
28 commits

b814af9ac3 fix shellcheck 3 2024-12-25 15:48:17 -05:00
d5b92c037f fix shellcheck 2 2024-12-25 15:46:58 -05:00
037257b5e2 fix shellcheck 2024-12-25 15:45:39 -05:00
aa193bf423 encrypt backups 2024-12-25 15:41:55 -05:00
9606a755d0 take config file via cmd line 2024-12-25 15:35:47 -05:00
24094cad31 use bash function to upload 2024-12-25 15:33:20 -05:00
983f47440f use object storage directory instead of tar 2024-12-25 15:28:15 -05:00
3aff383a2c backup redis db and config dir 2024-12-25 00:40:24 -05:00
67c1f553fb better escape prefix 2024-12-19 22:49:47 -05:00
652c1b5778 change config file location 2024-12-19 22:40:52 -05:00
336b840fcd ignore shellcheck warning 2024-12-19 22:33:47 -05:00
72a4be3c5d flake update 2024-12-19 22:25:03 -05:00
aff2d5ab64 add backup job 2024-12-19 22:25:03 -05:00
6bb66f3e21 listen for ssl connections to reject 2024-10-10 01:43:48 -04:00
17aa3246df intermediate redirect to ogdo.run 2024-10-10 01:27:26 -04:00
da6919a997 add ꙮ.run check 2024-10-10 01:24:18 -04:00
dd41dfb7d9 flake update 2024-10-10 01:23:38 -04:00
a0fb0388c8 switch to pnpm package 2024-09-22 18:49:31 -04:00
e86c411aca flake update 2024-09-22 18:49:00 -04:00
1cb4864c7c open nebula firewall 2024-08-07 20:04:43 -07:00
096d89956e open firewall ports 2024-08-07 19:58:23 -07:00
24b4fa2c8e move nebula certs 2024-08-07 18:27:29 -07:00
13642fbbab add nebula 2024-08-07 18:23:56 -07:00
cc26134518 flake update 2024-08-07 18:23:01 -07:00
7d6c9faba2 flake update 2024-08-03 01:38:19 -07:00
a055679544 Make egirls.gay the default 2024-08-03 01:37:36 -07:00
dfc43c0ed4 serve local files 2024-07-30 21:10:35 -07:00
316bd3e9a2 flake update 2024-07-30 20:49:46 -07:00
6 changed files with 145 additions and 35 deletions

70
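--- a/backup.nix
+++ b/backup.nix
@@ -0,0 +1,70 @@
+{ config, pkgs, ... }:
+#necessary prep work:
+# GRANT CONNECT ON DATABASE misskey TO "misskey-backup";
+# GRANT SELECT ON ALL TABLES IN SCHEMA public TO "misskey-backup";
+# GRANT SELECT ON ALL SEQUENCES IN SCHEMA public TO "misskey-backup";
+#
+# TODO: automate this cause it needs to be done whenever db schema changes
+let
+user = "misskey-backup";
+group = user;
+backupConfigFile = "/etc/misskey-backup/conf";
+s3Cfg = "/etc/misskey-backup/s3cfg";
+backupScript = pkgs.writeShellApplication {
+name = "misskey-backup";
+runtimeInputs = with pkgs; [
+gzip
+config.services.postgresql.package
+s3cmd
+coreutils
+age
+];
+text = ''
+configFile="$1"
+s3cfg="$2"
+ageRecipient="age17ckyc69njpryytc63ynn545jswyucg28k5xg3043g3j6q38dxqwq0wzhm2"
+bucket="$(grep 'bucket=' < "$configFile" | sed 's/bucket \?= \?')"
+prefix="$(grep 'prefix=' < "$configFile" | sed 's/prefix \?= \?')"
+s3Dir="s3://$bucket/$prefix""misskey-$(date --iso-8601)"
+echo "Uploading backups to '$s3Dir'"
+function upload () {
+name="$1"
+age -r "$ageRecipient" | s3cmd put --config "$s3cfg" - "$s3Dir/$name.age"
+}
+echo "Uploading config"
+tar -cz -C /srv/misskey/.config . | upload "config.tar.gz"
+echo "Dumping postgres database..."
+pg_dump misskey | gzip | upload "pg_dump.sql.gz"
+echo "Uploading redis database..."
+tar -cz -C /var/lib/redis-misskey . | upload "redis.tar.gz"
+echo "Backup complete to '$s3Dir'"
+'';
+};
+in {
+users.users."${user}" = {
+isSystemUser = true;
+inherit group;
+};
+users.groups."${group}" = { };
+services.postgresql.ensureUsers = [{ name = user; }];
+services.cron = {
+enable = true;
+systemCronJobs = [
+# run every monday at ass in the morning, EST"
+"0 8 0 0 1 ${user} ${backupScript} ${backupConfigFile} ${s3Cfg}"
+];
+};
+}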
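Review bot: The cron entry `"0 8 0 0 1 ${user} ${backupScript} ${backupConfigFile} ${s3Cfg}"` puts 0 in the day-of-month and month fields, which lie outside cron's valid ranges (1-31 and 1-12), so most cron implementations reject the line and the backup never runs; "every Monday at 08:00" is `"0 8 * * 1 ${user} ${backupScript} ${backupConfigFile} ${s3Cfg}"`. The two value extractions `sed 's/bucket \?= \?'` and `sed 's/prefix \?= \?'` also look incomplete — there is no replacement part or closing delimiter, which sed reports as an unterminated `s` command, and under the `set -euo pipefail` that writeShellApplication enables that failure aborts the whole script before anything is uploaded. `bucket="$(sed -n 's/^bucket *= *//p' "$configFile")"` extracts the value in one step and also drops the preceding grep, whose literal `bucket=` pattern would miss a line written with spaces around the `=`. Since the job runs as the unprivileged ${user}, `/srv/misskey/.config` and `/var/lib/redis-misskey` presumably need to be readable by that account — confirm their modes — and `${s3Cfg}`, which holds the object-storage credentials, should be readable by that account only; neither is arranged by this module.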


@ -5,6 +5,8 @@
./heartles-xyz-proxy.nix
./ogdo.nix
./postfix.nix
./nebula.nix
./backup.nix
];
nix.settings = {


@ -2,11 +2,11 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1719838683,
"narHash": "sha256-Zw9rQjHz1ilNIimEXFeVa1ERNRBF8DoXDhLAZq5B4pE=",
"lastModified": 1734529975,
"narHash": "sha256-ze3IJksru9dN0keqUxY0WNf8xrwfs8Ty/z9v/keyBbg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d032c1a6dfad4eedec7e35e91986becc699d7d69",
"rev": "72d11d40b9878a67c38f003c240c2d2e1811e72a",
"type": "github"
},
"original": {
@ -24,11 +24,11 @@
},
"unstable": {
"locked": {
"lastModified": 1719848872,
"narHash": "sha256-H3+EC5cYuq+gQW8y0lSrrDZfH71LB4DAf+TDFyvwCNA=",
"lastModified": 1734424634,
"narHash": "sha256-cHar1vqHOOyC7f1+tVycPoWTfKIaqkoe1Q6TnKzuti4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "00d80d13810dbfea8ab4ed1009b09100cca86ba8",
"rev": "d3c42f187194c26d9f0309a8ecc469d6c878ce33",
"type": "github"
},
"original": {


@ -142,11 +142,17 @@ in {
rewrite .* $path_full break;
proxy_pass https://s3.us-west-1.wasabisys.com;
'';
locations."/localfiles/" = {
root = "/srv/www";
tryFiles = "$uri =404";
};
};
virtualHosts."egirls.gay" = {
inherit listen;
default = true;
forceSSL = true;
useACMEHost = "egirls.gay";
locations."/" = {
@ -192,7 +198,7 @@ in {
#
# pnpm2nix does not work due to misskey using workspaces
environment.systemPackages =
[ nodejs nodePackages.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
[ nodejs pkgs.pnpm pkgs.cypress pkgs.pkg-config pkgs.vips ];
environment.sessionVariables = {
CYPRESS_INSTALL_BINARY = "0";
CYPRESS_RUN_BINARY = "${pkgs.cypress}/bin/Cypress";
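Review bot: `locations."/localfiles/"` sets `root = "/srv/www"`, and nginx appends the request URI to `root`, so a request for `/localfiles/foo` is resolved as `/srv/www/localfiles/foo`, not `/srv/www/foo`; if the files are meant to sit directly under `/srv/www`, the location needs `alias = "/srv/www/";` instead, otherwise the directory on disk should be `/srv/www/localfiles`. Either way a one-line comment stating which directory is expected, `# served from /srv/www/localfiles/ (root appends the URI)`, would make the intent checkable. The enclosing virtualHost block begins outside the hunk, so I am inferring from the surrounding `proxy_pass` context that this is the same host that fronts object storage.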

26
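--- a/nebula.nix
+++ b/nebula.nix
@@ -0,0 +1,26 @@
+{ pkgs, lib, ... }:
+{
+environment.systemPackages = [ pkgs.nebula ];
+services.nebula.networks.home = {
+enable = true;
+isLighthouse = true;
+cert = "/var/lib/nebula/node.crt";
+key = "/var/lib/nebula/node.key";
+ca = "/var/lib/nebula/ca.crt";
+firewall.inbound = [{
+host = "any";
+port = "any";
+proto = "any";
+}];
+firewall.outbound = [{
+host = "any";
+port = "any";
+proto = "any";
+}];
+};
+networking.firewall.allowedTCPPorts = [ 4242 ];
+networking.firewall.allowedUDPPorts = [ 4242 ];
+}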
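Review bot: The `firewall.inbound` rule `host = "any"; port = "any"; proto = "any";` admits every overlay peer to every local service that the host firewall lets through on the nebula interface, which is a much wider exposure than the single port 4242 opened to the internet below; unless every peer is trusted with every service on this node, narrow it to the ports or peer groups actually needed (Nebula rules accept `port` and `groups` fields) and leave only the outbound rule open. If the open rule is intentional, a comment should say so, e.g. `# all overlay peers are trusted: unrestricted inbound on the nebula interface`. Separately, `networking.firewall.allowedTCPPorts = [ 4242 ];` looks unnecessary — as far as I know Nebula carries its traffic over UDP only — so the TCP entry can be dropped, and a note such as `# nebula listens on UDP 4242` would document why only the UDP line remains.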


@ -4,7 +4,7 @@
enable = true;
# ꙮ.run
virtualHosts."xn--xx8a.run" = {
virtualHosts = let
listen = [
{
addr = "0.0.0.0";
@ -15,42 +15,48 @@
addr = "[::]";
}
# deliberately avoid listening with https
];
rejectSSL = true;
root = "/srv/ogdo";
extraConfig = ''
error_page 404 /;
access_log /var/log/nginx/ogdo.log combined;
add_header 'Cache-Control' 'no-cache';
'';
locations."/" = { index = "/index.html"; };
locations."~ ^/.+" = {
root = "/srv/ogdo/served-files";
tryFiles = "$uri =404";
extraConfig = ''
default_type application/pdf;
'';
};
};
virtualHosts."ogdo.run" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
port = 443;
ssl = true;
}
{
port = 80;
port = 443;
ssl = true;
addr = "[::]";
}
];
rejectSSL = true;
in {
"xn--xx8a.run" = {
inherit listen rejectSSL;
root = "/srv/ogdo";
locations."/".return = "301 http://xn--xx8a.run$request_uri";
extraConfig = ''
error_page 404 /;
access_log /var/log/nginx/ogdo.log combined;
add_header 'Cache-Control' 'no-cache';
'';
locations."/" = { index = "/index.html"; };
locations."~ ^/.+" = {
root = "/srv/ogdo/served-files";
tryFiles = "$uri =404";
extraConfig = ''
default_type application/pdf;
'';
};
};
"ogdo.run" = {
inherit listen rejectSSL;
locations."/".return = "301 http://xn--xx8a.run$request_uri";
};
".run" = {
inherit listen rejectSSL;
locations."/".return = "301 http://ogdo.run$request_uri";
};
};
};
}
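Review bot: The context comment `# deliberately avoid listening with https` at the head of the shared `listen` list no longer describes what follows, since the list now carries `port = 443; ssl = true;` entries paired with `rejectSSL = true;` on all three hosts. If the intent is that 443 is bound only so that TLS clients are turned away immediately instead of timing out, say so in the comment: `# 443 is bound only so TLS clients are rejected outright (rejectSSL); the site itself is plain http`. It is also worth stating there that the redirects to `http://xn--xx8a.run` and `http://ogdo.run` depend on the port-80 entries staying in `listen`; from the rendering I cannot tell whether the `port = 80;` entries were kept or replaced by the 443 ones. The enclosing `services.nginx` block begins outside the hunk.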