diff --git a/configs/borg.nix b/configs/borg.nix
new file mode 100644
index 0000000..817c3d1
--- /dev/null
+++ b/configs/borg.nix
@@ -0,0 +1,44 @@
+{config, ...}: {
+ sops = {
+ secrets = {
+ borg-key = {
+ owner = config.users.users.alex.name;
+ };
+ };
+ };
+
+ services = {
+ borgbackup.jobs.all = rec {
+ compression = "auto,zstd";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets.borg-key.path}";
+ };
+ extraCreateArgs = "--stats --verbose --checkpoint-interval=600 --exclude-caches";
+ extraPruneArgs = [
+ "--save-space"
+ "--stats"
+ ];
+ extraCompactArgs = [
+ "--cleanup-commits"
+ ];
+ environment = {
+ BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_ed25519";
+ BORG_BASE_DIR = "/persist/borg";
+ };
+ readWritePaths = ["/persist/borg"];
+ paths = ["/home/alex" "/persist"];
+ startAt = "daily";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ monthly = 6;
+ };
+ exclude = [
+ "/home/alex/mounted"
+ "/home/alex/.cache"
+ "/persist/borg"
+ ];
+ };
+ };
+}
diff --git a/configs/common-linux.nix b/configs/common-linux.nix
index c51254a..bc693c6 100644
--- a/configs/common-linux.nix
+++ b/configs/common-linux.nix
@@ -6,7 +6,7 @@
 ...
 }: {
 imports = [
- ../../configs/common.nix
+ ./configs/common.nix
 ];
 
 boot = {
@@ -16,7 +16,7 @@
 enable = true;
 device = "nodev";
 efiSupport = true;
- configurationLimit = 5;
+ configurationLimit = 10;
 enableCryptodisk = true;
 useOSProber = true;
 };
diff --git a/machine/mini/configuration.nix b/machine/mini/configuration.nix
index fec9a9e..f5cf720 100644
--- a/machine/mini/configuration.nix
+++ b/machine/mini/configuration.nix
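Review bot: `exclude` in this new job repeats the `/home/alex/mounted` and `/home/alex/.cache` entries that machine/mini/configuration.nix still sets on the same `borgbackup.jobs.all` (last hunk of that file), so the module system's list merge passes both copies as `--exclude` arguments; keep the shared entries here and drop them from the host file, or the other way round. `rec` on the job attrset is unused, since no attribute refers to a sibling, and can be a plain `{`. The job runs as root by default (no `user` is set), so the `ssh -i /home/alex/.ssh/id_borg_ed25519` in BORG_RSH is invoked by root and needs the storage box host key in root's known_hosts to run non-interactively; declaring it through `programs.ssh.knownHosts` avoids a failing first run without weakening host key checking. `extraCreateArgs` is a single string while `extraPruneArgs` and `extraCompactArgs` are lists; if the installed module accepts the list form for it as it does for the other two, `extraCreateArgs = ["--stats" "--verbose" "--checkpoint-interval=600" "--exclude-caches"];` would be consistent.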
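Review bot: `./configs/common.nix` is resolved relative to configs/common-linux.nix itself, so it points at configs/configs/common.nix; unless that nested directory exists, the sibling import should be `./common.nix`. The old `../../configs/common.nix` likewise escaped the repository from this location, which suggests the file was moved and the path was never rewritten for its new home. The enclosing attrset starts before this hunk.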
@@ -7,31 +7,14 @@
 }: {
 imports = [
 ./hardware-configuration.nix
+ ../../configs/borg.nix
 ../../configs/docker.nix
 ../../configs/common-linux.nix
 ../../configs/user.nix
 ];
 
 sops = {
- defaultSopsFile = ../../secrets/secrets.yaml;
- validateSopsFiles = true;
- age = {
- sshKeyPaths = ["/persist/etc/ssh/ssh_host_ed25519_key"];
- keyFile = "/var/lib/sops-nix/key.txt";
- generateKey = true;
- };
-
- secrets = {
- borg-key = {
- sopsFile = ../../secrets/secrets-mini.yaml;
- owner = config.users.users.alex.name;
- group = config.users.users.alex.group;
- };
-
- hashedPassword = {
- neededForUsers = true;
- };
- };
+ defaultSopsFile = ../../secrets-mini.yaml;
 };
 
 boot = {
@@ -72,34 +55,6 @@
 };
 nftables.enable = true;
 
- # wireguard.interfaces = {
- # wg0 = {
- # ips = [ "10.100.0.3/24" ];
- # privateKey = secrets.wireguard-mini-private;
-
- # postSetup = ''
- # ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o enp3s0 -j MASQUERADE
- # '';
-
- # # This undoes the above command
- # postShutdown = ''
- # ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o enp3s0 -j MASQUERADE
- # '';
- # };
- # };
-
- # nat = {
- # enable = true;
- # enableIPv6 = true;
- # # externalInterface = "enp3s0";
- # # internalInterfaces = [ "tailscale0" ];
- # };
-
- # wireless = {
- # enable = true;
- # networks.Skynet.psk = secrets.wifipassword;
- # interfaces = [ "wlp0s20u1u1" ];
- # };
 };
 
 environment = {
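Review bot: Dropping `age.sshKeyPaths`, `keyFile` and `generateKey` leaves secret decryption on sops-nix's default host-key lookup, which as far as I recall derives the key paths from `services.openssh.hostKeys` under /etc/ssh rather than the `/persist/etc/ssh/ssh_host_ed25519_key` path that was configured here; on a host whose /etc is not persisted that is likely to fail at activation, so these settings should move to a shared file unless that happened outside this diff. The `hashedPassword` secret with `neededForUsers = true` is also removed and not re-declared in any hunk of this diff; if `users.users.alex.hashedPasswordFile` in configs/user.nix still references `config.sops.secrets.hashedPassword.path`, evaluation breaks. `defaultSopsFile` now points at `../../secrets-mini.yaml` at the repository root while the old per-secret `sopsFile` lived under secrets/, so confirm that file was moved too.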
@@ -126,123 +81,14 @@
 # openFirewall = true;
 };
 
- # hostapd = {
- # enable = true;
- # radios = {
- # wlp0s20u1u2 = {
- # # wifi4.enable = false;
- # # wifi5.enable = false;
- # # settings.ieee80211n = true; # otherwise enabled by wifi4.enable
- # networks.wlp0s20u1u2 = {
- # ssid = "Skynet-Tor";
- # authentication.saePasswords = [
- # { password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"; }
- # ];
- # };
-
- # };
- # };
- # };
-
- # dnsmasq = {
- # enable = true;
- # extraConfig = ''
- # interface=wlp0s20u1u2
- # bind-interfaces
- # dhcp-range=192.168.12.10,192.168.12.254,24h
- # '';
- # };
-
- # kea.dhcp4 = {
- # enable = true;
- # # interfaces = [ "wlp0s20u1u2" ];
- # settings = {
- # interfaces-config = {
- # interfaces = [
- # "wlp0s20u1u2"
- # ];
- # };
- # lease-database = {
- # name = "/var/lib/kea/dhcp4.leases";
- # persist = true;
- # type = "memfile";
- # };
- # rebind-timer = 2000;
- # renew-timer = 1000;
- # subnet4 = [
- # {
- # pools = [
- # {
- # pool = "192.168.12.100 - 192.168.12.240";
- # }
- # ];
- # subnet = "192.168.12.0/24";
- # }
- # ];
- # valid-lifetime = 4000;
- # };
- # };
-
- # haveged.enable = true;
-
- # k3s = {
- # enable = true;
- # role = "server";
- # };
-
- # printing = {
- # enable = true;
- # drivers = [ pkgs.brlaser ];
- # browsing = true;
- # listenAddresses = [
- # "*:631"
- # ]; # Not 100% sure this is needed and you might want to restrict to the local network
- # allowFrom = [
- # "all"
- # ]; # this gives access to anyone on the interface you might want to limit it see the official documentation
- # defaultShared = true; # If you want
- # };
-
- # avahi = {
- # enable = true;
- # publish.enable = true;
- # publish.userServices = true;
- # };
-
 tailscale = {
 enable = true;
 useRoutingFeatures = "both";
 extraUpFlags = "--advertise-exit-node --login-server=https://headscale.szczepan.ski";
 };
 
- borgbackup.jobs.home = rec {
+ borgbackup.jobs.all = rec {
 repo = "ssh://u278697-sub8@u278697.your-storagebox.de:23/./borg-backup-mini";
-
- compression = "auto,zstd";
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets.borg-key.path}";
- };
- extraCreateArgs = "--stats --verbose --checkpoint-interval=600 --exclude-caches";
- extraPruneArgs = [
- "--save-space"
- "--stats"
- ];
- extraCompactArgs = [
- "--cleanup-commits"
- ];
- environment = {
- BORG_RSH = "ssh -i /home/alex/.ssh/id_ed55129";
- BORG_BASE_DIR = "/persist/borg";
- };
- readWritePaths = ["/persist/borg"];
- paths = ["/home/alex" "/persist"];
- startAt = "daily";
- prune.keep = {
- daily = 7;
- weekly = 4;
- monthly = 6;
- };
 exclude = [
 "/home/alex/mounted"
 "/home/alex/.cache"
@@ -251,6 +97,27 @@
 };
 };
 
+ virtualisation = {
+ libvirtd = {
+ enable = true;
+ qemu = {
+ package = pkgs.qemu_kvm;
+ swtpm.enable = true;
+ ovmf = {
+ enable = true;
+ packages = [
+ (pkgs.OVMF.override {
+ secureBoot = true;
+ tpmSupport = true;
+ })
+ .fd
+ ];
+ };
+ };
+ };
+ spiceUSBRedirection.enable = true;
+ };
+
 powerManagement = {
 enable = true;
 powertop.enable = true;
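Review bot: `rec` is kept on `borgbackup.jobs.all` even though the only attributes left in this file are `repo` and `exclude`, neither of which references the other, so the line can become `borgbackup.jobs.all = {`. Renaming the job from `home` to `all` also renames the generated systemd service and timer (borgbackup-job-home to borgbackup-job-all), so anything keyed on the old unit name, such as monitoring or a manual `systemctl start`, needs updating. The job attrset continues past the end of this hunk.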
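Review bot: `virtualisation.libvirtd.qemu` leaves `runAsRoot` at its default, so guest qemu processes run as root; unless a guest needs that, adding `runAsRoot = false;` next to `package = pkgs.qemu_kvm;` lets libvirt run them as the unprivileged qemu user. `spiceUSBRedirection.enable = true` installs a setuid helper so that unprivileged users can hand USB devices to guests, which deserves a one-line comment such as `# setuid helper: lets unprivileged users redirect USB into guests` so the privilege grant is visible. Nothing in this hunk adds a user to the `libvirtd` group, so presumably that lives in configs/user.nix.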