WIP

2025-12-16 07:07:14 +01:00 · 2024-08-26 20:57:12 +02:00
6 changed files with 91 additions and 98 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,26 @@
 {
  "nodes": {
    "dibbler": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1693682284,
        "narHash": "sha256-FvVCkHH80YyUiqQlnGNr49rZRBniihF6YRpytguEkFQ=",
        "ref": "refs/heads/master",
        "rev": "8a6a0c12ba37e239684d2de1be12fd73903cfb2c",
        "revCount": 193,
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      },
      "original": {
        "type": "git",
        "url": "https://git.pvv.ntnu.no/Projects/dibbler.git"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": [
@@ -22,7 +43,7 @@
    },
    "fix-python": {
      "inputs": {
-        "flake-utils": "flake-utils",
+        "flake-utils": "flake-utils_2",
        "nixpkgs": [
          "grzegorz",
          "nixpkgs"
@@ -46,6 +67,24 @@
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1692799911,
        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "flake-utils_2": {
      "inputs": {
        "systems": "systems_2"
      },
      "locked": {
        "lastModified": 1689068808,
        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
@@ -229,6 +268,7 @@
    },
    "root": {
      "inputs": {
        "dibbler": "dibbler",
        "disko": "disko",
        "grzegorz": "grzegorz",
        "grzegorz-clients": "grzegorz-clients",
@@ -276,6 +316,21 @@
        "repo": "default",
        "type": "github"
      }
    },
    "systems_2": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -17,6 +17,9 @@
    pvv-calendar-bot.url = "git+https://git.pvv.ntnu.no/Projects/calendar-bot.git";
    pvv-calendar-bot.inputs.nixpkgs.follows = "nixpkgs";
    dibbler.url = "git+https://git.pvv.ntnu.no/Projects/dibbler.git";
    dibbler.inputs.nixpkgs.follows = "nixpkgs";
    matrix-next.url = "github:dali99/nixos-matrix-modules/v0.6.0";
    matrix-next.inputs.nixpkgs.follows = "nixpkgs";
@@ -124,6 +127,13 @@
        ];
      };
      buskerud = stableNixosConfig "buskerud" { };
      skrott = stableNixosConfig "skrott" {
        system = "aarch64-linux";
        modules = [
          (nixpkgs + "/nixos/modules/installer/sd-card/sd-image-aarch64.nix")
          inputs.dibbler.nixosModules.default
        ];
      };
    };
    nixosModules = {
@@ -147,6 +157,7 @@
        simplesamlphp = pkgs.callPackage ./packages/simplesamlphp { };
        skrot = self.nixosConfigurations.skrott.config.system.build.sdImage;
      } //
      (nixlib.pipe null [
        (_: pkgs.callPackage ./packages/mediawiki-extensions { })
--- a/hosts/bicep/services/mysql.nix
+++ b/hosts/bicep/services/mysql.nix
@@ -1,7 +1,4 @@
 { pkgs, lib, config, values, ... }:
 let
  backupDir = "/var/lib/mysql/backups";
 in
 {
  sops.secrets."mysql/password" = {
    owner = "mysql";
@@ -39,6 +36,11 @@ in
    }];
  };
  services.mysqlBackup = {
    enable = true;
    location = "/var/lib/mysql/backups";
  };
  networking.firewall.allowedTCPPorts = [ 3306 ];
  systemd.services.mysql.serviceConfig = {
@@ -48,51 +50,4 @@ in
      values.ipv6-space
    ];
  };
  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
  #       another unit, it was easier to just make one ourselves
  systemd.services."backup-mysql" = {
    description = "Backup MySQL data";
    requires = [ "mysql.service" ];
    path = [
      pkgs.coreutils
      pkgs.rsync
      pkgs.gzip
      config.services.mysql.package
    ];
    script = let
      rotations = 10;
      sshTarget1 = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
      sshTarget2 = "root@isvegg.pvv.ntnu.no:/mnt/backup2/bicep/mysql";
    in ''
      set -eo pipefail
      mysqldump | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
      done
      rsync -avz --delete "${backupDir}" '${sshTarget1}'
      rsync -avz --delete "${backupDir}" '${sshTarget2}'
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "mysql";
      Group = "mysql";
      UMask = "0077";
      ReadWritePaths = [ backupDir ];
    };
    startAt = "*-*-* 02:15:00";
  };
  systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
    user = "mysql";
    group = "mysql";
    mode = "700";
  };
 }
--- a/hosts/bicep/services/postgres.nix
+++ b/hosts/bicep/services/postgres.nix
@@ -1,7 +1,6 @@
-{ config, pkgs, lib, ... }:
+{ config, pkgs, ... }:
 let
  sslCert = config.security.acme.certs."postgres.pvv.ntnu.no";
  backupDir = "/var/lib/postgresql/backups";
 in
 {
  services.postgresql = {
@@ -90,50 +89,9 @@ in
  networking.firewall.allowedTCPPorts = [ 5432 ];
  networking.firewall.allowedUDPPorts = [ 5432 ];
-  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  services.postgresqlBackup = {
-  #       another unit, it was easier to just make one ourselves
+    enable = true;
-  systemd.services."backup-postgresql" = {
+    location = "/var/lib/postgres/backups";
-    description = "Backup PostgreSQL data";
+    backupAll = true;
    requires = [ "postgresql.service" ];
    path = [
      pkgs.coreutils
      pkgs.rsync
      pkgs.gzip
      config.services.postgresql.package
    ];
    script = let
      rotations = 10;
      sshTarget1 = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
      sshTarget2 = "root@isvegg.pvv.ntnu.no:/mnt/backup2/bicep/postgresql";
    in ''
      set -eo pipefail
      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
      done
      rsync -avz --delete "${backupDir}" '${sshTarget1}'
      rsync -avz --delete "${backupDir}" '${sshTarget2}'
    '';
    serviceConfig = {
      Type = "oneshot";
      User = "postgres";
      Group = "postgres";
      UMask = "0077";
      ReadWritePaths = [ backupDir ];
    };
    startAt = "*-*-* 01:15:00";
  };
  systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
    user = "postgres";
    group = "postgres";
    mode = "700";
  };
 }
--- a/hosts/skrott/configuration.nix
+++ b/hosts/skrott/configuration.nix
@@ -0,0 +1,10 @@
 { lib, values, ... }: {
  system.stateVersion = "22.05";
  systemd.network.networks."30-all" = values.defaultNetworkConfig // {
    matchConfig.Name = "eth0";
    address = with values.hosts.skrott; [ (ipv4 + "/25") (ipv6 + "/64") ];
  };
  networking.hostName = lib.mkForce "skrot";
 }
--- a/values.nix
+++ b/values.nix
@@ -63,6 +63,10 @@ in rec {
      ipv4 = pvv-ipv4 231;
      ipv6 = pvv-ipv6 231;
    };
    skrott = {
      ipv4 = pvv-ipv4 235;
      ipv6 = pvv-ipv6 235;
    };
  };
  defaultNetworkConfig = {