diff --git a/modules/dungflix/default.nix b/modules/dungflix/default.nix index 4e5b70f..90df021 100644 --- a/modules/dungflix/default.nix +++ b/modules/dungflix/default.nix @@ -3,21 +3,21 @@ config, ... }: let - mountdir = "/var/media/dungflix"; + mountdir = "/var/media/danflix"; rclone_config = pkgs.writeText "" '' - [dungflix] - type = b2 + [danflix-storage-box] + type = sftp - [dungflix-vault] + [danflix-crypto] type = crypt - remote = dungflix:dungflix-bucket + remote = danflix-storage-box:danflix ''; in { age.secrets = { - dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age; - dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age; - dungflix_crypt_remote_obscured_pass.file = ../../secrets/dungflix_crypt_remote_obscured_pass.age; + danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age; + danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age; + danflix_env_file.file = ../../secrets/danflix_env_file.age; }; services = { 
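Review bot: The new `[danflix-storage-box]` remote in `rclone_config` sets `type = sftp` without a `known_hosts_file`, and rclone's sftp backend only validates the server's host key when that option is set. Unless the encrypted env file supplies the equivalent setting (not visible here), the mount will accept whatever host key it is presented with. The crypt layer still protects file contents, but the transport is then unauthenticated on the server side. Pin the Storage Box host key in the generated config, e.g. `known_hosts_file = <PATH_TO_PINNED_KNOWN_HOSTS>` under `type = sftp`. Host and user are also absent from the remote, so a short comment saying where they come from would help the next reader.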
@@ -40,27 +40,27 @@ in { MemoryMax = "1G"; }; - systemd.services.dungflix-mount = { - description = "Mount the Backblaze B2 media store"; + systemd.services.danflix-mount = { + description = "Mount the Hetzner Storage Box media store"; wantedBy = ["multi-user.target"]; path = [pkgs.fuse3]; preStart = '' mkdir -p -m 777 ${mountdir} ''; + environment = { + "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path; + }; script = '' - export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path}) - export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path}) - export RCLONE_CRYPT_PASSWORD=''$(cat ${config.age.secrets.dungflix_crypt_remote_obscured_pass.path}) - ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount dungflix-vault: ${mountdir} \ - --transfers 32 \ - --vfs-cache-mode full \ - --vfs-cache-max-age 336h \ - --vfs-cache-max-size 120G \ - --allow-other \ - --no-modtime \ - --rc \ - --rc-no-auth \ - -vv + ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \ + --vfs-cache-mode full \ + --vfs-cache-max-age 336h \ + --vfs-cache-max-size 60G \ + --allow-other \ + --no-modtime \ + --rc \ + --rc-addr=localhost:5573 \ + --rc-no-auth \ + -v ''; postStart = '' sleep 5 @@ -71,6 +71,7 @@ in { fusermount -u ${mountdir} ''; serviceConfig = { + EnvironmentFile = config.age.secrets.danflix_env_file.path; Restart = "on-failure"; }; }; diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix index 86b7231..b61f594 100644 --- a/modules/monitoring/default.nix +++ b/modules/monitoring/default.nix @@ -29,15 +29,15 @@ } ]; } - { - job_name = "caddy"; - scrape_interval = "15s"; - static_configs = [ - { - targets = ["localhost:2019"]; - } - ]; - } + { + job_name = "caddy"; + scrape_interval = "15s"; + static_configs = [ + { + targets = ["localhost:2019"]; + } + ]; + } ]; }; } 
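Review bot: In the `danflix-mount` script, `--rc --rc-no-auth` leaves rclone's remote-control API on `localhost:5573` usable by every local user and process without credentials, and that API can drive the instance holding the decrypted remote. If the endpoint is only needed by the `postStart` step (its body is outside this hunk, so this is a guess), drop `--rc-no-auth` and supply `RCLONE_RC_USER` / `RCLONE_RC_PASS` through the `EnvironmentFile` this commit adds. Separately, `RCLONE_SFTP_KEY_FILE` expects a private key, yet the secret is named `danflix_hetzner_storage_box_pub_key`. Rename it or add `# holds the SSH private key despite the name` so nobody treats it as public material.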
diff --git a/modules/synapse/default.nix b/modules/synapse/default.nix index 3d75a07..f3319e5 100644 --- a/modules/synapse/default.nix +++ b/modules/synapse/default.nix @@ -29,13 +29,13 @@ in { services.matrix-synapse = { enable = true; - sliding-sync = { - enable = true; - environmentFile = config.age.secrets.sliding_sync_env_file.path; - settings = { - SYNCV3_SERVER = "http://localhost:8008"; - }; - }; + sliding-sync = { + enable = true; + environmentFile = config.age.secrets.sliding_sync_env_file.path; + settings = { + SYNCV3_SERVER = "http://localhost:8008"; + }; + }; settings = { enable_metrics = true; server_name = "broccoli.town"; diff --git a/secrets/danflix_env_file.age b/secrets/danflix_env_file.age new file mode 100644 index 0000000..cb2315f Binary files /dev/null and b/secrets/danflix_env_file.age differ diff --git a/secrets/danflix_hetzner_storage_box_pub_key.age b/secrets/danflix_hetzner_storage_box_pub_key.age new file mode 100644 index 0000000..30a7135 Binary files /dev/null and b/secrets/danflix_hetzner_storage_box_pub_key.age differ diff --git a/secrets/danflix_storage_box_crypt_obscured_pw.age b/secrets/danflix_storage_box_crypt_obscured_pw.age new file mode 100644 index 0000000..2c7541b Binary files /dev/null and b/secrets/danflix_storage_box_crypt_obscured_pw.age differ diff --git a/secrets/danflix_storage_box_crypt_pw.age b/secrets/danflix_storage_box_crypt_pw.age new file mode 100644 index 0000000..6d0ea6e --- /dev/null +++ b/secrets/danflix_storage_box_crypt_pw.age 
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 eYYv1Q olD4OIi8YC5KZN7rVfOcis+OOvmJI27FsXN19tEX5lk +493ZDJgwYbzPsthtQtIzzHpVtj9ocje15w9wq5JtHSI +-> ssh-ed25519 Bp5IaA FbriZLB/tTQflwwqgMrJUgcMibx6vG+UI841ZjiOmlM +l/rutNoo4EnL6qr3wkMNGbDHcIC+CGZgfOcsoSoHCAE +-> ssh-ed25519 T/DpgA M+PqxOvScPQU58bYwQqtQaLykzKW5fIibAfoKNDPUHM +1l2ZBg3naogcGeQhzDgonuPEFA+zjL/tZBCMwa6rIDY +-> ssh-ed25519 qMgRFg e3SJOsknOfqOdyqXvqTJ3+xo6ueWYSEyicj34+ufjDs +oOGb2SzADeydEtCO5eDyYGxJG0ZCLseAwslR3E6LsUs +-> ssh-ed25519 dMZXNw N/D2EAYhGZkwtiDDf+0Krb/pOVjG66PLLBdeSAWqo1k +vs2fnH6CAcyvoDuPTmgjmMkUcIK9VHmQGfHOcpy71hU +-> ssh-ed25519 70Nt2Q tr8TufTCMfU+8KtIdkFjyczVRiKUvFZ6rwGOPYUObVY ++akmkrm1+GIONvR3dR+Sj9d3Ajj+PqzYVn4SWWEKmo8 +-> *_-grease |uf+h +NP9bxjUd03lJnmXKlH7wx0+1E2fQit01FsnXk8MtCzbSzf3DZUi5pHk0KAOUIpOE +uu81CrNA4J7InBlX56qNDqGMuQ +--- vE2U4+bAt/AmUZdwD05PYzzxeVl6IVGHjEOgNfqfAWI + k1Kq_?Tp8w10<hjXQՕ bG \ No newline at end of file diff --git a/secrets/dungflix_bucket_account_id.age b/secrets/dungflix_bucket_account_id.age deleted file mode 100644 index 6e32811..0000000 Binary files a/secrets/dungflix_bucket_account_id.age and /dev/null differ diff --git a/secrets/dungflix_bucket_account_key.age b/secrets/dungflix_bucket_account_key.age deleted file mode 100644 index 41e2412..0000000 --- a/secrets/dungflix_bucket_account_key.age +++ /dev/null 
@@ -1,20 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 eYYv1Q NfUs85CEft9jTh44fnAnN/PcdOQ2mdEByoNkyUCNrWQ -MvA9BA3RoV2DRovXvlJzbY1E5lXdNSvkV82gtNCh6PA --> ssh-ed25519 Bp5IaA lSrjQhwuY8ZiwVC82azl8rqN0/WasK4ZGRq9ohWDAVQ -CPBY/Eq7MJ6Em+h6ro3HtfRqn9gn5BR3z//dA+SHjxw --> ssh-ed25519 T/DpgA cv9z3Ihe/GydTPMSXXiNFxNFQwVYyZBDO1TVGCygoAo -t4yCcPpM2Z7sqN55GbXUuLE0hvD7jXU1dCqOHcDT400 --> ssh-ed25519 qMgRFg jAcoxq4wyu8rYQGrt/rKUFSwp0Hz4QL4asEuJdA6nl0 -K+bqqoheMofX+iwcZYCE4Y558m/kzqUHyieaDQ8jJgw --> ssh-ed25519 dMZXNw imeVQpYX9guxDPulzYYeHedYxZsmTngy+jgpQulRo1Y -kpYgC6nzrhZsXkYHAl1273fwZ345towB1K84riX+Y+Q --> ssh-ed25519 GzHGXw fgC690PsBF/lgRF9zwZqhvRkrK9Pm65tcZUWKzxookE -haaWg3MNhKl1+CodRS+4MzwRVsKgVaox/Kf2YnmBNVY --> ssh-ed25519 70Nt2Q 46a4VTEFv80jOpVl/54J3sJhBUS4G1XqrAoPReb3gjs -ihr26HDZ40F6WJEqJmQgkjAUnnrz0Tc0ck26yLW0wOY --> @c_kw-grease Au)%'xOy C/ A$Rd -X7eu3QrQyKDn ---- pqgV/pzN+qsLtrbL2382/1056D925Ko5y5Oe3vwWmoc -h3|wzbI0/:U.m(/ ssh-ed25519 eYYv1Q IGdoQqDAFgxgWVlqEpZJvG9gE2KCKoXpMmvburw8Fhk -66QE8kwl63xnvYj7nwmT6qR6Jj8fCfrzf/iAB7U+AU4 --> ssh-ed25519 Bp5IaA n3lgDi3bCV0t/TOjqdsNTRxnAlCs0GxoPPjpnaeIrzQ -Ip98hCbmz4W8+NY85DWv/nHHmLANfwo0rNaI2N6N0kQ --> ssh-ed25519 T/DpgA VGDYHrof8rh7WTZ3DOrTIVcfyKkVbLJTL8bDDSfS4C8 -3o3A3jfTL8L0dbpv9Xe3Oy93U3XkkjhRX0tqQtSZDtw --> ssh-ed25519 qMgRFg Jchcic5fvRBviRtbdUyMl76Ea0aGW/7tRWkTt2habAg -91DpFYKWqA4rawbzkEEkLNRay352vkuU0srVBwYFkco --> ssh-ed25519 dMZXNw Sa+BZdY+YLrlQkX7G7VSF/k6oVAVo17zSgXbq1OiqR8 -xu894gtzqTFNDyvzwtejNw3WkMnVQLcpIaVF0CgVODI --> ssh-ed25519 GzHGXw 2WNPWILkiCseWMN5GHpfNs9T566GV6dUxqse+YVXTSA -W1MT/CHcZKefKb+7UK8PWwDP0cDCOU1JKpiXTk0vY10 --> ssh-ed25519 70Nt2Q QnL9dyxLSG64ncFRCoLOEWtBI1y0qRDj0a0TESW4bXY -kHHQA72guLb7YYbU7/CTawylq1uNzcgNRwpS2z2WzeA --> hg3-grease -O2O1JT79k6zrpiuexN5i/1eP5cTzjOPjHS3BCvprA/JxSxUNrV+a1RFFmLb6OTad -8cR0wG66tw6xaYQLvxWiKCzh2AqXkQ ---- tkk6rwRnFGtrrl6Z0kDoqS/NPV4hFhlKvwJ52zGuy+U -B]$Soe(kV8caLG(ȗFYmɒh1ďyLѩzJ!gD{nU -N0 \ No newline at end of file 
diff --git a/secrets/dungflix_crypt_remote_pass.age b/secrets/dungflix_crypt_remote_pass.age deleted file mode 100644 index bdb1132..0000000 --- a/secrets/dungflix_crypt_remote_pass.age +++ /dev/null @@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 eYYv1Q HzNRL7zq6Lrum/2tHKjacsv1Y0LlXmgOZNWLXAk2lWg -no6sDeinVG3TPu3UVOEDauVrHqmJGzMgHB6Dr6UNrDE --> ssh-ed25519 Bp5IaA 9UvpQHut2BFiXIkR+q1A/Ik4AYvwghddk9Fi5+rw4mM -Zs/ggJfYh/epVFRiJEnvICceCnlZBifeGLRDI/Eosj0 --> ssh-ed25519 T/DpgA k40Cb32UbfjsApxi0ccO4u8xP12uWpTot02BSCUvP08 -LfXJLsRtNklus14Pg3TsDt9MMbRi9SrH7uvefK9Hxso --> ssh-ed25519 qMgRFg iS9incss6tduf58gxdA8R5dqnwpXFy9PB8ZwNVWbvyc -e4KTD8Z4fUeaLAiqKGQXi/AIkyjlYEUNraHSB+TFhiM --> ssh-ed25519 dMZXNw DKMC+uCWkUEOF2fFL6o41UuggAzcWHwM5TwYzw+5sjQ -zu/YdI+pzudPH7azRqwmDvf81m48EZYK9c3UcVPTaVI --> ssh-ed25519 GzHGXw OX7ylQzBuyzErkhOpiUrBPhlGx/TrAgK5KuI6yEo4EY -DxeylfaVBkDEWxxRz3KCr5UZsREfqXwoAnC5tAdyFL4 --> ssh-ed25519 70Nt2Q pcGNeTUV7utxnH5a4H78YOvr8cpORGkQ7p8hh569zz4 -STlbScxYbWXV3B8T+2PSiLfGkjKudkXwkRG67ZHlwtE --> s-grease -FHLY7TFsme9Wd43MaAzpXiolSX0 ---- b2uVM8dc8IXnmG4fb/DjApdEJ3yngTDN8d7J0mbYYYw -BљVEMNM=ݫ?]A%52/Xv5`[ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4a4b4c7..bf2fbad 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -29,4 +29,8 @@ in { "sendmail_email_key_gitea.age".publicKeys = users ++ [system4]; "gitea_actions_runner_token.age".publicKeys = users ++ [system4]; "sliding_sync_env_file.age".publicKeys = users ++ [system4]; + "danflix_hetzner_storage_box_pub_key.age".publicKeys = users ++ [system4]; + "danflix_storage_box_crypt_pw.age".publicKeys = users ++ [system4]; + "danflix_storage_box_crypt_obscured_pw.age".publicKeys = users ++ [system4]; + "danflix_env_file.age".publicKeys = users ++ [system4]; }
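Review bot: In the `secrets/secrets.nix` hunk, `danflix_storage_box_crypt_pw.age` is encrypted to `users ++ [system4]`, but the module in this diff declares only the obscured variant under `age.secrets`, so the host appears never to read the plain password. If that is right, narrow the recipients with `"danflix_storage_box_crypt_pw.age".publicKeys = users;`. rclone's obscuring is reversible, so this is recipient hygiene rather than a large secrecy gain. The hunk adds rules only, so if rules for the `dungflix_*` files deleted in this commit remain elsewhere in the list, remove them too.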