Migrate danflix to hetzner

2023-11-19 01:07:45 +00:00
parent 34e893bd68
commit 87ce8e0d1c
12 changed files with 62 additions and 99 deletions
--- a/modules/dungflix/default.nix
+++ b/modules/dungflix/default.nix
@@ -3,21 +3,21 @@
  config,
  ...
 }: let
-  mountdir = "/var/media/dungflix";
+  mountdir = "/var/media/danflix";
  rclone_config = pkgs.writeText "" ''
-    [dungflix]
+    [danflix-storage-box]
-    type = b2
+    type = sftp
-    [dungflix-vault]
+    [danflix-crypto]
    type = crypt
-    remote = dungflix:dungflix-bucket
+    remote = danflix-storage-box:danflix
  '';
 in {
  age.secrets = {
-    dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age;
+    danflix_storage_box_crypt_obscured_pw.file = ../../secrets/danflix_storage_box_crypt_obscured_pw.age;
-    dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age;
+    danflix_hetzner_storage_box_pub_key.file = ../../secrets/danflix_hetzner_storage_box_pub_key.age;
-    dungflix_crypt_remote_obscured_pass.file = ../../secrets/dungflix_crypt_remote_obscured_pass.age;
+    danflix_env_file.file = ../../secrets/danflix_env_file.age;
  };
  services = {
@@ -40,27 +40,27 @@ in {
    MemoryMax = "1G";
  };
-  systemd.services.dungflix-mount = {
+  systemd.services.danflix-mount = {
-    description = "Mount the Backblaze B2 media store";
+    description = "Mount the Hetzner Storage Box media store";
    wantedBy = ["multi-user.target"];
    path = [pkgs.fuse3];
    preStart = ''
      mkdir -p -m 777 ${mountdir}
    '';
    environment = {
      "RCLONE_SFTP_KEY_FILE" = config.age.secrets.danflix_hetzner_storage_box_pub_key.path;
    };
    script = ''
-      export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path})
+      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount danflix-crypto: ${mountdir} \
-      export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path})
+         --vfs-cache-mode full \
-      export RCLONE_CRYPT_PASSWORD=''$(cat ${config.age.secrets.dungflix_crypt_remote_obscured_pass.path})
+         --vfs-cache-max-age 336h \
-      ${pkgs.rclone}/bin/rclone --config="${rclone_config}" mount dungflix-vault: ${mountdir} \
+         --vfs-cache-max-size 60G \
-        --transfers 32 \
+         --allow-other \
-        --vfs-cache-mode full \
+         --no-modtime \
-        --vfs-cache-max-age 336h \
+         --rc \
-        --vfs-cache-max-size 120G \
