phoenix: enable resilio sync and backups

2024-10-21 08:54:19 +01:00 · 2024-10-21 08:54:19 +01:00 · e03ce4e26c
commit e03ce4e26c
parent b18ae44ccb
8 changed files with 154 additions and 86 deletions
--- a/hosts/phoenix.st.ts.hillion.co.uk/default.nix
+++ b/hosts/phoenix.st.ts.hillion.co.uk/default.nix
@ -59,6 +59,32 @@ in
      interval = "Wed, 02:00";
    };

+    ## Resilio
+    custom.resilio = {
+      enable = true;
+      backups.enable = true;
+
+      folders =
+        let
+          folderNames = [
+            "dad"
+            "joseph"
+            "projects"
+            "resources"
+            "sync"
+          ];
+          mkFolder = name: {
+            name = name;
+            secret = {
+              name = "resilio/plain/${name}";
+              file = ../../secrets/resilio/plain/${name}.age;
+            };
+          };
+        in
+        builtins.map (mkFolder) folderNames;
+    };
+    services.resilio.directoryRoot = "/${zpool_name}/users/jake/sync";
+
    ## Chia
    age.secrets."chia/farmer.key" = {
      file = ../../secrets/chia/farmer.key.age;
--- a/modules/resilio.nix
+++ b/modules/resilio.nix
@ -16,56 +16,93 @@ in
      type = with lib.types; uniq (listOf attrs);
      default = [ ];
    };
+
+    backups = {
+      enable = lib.mkEnableOption "resilio.backups";
+    };
  };

-  config = lib.mkIf cfg.enable {
-    users.users =
-      let
-        mkUser =
-          (user: {
-            name = user;
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      users.users =
+        let
+          mkUser =
+            (user: {
+              name = user;
+              value = {
+                extraGroups = [ "rslsync" ];
+              };
+            });
+        in
+        builtins.listToAttrs (builtins.map mkUser cfg.extraUsers);
+
+      age.secrets =
+        let
+          mkSecret = (secret: {
+            name = secret.name;
            value = {
-              extraGroups = [ "rslsync" ];
+              file = secret.file;
+              owner = "rslsync";
+              group = "rslsync";
            };
          });
-      in
-      builtins.listToAttrs (builtins.map mkUser cfg.extraUsers);
-
-    age.secrets =
-      let
-        mkSecret = (secret: {
-          name = secret.name;
-          value = {
-            file = secret.file;
-            owner = "rslsync";
-            group = "rslsync";
-          };
-        });
-      in
-      builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders);
-
-    services.resilio = {
-      enable = true;
-      deviceName = lib.mkOverride 999 (lib.strings.concatStringsSep "." (lib.lists.take 2 (lib.strings.splitString "." config.networking.fqdnOrHostName)));
-
-      storagePath = lib.mkOverride 999 "${config.services.resilio.directoryRoot}/.sync";
-
-      sharedFolders =
-        let
-          mkFolder = name: secret: {
