From 8fb947095ee39d5361a5dac8c74534c1da3f9d52 Mon Sep 17 00:00:00 2001
From: Christoph Schmatzler
Date: Wed, 17 Dec 2025 16:05:04 +0000
Subject: [PATCH] litestream
---
 .sops.yaml | 2 ++
 hosts/michael/default.nix | 8 +++++++
 profiles/gitea.nix | 45 +++++++++++++++++++++++++++++++++++++-
 secrets/michael-litestream | 22 +++++++++++++++++++
 4 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 secrets/michael-litestream
diff --git a/.sops.yaml b/.sops.yaml
index efa5272..335c499 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,9 +1,11 @@
 keys:
 - &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
 - &host_jason age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2
+ - &host_michael age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j
 creation_rules:
 - path_regex: secrets/[^/]+$
 key_groups:
 - age:
 - *host_tahani
 - *host_jason
+ - *host_michael
diff --git a/hosts/michael/default.nix b/hosts/michael/default.nix
index 110886c..8c7db18 100644
--- a/hosts/michael/default.nix
+++ b/hosts/michael/default.nix
@@ -17,8 +17,16 @@
 ../../profiles/gitea.nix
 ../../profiles/nixos.nix
 inputs.disko.nixosModules.disko
+ inputs.sops-nix.nixosModules.sops
 ];
+ sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+
+ sops.secrets.litestream = {
+ sopsFile = ../../secrets/michael-litestream;
+ format = "binary";
+ };
+
 home-manager.users.${user} = {
 pkgs,
 lib,
diff --git a/profiles/gitea.nix b/profiles/gitea.nix
index 5c14b82..9942908 100644
--- a/profiles/gitea.nix
+++ b/profiles/gitea.nix
@@ -1,4 +1,4 @@
-{...}: {
+{pkgs, ...}: {
 networking.firewall.allowedTCPPorts = [80 443];
 services.gitea = {
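Review bot: The new `*host_michael` entry is added to the single `age` group of the catch-all `path_regex: secrets/[^/]+$` rule, so every secret under `secrets/` — including the new `michael-litestream` credentials — is decryptable by tahani and jason as well as michael (the three `recipient` entries in the new secret file confirm this). Only michael consumes this secret, so a narrower rule would keep the other hosts' keys out of it: sops applies the first matching creation rule, so add `- path_regex: secrets/michael-[^/]+$` with a `key_groups` containing only `*host_michael` above the catch-all, then re-run `sops updatekeys secrets/michael-litestream`. If every host is deliberately able to decrypt every secret, a one-line comment on the rule saying so would spare the next reader the same question.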
@@ -25,6 +25,49 @@
 };
 };
+ users.users.litestream.extraGroups = ["gitea"];
+
+ systemd.services.gitea.serviceConfig.ExecStartPost =
+ "+"
+ + pkgs.writeShellScript "grant-gitea-permissions" ''
+ timeout=10
+
+ while [ ! -f /var/lib/gitea/data/gitea.db ];
+ do
+ if [ "$timeout" == 0 ]; then
+ echo "ERROR: Timeout while waiting for /var/lib/gitea/data/gitea.db."
+ exit 1
+ fi
+
+ sleep 1
+
+ ((timeout--))
+ done
+
+ find /var/lib/gitea -type d -exec chmod -v 775 {} \;
+ find /var/lib/gitea -type f -exec chmod -v 660 {} \;
+ '';
+
+ services.litestream = {
+ enable = true;
+ environmentFile = "/run/secrets/litestream";
+ settings = {
+ dbs = [
+ {
+ path = "/var/lib/gitea/data/gitea.db";
+ replicas = [
+ {
+ type = "s3";
+ bucket = "gitea-litestream";
+ path = "gitea";
+ endpoint = "s3.eu-central-003.backblazeb2.com";
+ }
+ ];
+ }
+ ];
+ };
+ };
+
 services.caddy = {
 enable = true;
 virtualHosts."git.schmatzler.com".extraConfig = ''
diff --git a/secrets/michael-litestream b/secrets/michael-litestream
new file mode 100644
index 0000000..5eb8245
--- /dev/null
+++ b/secrets/michael-litestream
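Review bot: The two `find` lines in the `grant-gitea-permissions` ExecStartPost widen permissions on everything under `/var/lib/gitea` on every start, while litestream only needs the SQLite files in `/var/lib/gitea/data` (the db, its `-wal`/`-shm` siblings, and write access to that directory). `chmod 660` on every regular file also strips the execute bit, which will break any git hook scripts Gitea keeps under its repository root (presumably `/var/lib/gitea/repositories`), and it makes files such as the generated `app.ini` — which holds Gitea's secret keys and tokens — readable and writable by everyone in group `gitea`, now including the `litestream` user. Narrow the script to the data directory instead: `chmod -v 775 /var/lib/gitea/data` and `chmod -v 660 /var/lib/gitea/data/gitea.db*`. Separately, `environmentFile = "/run/secrets/litestream"` hard-codes a path that is owned by the host-level `sops.secrets.litestream` declaration; taking `config` in the profile's argument set and using `config.sops.secrets.litestream.path` makes the dependency explicit and fails at evaluation time if a host imports this profile without declaring the secret.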
@@ -0,0 +1,22 @@
+{
+ "data": "ENC[AES256_GCM,data:YrqKBq2eIlYQcXZJ660/IPDULjudhjuBVYY9y7rIIFLwuL2n7ZxgdyRu/tBuK6RpAjZJKvXLC3dCMzhFfopUUxLXYrG6PTTfdnax2snSD8x7Ph4IRPbOKqM+iyP5nREs4G6hEWe7Pl9VT4oTWQ255g==,iv:sswA9TNXE+8X53xHMwQ6Kq1tl1LAccsyxe22D8sYOUc=,tag:Tu0m6pkn1DFDuDoYfrHxsQ==,type:str]",
+ "sops": {
+ "age": [
+ {
+ "recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6R0IxNFdXSVBnN3ZXSzhM\nZlN0VmFtWFZTdlkzczYwT3dHbWtXc0RXWHo4CnZHRHpxbktTa3lSSkREaTloeVNG\nSkRVMUVKRFlLbXltUUhkd0phNmovQWsKLS0tIHpGTW1SMFRldC82SWdvcHFGWVJK\nOCtDRTBXWVZINFBXMlBXUDhNSDh6MFEKZ74DWHnvRB9gLyT3fqHNdb2VKdUO8QfF\nVoa0aQCOUdUOYiRtR0SKhWRNU2Z55hqRY3En2AEUIQCt670MNNrMCw==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMeFFDYUo4MXNBWUFTMkxE\nNEVFdDVOY3dYTW05VzZNcERHMUhQaHdsUmtjCitML2Mwd05KMC9meEhYR1l1NG9H\nUjdjYlhveTVJQ3JNS0p2MUV5OHNqYW8KLS0tIHEweGNyUkRpRldmZ2V5ZU9Dak5q\nV2JpSWNsZzBGRDdNa3lVUG5RcXZPT0UKtrbYWaxinIbQjopdgS9/MFyQn0RZ7XR7\nZPw018jJXySoitrX8nwTT7IovajLgfR5bA8aUlD9aAQN0BPL8qfOCQ==\n-----END AGE ENCRYPTED FILE-----\n"
+ },
+ {
+ "recipient": "age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j",
+ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGa1BwRndudWFWVDQ3L29C\nenNlR0JtOTZxK2JLSzl2QUZCemdZZmpnM3ljCjVzZm9nSU5YTmF2OFR2Zk02bEpk\nV2lablBsTzJYbEZHdnE4UDRtd0pScVkKLS0tIHUrNHVYUVpIeEJvZ3hNb0tySitP\nU3U0SldXYURmOUdCVDk0c3NYQmpzcXcKJU/c0Qhx0j8KP0G8YlFzAu7dBmvoQmU8\nAqNNEszD23uB575CxIDK1Bf7fte9DvKU7ZxFX25CyZLR3X2xfcHh7w==\n-----END AGE ENCRYPTED FILE-----\n"
+ }
+ ],
+ "lastmodified": "2025-12-17T16:09:07Z",
+ "mac": "ENC[AES256_GCM,data:iH1rpteK1WaO1OREm5Ze1Gy00u67KFKIQZwqjIJFhmy8CHOsG45ExltkIb41kM+zPE8ofxy3PGBvrqbMTtAh5rM676VMpRPQtTSt5uRHBJ+5uJBlIY/CRcOPkuT3TZRj2/zoNM0nzBsuOjuM7vpp0FDOlR6OaaB73HopfMemlh4=,iv:Uvw1UQtIHMq4mm5I62p23pt20D9kRfYe8ixBbXYAK0k=,tag:Vpdlr7PZZRPNiLVqGRZQpA==,type:str]",
+ "version": "3.11.0"
+ }
+}