add backups + fix appservice-irc media proxy

This commit is contained in:
jeltz 2025-04-07 20:24:53 +02:00
parent d672a1d1ee
commit 8129b26c4c
Signed by: jeltz
GPG key ID: 800882B66C0C3326
14 changed files with 214 additions and 8 deletions


@ -17,7 +17,6 @@ let
nodeNixpkgs = { nodeNixpkgs = {
# FIXME discourse est cassé en unstable # FIXME discourse est cassé en unstable
pendragon = nixpkgs2411; pendragon = nixpkgs2411;
martagon = nixpkgs2411;
}; };
in in
{ {
@ -31,10 +30,11 @@ in
# FIXME # FIXME
nixpkgs.config.permittedInsecurePackage = [ "olm-3.2.16" ]; nixpkgs.config.permittedInsecurePackage = [ "olm-3.2.16" ];
defaults = { pkgs, lib, ... }: { defaults = { name, pkgs, lib, ... }: {
imports = [ imports = [
./profiles/sysadmin.nix ./profiles/sysadmin.nix
./profiles/infra.nix ./profiles/infra.nix
./profiles/backups.nix
./profiles/prometheus-node-exporter.nix ./profiles/prometheus-node-exporter.nix
#./profiles/ldap.nix #./profiles/ldap.nix
"${src.agenix}/modules/age.nix" "${src.agenix}/modules/age.nix"
@ -52,6 +52,7 @@ in
networking.nftables.enable = true; networking.nftables.enable = true;
infra.enabled = true; infra.enabled = true;
backups.enable = true;
# Enable system diffs. # Enable system diffs.
system.activationScripts.system-diff = { system.activationScripts.system-diff = {
@ -69,7 +70,7 @@ in
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
}; };
vogon = { ... }: { vogon = { pkgs, ... }: {
deployment.tags = [ "hypervisor" ]; deployment.tags = [ "hypervisor" ];
networking.hostId = "1751e2a7"; networking.hostId = "1751e2a7";

152
profiles/backups.nix Normal file

@ -0,0 +1,152 @@
{ pkgs, config, lib, name, ... }:
let
cfg = config.backups;
secrets = config.age.secrets;
postgresql = config.services.postgresql.package;
additionalPackages = [
pkgs.coreutils
postgresql
pkgs.sudo
pkgs.sqlite
];
remotes = {
memoragon = {
host = "memoragon.infra.federez.net";
user = "borgmatic";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINdqX4I1JyvhC6dySHLnW1IioYk1ZqltFlbDCygozrWx";
path = "./${name}";
};
harpagon = {
host = "harpagon.infra.federez.net";
user = "borgmatic";
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH1qDEAEJZ0qDRUq4yeHar5LKFTtsvHJIt2a54TBB/Lz";
path = "./${name}";
};
};
in
{
options.backups = lib.mkOption {
type = lib.types.submodule {
options = {
enable = lib.mkEnableOption "Sauvegardes";
directories = lib.mkOption {
type = lib.types.listOf lib.types.path;
default = [ ];
description = ''
Répertoires à sauvegarder.
'';
};
# FIXME add user ?
postgresqlDatabases = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
description = ''
Nom des bases de données PostgreSQL à sauvegarder.
'';
};
sqliteDatabases = lib.mkOption {
type = lib.types.attrsOf lib.types.path;
default = { };
description = ''
Chemins des bases de données SQLite à sauvegarder.
'';
};
};
};
description = ''
Configuration des sauvegardes.
'';
};
config = lib.mkIf cfg.enable {
age.secrets.borgmatic-passphrase = {
file = ../secrets/borgmatic-passphrase.age;
};
systemd.services.borgmatic = {
path = additionalPackages;
serviceConfig = {
LoadCredential = "pass:${secrets.borgmatic-passphrase.path}";
ExecStartPre = ''
${lib.getExe' pkgs.borgmatic "borgmatic"} init --encryption repokey
'';
# TODO Remove once all hosts are usign NixOS 25.05+
NoNewPrivileges = false;
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW CAP_SETUID CAP_SETGID";
};
};
environment.systemPackages =
let
# KillMode=process is required to allow the background SSH session
# to persist when FUSE mounting a remote repository
binPath = lib.makeBinPath additionalPackages;
borgmaticWithCreds = pkgs.writeScriptBin "borgmatic-with-creds" ''
#!${pkgs.runtimeShell}
systemd-run --quiet --wait --collect --pipe --pty \
--service-type=exec \
--uid=root --gid=root \
--property=KillMode=none \
--property=LoadCredential=pass:${secrets.borgmatic-passphrase.path} \
--property=Environment=${binPath} \
-- \
${lib.getExe' pkgs.borgmatic "borgmatic"} "$@"
'';
in
[ borgmaticWithCreds ];
services.openssh.knownHosts = lib.mapAttrs
(_: remote: {
hostNames = [ remote.host ];
publicKey = remote.publicKey;
})
remotes;
services.borgmatic = let
version = pkgs.borgmatic.version;
hasCredSupport = builtins.compareVersions version "1.9.10" >= 0;
encryption = if hasCredSupport then
{ encryption_passphrase = "{credential systemd pass}"; }
else
{ encryption_passcommand = "cat \${CREDENTIALS_DIRECTORY}/pass"; };
pgCommand = exe: "${lib.getExe' pkgs.sudo "sudo"} -u postgres ${lib.getExe' postgresql exe}";
in {
enable = true;
# $CREDENTIALS_DIRECTORY does not exist when the config check is run
enableConfigCheck = hasCredSupport;
settings = {
source_directories = cfg.directories;
repositories = lib.mapAttrsToList
(name: remote: {
label = name;
path = "ssh://${remote.user}@${remote.host}/${remote.path}";
})
remotes;
# Required for databases hooks
read_special = true;
# FIXME pertinent de réutiliser celle-là ?
ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
keep_daily = 26;
keep_weekly = 20;
keep_monthly = 12;
# add checks
postgresql_databases = map
(name: {
inherit name;
username = "postgres";
pg_dump_command = if name == "all" then
pgCommand "pg_dumpall"
else
pgCommand "pg_dump";
pg_restore_command = pgCommand "pg_restore";
psql_command = pgCommand "psql";
})
cfg.postgresqlDatabases;
sqlite_databases = lib.mapAttrsToList
(name: path: { inherit name path; })
cfg.sqliteDatabases;
} // encryption;
};
};
}
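Review bot: In `borgmaticWithCreds`, `--property=Environment=${binPath}` hands systemd a bare search path where `Environment=` expects `VAR=value` assignments, so the setting is rejected and `sudo`/`pg_dump`/`sqlite3` (and the bare `cat`/`ssh` used in the settings) are not guaranteed to be on the transient unit's PATH when the wrapper is run by hand; it should read `--property=Environment=PATH=${binPath}` (the comment above it also says `KillMode=process` while the property set is `KillMode=none`). `ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key"`, already marked FIXME, makes the host identity key double as the repository credential; a dedicated per-host key lets the remotes pin it to `borg serve --append-only --restrict-to-repository` so a compromised client cannot prune or delete its own history. The paths given in `sqliteDatabases` sit, in the profiles of this commit, inside a directory that is also in `directories`, so the live database file is copied raw (possibly torn mid-write) next to the consistent dump; `exclude_patterns = lib.attrValues cfg.sqliteDatabases;` beside `sqlite_databases` avoids that. The `# add checks` placeholder leaves `checks` unset, so no repository or archive verification ever runs; `checks = [ { name = "repository"; frequency = "2 weeks"; } { name = "archives"; frequency = "1 month"; } ];` is the usual minimum.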


@ -1,5 +1,6 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.services.discourse;
discourse-shared-edits = pkgs.discourse.mkDiscoursePlugin { discourse-shared-edits = pkgs.discourse.mkDiscoursePlugin {
name = "discourse-shared-edits"; name = "discourse-shared-edits";
src = pkgs.fetchFromGitHub { src = pkgs.fetchFromGitHub {
@ -24,6 +25,11 @@ in
}; };
}; };
backups = {
directories = [ "/var/lib/discourse" ];
postgresqlDatabases = [ cfg.database.name ];
};
services.postgresql.package = pkgs.postgresql_13; services.postgresql.package = pkgs.postgresql_13;
services.discourse = { services.discourse = {


@ -17,6 +17,11 @@ in
gitlab-ldap-password = ../secrets/gitlab-ldap-password.age; gitlab-ldap-password = ../secrets/gitlab-ldap-password.age;
}; };
backups = {
directories = [ cfg.statePath ];
postgresqlDatabases = [ cfg.databaseName ];
};
services.gitlab = { services.gitlab = {
enable = true; enable = true;
databasePasswordFile = secrets.gitlab-db-password.path; databasePasswordFile = secrets.gitlab-db-password.path;
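Review bot: `directories = [ cfg.statePath ]` together with a separate `pg_dump` of `cfg.databaseName` yields two snapshots taken at different moments, and GitLab upstream does not treat a file copy of the repositories plus an independent database dump as a consistent backup; the supported route is `gitlab-rake gitlab:backup:create`, for instance from a borgmatic `before_backup` hook, with the resulting archive added to `source_directories`. If the raw copy is accepted for now, a comment saying so next to the `backups` block saves the next person from re-deriving the trade-off. `cfg` is defined above this hunk.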


@ -51,6 +51,11 @@ in {
}; };
}; };
backups = {
directories = [ cfg.dataDir ];
sqliteDatabases.grafana = cfg.settings.database.path;
};
services.grafana = { services.grafana = {
enable = true; enable = true;
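Review bot: `sqliteDatabases.grafana = cfg.settings.database.path` points, with the module default, inside `cfg.dataDir`, which is also in `directories`, so the live `grafana.db` (plus any `-wal`/`-shm` companions) is copied raw in the same archive that carries the consistent sqlite dump; the raw copy can be torn mid-write and a restore has two candidates to choose from. Either exclude the database path from the directory copy or limit `directories` to the subtrees the dump does not cover (plugins, provisioning data). Whether the path really is under `dataDir` depends on the grafana settings outside this hunk, so worth a quick check.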


@ -5,6 +5,10 @@
... ...
}: }:
let
cfg = config.services.indico;
in
{ {
imports = [ imports = [
../modules/indico.nix ../modules/indico.nix
@ -26,6 +30,11 @@
}; };
}; };
backups = {
directories = [ cfg.stateDir ];
postgresqlDatabases = [ cfg.user ];
};
services.indico = { services.indico = {
enable = true; enable = true;
nginx.domain = "events.federez.net"; nginx.domain = "events.federez.net";
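Review bot: `postgresqlDatabases = [ cfg.user ];` reuses the service user as the database name; that only holds if `../modules/indico.nix` creates the database under exactly that name, otherwise `pg_dump` fails and takes the whole borgmatic run with it. If the module exposes a database-name option, use it; if not, a comment `# database is named after the service user (see modules/indico.nix)` records the coupling for the next reader.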


@ -4,6 +4,8 @@ let
bindPort = cfg.settings.ircService.mediaProxy.bindPort; bindPort = cfg.settings.ircService.mediaProxy.bindPort;
upstreamUrl = "127.0.0.1:${toString bindPort}"; upstreamUrl = "127.0.0.1:${toString bindPort}";
in { in {
backups.directories = [ "/var/lib/matrix-appservice-irc" ];
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
@ -26,7 +28,10 @@ in {
homeserver.url = "https://matrix.federez.net"; homeserver.url = "https://matrix.federez.net";
homeserver.domain = "federez.net"; homeserver.domain = "federez.net";
ircService.mediaProxy.publicUrl = "https://matrix-irc.federez.net/media"; ircService.mediaProxy = {
publicUrl = "https://matrix-irc.federez.net/";
ttlSeconds = 3153600000; # 100 ans
};
ircService.servers."irc.rezosup.org" = { ircService.servers."irc.rezosup.org" = {
name = "RezoSup"; name = "RezoSup";
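Review bot: `ttlSeconds = 3153600000` (a century) switches the media proxy's link expiry off in practice: every proxied URL the bridge hands to IRC becomes a permanent, unauthenticated path to Matrix media, so a link leaked through IRC logs or a paste stays valid for as long as the media exists. If the aim is only to outlive the default TTL, a bounded value (days or weeks) keeps the expiry meaningful; the literal also exceeds 2^31-1, so it is worth confirming the bridge's expiry arithmetic is not 32-bit before relying on it. Dropping the `/media` suffix from `publicUrl` changes the paths the bridge generates; the nginx `location` that proxies `upstreamUrl` sits outside this hunk, so check that it still matches.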


@ -1,5 +1,6 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
let let
cfg = config.services.matrix-synapse;
fqdn = "matrix.federez.net"; fqdn = "matrix.federez.net";
baseUrl = "https://${fqdn}"; baseUrl = "https://${fqdn}";
in { in {
@ -14,6 +15,11 @@ in {
LC_CTYPE = "C"; LC_CTYPE = "C";
''; '';
backups = {
directories = [ cfg.dataDir ];
postgresqlDatabases = [ "matrix-synapse" ];
};
# Surgical operations for various databases. # Surgical operations for various databases.
environment.systemPackages = [ pkgs.matrix-synapse pkgs.sqlite ]; environment.systemPackages = [ pkgs.matrix-synapse pkgs.sqlite ];
services.nginx = { services.nginx = {


@ -1,5 +1,6 @@
{ lib, config, infra, ... }: { lib, config, network, ... }:
let let
cfg = config.services.victoriametrics;
mkScrapeConfig = name: path: port: targets: { mkScrapeConfig = name: path: port: targets: {
job_name = name; job_name = name;
metrics_path = path; metrics_path = path;
@ -17,7 +18,7 @@ let
nodePort = 9100; nodePort = 9100;
vmPort = 8428; vmPort = 8428;
nodesConfig = mkScrapeConfig "node" "/metrics" nodePort nodesConfig = mkScrapeConfig "node" "/metrics" nodePort
(lib.attrsets.mapAttrsToList (n: _: n) infra.nodes); (lib.attrsets.mapAttrsToList (n: _: n) network.infra.nodes);
critical = { severity = "critical"; }; critical = { severity = "critical"; };
warning = { severity = "warning"; }; warning = { severity = "warning"; };
importRules = path: let importRules = path: let
@ -32,6 +33,8 @@ in {
file = ../../secrets/alertbot-matrix-password.age; file = ../../secrets/alertbot-matrix-password.age;
}; };
backups.directories = [ "/var/lib/${cfg.stateDir}" ];
services.alertbot = { services.alertbot = {
enable = true; enable = true;
listenPort = 8081; listenPort = 8081;
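Review bot: `backups.directories = [ "/var/lib/${cfg.stateDir}" ];` copies the VictoriaMetrics storage directory while the process is writing to it; as far as I know upstream only guarantees a restorable state from a snapshot taken through the `/snapshot/create` endpoint, with the resulting `snapshots/<name>` directory being what gets backed up (and `/snapshot/delete` afterwards), which fits a borgmatic `before_backup`/`after_backup` hook pair. If a crash-consistent raw copy is judged good enough here, a comment saying so next to the line would help.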


@ -6,6 +6,8 @@
../pubkeys/jeltz.keys ../pubkeys/jeltz.keys
]; ];
backups.directories = [ "/root" ];
nix.package = lib.mkDefault pkgs.lix; nix.package = lib.mkDefault pkgs.lix;
users.motd = (builtins.readFile ./federez.motd); users.motd = (builtins.readFile ./federez.motd);
@ -49,7 +51,6 @@
"net.ipv4.tcp_fastopen" = 3; "net.ipv4.tcp_fastopen" = 3;
}; };
environment.systemPackages = [ environment.systemPackages = [
pkgs.htop pkgs.htop
pkgs.kitty.terminfo pkgs.kitty.terminfo


@ -1,4 +1,8 @@
{ config, lib, ... }: { { config, lib, ... }: {
backups.sqliteDatabases = {
mautrix-telegram = "/var/lib/mautrix-telegram/mautrix-telegram.db";
};
systemd.services.mautrix-telegram.serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/mautrix-telegram"; systemd.services.mautrix-telegram.serviceConfig.WorkingDirectory = lib.mkForce "/var/lib/mautrix-telegram";
age.secrets.mautrix-telegram.file = ../secrets/mautrix-telegram.age; age.secrets.mautrix-telegram.file = ../secrets/mautrix-telegram.age;
services.mautrix-telegram = { services.mautrix-telegram = {
@ -16,7 +20,7 @@
domain = "federez.net"; domain = "federez.net";
}; };
bridge = { bridge = {
bridge_notices.exceptions = [ "@klingon:federez.net" ]; bridge_notices.exceptions = [ "@alertbot:federez.net" ];
relay_user_distinguishers = [ "🔴" "🟠" "🟡" "🟢" "🔵" "🟣" "🟤" "" "" "🟧" "🟨" "🟩" "🟦" "🟪" "🟫" "" "🔶" "🔷" ]; relay_user_distinguishers = [ "🔴" "🟠" "🟡" "🟢" "🔵" "🟣" "🟤" "" "" "🟧" "🟨" "🟩" "🟦" "🟪" "🟫" "" "🔶" "🔷" ];
displayname_preference = [ displayname_preference = [
"username" "username"


@ -2,6 +2,13 @@
age.secrets.vaultwarden-secrets.file = ../secrets/vaultwarden-secrets.age; age.secrets.vaultwarden-secrets.file = ../secrets/vaultwarden-secrets.age;
networking.firewall.allowedTCPPorts = [ 80 443 ]; networking.firewall.allowedTCPPorts = [ 80 443 ];
backups = {
directories = [ "/var/lib/bitwarden_rs" ];
sqliteDatabases = {
vaultwarden = "/var/lib/bitwarden_rs/db.sqlite3";
};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
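Review bot: `/var/lib/bitwarden_rs/db.sqlite3` lies inside `/var/lib/bitwarden_rs`, which is also listed in `directories`, so the archive carries both a raw copy of the live database (possibly mid-transaction, with `db.sqlite3-wal`/`-shm` alongside) and the sqlite dump, and on restore it is not obvious which one wins. Excluding `db.sqlite3*` from the directory copy, or listing only the non-database subtrees (attachments, sends, icon cache and the signing key files vaultwarden keeps there, if I recall correctly), leaves one authoritative database copy. Those key files are the reason the directory copy is still needed: the dump alone does not bring the instance back.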

Binary file not shown.


@ -27,6 +27,7 @@ let
grafana-admins = active-admins; grafana-admins = active-admins;
alertbot-admins = active-admins; alertbot-admins = active-admins;
gitlab-admins = active-admins; gitlab-admins = active-admins;
backups-admins = active-admins;
servers = [ servers = [
estragon estragon
wagon wagon
@ -62,4 +63,5 @@ in
"gitlab-db-password.age".publicKeys = [ aragon ] ++ gitlab-admins; "gitlab-db-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
"gitlab-initial-root-password.age".publicKeys = [ aragon ] ++ gitlab-admins; "gitlab-initial-root-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
"gitlab-ldap-password.age".publicKeys = [ aragon ] ++ gitlab-admins; "gitlab-ldap-password.age".publicKeys = [ aragon ] ++ gitlab-admins;
"borgmatic-passphrase.age".publicKeys = servers ++ backups-admins;
} }
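Review bot: `"borgmatic-passphrase.age".publicKeys = servers ++ backups-admins;` gives every server the single passphrase that unlocks every other server's `repokey` repository, so one compromised host that can reach memoragon or harpagon can read (and, unless the remotes enforce append-only, prune) all backups. The gitlab entries just above scope each secret to the host that needs it (`[ aragon ] ++ gitlab-admins`); doing the same here — one `borgmatic-passphrase-<host>.age` per server with `publicKeys = [ <host> ] ++ backups-admins`, and the profile reading `../secrets/borgmatic-passphrase-${name}.age` — keeps the blast radius to one host at the cost of one secret per node.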