+         --rc-addr=localhost:5573 \
-        --allow-other \
+         --rc-no-auth \
-        --no-modtime \
+         -v
        --rc \
        --rc-no-auth \
        -vv
    '';
    postStart = ''
      sleep 5
@@ -71,6 +71,7 @@ in {
      fusermount -u ${mountdir}
    '';
    serviceConfig = {
      EnvironmentFile = config.age.secrets.danflix_env_file.path;
      Restart = "on-failure";
    };
  };
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -29,15 +29,15 @@
          }
        ];
      }
-	  {
+      {
-		job_name = "caddy";
+        job_name = "caddy";
-		scrape_interval = "15s";
+        scrape_interval = "15s";
-		static_configs = [
+        static_configs = [
-		  {
+          {
-			targets = ["localhost:2019"];
+            targets = ["localhost:2019"];
-		  }
+          }
-		];
+        ];
-	  }
+      }
    ];
  };
 }
--- a/modules/synapse/default.nix
+++ b/modules/synapse/default.nix
@@ -29,13 +29,13 @@ in {
  services.matrix-synapse = {
    enable = true;
-	sliding-sync = {
+    sliding-sync = {
-	  enable = true;
+      enable = true;
-	  environmentFile = config.age.secrets.sliding_sync_env_file.path;
+      environmentFile = config.age.secrets.sliding_sync_env_file.path;
-	  settings = {
+      settings = {
-		SYNCV3_SERVER = "http://localhost:8008";
+        SYNCV3_SERVER = "http://localhost:8008";
-	  };
+      };
-	};
+    };
    settings = {
      enable_metrics = true;
      server_name = "broccoli.town";
--- a/secrets/danflix_env_file.age
+++ b/secrets/danflix_env_file.age
--- a/secrets/danflix_hetzner_storage_box_pub_key.age
+++ b/secrets/danflix_hetzner_storage_box_pub_key.age
--- a/secrets/danflix_storage_box_crypt_obscured_pw.age
+++ b/secrets/danflix_storage_box_crypt_obscured_pw.age
--- a/secrets/danflix_storage_box_crypt_pw.age
+++ b/secrets/danflix_storage_box_crypt_pw.age
@@ -0,0 +1,18 @@
 age-encryption.org/v1
 -> ssh-ed25519 eYYv1Q olD4OIi8YC5KZN7rVfOcis+OOvmJI27FsXN19tEX5lk
 493ZDJgwYbzPsthtQtIzzHpVtj9ocje15w9wq5JtHSI
 -> ssh-ed25519 Bp5IaA FbriZLB/tTQflwwqgMrJUgcMibx6vG+UI841ZjiOmlM
 l/rutNoo4EnL6qr3wkMNGbDHcIC+CGZgfOcsoSoHCAE
 -> ssh-ed25519 T/DpgA M+PqxOvScPQU58bYwQqtQaLykzKW5fIibAfoKNDPUHM
 1l2ZBg3naogcGeQhzDgonuPEFA+zjL/tZBCMwa6rIDY
 -> ssh-ed25519 qMgRFg e3SJOsknOfqOdyqXvqTJ3+xo6ueWYSEyicj34+ufjDs
 oOGb2SzADeydEtCO5eDyYGxJG0ZCLseAwslR3E6LsUs
 -> ssh-ed25519 dMZXNw N/D2EAYhGZkwtiDDf+0Krb/pOVjG66PLLBdeSAWqo1k
