `hostname.local` addresses + services.avahi.enable = true; + 
services.avahi.nssmdns4 = true; + services.avahi.publish = { + enable = true; + addresses = true; }; - defaultGateway = { - address = "192.168.0.1"; - interface = "${cfg.iface}"; + + # Some sane packages we need on every system + environment.systemPackages = with pkgs; [ + vim + git # for pulling nix flakes + ]; + + # doing it here opens udp port _and_ installs package + programs.mosh.enable = true; + + # Don't ask for passwords + security.sudo.wheelNeedsPassword = false; + + # Don't use cloud-init + services.cloud-init.network.enable = lib.mkForce false; + networking = { + hostName = cfg.name; + nameservers = [ "192.168.0.1" ]; + interfaces.${cfg.iface} = { + ipv4.addresses = [ + { + address = cfg.ip4; + prefixLength = 24; + } + ]; + }; + defaultGateway = { + address = "192.168.0.1"; + interface = "${cfg.iface}"; + }; + defaultGateway6 = { + address = "fe80::1"; + interface = "${cfg.iface}"; + }; }; - defaultGateway6 = { - address = "fe80::1"; - interface = "${cfg.iface}"; + + # Enable ssh + services.openssh = { + enable = true; + settings.PasswordAuthentication = false; + settings.KbdInteractiveAuthentication = false; }; + programs.ssh.startAgent = true; + + # Enable prometheus metrics export + networking.firewall.allowedTCPPorts = [ 9100 ]; + services.prometheus.exporters.node = { + enable = true; + port = 9100; + enabledCollectors = [ "systemd" ]; + }; + + # Add an admin user + users.users.admin = { + isNormalUser = true; + description = "Robert Perce"; + extraGroups = [ "wheel" ]; + }; + + users.users.admin.openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFTDd1G3ufe8lCEWMbMN+q83WrrS92+qrI2tOaMtit+q robert@aether" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdReqMvpgCuez7dTeSaMnHU/7gDal6/HH7c8m17M1hb rob@ereshkigal" + ]; + + # Default filesystem + fileSystems."/" = lib.mkDefault { + device = "/dev/disk/by-label/nixos"; + autoResize = true; + fsType = "ext4"; + }; + + fileSystems."/mnt/nfs" = lib.mkDefault { + device = "192.168.0.3:/"; + 
fsType = "nfs"; + }; + + system.stateVersion = lib.mkDefault "24.11"; }; - - # Enable ssh - services.openssh = { - enable = true; - settings.PasswordAuthentication = false; - settings.KbdInteractiveAuthentication = false; - }; - programs.ssh.startAgent = true; - - # Enable prometheus metrics export - networking.firewall.allowedTCPPorts = [ 9100 ]; - services.prometheus.exporters.node = { - enable = true; - port = 9100; - enabledCollectors = ["systemd"]; - }; - - # Add an admin user - users.users.admin = { - isNormalUser = true; - description = "Robert Perce"; - extraGroups = [ "wheel" ]; - }; - - users.users.admin.openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFTDd1G3ufe8lCEWMbMN+q83WrrS92+qrI2tOaMtit+q robert@aether" - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHdReqMvpgCuez7dTeSaMnHU/7gDal6/HH7c8m17M1hb rob@ereshkigal" - ]; - - # Default filesystem - fileSystems."/" = lib.mkDefault { - device = "/dev/disk/by-label/nixos"; - autoResize = true; - fsType = "ext4"; - }; - - fileSystems."/mnt/nfs" = lib.mkDefault { - device = "192.168.0.3:/"; - fsType = "nfs"; - }; - - system.stateVersion = lib.mkDefault "24.11"; - }; } diff --git a/vm-homelab.nix b/vm-homelab.nix index aa2a0e7..8810cbf 100644 --- a/vm-homelab.nix +++ b/vm-homelab.nix @@ -1,5 +1,8 @@ -{ inputs, pkgs, ... }: +{ pkgs, ... }: +let + minidump = pkgs.writeScript "minidump" "exec /run/wrappers/bin/sudo -u postgres /run/current-system/sw/bin/pg_dump miniflux"; +in { imports = [ ./vm-base.nix @@ -87,5 +90,15 @@ mailer.ENABLED = false; }; }; + + services.borgbackup.jobs.miniflux = { + dumpCommand = minidump; + archiveBaseName = null; + encryption.mode = "none"; + environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key"; + repo = "ssh://backup@xalicas/./miniflux"; + compression = "auto,zstd"; + startAt = "daily"; + }; }; }
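Review bot: `pkgs.writeScript "minidump" "exec /run/wrappers/bin/sudo …"` writes the string verbatim, so the resulting file has no `#!` line; it appears to work only because the borg job's bash script falls back to interpreting an ENOEXEC file as shell, and it would fail if `dumpCommand` were ever exec'd directly. `pkgs.writeShellScript "minidump" "exec /run/wrappers/bin/sudo -u postgres /run/current-system/sw/bin/pg_dump miniflux"` prepends the bash shebang and makes the intent explicit. The hard-coded `/run/current-system/sw/bin/pg_dump` also presumes a `pg_dump` in `environment.systemPackages` and may not match the running server's major version; `${config.services.postgresql.package}/bin/pg_dump` would track it, at the cost of adding `config` to the module arguments this hunk trims to `{ pkgs, ... }`.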
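Review bot: `encryption.mode = "none"` in the new `services.borgbackup.jobs.miniflux` stores the full `pg_dump` of the miniflux database — user password hashes and whatever feed or integration credentials the instance holds — as plaintext in a repository on xalicas; the ssh transport protects it in flight but not at rest, and the grafana job in lxc-metrics.nix already ships its database the same way. Unless xalicas's storage is considered as trusted as this VM, `encryption.mode = "repokey-blake2";` with `encryption.passCommand` reading a root-only file is the usual fix; if plaintext is deliberate, say so on the line, e.g. `# unencrypted on purpose: xalicas is in the same trust domain as this VM`. No `prune` settings are declared, so daily archives accumulate indefinitely; `prune.keep = { daily = 7; weekly = 4; monthly = 6; };` would bound that.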