-            directory = "${config.services.resilio.directoryRoot}/${name}";
-            secretFile = "${config.age.secrets."${secret.name}".path}";
-            knownHosts = [ ];
-            searchLAN = true;
-            useDHT = true;
-            useRelayServer = true;
-            useSyncTrash = false;
-            useTracker = true;
-          };
        in
-        builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
-    };
+        builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders);

-    systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
-  };
+      services.resilio = {
+        enable = true;
+        deviceName = lib.mkOverride 999 (lib.strings.concatStringsSep "." (lib.lists.take 2 (lib.strings.splitString "." config.networking.fqdnOrHostName)));
+
+        storagePath = lib.mkOverride 999 "${config.services.resilio.directoryRoot}/.sync";
+
+        sharedFolders =
+          let
+            mkFolder = name: secret: {
+              directory = "${config.services.resilio.directoryRoot}/${name}";
+              secretFile = "${config.age.secrets."${secret.name}".path}";
+              knownHosts = [ ];
+              searchLAN = true;
+              useDHT = true;
+              useRelayServer = true;
+              useSyncTrash = false;
+              useTracker = true;
+            };
+          in
+          builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders;
+      };
+
+      systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders;
+    }
+
+    (lib.mkIf cfg.backups.enable {
+      age.secrets."resilio/restic/128G.key" = {
+        file = ../secrets/restic/128G.age;
+        owner = "rslsync";
+        group = "rslsync";
+      };
+      services.restic.backups."resilio" = {
+        repository = "rest:https://restic.ts.hillion.co.uk/128G";
+        user = "rslsync";
+        passwordFile = config.age.secrets."resilio/restic/128G.key".path;
+
+        timerConfig = {
+          OnBootSec = "10m";
+          OnUnitInactiveSec = "15m";
+          RandomizedDelaySec = "5m";
+        };
+
+        paths = [ config.services.resilio.directoryRoot ];
+        exclude = [
+          "${config.services.resilio.directoryRoot}/.sync"
+          "${config.services.resilio.directoryRoot}/*/.sync"
+
+          "${config.services.resilio.directoryRoot}/resources/media/films"
+          "${config.services.resilio.directoryRoot}/resources/media/iso"
+          "${config.services.resilio.directoryRoot}/resources/media/tv"
+
+          "${config.services.resilio.directoryRoot}/dad/media"
+        ];
+      };
+    })
+  ]);
 }
--- a/secrets/resilio/plain/dad.age
+++ b/secrets/resilio/plain/dad.age
@ -1,21 +1,24 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
-EPZOBgPiAUU7ZB/+HAU/rrTRY+xYvbUxzWqDE6h58ld4NMG6+eBE7TRvzzfnYyYN
-n97k00+h2ygm52hfoQFuUW7kXOAlZZDd3u9r45ELN9sx3sPM7dmuOyGMWca5VYf/
