diff --git a/flake.nix b/flake.nix index 1cbc4c3..1c23e61 100644 --- a/flake.nix +++ b/flake.nix @@ -88,6 +88,7 @@ pkgs.home-manager pkgs.sops pkgs.git + pkgs.git-crypt pkgs.just pkgs.nh ]; diff --git a/home/hosts/y2q.nix b/home/hosts/y2q.nix index 56c8d04..43bcf83 100644 --- a/home/hosts/y2q.nix +++ b/home/hosts/y2q.nix @@ -4,6 +4,7 @@ imports = [ inputs.nixvim.homeModules.nixvim + ../modules/runit ../modules/cli/git.nix ../modules/cli/ripgrep.nix ../modules/cli/btop.nix diff --git a/home/modules/runit/default.nix b/home/modules/runit/default.nix new file mode 100644 index 0000000..478700f --- /dev/null +++ b/home/modules/runit/default.nix @@ -0,0 +1,87 @@ +{ config, lib, ... }: + +{ + imports = ( + let + servicesPath = ./services; + serviceModules = builtins.attrNames (builtins.readDir (servicesPath)); + in + map (module: servicesPath + "/${module}") serviceModules + ); + + options.runit = { + services = lib.mkOption { + type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { + options = { + script = lib.mkOption { + type = lib.types.str; + description = "Shell commands executed as the service's main process"; + }; + log.enable = lib.mkEnableOption "Enable logging"; + environment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = {}; + description = "Environment variables passed to the service's processes"; + }; + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = "Environment file passed to the service"; + }; + }; + })); + }; + default = {}; + description = "User-level runit services under ~/runit/services/"; + }; + + config = { + home.file = lib.mkMerge ( + lib.mapAttrsToList (serviceName: sCfg: + let + envExports = lib.concatStringsSep "\n" ( + lib.mapAttrsToList (k: v: "export ${k}='${v}'") sCfg.environment + ); + envFile = lib.mkIf (sCfg.environmentFile != null) { + "runit/services/${serviceName}/.env" = { + source = sCfg.environmentFile; + }; + }; + envFileSetup = if sCfg.environmentFile != null then '' + set -a + source .env + set +a + '' else ""; + stderrToStdout = if sCfg.log.enable then "exec 2>&1" else ""; + in + lib.mkMerge [ + { + # run script + "runit/services/${serviceName}/run" = { + text = '' + #!/usr/bin/env bash + ${stderrToStdout} + ${envExports} + ${envFileSetup} + ${sCfg.script} + ''; + executable = true; + }; + + # logging + "runit/services/${serviceName}/log/run" = lib.mkIf sCfg.log.enable { + text = '' + #!/bin/sh + mkdir -p main + exec svlogd -tt ./main + ''; + executable = true; + }; + } + envFile + ] + ) config.runit.services + ); + }; +} + diff --git a/home/modules/runit/services/caddy.nix b/home/modules/runit/services/caddy.nix new file mode 100644 index 0000000..34b827c --- /dev/null +++ b/home/modules/runit/services/caddy.nix @@ -0,0 +1,37 @@ +{ pkgs, config, ... }: + +{ + home.file.".config/caddy/Caddyfile".text = '' + { + http_port 8080 + https_port 8443 + auto_https off + } + + # Cloudflare Tunnel + http://gist.toast.name { + # Opengist + reverse_proxy http://localhost:${config.runit.services.opengist.environment.OG_HTTP_PORT} + } + + # Tailscale + http://y2q.ts.toast.name { + # Glances + reverse_proxy http://localhost:61208 + } + + http://grafana.ts.toast.name { + # Grafana + reverse_proxy http://localhost:${config.runit.services.grafana.environment.GF_SERVER_HTTP_PORT} + } + ''; + + runit.services.caddy = { + script = '' + exec ${pkgs.caddy}/bin/caddy run \ + --config "$HOME/.config/caddy/Caddyfile" \ + --adapter caddyfile + ''; + log.enable = true; + }; +} diff --git a/home/modules/runit/services/cloudflared.nix b/home/modules/runit/services/cloudflared.nix new file mode 100644 index 0000000..6e601bf --- /dev/null +++ b/home/modules/runit/services/cloudflared.nix @@ -0,0 +1,30 @@ +{ pkgs, config, rootPath, lib, ... }: + +let + tunnel = "cb0d9c2c-48f9-4bca-9e81-ef92423c5afa"; + subdomains = [ + "gist.toast.name" + ]; +in +{ + home.file.".cloudflared/${tunnel}.json".source = rootPath + /secrets/gitcrypt/cloudflared/${tunnel}.json; + home.file.".cloudflared/cert.pem".source = rootPath + /secrets/gitcrypt/cloudflared/cert.pem; + home.file.".cloudflared/config.yml".text = '' + tunnel: ${tunnel} + credentials-file: ${config.home.homeDirectory}/.cloudflared/${tunnel}.json + + ingress: + ${lib.concatMapStringsSep "\n" (host: '' + ${" "}- hostname: ${host} + ${" "} service: http://localhost:80 + '') subdomains} + ${" "}- service: http_status:404 + ''; + + runit.services.cloudflared = { + script = '' + exec ${pkgs.cloudflared}/bin/cloudflared tunnel run + ''; + log.enable = true; + }; +} diff --git a/home/modules/runit/services/glances.nix b/home/modules/runit/services/glances.nix new file mode 100644 index 0000000..94db540 --- /dev/null +++ b/home/modules/runit/services/glances.nix @@ -0,0 +1,9 @@ +{ pkgs, ... }: + +{ + runit.services.glances = { + script = '' + exec ${pkgs.glances}/bin/glances -w + ''; + }; +} diff --git a/home/modules/runit/services/grafana.nix b/home/modules/runit/services/grafana.nix new file mode 100644 index 0000000..c8d2d73 --- /dev/null +++ b/home/modules/runit/services/grafana.nix @@ -0,0 +1,21 @@ +{ pkgs, config, ... }: + +{ + runit.services.grafana = { + script = '' + HOME_PATH=$HOME/services/grafana + mkdir -p "$HOME_PATH" + + exec ${pkgs.grafana}/bin/grafana server \ + --homepath ${pkgs.grafana}/share/grafana + ''; + + environment = { + GF_SERVER_HTTP_ADDR = "127.0.0.1"; + GF_SERVER_HTTP_PORT = "3000"; + GF_PATHS_DATA = "${config.home.homeDirectory}/services/grafana"; + }; + + log.enable = true; + }; +} diff --git a/home/modules/runit/services/opengist.nix b/home/modules/runit/services/opengist.nix new file mode 100644 index 0000000..d7929c7 --- /dev/null +++ b/home/modules/runit/services/opengist.nix @@ -0,0 +1,20 @@ +{ pkgs, rootPath, ... }: + +{ + runit.services.opengist = { + script = '' + exec ${pkgs.opengist}/bin/opengist start + ''; + + environment = { + OG_HTTP_HOST = "127.0.0.1"; + OG_HTTP_PORT = "6157"; + OG_SSH_HOST = "127.0.0.1"; + OG_SSH_PORT = "6522"; + }; + + environmentFile = rootPath + /secrets/gitcrypt/opengist.env; + + log.enable = true; + }; +} diff --git a/home/modules/runit/services/prometheus.nix b/home/modules/runit/services/prometheus.nix new file mode 100644 index 0000000..fbb5d2c --- /dev/null +++ b/home/modules/runit/services/prometheus.nix @@ -0,0 +1,25 @@ +{ pkgs, config, ... }: + +{ + home.file.".config/prometheus/prometheus.yml".text = '' + global: + scrape_interval: 1m + + scrape_configs: + - job_name: 'restic_rest_server' + static_configs: + - targets: ['${config.runit.services.restic-rest-server.environment.LISTEN_ADDR}'] + ''; + + runit.services.prometheus = { + script = '' + TSDB_PATH=$HOME/services/prometheus + mkdir -p TSDB_PATH + + exec ${pkgs.prometheus}/bin/prometheus \ + --config.file=$HOME/.config/prometheus/prometheus.yml \ + --storage.tsdb.path=$TSDB_PATH \ + --web.listen-address="127.0.0.1:9090" + ''; + }; +} diff --git a/home/modules/runit/services/restic-rest-server.nix b/home/modules/runit/services/restic-rest-server.nix new file mode 100644 index 0000000..0369adf --- /dev/null +++ b/home/modules/runit/services/restic-rest-server.nix @@ -0,0 +1,21 @@ +{ pkgs, ... }: + +{ + runit.services.restic-rest-server = { + script = '' + DATA_DIR=$HOME/services/restic-rest-server + mkdir -p "$DATA_DIR" + + exec ${pkgs.restic-rest-server}/bin/rest-server \ + --listen "$LISTEN_ADDR" \ + --log - \ + --no-auth \ + --path $DATA_DIR \ + --prometheus --prometheus-no-auth + ''; + + environment = { + LISTEN_ADDR = "127.0.0.1:9000"; + }; + }; +} diff --git a/hosts/nixos/modules/services/restic.nix b/hosts/nixos/modules/services/restic.nix index fc8b89a..85c7215 100644 --- a/hosts/nixos/modules/services/restic.nix +++ b/hosts/nixos/modules/services/restic.nix @@ -3,7 +3,7 @@ { sops.secrets = { "restic/password" = {}; - "restic/env/nixos" = {}; + "restic/env" = {}; }; services.restic.backups.y2q = { @@ -15,8 +15,8 @@ "/home/toast/workspace" ]; exclude = [ "node_modules" ]; - repository = "rest:http://restic.ts.700457.xyz/nixos/"; - environmentFile = config.sops.secrets."restic/env/nixos".path; + repository = "rest:http://y2q:9000/nixos/"; + environmentFile = config.sops.secrets."restic/env".path; pruneOpts = [ "--keep-hourly 6" "--keep-daily 7" diff --git a/hosts/vps/modules/services/restic.nix b/hosts/vps/modules/services/restic.nix index 745c0f2..25b5baa 100644 --- a/hosts/vps/modules/services/restic.nix +++ b/hosts/vps/modules/services/restic.nix @@ -1,32 +1,51 @@ { config, ... }: -{ +let + paths = [ + "/var/lib/zipline" + "/var/lib/postgresql" + "/var/lib/forgejo" + "/var/lib/trilium" + "/var/lib/bitwarden_rs" + ]; +in { sops.secrets = { "restic/password" = {}; - "restic/env/vps" = {}; + "restic/env" = {}; + "restic/rclone-config" = {}; }; - services.restic.backups.y2q = { + services.restic.backups.b2 = { initialize = true; inhibitsSleep = true; passwordFile = config.sops.secrets."restic/password".path; - paths = [ - "/var/lib/zipline" - "/var/lib/postgresql" - "/var/lib/forgejo" - "/var/lib/trilium" - "/var/lib/bitwarden_rs" - ]; - repository = "rest:http://restic.ts.700457.xyz/vps/"; - environmentFile = config.sops.secrets."restic/env/vps".path; + paths = paths; + repository = "s3:https://s3.us-east-005.backblazeb2.com/restic-backups-vps"; + environmentFile = config.sops.secrets."restic/env".path; pruneOpts = [ - "--keep-hourly 3" "--keep-daily 7" "--keep-weekly 3" "--keep-monthly 3" ]; timerConfig = { - OnCalendar = "hourly"; + OnCalendar = "daily"; + Persistent = true; + }; + }; + services.restic.backups.nextcloud = { + initialize = true; + inhibitsSleep = true; + passwordFile = config.sops.secrets."restic/password".path; + paths = paths; + repository = "rclone:nextcloud:restic/vps"; + rcloneConfigFile = config.sops.secrets."restic/rclone-config".path; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 6" + ]; + timerConfig = { + OnCalendar = "daily"; Persistent = true; }; }; diff --git a/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json b/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json new file mode 100644 index 0000000..46cd7b1 Binary files /dev/null and b/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json differ diff --git a/secrets/gitcrypt/cloudflared/cert.pem b/secrets/gitcrypt/cloudflared/cert.pem new file mode 100644 index 0000000..230ea54 Binary files /dev/null and b/secrets/gitcrypt/cloudflared/cert.pem differ diff --git a/secrets/gitcrypt/opengist.env b/secrets/gitcrypt/opengist.env new file mode 100644 index 0000000..275e5fc Binary files /dev/null and b/secrets/gitcrypt/opengist.env differ diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 30f27b2..18dcf4a 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -5,9 +5,8 @@ openrouter_api_key: ENC[AES256_GCM,data:c0GHwhX5S4cfOXs6iR8TWVwhW90bvehWdy8lJBmb context7_api_key: ENC[AES256_GCM,data:3fvSGzii2MqlfMCFYIUcC8Fa18KBh2K91rYPtXe04+UzNb/ElBEVMoH4Gw==,iv:4cZlsYZVum/Ui3MNAzSMb8JxOCNchUzuwlh890Lc4vo=,tag:RDjeujPxDQC5eRqDcKfbvA==,type:str] restic: password: ENC[AES256_GCM,data:LhO9evxJ1jO+/jVefT1ImRB7mdQB6VWxMdXPzAX4v9ICy5V+QlPDHdug3fKgZfzZ2EJtxy0LeQqHhyACKvPACA==,iv:Ag5BXn7gViL2J7qALn6WoQ1zwS69/NkjU9iP7pw2g0U=,tag:nUSCMkojdSA3+aJ4OKM8rw==,type:str] - env: - nixos: