zaatar died, move hass and restic to tahina

2026-03-21 12:21:08 +01:00 · 2024-07-07 14:03:52 +02:00
parent 9f6d1c3dc6
commit 6d16b93530
8 changed files with 48 additions and 49 deletions
--- a/systems/tahina/atuin.nix
+++ b/systems/tahina/atuin.nix
@@ -0,0 +1,16 @@
+{pkgs, ...}: {
+  services.postgresqlBackup = {
+    enable = true;
+    databases = ["atuin"];
+  };
+
+  services.postgresql.package = pkgs.postgresql_14;
+
+  services.atuin = {
+    host = "0.0.0.0";
+    openFirewall = true;
+    openRegistration = true;
+    port = 8888;
+    enable = true;
+  };
+}
--- a/systems/tahina/backup.nix
+++ b/systems/tahina/backup.nix
@@ -0,0 +1,61 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  niveumLib = import ../../lib;
+  inherit (niveumLib) retiolumAddresses restic;
+  firewall = niveumLib.firewall lib;
+  dataDir = "/backup/restic";
+in {
+  services.restic.server = {
+    enable = true;
+    appendOnly = true;
+    inherit dataDir;
+    prometheus = true;
+    extraFlags = ["--no-auth"]; # auth is done via firewall
+    listenAddress = toString restic.port;
+  };
+
+  environment.systemPackages = [
+    (pkgs.writers.writeDashBin "restic-niveum" ''
+      exec ${pkgs.util-linux}/bin/runuser -u restic -g restic -- ${pkgs.restic}/bin/restic -r ${toString dataDir} -p ${config.age.secrets.restic.path} "$@"
+    '')
+  ];
+
+  fileSystems."/backup" = {
+    device = "/dev/disk/by-id/ata-WDC_WD10JPVX-22JC3T0_WD-WXD1E5510MKW";
+    fsType = "ext4";
+  };
+
+  networking.firewall = let
+    dport = restic.port;
+    protocol = "tcp";
+    rules = [
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.kabsa.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.manakish.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.makanek.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.fatteh.ipv4;
+      })
+      (firewall.accept {
+        inherit dport protocol;
+        source = retiolumAddresses.ful.ipv4;
+      })
+    ];
+  in {
+    extraCommands = firewall.addRules rules;
+    extraStopCommands = firewall.removeRules rules;
+  };
+}
--- a/systems/tahina/configuration.nix
+++ b/systems/tahina/configuration.nix
@@ -3,15 +3,22 @@
  pkgs,
  ...
 }: let
-  inherit (import ../../lib) retiolumAddresses;
+  inherit (import ../../lib) retiolumAddresses restic;
 in {
  imports = [
    ./hardware-configuration.nix
+    ./home-assistant.nix
+    ./backup.nix
+    ./atuin.nix
    ../../configs/spacetime.nix
    ../../configs/sshd.nix
+    ../../configs/printing.nix
+    ../../configs/monitoring.nix
+    ../../configs/tmux.nix
    ../../configs/retiolum.nix
    ../../configs/nix.nix
    ../../configs/admin-essentials.nix
+    ../../configs/wpa_supplicant.nix
  ];

  age.secrets = {
@@ -27,47 +34,40 @@ in {
      owner = "tinc-retiolum";
      group = "tinc-retiolum";
    };
-  };
-
-  console.keyMap = "de";
-  i18n.defaultLocale = "de_DE.UTF-8";
-  services.xserver = {
-    layout = "de";
-    libinput.enable = true;
-  };
-
-  users.users.xenos = {
-    name = "xenos";
-    password = "xenos";
-    isNormalUser = true;
-    extraGroups = ["networkmanager"];
-  };
-
-  services.xserver = {
-    enable = true;
-    desktopManager.pantheon.enable = true;
-    displayManager = {
-      lightdm = {
-        enable = true;
-        greeters.pantheon.enable = true;
-      };
-      autoLogin = {
-        enable = true;
-        user = "xenos";
-      };
+    restic = {
+      file = ../../secrets/restic.age;
+      mode = "400";
+      owner = "restic";
+      group = "restic";
    };
  };
-  boot.plymouth.enable = true;

-  environment.systemPackages = [
-    pkgs.libreoffice
-    pkgs.gimp
-    pkgs.inkscape
-    pkgs.firefox
-    pkgs.audacity
-    pkgs.pidgin
-    pkgs.git
-  ];
+  services.restic.backups.niveum = {
+    initialize = true;
+    inherit (restic) repository;
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "1h";
+    };
+    passwordFile = config.age.secrets.restic.path;
+    paths = [
+      "/var/lib/moodle-dl"
+      "/var/lib/containers/storage/volumes/home-assistant"
+      config.services.postgresqlBackup.location
+    ];
+  };
+
+  services.logind = {
+    lidSwitch = "ignore";
+    lidSwitchDocked = "ignore";
+    lidSwitchExternalPower = "ignore";
+    suspendKey = "ignore";
+    suspendKeyLongPress = "ignore";
+    hibernateKey = "ignore";
+    hibernateKeyLongPress = "ignore";
+  };
+
+  services.illum.enable = true;

  networking = {
    useDHCP = false;
--- a/systems/tahina/home-assistant.nix
+++ b/systems/tahina/home-assistant.nix
@@ -0,0 +1,39 @@
+{config, ...}: let
+  port = 8123;
+  inherit (import ../../lib) restic;
+  volumeName = "home-assistant";
+in {
+  networking.firewall.allowedTCPPorts = [port];
+
+  services.nginx.virtualHosts."home.kmein.r" = {
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+    };
+  };
+
+  services.restic.backups.niveum = {
+    initialize = true;
+    inherit (restic) repository;
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "1h";
+    };
+    passwordFile = config.age.secrets.restic.path;
+    paths = [
+      "/var/lib/containers/storage/volumes/${volumeName}"
+    ];
+  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.homeassistant = {
+      volumes = ["${volumeName}:/config"];
+      environment.TZ = "Europe/Berlin";
+      image = "ghcr.io/home-assistant/home-assistant:stable";
+      extraOptions = [
+        "--network=host"
+        "--device=/dev/ttyACM0:/dev/ttyACM0" # Example, change this to match your own hardware
+      ];
+    };
+  };
+}