WIP

base/default.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 
 {
   imports = [
@@ -10,12 +10,17 @@
 
     ./services/acme.nix
     ./services/auto-upgrade.nix
+    ./services/irqbalance.nix
     ./services/logrotate.nix
     ./services/nginx.nix
     ./services/openssh.nix
+    ./services/postfix.nix
+    ./services/smartd.nix
     ./services/thermald.nix
   ];
 
+  boot.tmp.cleanOnBoot = lib.mkDefault true;
+
   time.timeZone = "Europe/Oslo";
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -42,6 +47,11 @@
 
   programs.zsh.enable = true;
 
+  security.sudo.execWheelOnly = true;
+  security.sudo.extraConfig = ''
+    Defaults lecture = never
+  '';
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/nix.nix

@@ -1,17 +1,30 @@
 { inputs, ... }:
 {
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 2d";
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  nix = {
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 2d";
+    };
 
-  /* This makes commandline tools like
-  ** nix run nixpkgs#hello
-  ** and nix-shell -p hello
-  ** use the same channel the system
-  ** was built with
-  */
-  nix.registry = {
-    nixpkgs.flake = inputs.nixpkgs;
+    settings = {
+      allow-dirty = true;
+      auto-optimise-store = true;
+      builders-use-substitutes = true;
+      experimental-features = [ "nix-command" "flakes" ];
+      log-lines = 50;
+      use-xdg-base-directories = true;
+    };
+
+    /* This makes commandline tools like
+    ** nix run nixpkgs#hello
+    ** and nix-shell -p hello
+    ** use the same channel the system
+    ** was built with
+    */
+    registry = {
+      "nixpkgs".flake = inputs.nixpkgs;
+      "pvv-nix".flake = inputs.self;
+    };
+    nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
   };
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
 }

base/services/irqbalance.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+  services.irqbalance.enable = true;
+}

base/services/openssh.nix

@@ -2,6 +2,7 @@
 {
   services.openssh = {
     enable = true;
+    startWhenNeeded = true;
     extraConfig = ''
       PubkeyAcceptedAlgorithms=+ssh-rsa
       Match Group wheel

base/services/postfix.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.postfix;
+in
+{
+  services.postfix = {
+    enable = true;
+
+    hostname = "${config.networking.hostName}.pvv.ntnu.no";
+    domain = "pvv.ntnu.no";
+
+    relayHost = "smtp.pvv.ntnu.no";
+    relayPort = 465;
+
+    config = {
+      smtp_tls_wrappermode = "yes";
+      smtp_tls_security_level = "encrypt";
+    };
+
+    # Nothing should be delivered to this machine
+    destination = [ ];
+  };
+}

base/services/smartd.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, lib, ... }:
+{
+  services.smartd.enable = lib.mkDefault true;
+
+  environment.systemPackages = lib.optionals config.services.smartd.enable (with pkgs; [
+    smartmontools
+  ]);
+}

hosts/bicep/services/mysql.nix

@@ -1,4 +1,7 @@
 { pkgs, lib, config, values, ... }:
+let
+  backupDir = "/var/lib/mysql/backups";
+in
 {
   sops.secrets."mysql/password" = {
     owner = "mysql";
@@ -36,11 +39,6 @@
     }];
   };
 
-  services.mysqlBackup = {
-    enable = true;
-    location = "/var/lib/mysql/backups";
-  };
-
   networking.firewall.allowedTCPPorts = [ 3306 ];
 
   systemd.services.mysql.serviceConfig = {
@@ -50,4 +48,58 @@
       values.ipv6-space
     ];
   };
+
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves
+  systemd.services."backup-mysql" = {
+    description = "Backup MySQL data";
+    requires = [ "mysql.service" ];
+
+    path = [
+      pkgs.coreutils
+      pkgs.rsync
+      pkgs.gzip
+      config.services.mysql.package
+    ];
+
+    script = let
+      rotations = 10;
+      # rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/mysql";
+      rsyncTarget = "/data/backup/mysql";
+    in ''
+      set -eo pipefail
+
+      mysqldump --all-databases | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
+
+      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
+        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
+      done
+
+      rsync -avz --delete "${backupDir}" '${rsyncTarget}'
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "mysql";
+      Group = "mysql";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [
+        backupDir
+        "/data/backup/mysql" # NOTE: should not be part of this option once rsyncTarget is remote
+      ];
+    };
+
+    startAt = "*-*-* 02:15:00";
+  };
+
+  systemd.tmpfiles.settings."10-mysql-backup".${backupDir}.d = {
+    user = "mysql";
+    group = "mysql";
+    mode = "700";
+  };
 }

hosts/bicep/services/postgres.nix

@@ -1,4 +1,7 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
+let
+  backupDir = "/var/lib/postgresql/backups";
+in
 {
   services.postgresql = {
     enable = true;
@@ -90,9 +93,57 @@
   networking.firewall.allowedTCPPorts = [ 5432 ];
   networking.firewall.allowedUDPPorts = [ 5432 ];
 
-  services.postgresqlBackup = {
-    enable = true;
-    location = "/var/lib/postgres/backups";
-    backupAll = true;
+  # NOTE: instead of having the upstream nixpkgs postgres backup unit trigger
+  #       another unit, it was easier to just make one ourselves
+  systemd.services."backup-postgresql" = {
+    description = "Backup PostgreSQL data";
+    requires = [ "postgresql.service" ];
+
+    path = [
+      pkgs.coreutils
+      pkgs.rsync
+      pkgs.gzip
+      config.services.postgresql.package
+    ];
+
+    script = let
+      rotations = 10;
+      # rsyncTarget = "root@isvegg.pvv.ntnu.no:/mnt/backup1/bicep/postgresql";
+      rsyncTarget = "/data/backup/postgresql";
+    in ''
+      set -eo pipefail
+
+      pg_dumpall -U postgres | gzip -c -9 --rsyncable > "${backupDir}/$(date --iso-8601)-dump.sql.gz"
+
+      while [ $(ls -1 "${backupDir}" | wc -l) -gt ${toString rotations} ]; do
+        rm $(find "${backupDir}" -type f -printf '%T+ %p\n' | sort | head -n 1 | cut -d' ' -f2)
+      done
+
+      rsync -avz --delete "${backupDir}" '${rsyncTarget}'
+    '';
+
+    serviceConfig = {
+      Type = "oneshot";
+      User = "postgres";
+      Group = "postgres";
+      UMask = "0077";
+
+      Nice = 19;
+      IOSchedulingClass = "best-effort";
+      IOSchedulingPriority = 7;
+
+      ReadWritePaths = [
+        backupDir
+        "/data/backup/postgresql" # NOTE: should not be part of this option once rsyncTarget is remote
+      ];
+    };
+
+    startAt = "*-*-* 01:15:00";
+  };
+
+  systemd.tmpfiles.settings."10-postgresql-backup".${backupDir}.d = {
+    user = "postgres";
+    group = "postgres";
+    mode = "700";
   };
 }