ENC[AES256_GCM,data:l2XnT2zDWriWlicZaKMrU9+QC3nSbGyo10IUrszjIxKH7A2EI9KnTb2wtjZS/aA23tH31QTQ+VUh7Dcn+9jCufEkqH1PGbXRnTBBQ6HByCc=,iv:e1jbtsQ4vftPRf4NqkW529krViBRDkfyQVIR3+pKR0s=,tag:jLIq3FV2IS1OxKcSsizxpA==,type:str] - vps: ENC[AES256_GCM,data:Cn9xC1gQ2p+b50zBkkM5dLgJo3XUUhwfZwxhzb1Wu4kidM3LU1J2Xq56uqPSeJkMn94+5FV/lHfoc70eZgxn8WdJDBJtgtldfRFdgSuM,iv:X29GHc8aBHSW5PihCVAQWMGWXNx/SY1lTK6W4mDx5ms=,tag:tDJxOMWDDql4gVtyIFky7Q==,type:str] + env: ENC[AES256_GCM,data:ZqQ+0b/Wd8NRodjksdMNvl1bRIPfLPiw4NRDtG8tc8pVp9w/Je5WXePIB/8QQ33K2Uagqzfb0Y/pTbo4vQRLBXVWO4uofQ7YKxdiK4efTPr8Ic/uX3NuGyT+Q9hvawkICg==,iv:S9XcbSZewjEty35N0fSksTMT3q8Nnmy0HmgIF7oQ1cU=,tag:12ThSBX5qEIoW9Sp0IrKzA==,type:str] + rclone-config: ENC[AES256_GCM,data:r37TJRvVbjf2EfmF4lYz9WtPpx1VCgryKWSTRWIn1mXIgT5sNFLhcy4pFrAn4duk3D/JHngKS1v9THS6i5o3N7+jOeszbKEF2+XB+UG+ogRSlveN+2ohs0dWWLE1Yhr/sKkO7FKQu338mxssNwF2M7rqA7DiGrBuUXIOkwczBphuJbP8A/LRSvrD0DYj5XakM2R+NVeHGaSNHsmv2tVsMS0i7aHPsTbIp4Wyz+be0YXWMNezM8u5KW8=,iv:OA1IloW5FJ1lFcUh2WUvw5iMxiM55yTy0CnrVOQyr5w=,tag:d0gKGuYLOcIvZmf2ZQFD4g==,type:str] zipline: env: ENC[AES256_GCM,data:HOcqrzXnu+BcpZYgv1yzPOTV4ydJiVa0oIXQWMUNt/X6q2TUGPOTwWg/dOgzoi6jGzFxm+wJzugO4lLQurUV0DiWIWLDSm/PK+zW34yLYwMrwK1bRaF9yl7usAN6BEmpLw==,iv:9IZDQRT2JoXNTuyPZrwRSr2m3SnXaLmJcafpkraCFWA=,tag:+7EoCTiY9f0/C5jgvPQknA==,type:str] token: ENC[AES256_GCM,data:Ke+cJQ6Up5RUGqe/3tG7Nk40PoOQ1Vq1jN5QN4N5LXOFgclXpzN7sjx0bumFVEcgg4B7UkHmjHzjRAPtWheFu+1PaN02aQVLMGzYXgujqmccC+6roxYt4vdN0CLzf0Ii7k5KUwX3QdOV+lrVwyoBjgQyTD839YnODI7zavf+aDMlrE4+BlFjjV8MUQHsJ5G017xN0XLKOBIQsGpMl40YsvVXFrNwkZ+DkN7bXCZBiHI41W44snB1C3wkYOO+a0g4JzVjIhcHXalYgOW4Unuyyah8yDoXRxuSq7aZpQ+/AHRiuIuaHSrE5BUJu/9bJdjojNuk6VTsaLFtngViSjtyztcqMAIHFFq/KXAog8tg16dJH/V6PomrWXY=,iv:H/EcD/oNSw1mIwxsqyMeSRPsY7lnzEzTNJs6OPNfPw4=,tag:FgH9Nwxnq62uhCd/Av2kAA==,type:str] @@ -23,7 +22,7 @@ sops: Z0crWElZcVFMVUd0VytoTHFqbkRDck0KY8nsRThk1hCA/yDNy5JJ0T6pTUwRZhYW j8grD6JYvauuYa+3tSIwqy2RPiKltx696n9nXy9iPnFUO0QY/rQGVg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-17T09:52:45Z" - mac: ENC[AES256_GCM,data:ul33Yr8a5VER09m2DrM+BiZDglSW5w/UrgWCamYEbsO2EtSGX3zg6r1j+++W2dNj3BXDiVD5DIEQ/LGMUtvhFmP5b/EWO6xucCgAekekYPKiafhh3h45db1s7E/PGwpBLzUk4ePoAb9hAvzx4pQvlpHHHIbFMxsTjNjoj7WxbGM=,iv:WrZokFbfu9bkQFq/FwHNAINzTRGBJlBJs54Epmb1Ya8=,tag:GyAiBG5OrS12/GqG/2zTlA==,type:str] + lastmodified: "2025-11-02T05:02:06Z" + mac: ENC[AES256_GCM,data:cj6FoyYzGwOP2hgIf3jhRSdFWR3SLd7eX2L/hrYyMtDKJNr70yyf3V2bzWfspZMGykgkJB3eQskMBxvn9P7s7XDPbjBeQ3ndqH5HBHuOsgManpYZgv5OusxBJfOh4DVGkIYgU/oZ+MjQ/RSBmHb45py15GxytTLs264Kp4o4KyQ=,iv:dQEo2IEkbiA2dt8NFznxxqDX4hCPED59WqMVqatH2/c=,tag:SaecqbewnXcsWNh9+OlWyA==,type:str] unencrypted_suffix: _unencrypted - version: 3.11.0 + version: 3.10.2 diff --git a/shell.nix b/shell.nix index 11a67f0..9df72f3 100644 --- a/shell.nix +++ b/shell.nix @@ -6,6 +6,7 @@ pkgs.mkShell { home-manager git sops + git-crypt just nh ];