Compare commits


34 commits

Author SHA1 Message Date
d734274b8a increase multipart chunk size 2024-12-29 18:48:16 -05:00
a112972009 add gnutar to path 2024-12-29 18:38:11 -05:00
4fac3bcb0c fix User declaration 2024-12-29 18:37:38 -05:00
975199d535 fix sed command 2024-12-29 18:34:53 -05:00
87eaff16c4 add backup user to groups 2024-12-29 18:32:53 -05:00
374fb3a756 use systemd timer 2024-12-29 18:29:03 -05:00
b814af9ac3 fix shellcheck 3 2024-12-25 15:48:17 -05:00
d5b92c037f fix shellcheck 2 2024-12-25 15:46:58 -05:00
037257b5e2 fix shellcheck 2024-12-25 15:45:39 -05:00
aa193bf423 encrypt backups 2024-12-25 15:41:55 -05:00
9606a755d0 take config file via cmd line 2024-12-25 15:35:47 -05:00
24094cad31 use bash function to upload 2024-12-25 15:33:20 -05:00
983f47440f use object storage directory instead of tar 2024-12-25 15:28:15 -05:00
3aff383a2c backup redis db and config dir 2024-12-25 00:40:24 -05:00
67c1f553fb better escape prefix 2024-12-19 22:49:47 -05:00
652c1b5778 change config file location 2024-12-19 22:40:52 -05:00
336b840fcd ignore shellcheck warning 2024-12-19 22:33:47 -05:00
72a4be3c5d flake update 2024-12-19 22:25:03 -05:00
aff2d5ab64 add backup job 2024-12-19 22:25:03 -05:00
6bb66f3e21 listen for ssl connections to reject 2024-10-10 01:43:48 -04:00
17aa3246df intermediate redirect to ogdo.run 2024-10-10 01:27:26 -04:00
da6919a997 add ꙮ.run check 2024-10-10 01:24:18 -04:00
dd41dfb7d9 flake update 2024-10-10 01:23:38 -04:00
a0fb0388c8 switch to pnpm package 2024-09-22 18:49:31 -04:00
e86c411aca flake update 2024-09-22 18:49:00 -04:00
1cb4864c7c open nebula firewall 2024-08-07 20:04:43 -07:00
096d89956e open firewall ports 2024-08-07 19:58:23 -07:00
24b4fa2c8e move nebula certs 2024-08-07 18:27:29 -07:00
13642fbbab add nebula 2024-08-07 18:23:56 -07:00
cc26134518 flake update 2024-08-07 18:23:01 -07:00
7d6c9faba2 flake update 2024-08-03 01:38:19 -07:00
a055679544 Make egirls.gay the default 2024-08-03 01:37:36 -07:00
dfc43c0ed4 serve local files 2024-07-30 21:10:35 -07:00
316bd3e9a2 flake update 2024-07-30 20:49:46 -07:00
6 changed files with 151 additions and 35 deletions

76
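--- a/backup.nix
+++ b/backup.nix
@@ -0,0 +1,76 @@
+{ config, pkgs, ... }:
+#necessary prep work:
+# GRANT CONNECT ON DATABASE misskey TO "misskey-backup";
+# GRANT SELECT ON ALL TABLES IN SCHEMA public TO "misskey-backup";
+# GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "misskey-backup";
+#
+# TODO: automate this cause it needs to be done whenever db schema changes
+let
+user = "misskey-backup";
+group = user;
+backupConfigFile = "/etc/misskey-backup/conf";
+s3Cfg = "/etc/misskey-backup/s3cfg";
+in {
+users.users."${user}" = {
+isSystemUser = true;
+inherit group;
+extraGroups = [ "misskey" "redis-misskey" ];
+};
+users.groups."${group}" = { };
+services.postgresql.ensureUsers = [{ name = user; }];
+systemd.services.misskey-backup = {
+description = "Misskey backup";
+restartIfChanged = false;
+unitConfig.X-StopOnRemoval = false;
+serviceConfig.User = user;
+serviceConfig.Type = "oneshot";
+startAt = "weekly";
+path = with pkgs; [
+gzip
+config.services.postgresql.package
+s3cmd
+coreutils
+gnutar
+age
+];
+script = ''
+ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2"
+bucket="$(grep 'bucket=' < "${backupConfigFile}" | sed 's/bucket \?= \?//g')"
+prefix="$(grep 'prefix=' < "${backupConfigFile}" | sed 's/prefix \?= \?//g')"
+s3Dir="s3://$bucket/$prefix""misskey-$(date +'%d-%m-%YT%H.%M.%S')"
+echo "Uploading backups to '$s3Dir'"
+function upload () {
+name="$1"
+age -r "$ageRecipient" | s3cmd put --config "${s3Cfg}" - "$s3Dir/$name.age" --multipart-chunk-size-mb=100
+}
+echo "Uploading config"
+tar -cz -C /srv/misskey/.config . | upload "config.tar.gz"
+echo "Dumping postgres database..."
+pg_dump misskey | gzip | upload "pg_dump.sql.gz"
+echo "Uploading redis database..."
+tar -cz -C /var/lib/redis-misskey . | upload "redis.tar.gz"
+echo "Backup complete to '$s3Dir'"
+'';
+after = [ "network-online.target" ];
+wants = [ "network-online.target" ];
+requires = [ "postgresql.service" ];
+};
+systemd.timers.misskey-backup = { timerConfig.Persistent = true; };
+}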
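Review bot: Each pipeline in `script` (`tar … | upload`, `pg_dump misskey | gzip | upload`, and `age … | s3cmd put` inside `upload`) takes its exit status from the last command, so a `pg_dump`, `tar` or `age` that fails part-way can still leave an object in the bucket while the unit finishes as successful. The header TODO says the SELECT grants go stale whenever the schema changes, which is the case where `pg_dump` would abort on a table it cannot read. Put `set -o pipefail` at the top of `script` so a failing producer fails the oneshot and shows up in the unit status. On PostgreSQL 14 or later, `GRANT pg_read_all_data TO "misskey-backup";` would replace the manual SELECT grants and cover the TODO; confirm the server version first.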


@ -5,6 +5,8 @@
./heartles-xyz-proxy.nix ./heartles-xyz-proxy.nix
./ogdo.nix ./ogdo.nix
./postfix.nix ./postfix.nix
./nebula.nix
./backup.nix
]; ];
nix.settings = { nix.settings = {


@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1719838683, "lastModified": 1734529975,
"narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=", "narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69", "rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -24,11 +24,11 @@
}, },
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1719848872, "lastModified": 1734424634,
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=", "narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8", "rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -142,11 +142,17 @@ in {
rewrite .* $path_full break; rewrite .* $path_full break;
proxy_pass https://s3.us-west-1.wasabisys.com; proxy_pass https://s3.us-west-1.wasabisys.com;
''; '';
locations."/localfiles/" = {
root = "/srv/www";
tryFiles = "$uri =404";
};
}; };
virtualHosts."egirls.gay" = { virtualHosts."egirls.gay" = {
inherit listen; inherit listen;
default = true;
forceSSL = true; forceSSL = true;
useACMEHost = "egirls.gay"; useACMEHost = "egirls.gay";
locations."/" = { locations."/" = {
@ -192,7 +198,7 @@ in {
# #
# pnpm2nix does not work due to misskey using workspaces # pnpm2nix does not work due to misskey using workspaces
environment.systemPackages = environment.systemPackages =
[ nodejs nodePackages.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ]; [ nodejs pkgs.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
environment.sessionVariables = { environment.sessionVariables = {
CYPRESS_INSTALL_BINARY = "0"; CYPRESS_INSTALL_BINARY = "0";
CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress"; CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";
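Review bot: `default = true;` on `virtualHosts."egirls.gay"` makes the Misskey vhost the catch-all for its `listen` addresses, so requests with any unmatched Host header (bare-IP scans, stale DNS names) are handed to the application instead of being dropped. If the aim is only to stop another vhost from becoming the implicit default, a separate catch-all server that rejects the request would do that without serving the app under arbitrary names; otherwise add a one-line comment saying why this host must be the default. The `listen` value is inherited from outside this hunk, so the affected ports are not visible here. For the new `locations."/localfiles/"`, a comment on who may write to `/srv/www` would also help, since everything under `/srv/www/localfiles/` becomes publicly readable.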

26
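--- a/nebula.nix
+++ b/nebula.nix
@@ -0,0 +1,26 @@
+{ pkgs, lib, ... }:
+{
+environment.systemPackages = [ pkgs.nebula ];
+services.nebula.networks.home = {
+enable = true;
+isLighthouse = true;
+cert = "/var/lib/nebula/node.crt";
+key = "/var/lib/nebula/node.key";
+ca = "/var/lib/nebula/ca.crt";
+firewall.inbound = [{
+host = "any";
+port = "any";
+proto = "any";
+}];
+firewall.outbound = [{
+host = "any";
+port = "any";
+proto = "any";
+}];
+};
+networking.firewall.allowedTCPPorts = [ 4242 ];
+networking.firewall.allowedUDPPorts = [ 4242 ];
+}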
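Review bot: `networking.firewall.allowedTCPPorts = [ 4242 ];` opens a port that nothing in this file listens on; Nebula's transport is UDP, so the UDP rule alone should be enough and the TCP line can be dropped. Separately, `firewall.inbound` with `host = "any"; port = "any"; proto = "any";` lets every host holding a certificate from this CA reach any service bound on the lighthouse's overlay interface, subject to whatever the host firewall allows there. If only a few services are meant to be reachable over the mesh, list those ports or restrict by group, and add a comment naming them. It is also worth confirming that `/var/lib/nebula/node.key` is readable only by the Nebula service user, since its permissions are not managed in this file.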


@ -4,7 +4,7 @@
enable = true; enable = true;
# ꙮ.run # ꙮ.run
virtualHosts."xn--xx8a.run" = { virtualHosts = let
listen = [ listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
@ -15,42 +15,48 @@
addr = "[::]"; addr = "[::]";
} }
# deliberately avoid listening with https # deliberately avoid listening with https
];
rejectSSL = true;
root = "/srv/ogdo";
extraConfig = ''
error_page 404 /;
access_log /var/log/nginx/ogdo.log combined;
add_header 'Cache-Control' 'no-cache';
'';
locations."/" = { index = "/index.html"; };
locations."~ ^/.+" = {
root = "/srv/ogdo/served-files";
tryFiles = "$uri =404";
extraConfig = ''
default_type application/pdf;
'';
};
};
virtualHosts."ogdo.run" = {
listen = [
{ {
addr = "0.0.0.0"; addr = "0.0.0.0";
port = 80; port = 443;
ssl = true;
} }
{ {
port = 80; port = 443;
ssl = true;
addr = "[::]"; addr = "[::]";
} }
]; ];
rejectSSL = true; rejectSSL = true;
in {
"xn--xx8a.run" = {
inherit listen rejectSSL;
root = "/srv/ogdo";
locations."/".return = "301 http://xn--xx8a.run$request_uri"; extraConfig = ''
error_page 404 /;
access_log /var/log/nginx/ogdo.log combined;
add_header 'Cache-Control' 'no-cache';
'';
locations."/" = { index = "/index.html"; };
locations."~ ^/.+" = {
root = "/srv/ogdo/served-files";
tryFiles = "$uri =404";
extraConfig = ''
default_type application/pdf;
'';
};
};
"ogdo.run" = {
inherit listen rejectSSL;
locations."/".return = "301 http://xn--xx8a.run$request_uri";
};
".run" = {
inherit listen rejectSSL;
locations."/".return = "301 http://ogdo.run$request_uri";
};
}; };
}; };
} }
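Review bot: The third virtual host key renders on this page as `".run"`; if that is the literal in the file, nginx treats a leading-dot `server_name` as a wildcard for `run` and every `*.run` host, so the block would answer for names the other two entries do not intend. If the key is meant to be the Unicode spelling of `xn--xx8a.run`, a comment saying so would help. In that case it is also worth confirming the name ever matches, since nginx compares the Host header as sent and clients normally send the punycode form. The shared `listen` list now includes 443 with `ssl = true` alongside `rejectSSL = true`, while the comment `# deliberately avoid listening with https` remains above it; updating that comment to say TLS handshakes are accepted only to be rejected would keep the intent clear.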