Move syncthing to system service on NAS

Restic based backup to b2
2023-09-10 12:04:55 +01:00 · 2023-09-10 12:04:39 +01:00
6 changed files with 50 additions and 10 deletions
--- a/nix/london/configuration.nix
+++ b/nix/london/configuration.nix
@ -58,8 +58,8 @@
      enable = true;
      allowedUDPPortRanges = [ { from = 27031; to = 27036; } ];
      allowedTCPPortRanges = [ { from = 27036; to = 27037; } ];
-      allowedTCPPorts = [ 7000 7100 ];
-      allowedUDPPorts = [ 6000 6001 7011 41641 3478 ];
+      allowedTCPPorts = [ 7000 7100 22000 ];
+      allowedUDPPorts = [ 6000 6001 7011 41641 3478 22000 21027 ];
      trustedInterfaces = [ "tailscale0" ];
      checkReversePath = "loose";
    };
--- a/nix/nas/configuration.nix
+++ b/nix/nas/configuration.nix
@ -7,7 +7,16 @@
    ];

  age.secrets.action-token.file = ../../secrets/vancouver-action-runner.age;
-
+  age.secrets.restic-b2-credentials = {
+    file = ../../secrets/vancouver-restic-b2.age;
+    group = "users";
+    mode = "770";
+  };
+  age.secrets.restic-password = {
+    file = ../../secrets/vancouver-restic-password.age;
+    group = "users";
+    mode = "770";
+  };
  nix = {
    settings = {
      auto-optimise-store = true;
@ -26,6 +35,29 @@
  };

  services = {
+    restic = {
+      backups = {
+        "gsimmer" = {
+          user = "gsimmer";
+          environmentFile = config.age.secrets.restic-b2-credentials.path;
+          repository = "s3:s3.us-west-000.backblazeb2.com/gsimmer-backup";
+          paths = [
+            "/Primary/gabriel/projects"
+          ];
+          passwordFile = config.age.secrets.restic-password.path;
+          initialize = true;
+        };
+      };
+    };
+    syncthing = {
+      enable = true;
+      overrideDevices = false;
+      overrideFolders = false;
+      user = "gsimmer";
+      dataDir = "/Primary/gabriel";
+      #configDir = "/Primary/gsimmer/.config/syncthing";
+      guiAddress = "100.116.48.47:8384";
+    };
    prometheus.exporters = {
      blackbox = {
        enable = true;
@ -287,8 +319,8 @@
      trustedInterfaces = ["tailscale0" "virbr0"];
      checkReversePath = "loose";
      enable = true;
-      allowedTCPPorts = [ 22 53 80 443 2049 4328 5432 9100 ];
-      allowedUDPPorts = [ 53 41641 ];
+      allowedTCPPorts = [ 22 53 80 443 2049 4328 5432 9100 22000 ];
+      allowedUDPPorts = [ 53 41641 22000 21027 ];
    };
    useDHCP = false;
    bridges = {
--- a/nix/nas/home.nix
+++ b/nix/nas/home.nix
@ -52,11 +52,6 @@ end
      }
    ];
  };
-
-  services.syncthing = {
-    enable = true;
-    extraOptions = [ "--gui-address=100.116.48.47:8384" ];
-  };
  
  programs.direnv = {
    enable = true;
--- a/secrets.nix
+++ b/secrets.nix
@ -7,4 +7,6 @@ let
 in
 {
  "secrets/vancouver-action-runner.age".publicKeys = [ vancouver gsimmer ];
+  "secrets/vancouver-restic-b2.age".publicKeys = [ vancouver gsimmer ];
+  "secrets/vancouver-restic-password.age".publicKeys = [ vancouver gsimmer ];
 }
--- a/secrets/vancouver-restic-b2.age
+++ b/secrets/vancouver-restic-b2.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 oN6OTQ PC5ymJfXdL7Sl6t9CZTHICM97yfL3HixOR+OM2y7WQU
+DPMKLTO/jNLd/u4Noy1tHE4iel93UlMEbDdmg1T8nJE
+-> ssh-ed25519 qbziOw djby2UiTzKMppoToJxKXsocO1P/S8nKf4pQhble2JHY
+Ww4VtVRPS57GFYNBaIo72zVJCsQb4+WQiJLw/OztB4I
+-> Rf?-grease oTgL3-F LWSk
+M/o0QQ7c488WiXoMDNwRbV2ZGwRTS7KfYIXpIbOkFC9q1+QRk6OWtki19GVcrcYX
+diOQleh7G0fSkQxbz+5rqgS+sFRw
+--- BEqzzXxyIsyQMepZGMa/eG439AjU4yazzjaJD7gsWs4
+´TÛü´°0“OQŒÍ•î¢Ö9¯žEAêm3
+søW¹:—„ô¥8v¤5Æñ=kò'4g+¹°ÜÄXz&Êš‚¦^ô°öÙ…–bËctªÔYâªzhâ8ázÖ÷žÞñ=S´KBŒwûO<C3BB>êYåÚú	ž7^NŸÁ[€áG¬®ð8
--- a/secrets/vancouver-restic-password.age
+++ b/secrets/vancouver-restic-password.age
Author	SHA1	Message	Date
Gabriel Simmer	f74470e5ff	Move syncthing to system service on NAS All checks were successful Lint / lint (push) Successful in 18s Details	2023-09-10 12:04:55 +01:00
Gabriel Simmer	e12c0312bb	Restic based backup to b2	2023-09-10 12:04:39 +01:00