oluceps · oluceps · Sep 22, 2024 · Sep 22, 2024 · Sep 22, 2024 · Sep 22, 2024
diff --git a/flake.nix b/flake.nix
@@ -141,9 +141,12 @@
           nixosModules =
             let
               shadowedModules = [ "sundial" ];
-              modules = extraLibs.genFilteredDirAttrsV2 ./modules shadowedModules (
-                n: import (./modules + "/${n}.nix")
-              );
+              modules =
+                let
+                  genModule =
+                    dir: extraLibs.genFilteredDirAttrsV2 dir shadowedModules (n: import (dir + "/${n}.nix"));
+                in
+                (genModule ./modules) // { repack = ./repack; };
 
               default =
                 { ... }:

diff --git a/hosts/abhoth/default.nix b/hosts/abhoth/default.nix
@@ -44,7 +44,6 @@ withSystem "x86_64-linux" (
       user = "elen";
     };
     modules = lib.sharedModules ++ [
-      ../../srv
       ../sysvars.nix
       ./hardware.nix
       ./network.nix

diff --git a/hosts/abhoth/spec.nix b/hosts/abhoth/spec.nix
@@ -26,31 +26,29 @@
     "nyaw.key"
   ];
 
-  srv = {
+  repack = {
     openssh.enable = true;
     fail2ban.enable = true;
     dnsproxy = {
       enable = true;
-      override = {
-        settings = {
-          bootstrap = [
-            "1.1.1.1"
-            "8.8.8.8"
-          ];
-          listen-addrs = [ "0.0.0.0" ];
-          listen-ports = [ 53 ];
-          upstream-mode = "load_balance";
-          upstream = [
-            "1.1.1.1"
-            "8.8.8.8"
-            "https://dns.google/dns-query"
-          ];
-        };
-      };
     };
     # rustypaste.enable = true;
   };
   services = {
+    dnsproxy.settings = lib.mkForce {
+      bootstrap = [
+        "1.1.1.1"
+        "8.8.8.8"
+      ];
+      listen-addrs = [ "0.0.0.0" ];
+      listen-ports = [ 53 ];
+      upstream-mode = "load_balance";
+      upstream = [
+        "1.1.1.1"
+        "8.8.8.8"
+        "https://dns.google/dns-query"
+      ];
+    };
     metrics.enable = true;
     trojan-server.enable = true;
     hysteria.instances = [

diff --git a/hosts/azasos/default.nix b/hosts/azasos/default.nix
@@ -43,7 +43,6 @@ withSystem "x86_64-linux" (
       user = "elen";
     };
     modules = lib.sharedModules ++ [
-      ../../srv
       inputs.disko.nixosModules.default
       ./hardware.nix
       ./network.nix

diff --git a/hosts/azasos/spec.nix b/hosts/azasos/spec.nix
@@ -26,7 +26,7 @@
     supportedFilesystems = [ "tcp_bbr" ];
     inherit ((import ../sysctl.nix { inherit lib; }).boot) kernel;
   };
-  srv = {
+  repack = {
     openssh.enable = true;
     fail2ban.enable = true;
     dae.enable = false;

diff --git a/hosts/colour/default.nix b/hosts/colour/default.nix
@@ -43,7 +43,6 @@ withSystem "x86_64-linux" (
       user = "elen";
     };
     modules = lib.sharedModules ++ [
-      ../../srv
       ./hardware.nix
       ./network.nix
       ./rekey.nix

diff --git a/hosts/eihort/default.nix b/hosts/eihort/default.nix
@@ -45,7 +45,6 @@ withSystem "x86_64-linux" (
       ./spec.nix
       ./sysctl.nix
       ../persist.nix
-      ../../srv
       ../../age.nix
       ../../packages.nix
       ../../misc.nix

diff --git a/hosts/eihort/spec.nix b/hosts/eihort/spec.nix
@@ -58,7 +58,7 @@
     supportedFilesystems = [ "tcp_bbr" ];
   };
   # environment.systemPackages = with pkgs;[ zfs ];
-  srv = {
+  repack = {
     openssh.enable = true;
     fail2ban.enable = true;
     phantomsocks.enable = true;

diff --git a/hosts/hastur/default.nix b/hosts/hastur/default.nix
@@ -46,14 +46,12 @@ withSystem "x86_64-linux" (
     modules =
       lib.sharedModules
       ++ [
-        ../../srv
         ./hardware.nix
         ./network.nix
         ./rekey.nix
         ./spec.nix
         ./caddy.nix
-        # ./nginx.nix
-        # ../graphBase.nix
+        ./restic.nix
 