-jqObPcEdhbcr3SdTocsNM5e3hWYYyEO/bvDgoRWeckOR0WRWflVRUXXrUTfTnty2
-KAaNuTyOtxjJGo0T4GXEOzZrM1Bkhk9nLJPdFhC1JgYV/pjIRSYD5J3ddWYiHFX5
-uih9bOq2TK/HdNTw2Y+c37XywQjacxqWvrk32tlf270hy4a5+xIYmuwJW/njcFXd
-7rkeEhpr6/vGftAZLhlLDw
+W/JpTGL3h9Ie2UIPRhJ5l3KyR/TbWlgHgJY/XZNafW/mlMyZSKrA2imwyoq+vh5L
+nztzl52lpvq8qQyF5jlfPsKJG/0bAPHhon63RPPj8fgh9Txp+lDVZpt8IMv3GT7v
+j/wmQ1/6wTTDar2XDxn8Rz/Spn8EBnHvGNgNUEKrs6xwcWylX+dVwwobm8OsazMY
+tLiw+NGC/ctQPJNKAUfgGrcovoOpsnYgbT5bi3NU5hma2oogMSAAL/O7LcxLy5ta
+yccw6E+Uwy20FDccvZcUCpuceKa3UT8tFBS3mjH/CmCpcPpoT+Wnx8iguwPzsEE7
+5KDSNBjTnK9OmexEeJcVHw
 -> ssh-rsa K9mW1w
-oRU8fuhEhxnLcbKB9XWZXcG41GFSfInyI+D3RP+Nvk0NV39rDiNZNUV25drZvAxo
-iphA7XuHDxAP5ropBjtZLNpIQDVwQynRoPmtvJmz74bYOxSRtGBvN1U9R0LOBgBz
-6Sd/DRuXKEmFBhNoaGbyi+s7RBalJaGfncHWdWSt58Pr7yVVlgX7hxk/YJ4fTLDv
-pXFUnvfO6VeCUVzowTXEZ62vh72L4+lNETBcJOx/ckJveee8kWrY0WAaxKEOXiC5
-IVHjWHXXhXic56ShaDUOcjICoBlQMg9OgYf0lRLOAN1gCAN5DXbQOMsFl3S7VSsF
-YhdmaKTuV6IJ7cy5RIIdLg
-> ssh-ed25519 rjda/A 6iDdTEocgv06P/3+L1iWwq7Gm7a1b7T6lZShSM5EJRs
-m/S+62etPaEeHwtlFBtzUfnx2nkOgiQgIgBKceAJHeQ
-> ssh-ed25519 iWiFbA pfQMsGLDsG++Xm/fD818zYDmRAa2nC0k549NX2OxiA0
-Dmlw+2WwBdVWzr13OTy6cjZAQVQRm9RVHFF5LsM5EBo
--- JUB1zhbUjh1AMqVohboNnNqsPBvv0fCaVqMgcyVpPH8
-¹hÜ<EFBFBD>fÈ$où,8°A`œ÷†¼³<C2BC>™ë™šíH f\_y0Ý éí÷„wcPáÄ”àËÈÆ€1Øúõ$[!tv
+E8ZznY4+Ku09sNlUqrnk0V0KXdlouRDVgEipNhnlH/comEtU41DsnIminGO3fw2R
+9WS43TRzys0VOJasXN/f+nUJoc24S0RMfOCbm+S5yacr5hSctXobR8h7tJwkjchU
+nh4LXpbMC9RZIPNEmlvi6ft1hvay1UARgEeLOmxXohg6i9dZN9PCgwuXhLi7LyyY
+Xp+Dp8qTV8Z47wj4drkt5xo8CRADpK2gmaJM1gsKVHhiYw9YG0HDP4HnHj2eDX42
+Ub9fonGVe7qAtOcdGwvfE5asI7oRV0vMNWVXVeCpVJz4HnOS9j3KmBsIjqjYhtbd
+GYmbj433+djDi7pkyuUAUg
+-> ssh-ed25519 RR/L5A uX9nKtJKe5+S9h0xKahI20M5IbKhrhIPcrjSLquuW1c
+Kkds3meVksyqjrn2Tz8LjowfFLqPlvlvK3/eyG1DbWw
+-> ssh-ed25519 rjda/A f//WHnXa7eTJryZXEZHn3RMaEahT/MwG5Y5i2lQwuls
+Iqw8M/kxiJPUOVuAIucFeY+fo9CBK9oGbLXtuz99eB4
+-> ssh-ed25519 iWiFbA 5IkM2IPNwhwgW5fTiaiaIyAi2BgBPHDgdL/5C/Qt2QA
+AJ4wLzu6fAJ3R+PayHAyIZZgutWSO2zZddq4H6g4qRs
+--- VyVB3OASslBK+4eWM2toRNwpKgpOn0qOs+F3e8MgEUs
+’¬)ôrù°Î><3E> :¸Ç·û’œðãéœ¸][8*É‹%9Ÿ"ßÓ§‚–´/`
+ÿfðŸbH´S_ÒâxÐî²
--- a/secrets/resilio/plain/joseph.age
+++ b/secrets/resilio/plain/joseph.age
--- a/secrets/resilio/plain/projects.age
+++ b/secrets/resilio/plain/projects.age
--- a/secrets/resilio/plain/resources.age
+++ b/secrets/resilio/plain/resources.age
--- a/secrets/resilio/plain/sync.age
+++ b/secrets/resilio/plain/sync.age
@ -1,21 +1,23 @@
 age-encryption.org/v1
 -> ssh-rsa GxPFJQ
-ZVcJQCHZVc/K9KaJTDRPCFJJCb9OAg6WYKLiS3hbBA2NhARsvw6plBu9WBrlExMj
-n++ZCx6Jl1n0yq2+6rSaThHf7c7SoGRdO77rclK6ILhZ2uar49fRbjiJyhIEaH9g
-g2pMwdvlqh4CyQBdyFigriXDpxhKPLBnNVZrlHknFNeEy+oMnrFgZXaEZMvsgzmD
-T+laML8uH6dodxW48P7kOwKX0ya9WKrBAcEZ+XXEeTpwgGD0vXJmizRpCs6DrJl/
-FDy1p65vLIfZYzgxVBsoutdJKQP1h+Zu1ykVYm4JKwprD/hrK9vP9MBc5nSNRD0P
-kYOcTkmueSh4S8tQGaf3lA
+D0Idk3mWqB1Xnv/ovfhrhxigYg4iYpIVUv4Xq6mz3E/kf1aM1KMH+vOfdDpf6eg6
