Oeh, I am "loving" NixOS right now.

This commit is contained in:
Root User 2026-02-07 23:50:44 +01:00
parent d6af466263
commit c4fe904896
Signed by: root
GPG key ID: 087F0A95E5766D72
5 changed files with 51 additions and 63 deletions


@ -20,7 +20,7 @@
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml; sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml;
# This will automatically import SSH keys as age keys # This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519.pub"]; #sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519"];
# This is using an age key that is expected to already be in the filesystem # This is using an age key that is expected to already be in the filesystem
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist # This will generate a new key if the key specified above does not exist
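Review bot: The comment `# This will automatically import SSH keys as age keys` now sits above a commented-out `sops.age.sshKeyPaths`, so it documents nothing; the same pair appears unchanged in the second file's hunk. If the intent is to rely solely on `sops.age.keyFile`, replace the two lines with a single `# sshKeyPaths disabled: decryption uses the age key in sops.age.keyFile` so the next reader does not re-enable the `.pub` path (sops-nix derives age keys from SSH private keys, so the old `.pub` value would not have worked, as far as I can tell). With only `keyFile` left, every host needs `/var/lib/sops-nix/key.txt` present and readable by root only before activation, which is worth stating in that comment as well.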


@ -20,7 +20,7 @@
# sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml";
sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml; sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml;
# This will automatically import SSH keys as age keys # This will automatically import SSH keys as age keys
sops.age.sshKeyPaths = ["/home/nixosdd/.ssh/id_ed25519.pub"]; #sops.age.sshKeyPaths = ["/home/nixosdd/.ssh/id_ed25519"];
# This is using an age key that is expected to already be in the filesystem # This is using an age key that is expected to already be in the filesystem
sops.age.keyFile = "/var/lib/sops-nix/key.txt"; sops.age.keyFile = "/var/lib/sops-nix/key.txt";
# This will generate a new key if the key specified above does not exist # This will generate a new key if the key specified above does not exist


@ -1,23 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
TIMESTAMP=$(date +%Y%m%d%H%M%S)
BACKUP_DIR=$(mktemp -d)
trap 'rm -rf "$BACKUP_DIR"' EXIT
gpg --batch --import "${GPG_KEY_FILE}"
DATABASES=$(mysql -u root -e "SHOW DATABASES;" | grep -Ev "^(Database|information_schema|performance_schema|mysql|sys)$")
for DB in $DATABASES; do
echo "Backing up MariaDB database: $DB"
FILENAME="mariadb_${DB}_${TIMESTAMP}.sql.gz.gpg"
if mysqldump -u root "$DB" | gzip | gpg --batch --encrypt --recipient "${GPG_RECIPIENT}" > "$BACKUP_DIR/$FILENAME"; then
gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${GCS_BUCKET}/mariadb/$FILENAME"
echo "Successfully uploaded encrypted $FILENAME"
else
echo "Failed to backup $DB" >&2
exit 1
fi
done


@ -1,24 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
TIMESTAMP=$(date +%Y%m%d%H%M%S)
BACKUP_DIR=$(mktemp -d)
trap 'rm -rf "$BACKUP_DIR"' EXIT
# Import GPG key for encryption
gpg --batch --import "${GPG_KEY_FILE}"
DATABASES=$(psql -U postgres -t -c "SELECT datname FROM pg_database WHERE datistemplate = false AND datname != 'postgres';" | grep -v '^$')
for DB in $DATABASES; do
DB=$(echo "$DB" | xargs)
echo "Backing up PostgreSQL database: $DB"
FILENAME="pgsql_${DB}_${TIMESTAMP}.sql.gz.gpg"
if pg_dump -U postgres -d "$DB" | gzip | gpg --batch --encrypt --recipient "${GPG_RECIPIENT}" > "$BACKUP_DIR/$FILENAME"; then
gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${GCS_BUCKET}/postgresql/$FILENAME"
echo "Successfully uploaded encrypted $FILENAME"
else
echo "Failed to backup $DB" >&2
exit 1
fi
done


@ -64,24 +64,59 @@
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
''; '';
postgresBackupScript = pkgs.writeShellScript "backup-postgresql-wrapper" '' postgresBackupScript = pkgs.writeShellScript "backup-postgresql" ''
export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}" set -euo pipefail
export GCS_BUCKET="${gcsBucket}"
export GPG_RECIPIENT="${gpgRecipient}"
export GPG_PUBLIC_KEY="${gpgPublicKey}"
export PATH="${lib.makeBinPath [pkgs.postgresql pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg]}:$PATH"
exec ${./backup_postgresql.zsh} export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}"
export PATH="${lib.makeBinPath [pkgs.postgresql pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg pkgs.coreutils pkgs.gnugrep]}:$PATH"
TIMESTAMP=$(date +%Y%m%d%H%M%S)
BACKUP_DIR=$(mktemp -d)
trap 'rm -rf "$BACKUP_DIR"' EXIT
gpg --batch --import "${gpgPublicKey}"
DATABASES=$(psql -U postgres -t -c "SELECT datname FROM pg_database WHERE datistemplate = false AND datname != 'postgres';" | grep -v '^$')
for DB in $DATABASES; do
DB=$(echo "$DB" | xargs)
echo "Backing up PostgreSQL database: $DB"
FILENAME="pgsql_''${DB}_''${TIMESTAMP}.sql.gz.gpg"
if pg_dump -U postgres -d "$DB" | gzip | gpg --batch --encrypt --recipient "${gpgRecipient}" > "$BACKUP_DIR/$FILENAME"; then
gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${gcsBucket}/postgresql/$FILENAME"
echo "Successfully uploaded encrypted $FILENAME"
else
echo "Failed to backup $DB" >&2
exit 1
fi
done
''; '';
mariadbBackupScript = pkgs.writeShellScript "backup-mariadb-wrapper" '' mariadbBackupScript = pkgs.writeShellScript "backup-mariadb" ''
export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}" set -euo pipefail
export GCS_BUCKET="${gcsBucket}"
export GPG_RECIPIENT="${gpgRecipient}"
export GPG_PUBLIC_KEY="${gpgPublicKey}"
export PATH="${lib.makeBinPath [pkgs.mariadb pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg]}:$PATH"
exec ${./backup_mariadb.zsh} export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}"
export PATH="${lib.makeBinPath [pkgs.mariadb pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg pkgs.coreutils pkgs.gnugrep]}:$PATH"
TIMESTAMP=$(date +%Y%m%d%H%M%S)
BACKUP_DIR=$(mktemp -d)
trap 'rm -rf "$BACKUP_DIR"' EXIT
gpg --batch --import "${gpgPublicKey}"
DATABASES=$(mysql -u root -e "SHOW DATABASES;" | grep -Ev "^(Database|information_schema|performance_schema|mysql|sys)$")
for DB in $DATABASES; do
echo "Backing up MariaDB database: $DB"
FILENAME="mariadb_''${DB}_''${TIMESTAMP}.sql.gz.gpg"
if mysqldump -u root "$DB" | gzip | gpg --batch --encrypt --recipient "${gpgRecipient}" > "$BACKUP_DIR/$FILENAME"; then
gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${gcsBucket}/mariadb/$FILENAME"
echo "Successfully uploaded encrypted $FILENAME"
else
echo "Failed to backup $DB" >&2
exit 1
fi
done
''; '';
in { in {
systemd.services.backup-postgresql = { systemd.services.backup-postgresql = {
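Review bot: The two `gpg --batch --encrypt --recipient` calls (in the `if pg_dump …` and `if mysqldump …` lines) target a public key that was only just `--import`ed and so carries no ownertrust, and in batch mode gpg refuses such a key as unusable unless the service user's keyring already trusts it or a trust model is configured; nothing in the hunk sets either, so unless a gpg.conf exists elsewhere both backups fall into the `else` branch. Since the recipient and the key material are both pinned in this Nix config, the persistent keyring adds no assurance; make the scripts hermetic with `export GNUPGHOME="$BACKUP_DIR/gnupg"` and `mkdir -m 700 "$GNUPGHOME"` right after the `mktemp -d` line (the existing trap then removes the keyring too) and add `--trust-model always` to the two encrypt calls. The `DB=$(echo "$DB" | xargs)` line in the PostgreSQL script is also a hazard: `for DB in $DATABASES` has already stripped the surrounding whitespace, and xargs reinterprets quotes and backslashes, so a quoted PostgreSQL identifier containing `'` or `"` is mangled or aborts the whole run under `set -e`; dropping the line is sufficient and also removes the reliance on `xargs`, which comes from findutils rather than the coreutils listed in `makeBinPath`. The `let` binding these scripts belong to starts outside the hunk.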