         ../persist.nix
         ../secureboot.nix
@@ -69,7 +67,6 @@ withSystem "x86_64-linux" (
         inputs.niri.nixosModules.niri
         ../../users.nix
 
-        ./misskey.nix
         ../dev.nix
       ]
       ++ (with inputs; [

diff --git a/hosts/hastur/nginx.nix b/hosts/hastur/nginx.nix
@@ -6,5 +6,5 @@
     "nyaw.key"
   ];
 
-  srv.nginx.enable = true;
+  repack.nginx.enable = true;
 }
diff --git a/hosts/hastur/restic.nix b/hosts/hastur/restic.nix
@@ -0,0 +1,63 @@
+{ config, lib, ... }:
+{
+  systemd.services = lib.listToAttrs (
+    map (name: {
+      name = "restic-backups-${name}";
+      value = {
+        serviceConfig.Environment = [ "GOGC=20" ];
+      };
+    }) (lib.attrNames config.services.restic.backups)
+  );
+
+  services.restic = {
+    backups = {
+      # solid = {
+      #   passwordFile = config.age.secrets.wg.path;
+      #   repositoryFile = config.age.secrets.restic-repo.path;
+      #   environmentFile = config.age.secrets.restic-envs.path;
+      #   paths = [
+      #     "/persist"
+      #     "/var"
+      #   ];
+      #   extraBackupArgs = [
+      #     "--one-file-system"
+      #     "--exclude-caches"
+      #     "--no-scan"
+      #     "--retry-lock 2h"
+      #   ];
+      #   timerConfig = {
+      #     OnCalendar = "daily";
+      #     RandomizedDelaySec = "4h";
+      #     FixedRandomDelay = true;
+      #     Persistent = true;
+      #   };
+      # };
+      critic = {
+        #### CLOUDFLARE R2 but connectivity bad
+        #   passwordFile = config.age.secrets.wg.path;
+        #   repositoryFile = config.age.secrets.restic-repo-crit.path;
+        #   environmentFile = config.age.secrets.restic-envs-crit.path;
+        passwordFile = config.age.secrets.wg.path;
+        repository = "s3:http://10.0.1.3:3900/crit";
+        environmentFile = config.age.secrets.restic-envs-dc3.path;
+        ####
+        paths = [
+          "/var/.snapshots/latest/lib/backup"
+          "/var/.snapshots/latest/lib/private/matrix-conduit"
+        ];
+        extraBackupArgs = [
+          "--exclude-caches"
+          "--no-scan"
+          "--retry-lock 2h"
+        ];
+        pruneOpts = [ "--keep-daily 3" ];
+        timerConfig = {
+          OnCalendar = "daily";
+          RandomizedDelaySec = "4h";
+          FixedRandomDelay = true;
+          Persistent = true;
+        };
+      };
+    };
+  };
+}
diff --git a/hosts/hastur/spec.nix b/hosts/hastur/spec.nix
@@ -32,20 +32,7 @@
     ${pkgs.openssh}/bin/ssh-add ${config.age.secrets.id.path}
   '';
   systemd = {
-    services = {
-      alertmanager.serviceConfig.LoadCredential = [
-        "notifychan:${config.age.secrets.notifychan.path}"
-      ];
-
-      atuin.serviceConfig.Environment = [ "RUST_LOG=debug" ];
-
-      prometheus.serviceConfig.LoadCredential = (map (lib.genCredPath config)) [
-        "prom"
-      ];
-    };
-
     enableEmergencyMode = false;
-
     watchdog = {
       runtimeTime = "20s";
       rebootTime = "30s";
@@ -65,7 +52,7 @@
   ] ++ [ config.services.photoprism.port ];
 
