From d8e9c0504226719a131dd7223d00f2d37ba8da8a Mon Sep 17 00:00:00 2001
From: TheWanderingCrow
Date: Fri, 3 Jan 2025 14:47:54 -0500
Subject: [PATCH] lets see if this new vault stuff works out

---
 modules/users/overseer/services.nix | 69 +++++++++++++++++------------
 nix-secrets | 2 +-
 2 files changed, 42 insertions(+), 29 deletions(-)

diff --git a/modules/users/overseer/services.nix b/modules/users/overseer/services.nix
index 60eaa83..4ce51d7 100644
--- a/modules/users/overseer/services.nix
+++ b/modules/users/overseer/services.nix
@@ -7,10 +7,18 @@ in
   pkgs,
   ...
 }: {
+  # Some scafolding for secrets
+  sops = {
+    defaultSopsFile = ../../nix-secrets/secrets/overseer.json;
+    age.keyFile = "/var/lib/sops-nix/key.txt";
+    age.generateKey = true;
+  };
+
   # Create the dirs we need
   systemd.tmpfiles.rules = [
     "d ${volumePath}"
     "d ${volumePath}/vault/data 700 overseer overseer" # Vault says this needs to already exist upon boot
+    "d ${volumePath}/vault/snapshots 700 overseer overseer" # This is where we put snapshots for restic to backup
     "d ${volumePath}/paperless/data 700 overseer overseer"
     "d ${volumePath}/paperless/media 700 overseer overseer"
 
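Review bot: `age.generateKey = true` next to `age.keyFile` means a host without `/var/lib/sops-nix/key.txt` silently mints a fresh age key at activation, and nothing in `overseer.json` will decrypt until that key's public half is added as a recipient and the file is re-encrypted; the `sops = {` block deserves a comment such as `# generateKey only bootstraps a keypair; enrol its public key in .sops.yaml and re-encrypt before relying on the secrets below`. Separately, the tmpfiles rule creates `${volumePath}/vault/data` as `700 overseer overseer`, while the NixOS `services.vault` module enabled later in this commit runs the daemon under its own service user, so unless the module's start-up re-owns `storagePath` the raft backend will likely be unable to write there; worth confirming on first boot. The typo in `# Some scafolding for secrets` should read `scaffolding`.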
@@ -19,34 +27,39 @@ in
     "d ${volumePath}/NPM/letsencrypt 700 overseer overseer"
   ];
 
+  # Define some secrets to use in restic
+  sops.secrets."vault-backup/location" = {};
+  sops.secrets."vault-backup/pass" = {};
   # (Arguably) Most Important Service - backups
   services.restic.backups = {
-    npm = {
+    vault = {
       user = "root";
       timerConfig = {
         OnCalendar = "hourly";
         Persistent = true;
       };
       paths = [
-        "${volumePath}/NPM/data"
-        "${volumePath}/NPM/letsencrypt"
+        "${volumePath}/vault/snapshots"
       ];
+      backupPrepareCommand = "${pkgs.vault}/bin/vault operator raft snapshot save ${volumePath}/vault/snapshots/backup.snap";
+      repositoryFile = config.sops.secrets."vault-backup/location".path;
+      passwordFile = config.sops.secrets."vault-backup/pass".path;
     };
   };
 
   # Vault Service
-  #services.vault = {
-  #  enable = true;
-  #  package = pkgs.vault-bin;
-  #  storageBackend = "raft";
-  #  storagePath = "${volumePath}/vault/data";
-  #  address = "127.0.0.1:8200";
-  #  extraConfig = ''
-  #    ui = true
-  #    api_addr = "http://127.0.0.1:8200"
-  #    cluster_addr = "http://127.0.0.1:8201"
-  #  '';
-  #};
+  services.vault = {
+    enable = true;
+    package = pkgs.vault-bin;
+    storageBackend = "raft";
+    storagePath = "${volumePath}/vault/data";
+    address = "127.0.0.1:8200";
+    extraConfig = ''
+      ui = true
+      api_addr = "http://127.0.0.1:8200"
+      cluster_addr = "http://127.0.0.1:8201"
+    '';
+  };
 
   # Paperless-ngx
   #services.paperless = {
@@ -61,18 +74,18 @@ in
 
   virtualisation.oci-containers.containers = {
     ## NGINX Proxy Manager
-    NPM = {
-      image = "jc21/nginx-proxy-manager:latest";
-      autoStart = true;
-      ports = [
-        "80:80"
-        "443:443"
-        "81:81"
-      ];
-      volumes = [
-        "${volumePath}/NPM/data:/data"
-        "${volumePath}/NPM/letsencrypt:/etc/letsencrypt"
-      ];
-    };
+    #NPM = {
+    #  image = "jc21/nginx-proxy-manager:latest";
+    #  autoStart = true;
+    #  ports = [
+    #    "80:80"
+    #    "443:443"
+    #    "81:81"
+    #  ];
+    #  volumes = [
+    #    "${volumePath}/NPM/data:/data"
+    #    "${volumePath}/NPM/letsencrypt:/etc/letsencrypt"
+    #  ];
+    #};
   };
 }
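Review bot: `backupPrepareCommand` runs `vault operator raft snapshot save` as the backup's `user = "root"` with no `VAULT_ADDR` or `VAULT_TOKEN` in scope, so the CLI will default to `https://127.0.0.1:8200` against the plain-HTTP `api_addr` configured below and, even with the address fixed, has no token with which to call the snapshot endpoint; the hourly job fails at the prepare step and nothing ever lands in `${volumePath}/vault/snapshots`. The restic backup option `environmentFile` is the place to supply both, ideally a sops-managed file holding `VAULT_ADDR=http://127.0.0.1:8200` and a token issued from a policy limited to the `sys/storage/raft/snapshot` path rather than a root token. The prepare command also uses `${pkgs.vault}` while the service sets `package = pkgs.vault-bin`, so client and server can drift apart; referencing `config.services.vault.package` in the command keeps them aligned. Both the `services.restic.backups` and `services.vault` blocks are shown in full within this hunk.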
diff --git a/nix-secrets b/nix-secrets
index a5093d3..d21933c 160000
--- a/nix-secrets
+++ b/nix-secrets
@@ -1 +1 @@
-Subproject commit a5093d3dca30fc8057c647a423c618e5d90f5028
+Subproject commit d21933c3cc8ec3561ea8769362382272c34ceed4