 vs2fnH6CAcyvoDuPTmgjmMkUcIK9VHmQGfHOcpy71hU
 -> ssh-ed25519 70Nt2Q tr8TufTCMfU+8KtIdkFjyczVRiKUvFZ6rwGOPYUObVY
 +akmkrm1+GIONvR3dR+Sj9d3Ajj+PqzYVn4SWWEKmo8
 -> *_-grease |uf+h
 NP9bxjUd03lJnmXKlH7wx0+1E2fQit01FsnXk8MtCzbSzf3DZUi5pHk0KAOUIpOE
 uu81CrNA4J7InBlX56qNDqGMuQ
 --- vE2U4+bAt/AmUZdwD05PYzzxeVl6IVGHjEOgNfqfAWI
 <EFBFBD><EFBFBD> <20><>k1K<11>q<EFBFBD><71><EFBFBD>_<EFBFBD>?<3F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Tp8w1<77>0<<3C>hjX<6A>Q<EFBFBD><51><EFBFBD><EFBFBD>Օ<EFBFBD><D595>
--- a/secrets/dungflix_bucket_account_id.age
+++ b/secrets/dungflix_bucket_account_id.age
--- a/secrets/dungflix_bucket_account_key.age
+++ b/secrets/dungflix_bucket_account_key.age
@@ -1,20 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 eYYv1Q NfUs85CEft9jTh44fnAnN/PcdOQ2mdEByoNkyUCNrWQ
 MvA9BA3RoV2DRovXvlJzbY1E5lXdNSvkV82gtNCh6PA
 -> ssh-ed25519 Bp5IaA lSrjQhwuY8ZiwVC82azl8rqN0/WasK4ZGRq9ohWDAVQ
 CPBY/Eq7MJ6Em+h6ro3HtfRqn9gn5BR3z//dA+SHjxw
 -> ssh-ed25519 T/DpgA cv9z3Ihe/GydTPMSXXiNFxNFQwVYyZBDO1TVGCygoAo
 t4yCcPpM2Z7sqN55GbXUuLE0hvD7jXU1dCqOHcDT400
 -> ssh-ed25519 qMgRFg jAcoxq4wyu8rYQGrt/rKUFSwp0Hz4QL4asEuJdA6nl0
 K+bqqoheMofX+iwcZYCE4Y558m/kzqUHyieaDQ8jJgw
 -> ssh-ed25519 dMZXNw imeVQpYX9guxDPulzYYeHedYxZsmTngy+jgpQulRo1Y
 kpYgC6nzrhZsXkYHAl1273fwZ345towB1K84riX+Y+Q
 -> ssh-ed25519 GzHGXw fgC690PsBF/lgRF9zwZqhvRkrK9Pm65tcZUWKzxookE
 haaWg3MNhKl1+CodRS+4MzwRVsKgVaox/Kf2YnmBNVY
 -> ssh-ed25519 70Nt2Q 46a4VTEFv80jOpVl/54J3sJhBUS4G1XqrAoPReb3gjs
 ihr26HDZ40F6WJEqJmQgkjAUnnrz0Tc0ck26yLW0wOY
 -> @c_kw-grease Au)%'xOy C/ A$Rd
 X7eu3QrQyKDn
 --- pqgV/pzN+qsLtrbL2382/1056D925Ko5y5Oe3vwWmoc
 <EFBFBD><EFBFBD><EFBFBD>h<EFBFBD>3<>|<7C><><EFBFBD>wzb<7A><62>I<EFBFBD>0/<2F>:U<>.m(/<<3C>x<EFBFBD>P<03><><19><>o<EFBFBD><19><>U0<>\
 <EFBFBD>'p;
--- a/secrets/dungflix_crypt_remote_obscured_pass.age
+++ b/secrets/dungflix_crypt_remote_obscured_pass.age
@@ -1,21 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 eYYv1Q IGdoQqDAFgxgWVlqEpZJvG9gE2KCKoXpMmvburw8Fhk
 66QE8kwl63xnvYj7nwmT6qR6Jj8fCfrzf/iAB7U+AU4
 -> ssh-ed25519 Bp5IaA n3lgDi3bCV0t/TOjqdsNTRxnAlCs0GxoPPjpnaeIrzQ
 Ip98hCbmz4W8+NY85DWv/nHHmLANfwo0rNaI2N6N0kQ
 -> ssh-ed25519 T/DpgA VGDYHrof8rh7WTZ3DOrTIVcfyKkVbLJTL8bDDSfS4C8
 3o3A3jfTL8L0dbpv9Xe3Oy93U3XkkjhRX0tqQtSZDtw
 -> ssh-ed25519 qMgRFg Jchcic5fvRBviRtbdUyMl76Ea0aGW/7tRWkTt2habAg
 91DpFYKWqA4rawbzkEEkLNRay352vkuU0srVBwYFkco
