diff --git a/hosts/phoenix.st.ts.hillion.co.uk/default.nix b/hosts/phoenix.st.ts.hillion.co.uk/default.nix index 4a093d6..052a5a7 100644 --- a/hosts/phoenix.st.ts.hillion.co.uk/default.nix +++ b/hosts/phoenix.st.ts.hillion.co.uk/default.nix @@ -59,6 +59,32 @@ in interval = "Wed, 02:00"; }; + ## Resilio + custom.resilio = { + enable = true; + backups.enable = true; + + folders = + let + folderNames = [ + "dad" + "joseph" + "projects" + "resources" + "sync" + ]; + mkFolder = name: { + name = name; + secret = { + name = "resilio/plain/${name}"; + file = ../../secrets/resilio/plain/${name}.age; + }; + }; + in + builtins.map (mkFolder) folderNames; + }; + services.resilio.directoryRoot = "/${zpool_name}/users/jake/sync"; + ## Chia age.secrets."chia/farmer.key" = { file = ../../secrets/chia/farmer.key.age; diff --git a/modules/resilio.nix b/modules/resilio.nix index e73f3a6..9a1bf48 100644 --- a/modules/resilio.nix +++ b/modules/resilio.nix 
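Review bot: The five folders under `custom.resilio.folders` are provisioned from `resilio/plain/${name}`, which the recipients list in secrets.nix labels as the read/write keys, so phoenix can push changes and deletions to every peer rather than only receive them. If this host is mainly a storage and backup target (it also sets `backups.enable = true`), a read-only key per folder would limit what a compromise of phoenix can alter on the other devices. If full peer access is intended, a comment such as `# read/write keys: phoenix is a full peer for these folders` above `folders =` would record that. As a smaller style point, `name = name;` can be written `inherit name;` and the parentheses in `builtins.map (mkFolder) folderNames` are redundant.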
@@ -16,56 +16,93 @@ in type = with lib.types; uniq (listOf attrs); default = [ ]; }; + + backups = { + enable = lib.mkEnableOption "resilio.backups"; + }; }; - config = lib.mkIf cfg.enable { - users.users = - let - mkUser = - (user: { - name = user; + config = lib.mkIf cfg.enable (lib.mkMerge [ + { + users.users = + let + mkUser = + (user: { + name = user; + value = { + extraGroups = [ "rslsync" ]; + }; + }); + in + builtins.listToAttrs (builtins.map mkUser cfg.extraUsers); + + age.secrets = + let + mkSecret = (secret: { + name = secret.name; value = { - extraGroups = [ "rslsync" ]; + file = secret.file; + owner = "rslsync"; + group = "rslsync"; }; }); - in - builtins.listToAttrs (builtins.map mkUser cfg.extraUsers); - - age.secrets = - let - mkSecret = (secret: { - name = secret.name; - value = { - file = secret.file; - owner = "rslsync"; - group = "rslsync"; - }; - }); - in - builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders); - - services.resilio = { - enable = true; - deviceName = lib.mkOverride 999 (lib.strings.concatStringsSep "." (lib.lists.take 2 (lib.strings.splitString "." config.networking.fqdnOrHostName))); - - storagePath = lib.mkOverride 999 "${config.services.resilio.directoryRoot}/.sync"; - - sharedFolders = - let - mkFolder = name: secret: { - directory = "${config.services.resilio.directoryRoot}/${name}"; - secretFile = "${config.age.secrets."${secret.name}".path}"; - knownHosts = [ ]; - searchLAN = true; - useDHT = true; - useRelayServer = true; - useSyncTrash = false; - useTracker = true; - }; in - builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders; - }; + builtins.listToAttrs (builtins.map (folder: mkSecret folder.secret) cfg.folders); - systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders; - }; + services.resilio = { + enable = true; + deviceName = lib.mkOverride 999 (lib.strings.concatStringsSep "." 
(lib.lists.take 2 (lib.strings.splitString "." config.networking.fqdnOrHostName))); + + storagePath = lib.mkOverride 999 "${config.services.resilio.directoryRoot}/.sync"; + + sharedFolders = + let + mkFolder = name: secret: { + directory = "${config.services.resilio.directoryRoot}/${name}"; + secretFile = "${config.age.secrets."${secret.name}".path}"; + knownHosts = [ ]; + searchLAN = true; + useDHT = true; + useRelayServer = true; + useSyncTrash = false; + useTracker = true; + }; + in + builtins.map (folder: mkFolder folder.name folder.secret) cfg.folders; + }; + + systemd.services.resilio.unitConfig.RequiresMountsFor = builtins.map (folder: "${config.services.resilio.directoryRoot}/${folder.name}") cfg.folders; + } + + (lib.mkIf cfg.backups.enable { + age.secrets."resilio/restic/128G.key" = { + file = ../secrets/restic/128G.age; + owner = "rslsync"; + group = "rslsync"; + }; + services.restic.backups."resilio" = { + repository = "rest:https://restic.ts.hillion.co.uk/128G"; + user = "rslsync"; + passwordFile = config.age.secrets."resilio/restic/128G.key".path; + + timerConfig = { + OnBootSec = "10m"; + OnUnitInactiveSec = "15m"; + RandomizedDelaySec = "5m"; + }; + + paths = [ config.services.resilio.directoryRoot ]; + exclude = [ + "${config.services.resilio.directoryRoot}/.sync" + "${config.services.resilio.directoryRoot}/*/.sync" + + "${config.services.resilio.directoryRoot}/resources/media/films" + "${config.services.resilio.directoryRoot}/resources/media/iso" + "${config.services.resilio.directoryRoot}/resources/media/tv" + + "${config.services.resilio.directoryRoot}/dad/media" + ]; + }; + }) + ]); } diff --git a/secrets/resilio/plain/dad.age b/secrets/resilio/plain/dad.age index 5eadf39..ce97b85 100644 --- a/secrets/resilio/plain/dad.age +++ b/secrets/resilio/plain/dad.age 
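Review bot: In the new `lib.mkIf cfg.backups.enable` branch the restic password is decrypted with `owner = "rslsync"` and the job runs with `user = "rslsync"`, so the account that runs the sync daemon and handles peer traffic can also read the key for `rest:https://restic.ts.hillion.co.uk/128G`. Whether that key allows removing snapshots depends on the server configuration, which is not visible here; if the repository is not served append-only, a compromise of the daemon could destroy the backups along with the synced data. A comment above the secret such as `# readable by rslsync; the 128G repository must be append-only on the server` would make the assumption explicit. Separately, the `exclude` list hard-codes folder-specific paths (`resources/media/...`, `dad/media`) in a shared module; a list option under `backups` would keep host-specific paths out of it.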
@@ -1,21 +1,24 @@ age-encryption.org/v1 -> ssh-rsa GxPFJQ -EPZOBgPiAUU7ZB/+HAU/rrTRY+xYvbUxzWqDE6h58ld4NMG6+eBE7TRvzzfnYyYN -n97k00+h2ygm52hfoQFuUW7kXOAlZZDd3u9r45ELN9sx3sPM7dmuOyGMWca5VYf/ -jqObPcEdhbcr3SdTocsNM5e3hWYYyEO/bvDgoRWeckOR0WRWflVRUXXrUTfTnty2 -KAaNuTyOtxjJGo0T4GXEOzZrM1Bkhk9nLJPdFhC1JgYV/pjIRSYD5J3ddWYiHFX5 -uih9bOq2TK/HdNTw2Y+c37XywQjacxqWvrk32tlf270hy4a5+xIYmuwJW/njcFXd -7rkeEhpr6/vGftAZLhlLDw +W/JpTGL3h9Ie2UIPRhJ5l3KyR/TbWlgHgJY/XZNafW/mlMyZSKrA2imwyoq+vh5L +nztzl52lpvq8qQyF5jlfPsKJG/0bAPHhon63RPPj8fgh9Txp+lDVZpt8IMv3GT7v +j/wmQ1/6wTTDar2XDxn8Rz/Spn8EBnHvGNgNUEKrs6xwcWylX+dVwwobm8OsazMY +tLiw+NGC/ctQPJNKAUfgGrcovoOpsnYgbT5bi3NU5hma2oogMSAAL/O7LcxLy5ta +yccw6E+Uwy20FDccvZcUCpuceKa3UT8tFBS3mjH/CmCpcPpoT+Wnx8iguwPzsEE7 +5KDSNBjTnK9OmexEeJcVHw -> ssh-rsa K9mW1w -oRU8fuhEhxnLcbKB9XWZXcG41GFSfInyI+D3RP+Nvk0NV39rDiNZNUV25drZvAxo -iphA7XuHDxAP5ropBjtZLNpIQDVwQynRoPmtvJmz74bYOxSRtGBvN1U9R0LOBgBz -6Sd/DRuXKEmFBhNoaGbyi+s7RBalJaGfncHWdWSt58Pr7yVVlgX7hxk/YJ4fTLDv -pXFUnvfO6VeCUVzowTXEZ62vh72L4+lNETBcJOx/ckJveee8kWrY0WAaxKEOXiC5 -IVHjWHXXhXic56ShaDUOcjICoBlQMg9OgYf0lRLOAN1gCAN5DXbQOMsFl3S7VSsF -YhdmaKTuV6IJ7cy5RIIdLg --> ssh-ed25519 rjda/A 6iDdTEocgv06P/3+L1iWwq7Gm7a1b7T6lZShSM5EJRs -m/S+62etPaEeHwtlFBtzUfnx2nkOgiQgIgBKceAJHeQ --> ssh-ed25519 iWiFbA pfQMsGLDsG++Xm/fD818zYDmRAa2nC0k549NX2OxiA0 -Dmlw+2WwBdVWzr13OTy6cjZAQVQRm9RVHFF5LsM5EBo ---- JUB1zhbUjh1AMqVohboNnNqsPBvv0fCaVqMgcyVpPH8 -h܍f$o,8A`뙚H f\_y0ݠwcPƀ1$[!tv \ No newline at end of file +E8ZznY4+Ku09sNlUqrnk0V0KXdlouRDVgEipNhnlH/comEtU41DsnIminGO3fw2R +9WS43TRzys0VOJasXN/f+nUJoc24S0RMfOCbm+S5yacr5hSctXobR8h7tJwkjchU +nh4LXpbMC9RZIPNEmlvi6ft1hvay1UARgEeLOmxXohg6i9dZN9PCgwuXhLi7LyyY +Xp+Dp8qTV8Z47wj4drkt5xo8CRADpK2gmaJM1gsKVHhiYw9YG0HDP4HnHj2eDX42 +Ub9fonGVe7qAtOcdGwvfE5asI7oRV0vMNWVXVeCpVJz4HnOS9j3KmBsIjqjYhtbd +GYmbj433+djDi7pkyuUAUg +-> ssh-ed25519 RR/L5A uX9nKtJKe5+S9h0xKahI20M5IbKhrhIPcrjSLquuW1c +Kkds3meVksyqjrn2Tz8LjowfFLqPlvlvK3/eyG1DbWw +-> ssh-ed25519 rjda/A 
f//WHnXa7eTJryZXEZHn3RMaEahT/MwG5Y5i2lQwuls +Iqw8M/kxiJPUOVuAIucFeY+fo9CBK9oGbLXtuz99eB4 +-> ssh-ed25519 iWiFbA 5IkM2IPNwhwgW5fTiaiaIyAi2BgBPHDgdL/5C/Qt2QA +AJ4wLzu6fAJ3R+PayHAyIZZgutWSO2zZddq4H6g4qRs +--- VyVB3OASslBK+4eWM2toRNwpKgpOn0qOs+F3e8MgEUs +)r>:Ƿ霸][8*ɋ%9"ӧ/` +f bHS_x \ No newline at end of file diff --git a/secrets/resilio/plain/joseph.age b/secrets/resilio/plain/joseph.age index 204c162..d87ad1f 100644 Binary files a/secrets/resilio/plain/joseph.age and b/secrets/resilio/plain/joseph.age differ diff --git a/secrets/resilio/plain/projects.age b/secrets/resilio/plain/projects.age index 76fd851..e11710e 100644 Binary files a/secrets/resilio/plain/projects.age and b/secrets/resilio/plain/projects.age differ diff --git a/secrets/resilio/plain/resources.age b/secrets/resilio/plain/resources.age index 25c20ad..f0e99cd 100644 Binary files a/secrets/resilio/plain/resources.age and b/secrets/resilio/plain/resources.age differ diff --git a/secrets/resilio/plain/sync.age b/secrets/resilio/plain/sync.age index 4129562..0ef924f 100644 --- a/secrets/resilio/plain/sync.age +++ b/secrets/resilio/plain/sync.age 
@@ -1,21 +1,23 @@ age-encryption.org/v1 -> ssh-rsa GxPFJQ -ZVcJQCHZVc/K9KaJTDRPCFJJCb9OAg6WYKLiS3hbBA2NhARsvw6plBu9WBrlExMj -n++ZCx6Jl1n0yq2+6rSaThHf7c7SoGRdO77rclK6ILhZ2uar49fRbjiJyhIEaH9g -g2pMwdvlqh4CyQBdyFigriXDpxhKPLBnNVZrlHknFNeEy+oMnrFgZXaEZMvsgzmD -T+laML8uH6dodxW48P7kOwKX0ya9WKrBAcEZ+XXEeTpwgGD0vXJmizRpCs6DrJl/ -FDy1p65vLIfZYzgxVBsoutdJKQP1h+Zu1ykVYm4JKwprD/hrK9vP9MBc5nSNRD0P -kYOcTkmueSh4S8tQGaf3lA +D0Idk3mWqB1Xnv/ovfhrhxigYg4iYpIVUv4Xq6mz3E/kf1aM1KMH+vOfdDpf6eg6 +ufriFO51HPAEN1nqq3bFteOxLq7B3RkbonDjgq90i+1er3bSNxrzlC+f440mmB6w +nc2UvqqN3UTGuQqrHWCUp7HQ/RBToASgz8SCqim96UY86Df2BPTY7P+EsMraO2Zw +bHTDNyLZB6hZZQfoCpUz4J7Hq5x7cBpLH+S2No1xWMHDy11LkgS9DDFGL6/lDGMm +GcoQv0V14iQyb0KHYwkJKd4q4Vx20LMwAYqSFt33XN2SAbqKgo8p2nJQnCBZkn/P +fl61Tqiiy5NEya2hc9bELQ -> ssh-rsa K9mW1w -PTIieqZ31cNjwUSHCXny/5botfCJt0X4ot1kzkDOXt402ZxrmSh7Lt+Zf3Avjvbs -+Q2jfSvh6Oj8bubBZdCgYADI7OOAAUGSFGjG9ctTVnoORUGF2P0xaVGv/EShO+2W -1gDUEJXfkDXW8GN7NmOlt7Yh0NNOndzsMhjxo+iqd8e4Ux8J6L7CV/Yg25v9Zs8W -ocwFYCngeFTZmvlTe7hsd+26BlvHSMOqKXZUDfjzsMX+bWTxzIgS4lAjNDCYDNan -vIXSktu051Q0aQ5bdGJtnWYx8xRz8/S+K9Xs7WgP9TEENd0kAcxQhn6dd2AUZYSD -4SqV4SgKsGpdNv6ceHI9qA --> ssh-ed25519 rjda/A WkxHtfUpVL2AE1eLn0Zp0qVr191/umWcGJl7KUGfURE -FBhE2Qwib+n3x9XL/GM1HzWMeeznPJw0gPZ/ALjGtJA --> ssh-ed25519 iWiFbA +5PSAc60g3QsJ3rPaz1a1S2A79Vew85c1uCn0ajLbyQ -IUcm6BA1kH8ZcvCBRoyR1HJ2GJEXaOrUH6JCIGAzKRE ---- OZtfOD2pDRkjgPMMFYErZfyAozBLBKzmUndxfKBcewI -Oj) 9Ԯ. b 萀LB{k+4dYC/  ssh-ed25519 RR/L5A Jd+CAknpb/VluTjp1rmyzyOaLBPWFXApespITJpc+2Q +UqrPrFFvG/4qA4VT4TvJSWQ1wPTsGpkn9141ob5yizY +-> ssh-ed25519 rjda/A AGNRQXks1E2i+in4IcTVCxv7sU+W6aWPqPxzMe2lig8 +/w+iid2fSic4HwjuU9wNvyL3O5KLeQBiRFFO+8HOda4 +-> ssh-ed25519 iWiFbA RxKG7+5QYBMxf/5GOlLkJtmxRIGrHZ0fNRT+SlIM33g +ejBO6/qUF2CGa6FiVutpjdTlakIoSSklfg6+ykgzo1U +--- CocYhJAFnI9XN+CU/AieVbBL1USYo1VydYANS35DASw + 73# /'e|rvf|{2h.?=inPdx \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 7a65131..0b0267a 100644 --- a/secrets/secrets.nix 
+++ b/secrets/secrets.nix @@ -70,11 +70,11 @@ in "resilio/encrypted/sync.age".publicKeys = jake_users ++ [ ]; ## Read/Write Resilio Sync Secrets - "resilio/plain/dad.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ]; - "resilio/plain/joseph.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ]; - "resilio/plain/projects.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ]; - "resilio/plain/resources.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ]; - "resilio/plain/sync.age".publicKeys = jake_users ++ [ ts.terminals.jakehillion.gendry ts.cx.boron ]; + "resilio/plain/dad.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ]; + "resilio/plain/joseph.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ]; + "resilio/plain/projects.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ]; + "resilio/plain/resources.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ]; + "resilio/plain/sync.age".publicKeys = jake_users ++ [ ts.st.phoenix ts.terminals.jakehillion.gendry ts.cx.boron ]; # Matrix Secrets "matrix/matrix.hillion.co.uk/macaroon_secret_key.age".publicKeys = jake_users ++ [ ts.cx.boron ];
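Review bot: `ts.st.phoenix` is added as a recipient of the five `resilio/plain/*.age` entries, but nothing in this diff shows it as a recipient of `secrets/restic/128G.age`, which the module's backups branch decrypts on any host with `backups.enable`. That entry may sit outside this hunk and already list phoenix. If it does not, the secret cannot be decrypted on phoenix and the `resilio` restic job will have no password file. Worth confirming that the `restic/128G.age` entry includes `ts.st.phoenix` and that the file was re-encrypted the same way as the resilio secrets in this commit.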