diff --git a/hosts/Parzival-Live/default.nix b/hosts/Parzival-Live/default.nix index 4a59bf0..03f4868 100644 --- a/hosts/Parzival-Live/default.nix +++ b/hosts/Parzival-Live/default.nix @@ -12,7 +12,7 @@ nix.settings.auto-optimise-store = true; - virtualisation.qemu.guestAgent.enable = true; + services.qemuGuest.enable = true; nixpkgs.hostPlatform = "x86_64-linux"; diff --git a/modules/users/overseer/services.nix b/modules/users/overseer/services.nix index 1b5fd1b..2e1a0d0 100644 --- a/modules/users/overseer/services.nix +++ b/modules/users/overseer/services.nix @@ -7,86 +7,87 @@ in config, pkgs, ... - }: lib.mkIf config.user.overseer.enable { - # Some scafolding for secrets - sops = { + }: + lib.mkIf config.user.overseer.enable { + # Some scafolding for secrets + sops = { defaultSopsFile = inputs.nix-secrets.secrets.overseer; age.keyFile = "/var/lib/sops-nix/key.txt"; age.generateKey = true; - }; - - # Create the dirs we need - systemd.tmpfiles.rules = [ - "d ${volumePath}" - "d ${volumePath}/vault/data 700 overseer overseer" # Vault says this needs to already exist upon boot - "d ${volumePath}/vault/snapshots 700 overseer overseer" # This is where we put snapshots for restic to backup - - "d ${volumePath}/paperless/data 700 overseer overseer" - "d ${volumePath}/paperless/media 700 overseer overseer" - - "d ${volumePath}/NPM/data 700 overseer overseer" - "d ${volumePath}/NPM/letsencrypt 700 overseer overseer" - ]; - - # Define some secrets to use in restic - sops.secrets."vault-backup/location" = {}; - sops.secrets."vault-backup/pass" = {}; - # (Arguably) Most Important Service - backups - services.restic.backups = { - vault = { - user = "root"; - timerConfig = { - OnCalendar = "hourly"; - Persistent = true; - }; - paths = [ - "${volumePath}/vault/snapshots" - ]; - backupPrepareCommand = "${pkgs.vault}/bin/vault operator raft snapshot save ${volumePath}/vault/snapshots/backup.snap"; - repositoryFile = config.sops.secrets."vault-backup/location".path; - passwordFile = config.sops.secrets."vault-backup/pass".path; }; - }; - # Vault Service - services.vault = { + # Create the dirs we need + systemd.tmpfiles.rules = [ + "d ${volumePath}" + "d ${volumePath}/vault/data 700 overseer overseer" # Vault says this needs to already exist upon boot + "d ${volumePath}/vault/snapshots 700 overseer overseer" # This is where we put snapshots for restic to backup + + "d ${volumePath}/paperless/data 700 overseer overseer" + "d ${volumePath}/paperless/media 700 overseer overseer" + + "d ${volumePath}/NPM/data 700 overseer overseer" + "d ${volumePath}/NPM/letsencrypt 700 overseer overseer" + ]; + + # Define some secrets to use in restic + sops.secrets."vault-backup/location" = {}; + sops.secrets."vault-backup/pass" = {}; + # (Arguably) Most Important Service - backups + services.restic.backups = { + vault = { + user = "root"; + timerConfig = { + OnCalendar = "hourly"; + Persistent = true; + }; + paths = [ + "${volumePath}/vault/snapshots" + ]; + backupPrepareCommand = "${pkgs.vault}/bin/vault operator raft snapshot save ${volumePath}/vault/snapshots/backup.snap"; + repositoryFile = config.sops.secrets."vault-backup/location".path; + passwordFile = config.sops.secrets."vault-backup/pass".path; + }; + }; + + # Vault Service + services.vault = { enable = true; package = pkgs.vault-bin; storageBackend = "raft"; storagePath = "${volumePath}/vault/data"; address = "127.0.0.1:8200"; extraConfig = '' - ui = true - api_addr = "http://127.0.0.1:8200" - cluster_addr = "http://127.0.0.1:8201" + ui = true + api_addr = "http://127.0.0.1:8200" + cluster_addr = "http://127.0.0.1:8201" ''; - }; + }; - # Paperless-ngx - #services.paperless = { - # enable = true; - # mediaDir = "${volumePath}/paperless/media"; - # dataDir = "${volumePath}/paperless/data"; - #}; - - # OCI services - virtualisation.podman.enable = true; - virtualisation.oci-containers.backend = "podman"; - - virtualisation.oci-containers.containers = { - ## NGINX Proxy Manager - #NPM = { - # image = "jc21/nginx-proxy-manager:latest"; - # autoStart = true; - # ports = [ - # "80:80" - # "443:443" - # "81:81" - # ]; - # volumes = [ - # "${volumePath}/NPM/data:/data" - # "${volumePath}/NPM/letsencrypt:/etc/letsencrypt" - # ]; + # Paperless-ngx + #services.paperless = { + # enable = true; + # mediaDir = "${volumePath}/paperless/media"; + # dataDir = "${volumePath}/paperless/data"; #}; - }; - } + + # OCI services + virtualisation.podman.enable = true; + virtualisation.oci-containers.backend = "podman"; + + virtualisation.oci-containers.containers = { + ## NGINX Proxy Manager + #NPM = { + # image = "jc21/nginx-proxy-manager:latest"; + # autoStart = true; + # ports = [ + # "80:80" + # "443:443" + # "81:81" + # ]; + # volumes = [ + # "${volumePath}/NPM/data:/data" + # "${volumePath}/NPM/letsencrypt:/etc/letsencrypt" + # ]; + #}; + }; + } diff --git a/modules/users/overseer/user.nix b/modules/users/overseer/user.nix index d03f263..545bcbc 100644 --- a/modules/users/overseer/user.nix +++ b/modules/users/overseer/user.nix @@ -8,7 +8,7 @@ initialPassword = "changeme"; extraGroups = ["wheel" "libvirtd"]; openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCBmjkaAWNBQ6NwiK56miuv30pjheNTZfrULRfPRmed" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCBmjkaAWNBQ6NwiK56miuv30pjheNTZfrULRfPRmed" ]; }; }