 -> ssh-ed25519 dMZXNw Sa+BZdY+YLrlQkX7G7VSF/k6oVAVo17zSgXbq1OiqR8
 xu894gtzqTFNDyvzwtejNw3WkMnVQLcpIaVF0CgVODI
 -> ssh-ed25519 GzHGXw 2WNPWILkiCseWMN5GHpfNs9T566GV6dUxqse+YVXTSA
 W1MT/CHcZKefKb+7UK8PWwDP0cDCOU1JKpiXTk0vY10
 -> ssh-ed25519 70Nt2Q QnL9dyxLSG64ncFRCoLOEWtBI1y0qRDj0a0TESW4bXY
 kHHQA72guLb7YYbU7/CTawylq1uNzcgNRwpS2z2WzeA
 -> hg3-grease
 O2O1JT79k6zrpiuexN5i/1eP5cTzjOPjHS3BCvprA/JxSxUNrV+a1RFFmLb6OTad
 8cR0wG66tw6xaYQLvxWiKCzh2AqXkQ
 --- tkk6rwRnFGtrrl6Z0kDoqS/NPV4hFhlKvwJ52zGuy+U
 B<><42><EFBFBD>]$So<><6F>e(kV8ca<63><61><EFBFBD>LG<4C><47>(<28>ȗF<C897><10><><EFBFBD>Y<EFBFBD>mɒ<6D>h<EFBFBD><68>1<10>ď<13>y<15><><EFBFBD><18>L<EFBFBD><1F>ѩzJ!gD<67>{n<>U
 <EFBFBD>N0<1A>
--- a/secrets/dungflix_crypt_remote_pass.age
+++ b/secrets/dungflix_crypt_remote_pass.age
@@ -1,19 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 eYYv1Q HzNRL7zq6Lrum/2tHKjacsv1Y0LlXmgOZNWLXAk2lWg
 no6sDeinVG3TPu3UVOEDauVrHqmJGzMgHB6Dr6UNrDE
 -> ssh-ed25519 Bp5IaA 9UvpQHut2BFiXIkR+q1A/Ik4AYvwghddk9Fi5+rw4mM
 Zs/ggJfYh/epVFRiJEnvICceCnlZBifeGLRDI/Eosj0
 -> ssh-ed25519 T/DpgA k40Cb32UbfjsApxi0ccO4u8xP12uWpTot02BSCUvP08
 LfXJLsRtNklus14Pg3TsDt9MMbRi9SrH7uvefK9Hxso
 -> ssh-ed25519 qMgRFg iS9incss6tduf58gxdA8R5dqnwpXFy9PB8ZwNVWbvyc
 e4KTD8Z4fUeaLAiqKGQXi/AIkyjlYEUNraHSB+TFhiM
 -> ssh-ed25519 dMZXNw DKMC+uCWkUEOF2fFL6o41UuggAzcWHwM5TwYzw+5sjQ
 zu/YdI+pzudPH7azRqwmDvf81m48EZYK9c3UcVPTaVI
 -> ssh-ed25519 GzHGXw OX7ylQzBuyzErkhOpiUrBPhlGx/TrAgK5KuI6yEo4EY
 DxeylfaVBkDEWxxRz3KCr5UZsREfqXwoAnC5tAdyFL4
 -> ssh-ed25519 70Nt2Q pcGNeTUV7utxnH5a4H78YOvr8cpORGkQ7p8hh569zz4
 STlbScxYbWXV3B8T+2PSiLfGkjKudkXwkRG67ZHlwtE
 -> s-grease
 FHLY7TFsme9Wd43MaAzpXiolSX0
 --- b2uVM8dc8IXnmG4fb/DjApdEJ3yngTDN8d7J0mbYYYw
 B<EFBFBD>љ<><13><>V<><56><EFBFBD><19><>EM<45><4D>N<EFBFBD>M<EFBFBD>=ݫ<>?]<5D><>A%<01><><EFBFBD><EFBFBD><EFBFBD>5<05>2/<2F>Xv5`[
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -29,4 +29,8 @@ in {
  "sendmail_email_key_gitea.age".publicKeys = users ++ [system4];
  "gitea_actions_runner_token.age".publicKeys = users ++ [system4];
  "sliding_sync_env_file.age".publicKeys = users ++ [system4];
  "danflix_hetzner_storage_box_pub_key.age".publicKeys = users ++ [system4];
  "danflix_storage_box_crypt_pw.age".publicKeys = users ++ [system4];
  "danflix_storage_box_crypt_obscured_pw.age".publicKeys = users ++ [system4];
  "danflix_env_file.age".publicKeys = users ++ [system4];
 }