+ufriFO51HPAEN1nqq3bFteOxLq7B3RkbonDjgq90i+1er3bSNxrzlC+f440mmB6w
+nc2UvqqN3UTGuQqrHWCUp7HQ/RBToASgz8SCqim96UY86Df2BPTY7P+EsMraO2Zw
+bHTDNyLZB6hZZQfoCpUz4J7Hq5x7cBpLH+S2No1xWMHDy11LkgS9DDFGL6/lDGMm
+GcoQv0V14iQyb0KHYwkJKd4q4Vx20LMwAYqSFt33XN2SAbqKgo8p2nJQnCBZkn/P
+fl61Tqiiy5NEya2hc9bELQ
 -> ssh-rsa K9mW1w
-PTIieqZ31cNjwUSHCXny/5botfCJt0X4ot1kzkDOXt402ZxrmSh7Lt+Zf3Avjvbs
-+Q2jfSvh6Oj8bubBZdCgYADI7OOAAUGSFGjG9ctTVnoORUGF2P0xaVGv/EShO+2W
-1gDUEJXfkDXW8GN7NmOlt7Yh0NNOndzsMhjxo+iqd8e4Ux8J6L7CV/Yg25v9Zs8W
-ocwFYCngeFTZmvlTe7hsd+26BlvHSMOqKXZUDfjzsMX+bWTxzIgS4lAjNDCYDNan
-vIXSktu051Q0aQ5bdGJtnWYx8xRz8/S+K9Xs7WgP9TEENd0kAcxQhn6dd2AUZYSD
-4SqV4SgKsGpdNv6ceHI9qA
-> ssh-ed25519 rjda/A WkxHtfUpVL2AE1eLn0Zp0qVr191/umWcGJl7KUGfURE
-FBhE2Qwib+n3x9XL/GM1HzWMeeznPJw0gPZ/ALjGtJA
-> ssh-ed25519 iWiFbA +5PSAc60g3QsJ3rPaz1a1S2A79Vew85c1uCn0ajLbyQ
-IUcm6BA1kH8ZcvCBRoyR1HJ2GJEXaOrUH6JCIGAzKRE
--- OZtfOD2pDRkjgPMMFYErZfyAozBLBKzmUndxfKBcewI
-Oj)öùð 9Ô®Ê. <20>±bý ãè<C3A3>€šLüŠBÁ‘™{k½+4dá¹á·ÉYC/ªîù<1A>ñ <ÞÅMãþJe4
+T/A5xeJ+mP8uK+yuhxvqMwvdMqFMIb8ZPB1K4L8gnVk4xTPW3jIYgGqOFVOOtf0I
+4+nBvGxbA9fqi4Mi5q9to0Lg/8vMOOBG7cx5ApqXP+UAhXZEsyAyIZ+TK3pIYTXW
+mj8DBw7AtvvHdEb1rBA7RxWHW1WdjoOlnuz+X9hMSKbBfhhINwuYopn+jGbrAz4B
+5ehpzYMjyGMM0u621A34UaVD6ocVpVzYVMJuXtACAZcY11porzoVtPHDiibX+Ysf
+t2oV16Hw52yEa/QnSxhB3f1XPdzqo6yllLkWk+7kEsMXbGM6snKPjnfzOHpvo47W
+tCjTYVmHDS/maSYKEVMNcg
+-> ssh-ed25519 RR/L5A Jd+CAknpb/VluTjp1rmyzyOaLBPWFXApespITJpc+2Q
+UqrPrFFvG/4qA4VT4TvJSWQ1wPTsGpkn9141ob5yizY
+-> ssh-ed25519 rjda/A AGNRQXks1E2i+in4IcTVCxv7sU+W6aWPqPxzMe2lig8
+/w+iid2fSic4HwjuU9wNvyL3O5KLeQBiRFFO+8HOda4
+-> ssh-ed25519 iWiFbA RxKG7+5QYBMxf/5GOlLkJtmxRIGrHZ0fNRT+SlIM33g
+ejBO6/qUF2CGa6FiVutpjdTlakIoSSklfg6+ykgzo1U
+--- CocYhJAFnI9XN+CU/AieVbBL1USYo1VydYANS35DASw
+Œ<EFBFBD>æƒ 7ÿ“3#”å	ÃÌ/'û‘ëe½€|rÁçÇÒÿv»f®|–ÙµŸ{Íß2Žhç.?æ=øi¿ÉnPdx
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -70,11 +70,11 @@ in
  "resilio/encrypted/sync.age".publicKeys = jake_users ++ [ ];

  ## Read/Write Resilio Sync Secrets
-  "resilio/plain/dad.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ];
-  "resilio/plain/joseph.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ];
-  "resilio/plain/projects.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ];
-  "resilio/plain/resources.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ];
-  "resilio/plain/sync.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ];
+  "resilio/plain/dad.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ];
+  "resilio/plain/joseph.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ];
+  "resilio/plain/projects.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ];
+  "resilio/plain/resources.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ];
+  "resilio/plain/sync.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ];

  # Matrix Secrets
  "matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];