increase multipart chunk size

backup.nix

@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+
+#necessary prep work:
+# GRANT CONNECT ON DATABASE misskey TO "misskey-backup";
+# GRANT SELECT ON ALL TABLES IN SCHEMA public TO "misskey-backup";
+# GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "misskey-backup";
+#
+# TODO: automate this cause it needs to be done whenever db schema changes
+let
+  user = "misskey-backup";
+  group = user;
+
+  backupConfigFile = "/etc/misskey-backup/conf";
+  s3Cfg = "/etc/misskey-backup/s3cfg";
+in {
+  users.users."${user}" = {
+    isSystemUser = true;
+    inherit group;
+    extraGroups = [ "misskey" "redis-misskey" ];
+  };
+  users.groups."${group}" = { };
+  services.postgresql.ensureUsers = [{ name = user; }];
+
+  systemd.services.misskey-backup = {
+    description = "Misskey backup";
+
+    restartIfChanged = false;
+    unitConfig.X-StopOnRemoval = false;
+
+    serviceConfig.User = user;
+    serviceConfig.Type = "oneshot";
+
+    startAt = "weekly";
+
+    path = with pkgs; [
+      gzip
+      config.services.postgresql.package
+      s3cmd
+      coreutils
+      gnutar
+      age
+    ];
+
+    script = ''
+      ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2"
+      bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?//g')"
+      prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?//g')"
+
+      s3Dir="s3://$bucket/$prefix""misskey-$(date +'%d-%m-%YT%H.%M.%S')"
+      echo "Uploading backups to '$s3Dir'"
+
+      function upload () {
+        name="$1"
+
+        age -r "$ageRecipient" | s3cmd put --config "${s3Cfg}" - "$s3Dir/$name.age" --multipart-chunk-size-mb=100
+      }
+
+      echo "Uploading config"
+      tar -cz -C /srv/misskey/.config . | upload "config.tar.gz"
+
+      echo "Dumping postgres database..."
+      pg_dump misskey | gzip | upload "pg_dump.sql.gz"
+
+      echo "Uploading redis database..."
+      tar -cz -C /var/lib/redis-misskey . | upload "redis.tar.gz"
+
+      echo "Backup complete to '$s3Dir'"
+    '';
+
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    requires = [ "postgresql.service" ];
+  };
+
+  systemd.timers.misskey-backup = { timerConfig.Persistent = true; };
+}

configuration.nix

@@ -5,6 +5,8 @@
     ./heartles-xyz-proxy.nix
     ./ogdo.nix
     ./postfix.nix
+    ./nebula.nix
+    ./backup.nix
   ];
 
   nix.settings = {

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "nixpkgs": {
       "locked": {
-        "lastModified": 1719838683,
+        "lastModified": 1734529975,
-        "narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
+        "narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
+        "rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a",
         "type": "github"
       },
       "original": {
@@ -24,11 +24,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1719848872,
+        "lastModified": 1734424634,
-        "narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
+        "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
+        "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
         "type": "github"
       },
       "original": {

misskey-service.nix

@@ -142,11 +142,17 @@ in {
         rewrite .* $path_full break;
         proxy_pass https://s3.us-west-1.wasabisys.com;
       '';
+
+      locations."/localfiles/" = {
+        root = "/srv/www";
+        tryFiles = "$uri =404";
+      };
     };
 
     virtualHosts."egirls.gay" = {
       inherit listen;
 
+      default = true;
       forceSSL = true;
       useACMEHost = "egirls.gay";
       locations."/" = {
@@ -192,7 +198,7 @@ in {
   #
   # pnpm2nix does not work due to misskey using workspaces
   environment.systemPackages =
-    [ nodejs nodePackages.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
+    [ nodejs pkgs.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
   environment.sessionVariables = {
     CYPRESS_INSTALL_BINARY = "0";
     CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";

nebula.nix

@@ -0,0 +1,26 @@
+{ pkgs, lib, ... }:
+
+{
+  environment.systemPackages = [ pkgs.nebula ];
+  services.nebula.networks.home = {
+    enable = true;
+    isLighthouse = true;
+    cert = "/var/lib/nebula/node.crt";
+    key = "/var/lib/nebula/node.key";
+    ca = "/var/lib/nebula/ca.crt";
+
+    firewall.inbound = [{
+      host = "any";
+      port = "any";
+      proto = "any";
+    }];
+    firewall.outbound = [{
+      host = "any";
+      port = "any";
+      proto = "any";
+    }];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 4242 ];
+  networking.firewall.allowedUDPPorts = [ 4242 ];
+}

ogdo.nix

@@ -4,7 +4,7 @@
     enable = true;
 
     # ꙮ.run
-    virtualHosts."xn--xx8a.run" = {
+    virtualHosts = let
       listen = [
         {
           addr = "0.0.0.0";
@@ -15,9 +15,21 @@
           addr = "[::]";
         }
         # deliberately avoid listening with https
+        {
+          addr = "0.0.0.0";
+          port = 443;
+          ssl = true;
+        }
+        {
+          port = 443;
+          ssl = true;
+          addr = "[::]";
+        }
       ];
-
       rejectSSL = true;
+    in {
+      "xn--xx8a.run" = {
+        inherit listen rejectSSL;
         root = "/srv/ogdo";
 
         extraConfig = ''
@@ -36,21 +48,15 @@
         };
       };
 
-    virtualHosts."ogdo.run" = {
+      "ogdo.run" = {
-      listen = [
+        inherit listen rejectSSL;
-        {
-          addr = "0.0.0.0";
-          port = 80;
-        }
-        {
-          port = 80;
-          addr = "[::]";
-        }
-      ];
-
-      rejectSSL = true;
-
         locations."/".return = "301 http://xn--xx8a.run$request_uri";
       };
+
+      "ꙮ.run" = {
+        inherit listen rejectSSL;
+        locations."/".return = "301 http://ogdo.run$request_uri";
+      };
+    };
   };
 }