litestream
This commit is contained in:
@@ -1,9 +1,11 @@
|
|||||||
keys:
|
keys:
|
||||||
- &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
|
- &host_tahani age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm
|
||||||
- &host_jason age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2
|
- &host_jason age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2
|
||||||
|
- &host_michael age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets/[^/]+$
|
- path_regex: secrets/[^/]+$
|
||||||
key_groups:
|
key_groups:
|
||||||
- age:
|
- age:
|
||||||
- *host_tahani
|
- *host_tahani
|
||||||
- *host_jason
|
- *host_jason
|
||||||
|
- *host_michael
|
||||||
|
|||||||
@@ -17,8 +17,16 @@
|
|||||||
../../profiles/gitea.nix
|
../../profiles/gitea.nix
|
||||||
../../profiles/nixos.nix
|
../../profiles/nixos.nix
|
||||||
inputs.disko.nixosModules.disko
|
inputs.disko.nixosModules.disko
|
||||||
|
inputs.sops-nix.nixosModules.sops
|
||||||
];
|
];
|
||||||
|
|
||||||
|
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
||||||
|
|
||||||
|
sops.secrets.litestream = {
|
||||||
|
sopsFile = ../../secrets/michael-litestream;
|
||||||
|
format = "binary";
|
||||||
|
};
|
||||||
|
|
||||||
home-manager.users.${user} = {
|
home-manager.users.${user} = {
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{...}: {
|
{pkgs, ...}: {
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
networking.firewall.allowedTCPPorts = [80 443];
|
||||||
|
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
@@ -25,6 +25,49 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.litestream.extraGroups = ["gitea"];
|
||||||
|
|
||||||
|
systemd.services.gitea.serviceConfig.ExecStartPost =
|
||||||
|
"+"
|
||||||
|
+ pkgs.writeShellScript "grant-gitea-permissions" ''
|
||||||
|
timeout=10
|
||||||
|
|
||||||
|
while [ ! -f /var/lib/gitea/data/gitea.db ];
|
||||||
|
do
|
||||||
|
if [ "$timeout" == 0 ]; then
|
||||||
|
echo "ERROR: Timeout while waiting for /var/lib/gitea/data/gitea.db."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
sleep 1
|
||||||
|
|
||||||
|
((timeout--))
|
||||||
|
done
|
||||||
|
|
||||||
|
find /var/lib/gitea -type d -exec chmod -v 775 {} \;
|
||||||
|
find /var/lib/gitea -type f -exec chmod -v 660 {} \;
|
||||||
|
'';
|
||||||
|
|
||||||
|
services.litestream = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = "/run/secrets/litestream";
|
||||||
|
settings = {
|
||||||
|
dbs = [
|
||||||
|
{
|
||||||
|
path = "/var/lib/gitea/data/gitea.db";
|
||||||
|
replicas = [
|
||||||
|
{
|
||||||
|
type = "s3";
|
||||||
|
bucket = "gitea-litestream";
|
||||||
|
path = "gitea";
|
||||||
|
endpoint = "s3.eu-central-003.backblazeb2.com";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
services.caddy = {
|
services.caddy = {
|
||||||
enable = true;
|
enable = true;
|
||||||
virtualHosts."git.schmatzler.com".extraConfig = ''
|
virtualHosts."git.schmatzler.com".extraConfig = ''
|
||||||
|
|||||||
22
secrets/michael-litestream
Normal file
22
secrets/michael-litestream
Normal file
@@ -0,0 +1,22 @@
|
|||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:YrqKBq2eIlYQcXZJ660/IPDULjudhjuBVYY9y7rIIFLwuL2n7ZxgdyRu/tBuK6RpAjZJKvXLC3dCMzhFfopUUxLXYrG6PTTfdnax2snSD8x7Ph4IRPbOKqM+iyP5nREs4G6hEWe7Pl9VT4oTWQ255g==,iv:sswA9TNXE+8X53xHMwQ6Kq1tl1LAccsyxe22D8sYOUc=,tag:Tu0m6pkn1DFDuDoYfrHxsQ==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age1njjegjjdqzfnrr54f536yl4lduqgna3wuv7ef6vtl9jw5cju0grsgy62tm",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6R0IxNFdXSVBnN3ZXSzhM\nZlN0VmFtWFZTdlkzczYwT3dHbWtXc0RXWHo4CnZHRHpxbktTa3lSSkREaTloeVNG\nSkRVMUVKRFlLbXltUUhkd0phNmovQWsKLS0tIHpGTW1SMFRldC82SWdvcHFGWVJK\nOCtDRTBXWVZINFBXMlBXUDhNSDh6MFEKZ74DWHnvRB9gLyT3fqHNdb2VKdUO8QfF\nVoa0aQCOUdUOYiRtR0SKhWRNU2Z55hqRY3En2AEUIQCt670MNNrMCw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1ez6j3r5wdp0tjy7n5qzv5vfakdc2nh2zeu388zu7a80l0thv052syxq5e2",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMeFFDYUo4MXNBWUFTMkxE\nNEVFdDVOY3dYTW05VzZNcERHMUhQaHdsUmtjCitML2Mwd05KMC9meEhYR1l1NG9H\nUjdjYlhveTVJQ3JNS0p2MUV5OHNqYW8KLS0tIHEweGNyUkRpRldmZ2V5ZU9Dak5q\nV2JpSWNsZzBGRDdNa3lVUG5RcXZPT0UKtrbYWaxinIbQjopdgS9/MFyQn0RZ7XR7\nZPw018jJXySoitrX8nwTT7IovajLgfR5bA8aUlD9aAQN0BPL8qfOCQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age187jl7e4k9n4guygkmpuqzeh0wenefwrfkpvuyhvwjrjwxqpzassqq3x67j",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGa1BwRndudWFWVDQ3L29C\nenNlR0JtOTZxK2JLSzl2QUZCemdZZmpnM3ljCjVzZm9nSU5YTmF2OFR2Zk02bEpk\nV2lablBsTzJYbEZHdnE4UDRtd0pScVkKLS0tIHUrNHVYUVpIeEJvZ3hNb0tySitP\nU3U0SldXYURmOUdCVDk0c3NYQmpzcXcKJU/c0Qhx0j8KP0G8YlFzAu7dBmvoQmU8\nAqNNEszD23uB575CxIDK1Bf7fte9DvKU7ZxFX25CyZLR3X2xfcHh7w==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2025-12-17T16:09:07Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:iH1rpteK1WaO1OREm5Ze1Gy00u67KFKIQZwqjIJFhmy8CHOsG45ExltkIb41kM+zPE8ofxy3PGBvrqbMTtAh5rM676VMpRPQtTSt5uRHBJ+5uJBlIY/CRcOPkuT3TZRj2/zoNM0nzBsuOjuM7vpp0FDOlR6OaaB73HopfMemlh4=,iv:Uvw1UQtIHMq4mm5I62p23pt20D9kRfYe8ixBbXYAK0k=,tag:Vpdlr7PZZRPNiLVqGRZQpA==,type:str]",
|
||||||
|
"version": "3.11.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user