From 6d54aec60c95dee8af6b1e1c43549c00a153527d Mon Sep 17 00:00:00 2001
From: Dennis <52411861+DerDennisOP@users.noreply.github.com>
Date: Tue, 30 Jan 2024 18:37:13 +0100
Subject: [PATCH] add dynamic system generation (#46)

---
flake.lock | 24 +++----
flake.nix | 44 ++++--------
modules/backup.nix | 90 ++++++++++++++++---------
systems/jeeves-jr/default.nix | 8 +++
systems/palatine-hill/default.nix | 8 +++
systems/programs.nix | 1 +
users/alice/systems/testtop/default.nix | 5 ++
7 files changed, 105 insertions(+), 75 deletions(-)
create mode 100644 systems/jeeves-jr/default.nix
create mode 100644 systems/palatine-hill/default.nix
create mode 100644 users/alice/systems/testtop/default.nix

diff --git a/flake.lock b/flake.lock
index 4e9da08..99d2767 100644
--- a/flake.lock
+++ b/flake.lock
@@ -59,11 +59,11 @@
 ]
 },
 "locked": {
- "lastModified": 1706221476,
- "narHash": "sha256-T4b8YafVjHXvtDY8ARec1WrXO8uyyNZOpNgv9yoQy2M=",
+ "lastModified": 1706473109,
+ "narHash": "sha256-iyuAvpKTsq2u23Cr07RcV5XlfKExrG8gRpF75hf1uVc=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "c7ce343d9bf1a329056a4dd5b32ea8cc43b55e15",
+ "rev": "d634c3abafa454551f2083b054cd95c3f287be61",
 "type": "github"
 },
 "original": {
@@ -152,11 +152,11 @@
 ]
 },
 "locked": {
- "lastModified": 1705314364,
- "narHash": "sha256-MtYY3Labc/Sc1UtULrum3GKJ1H5ClrY9GyvNeVSxkEA=",
+ "lastModified": 1706608774,
+ "narHash": "sha256-kbMofnGXCRPInXWm7UAfMYcvIAuHIZO0vBytNhWt+nc=",
 "owner": "SuperSandro2000",
 "repo": "nixos-modules",
- "rev": "03ebaa1bcbac8daa6709beccb43312806e9173fc",
+ "rev": "2dae76c258451a2c98e3dee5d1144f5061878e2a",
 "type": "github"
 },
 "original": {
@@ -167,11 +167,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1705856552,
- "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=",
+ "lastModified": 1706371002,
+ "narHash": "sha256-dwuorKimqSYgyu8Cw6ncKhyQjUDOyuXoxDTVmAXq88s=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d",
+ "rev": "c002c6aa977ad22c60398daaa9be52f2203d0006",
 "type": "github"
 },
 "original": {
@@ -204,11 +204,11 @@
 ]
 },
 "locked": {
- "lastModified": 1706130372,
- "narHash": "sha256-fHZxKH1DhsXPP36a2vJ91Zy6S+q6+QRIFlpLr9fZHU8=",
+ "lastModified": 1706410821,
+ "narHash": "sha256-iCfXspqUOPLwRobqQNAQeKzprEyVowLMn17QaRPQc+M=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "4606d9b1595e42ffd9b75b9e69667708c70b1d68",
+ "rev": "73bf36912e31a6b21af6e0f39218e067283c67ef",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index a95270c..1f9b830 100644
--- a/flake.nix
+++ b/flake.nix
@@ -143,47 +143,27 @@ ++ map (user: { home-manager.users.${user} = import ./users/${user}/home.nix; }) users; }; in - { - jeeves-jr = constructSystem { - hostname = "jeeves-jr"; - users = [ - "alice" - "dennis" - "richie" - ]; - }; - - palatine-hill = constructSystem { - hostname = "palatine-hill"; - users = [ - "alice" - "dennis" - "richie" - ]; - }; - - photon = constructSystem { - hostname = "photon"; - users = [ - "alice" - "dennis" - "richie" - ]; - }; - } // (builtins.listToAttrs (builtins.concatMap + (builtins.listToAttrs (map + (system: { + name = system; + value = constructSystem { hostname = system; } // (import ./systems/${system} { }); + }) + (lsdir "systems"))) // + (builtins.listToAttrs (builtins.concatMap (user: map - (system: { + (system: rec { name = "${user}.${system}"; + cfg = import ./users/${user}/systems/${system} { }; value = lib.nixosSystem { - system = "x86_64-linux"; + system = cfg.system ? "x86_64-linux"; modules = [ nixos-modules.nixosModule - home-manager.nixosModules.home-manager sops-nix.nixosModules.sops ./users/${user}/systems/${system}/configuration.nix ./users/${user}/systems/${system}/hardware.nix { config.networking.hostName = "${system}"; } - ] ++ fileList "modules"; + ] ++ fileList "modules" + ++ lib.optional (cfg.home-manager ? false) home-manager.nixosModules.home-manager; }; }) (lsdir "users/${user}/systems")) diff --git a/modules/backup.nix b/modules/backup.nix index d976e62..2642a28 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -7,6 +7,12 @@ in options.services.backup = { enable = lib.mkEnableOption "backup"; + offsite = lib.mkOption { + type = with lib.types; listOf str; + default = [ ]; + description = "Offsite backup hostnames."; + }; + paths = lib.mkOption { type = with lib.types; listOf str; default = [ ]; 
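Review bot: In the new systems block, `constructSystem { hostname = system; } // (import ./systems/${system} { })` applies `//` to the result of constructSystem, so the `users` list read from systems/<host>/default.nix is merged onto the already-built system instead of being passed in; constructSystem's definition is outside the hunk, so depending on whether `users` has a default this either fails to evaluate or silently drops every home-manager user configuration that the visible `++ map (user: …) users` line wires up. The intended form is `value = constructSystem ({ hostname = system; } // import ./systems/${system} { });`. Two further lines use `?` where `or` is meant: `?` is Nix's has-attribute test and yields a boolean, so `system = cfg.system ? "x86_64-linux";` sets `system` to `false` and `lib.optional (cfg.home-manager ? false) …` never adds the home-manager module; change them to `system = cfg.system or "x86_64-linux";` and `lib.optional (cfg.home-manager or false) home-manager.nixosModules.home-manager`. `cfg = import ./users/${user}/systems/${system} { };` also demands a default.nix in every user system directory while this commit creates only users/alice/systems/testtop/default.nix, so guard it, e.g. `cfg = lib.optionalAttrs (builtins.pathExists ./users/${user}/systems/${system}/default.nix) (import ./users/${user}/systems/${system} { });`. Finally, the removed `photon` entry has no systems/photon/default.nix in this commit, so that host disappears from the flake outputs unless the directory already exists.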
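Review bot: The new `offsite` option is typed `listOf str` and described as hostnames, but nowhere in this patch are its elements read; the later hunks only test `cfg.offsite != [ ]`, and the sftp target stays the fixed `offsite` alias from the sops-managed SSH config. Either iterate the list (one restic backup per host) or make the type match the use, e.g. `offsite = lib.mkEnableOption "offsite backup to the 'offsite' host of the sops-managed SSH config";`. At minimum the description should state the actual semantics: `description = "Offsite backup hostnames (currently only tested for non-emptiness; the target is the 'offsite' SSH host alias).";`. The options block continues past the hunk.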
@@ -18,19 +24,31 @@ in default = [ ]; description = "Extra paths to exclude in backup."; }; + + backup_at = lib.mkOption { + type = lib.types.int; + default = 2; + description = "Time to run backup."; + }; }; config = { - assertions = [{ - assertion = cfg.paths != [ ] -> cfg.enable; - message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!"; - }]; + assertions = [ + { + assertion = cfg.paths != [ ] -> cfg.enable; + message = "Configuring backup services.backup.paths without enabling services.backup.enable is useless!"; + } + { + assertion = cfg.backup_at < 24; + message = "Backup time must be less than 24 hours!"; + } + ]; services = { postgresqlBackup = { inherit (config.services.postgresql) enable; backupAll = true; - startAt = "*-*-* 04:00:00"; + startAt = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:00:00"; }; restic.backups = @@ -39,6 +57,7 @@ in extraBackupArgs = [ "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" ]; + initialize = true; passwordFile = config.sops.secrets."restic/password".path; paths = [ @@ -46,6 +65,8 @@ in "/etc/machine-id" "/etc/passwd" "/etc/shadow" + "/etc/ssh/ssh_host_ecdsa_key" + "/etc/ssh/ssh_host_ecdsa_key.pub" "/etc/ssh/ssh_host_ed25519_key" "/etc/ssh/ssh_host_ed25519_key.pub" "/etc/ssh/ssh_host_rsa_key" 
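Review bot: `backup_at` is an unbounded `lib.types.int` and the new assertion only checks `< 24`, so a negative value passes and `lib.fixedWidthString 2 "0" (toString cfg.backup_at)` then yields an invalid hour in both `startAt` and `OnCalendar` (e.g. `-1:00:00`) that systemd rejects when loading the timer. Use the range type instead: `type = lib.types.ints.between 0 23;`, after which the `< 24` assertion is redundant and can be dropped. The description should also say what the integer means, since the hunk shows it feeding the hour field of both timers: `description = "Hour of day (0-23, local time) at which backups run; PostgreSQL dumps start at :00, restic at :30.";`. The `config` attrset opened here continues past the hunk.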
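Review bot: `initialize = true;` is placed in `commonOpts`, so it also applies to the sftp offsite job, where a mistyped remote path or a re-provisioned remote silently creates a fresh, empty repository and the unit reports success instead of surfacing the problem. Keep auto-initialisation for the on-host repository only by moving `initialize = true;` out of `commonOpts` into the `local` attrset defined later in this file. `commonOpts` begins before and ends after this hunk.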
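Review bot: The two added `/etc/ssh/ssh_host_ecdsa_key*` paths only exist on hosts whose `services.openssh.hostKeys` generates an ECDSA key, which nothing on the page configures; as far as I recall restic treats a missing source path as an unreadable file and exits non-zero (status 3), so every backup unit on such hosts would be marked failed. Rather than hard-coding key types, derive the list from the option that defines them: `++ lib.concatMap (k: [ k.path "${k.path}.pub" ]) config.services.openssh.hostKeys` in place of the six literal `/etc/ssh/ssh_host_*` entries. That also keeps the backup in step when a key type is added or removed. The `paths` list starts before and ends after this hunk.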
@@ -55,53 +76,59 @@ in "/var/lib/nixos/" ] ++ cfg.paths ++ lib.optional config.services.postgresql.enable "/var/backup/postgresql/" + ++ lib.optional config.services.mysql.enable "/var/lib/mysql/" ++ lib.optional (config.security.acme.certs != { }) "/var/lib/acme/" - ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/"; + ++ lib.optional config.security.dhparams.enable "/var/lib/dhparams/" + ++ lib.optional config.mailserver.enable config.mailserver.mailDirectory; + pruneOpts = [ "--group-by host" "--keep-daily 7" "--keep-weekly 4" "--keep-monthly 12" ]; + timerConfig = { - OnCalendar = "*-*-* 04:30:00"; + OnCalendar = "*-*-* ${lib.fixedWidthString 2 "0" (toString cfg.backup_at)}:30:00"; RandomizedDelaySec = "5m"; }; }; in lib.mkIf cfg.enable { - server9 = commonOpts // { - repositoryFile = config.sops.secrets."restic/repositories/server9".path; + local = commonOpts // { + repository = "/var/backup"; }; - offsite = commonOpts // { + + offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; }; }; }; - sops.secrets = lib.mkIf cfg.enable { - "restic/offsite/private" = { - owner = "root"; - path = "/root/.ssh/id_offsite-backup"; - sopsFile = ./backup.yaml; - }; - "restic/offsite/public" = { - owner = "root"; - path = "/root/.ssh/id_offsite-backup.pub"; - sopsFile = ./backup.yaml; - }; - "restic/offsite/ssh-config" = { - owner = "root"; - path = "/root/.ssh/config"; - sopsFile = ./backup.yaml; - }; + sops.secrets = lib.mkIf (cfg.enable && cfg.offsite != [ ]) + { + "restic/offsite/private" = { + owner = "root"; + path = "/root/.ssh/id_offsite-backup"; + sopsFile = ./backup.yaml; + }; - # relies on defaultSopsFile + "restic/offsite/public" = { + owner = "root"; + path = "/root/.ssh/id_offsite-backup.pub"; + sopsFile = ./backup.yaml; + }; + + "restic/offsite/ssh-config" = { + owner = "root"; + path = "/root/.ssh/config"; + sopsFile = ./backup.yaml; + }; + } // lib.mkIf cfg.enable { 
"restic/password".owner = "root"; - "restic/repositories/server9".owner = "root"; }; - system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf cfg.enable '' + system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf (cfg.enable && cfg.offsite != [ ]) '' echo "Linking restic ssh config..." mkdir -m700 -p /home/root/.ssh/ ln -fs {,/home}/root/.ssh/id_offsite-backup @@ -111,9 +138,10 @@ in systemd = lib.mkIf cfg.enable { services = { - restic-backups-server9.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; - restic-backups-offsite.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; + restic-backups-local.serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; + restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) "RESTIC_PROGRESS_FPS=0.016666"; }; + timers = lib.mkIf config.services.postgresqlBackup.enable { postgresqlBackup.timerConfig.RandomizedDelaySec = "5m"; }; diff --git a/systems/jeeves-jr/default.nix b/systems/jeeves-jr/default.nix new file mode 100644 index 0000000..340dfca --- /dev/null +++ b/systems/jeeves-jr/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + users = [ + "alice" + "dennis" + "richie" + ]; +} diff --git a/systems/palatine-hill/default.nix b/systems/palatine-hill/default.nix new file mode 100644 index 0000000..340dfca --- /dev/null +++ b/systems/palatine-hill/default.nix @@ -0,0 +1,8 @@ +{ ... }: +{ + users = [ + "alice" + "dennis" + "richie" + ]; +} diff --git a/systems/programs.nix b/systems/programs.nix index b96912e..51e4322 100644 --- a/systems/programs.nix +++ b/systems/programs.nix @@ -34,6 +34,7 @@ unzip ventoy wget + zip zoxide zsh-nix-shell ]; diff --git a/users/alice/systems/testtop/default.nix b/users/alice/systems/testtop/default.nix new file mode 100644 index 0000000..06627e5 --- /dev/null +++ b/users/alice/systems/testtop/default.nix @@ -0,0 +1,5 @@ +{ ... }: +{ + system = "x86_64-linux"; + home-manager = true; +}
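Review bot: The rewritten `sops.secrets` joins two `lib.mkIf` results with `//`; since `mkIf` returns an attrset `{ _type; condition; content; }`, the right operand overwrites all three keys and the whole offsite block (`restic/offsite/private`, `restic/offsite/public`, `restic/offsite/ssh-config`) is discarded unconditionally, so the offsite job can never authenticate even when `cfg.offsite` is set. The same precedence problem affects `offsite = lib.mkIf (cfg.offsite != [ ]) commonOpts // { repository = …; }`: function application binds tighter than `//`, so `repository` lands on the `if` wrapper rather than on `commonOpts`, the module system drops it when discharging the `if`, and the restic module is left with a backup that has no repository. Both need `lib.mkMerge` or parentheses as shown below; the enclosing `config` attrset starts before this hunk and `commonOpts` begins above it as well.
```nix
offsite = lib.mkIf (cfg.offsite != [ ]) (commonOpts // {
  repository = "sftp://offsite/${config.networking.hostName}";
});
# … unchanged: closing of restic.backups and services …
sops.secrets = lib.mkMerge [
  (lib.mkIf (cfg.enable && cfg.offsite != [ ]) {
    # … unchanged: restic/offsite/private, restic/offsite/public, restic/offsite/ssh-config …
  })
  (lib.mkIf cfg.enable {
    "restic/password".owner = "root";
  })
];
```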
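Review bot: `restic-backups-offsite.serviceConfig.Environment = lib.mkIf (cfg.offsite != [ ]) …` keeps the `restic-backups-offsite` entry in `systemd.services` even when the condition is false, because only the innermost value is conditional; as far as I can tell the module system then still emits a `restic-backups-offsite.service` unit with no ExecStart on hosts without offsite backup, which systemd refuses to load. Move the condition up to the service entry: `restic-backups-offsite = lib.mkIf (cfg.offsite != [ ]) { serviceConfig.Environment = "RESTIC_PROGRESS_FPS=0.016666"; };`. The `systemd` attrset continues past the hunk.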