   services.smartd.notifications.systembus-notify.enable = true;
-  srv = {
+  repack = {
     openssh.enable = true;
     fail2ban.enable = true;
     dae.enable = true;
@@ -80,44 +67,12 @@
     vaultwarden.enable = true;
     matrix-conduit.enable = true;
     # coredns.enable = true;
+    misskey.enable = true;
     dnsproxy.enable = true;
     srs.enable = true;
     grafana.enable = true;
     meilisearch.enable = true;
     radicle.enable = true;
-
-    phantomsocks = {
-      enable = false;
-      override = {
-        settings.interfaces = [
-          {
-            device = "bond0";
-            dns = "tcp://208.67.220.220:5353";
-            hint = "w-seq,https,w-md5";
-            name = "default";
-          }
-          {
-            device = "bond0";
-            dns = "tcp://208.67.220.220:443";
-            hint = "ipv6,w-seq,w-md5";
-            name = "v6";
-          }
-          {
-            device = "bond0";
-            dns = "tcp://208.67.220.220:443";
-            hint = "df";
-            name = "df";
-          }
-          {
-            device = "bond0";
-            dns = "tcp://208.67.220.220:5353";
-            hint = "http,ttl";
-            name = "http";
-            ttl = 15;
-          }
-        ];
-      };
-    };
   };
   services = {
     # ktistec.enable = true;
@@ -174,57 +129,7 @@
     };
 
     sing-box.enable = true;
-    restic = {
-      backups = {
-        # solid = {
-        #   passwordFile = config.age.secrets.wg.path;
-        #   repositoryFile = config.age.secrets.restic-repo.path;
-        #   environmentFile = config.age.secrets.restic-envs.path;
-        #   paths = [
-        #     "/persist"
-        #     "/var"
-        #   ];
-        #   extraBackupArgs = [
-        #     "--one-file-system"
-        #     "--exclude-caches"
-        #     "--no-scan"
-        #     "--retry-lock 2h"
-        #   ];
-        #   timerConfig = {
-        #     OnCalendar = "daily";
-        #     RandomizedDelaySec = "4h";
-        #     FixedRandomDelay = true;
-        #     Persistent = true;
-        #   };
-        # };
-        critic = {
-          #### CLOUDFLARE R2 but connectivity bad
-          #   passwordFile = config.age.secrets.wg.path;
-          #   repositoryFile = config.age.secrets.restic-repo-crit.path;
-          #   environmentFile = config.age.secrets.restic-envs-crit.path;
-          passwordFile = config.age.secrets.wg.path;
-          repository = "s3:http://10.0.1.3:3900/crit";
-          environmentFile = config.age.secrets.restic-envs-dc3.path;
-          ####
-          paths = [
-            "/var/.snapshots/latest/lib/backup"
-            "/var/.snapshots/latest/lib/private/matrix-conduit"
-          ];
-          extraBackupArgs = [
-            "--exclude-caches"
-            "--no-scan"
-            "--retry-lock 2h"
-          ];
-          pruneOpts = [ "--keep-daily 3" ];
-          timerConfig = {
-            OnCalendar = "daily";
-            RandomizedDelaySec = "4h";
-            FixedRandomDelay = true;
-            Persistent = true;
-          };
-        };
-      };
-    };
+
     hysteria.instances = [
       {
         name = "nodens";

diff --git a/hosts/kaambl/default.nix b/hosts/kaambl/default.nix
@@ -43,13 +43,13 @@ withSystem "x86_64-linux" (
       user = "elen";
     };
     modules = lib.sharedModules ++ [
-      ../../srv
       ./hardware.nix
       ./network.nix
       ./rekey.nix
       ./spec.nix
       ../persist.nix
       ../secureboot.nix
+      ./restic.nix
       # inputs.home-manager.nixosModules.default
       # ../../home
       ../sysctl.nix

diff --git a/hosts/kaambl/restic.nix b/hosts/kaambl/restic.nix
@@ -0,0 +1,29 @@
+{ config, ... }:
+{
+  restic = {
+    backups = {
+      # critic = {
+      #   passwordFile = config.age.secrets.wg.path;
+      #   repository = "rclone:sec:crit";
+      #   rcloneConfigFile = config.age.secrets.rclone-conf.path;
+      #   paths = map (n: "/home/${user}/${n}") [
+      #     "Books"
+      #     "Pictures"
+      #     "Music"
+      #   ];
+      #   extraBackupArgs = [
+      #     "--exclude-caches"
+      #     "--no-scan"
+      #     "--retry-lock 2h"
+      #   ];
+      #   pruneOpts = [ "--keep-daily 3" ];
+      #   timerConfig = {
+      #     OnCalendar = "daily";
+      #     RandomizedDelaySec = "4h";
+      #     FixedRandomDelay = true;
+      #     Persistent = true;
+      #   };
+      # };
+    };
+  };
+}