Dan 31d388d21c Add B2 automated backup with restic
- Add services.postgresqlBackup for daily DB dumps (2 AM)
- New modules/backup-b2.nix: restic backup to B2 (3 AM daily)
- Weekly integrity check (Sunday 4 AM)
- Retention: 7 daily, 4 weekly, 6 monthly
- B2 bucket: ops-jrz1-backup with scoped app key

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 13:49:59 -08:00


{ pkgs, ... }:
{
  # NixOS host configuration for the ops-jrz1 production VPS.
  # The Matrix platform pieces are extracted ops-base modules, pulled in
  # through `imports` below; this file only wires them up and sets values.

  # The upstream NixOS maubot module is replaced by the sops-nix aware
  # variant in ../modules/maubot.nix, so the built-in one must be masked.
  disabledModules = [ "services/matrix/maubot.nix" ];

  imports = [
    # Generated hardware description
    ../hardware-configuration.nix

    # Matrix platform (homeserver, bridges, bot runtime)
    ../modules/matrix-continuwuity.nix
    ../modules/mautrix-slack.nix
    ../modules/maubot.nix
    ../modules/dev-services.nix

    # Security hardening modules (imported; see the `security.*` section
    # further down for their current enable state)
    ../modules/security/fail2ban.nix
    ../modules/security/ssh-hardening.nix

    # Secrets and backups
    ../modules/matrix-secrets
    ../modules/backup.nix
    ../modules/backup-b2.nix
  ];

  networking = {
    hostName = "jrz1";
  };

  # sops-nix: secrets are decrypted with the host's ed25519 SSH key.
  # `mode` values are octal file permissions on the decrypted secret files.
  sops = {
    defaultSopsFile = ../secrets/secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];

    secrets =
      let
        # Slack developer tokens are readable by the `devs` group so the
        # learner bot can be developed against them; everything else is
        # root-only.
        devReadable = {
          owner = "root";
          group = "devs";
          mode = "0440";
        };
      in
      {
        # Consumed by dev-services.nix / matrix-continuwuity through
        # systemd LoadCredential; root ownership is what DynamicUser
        # services expect.
        matrix-registration-token.mode = "0400";

        # Maubot management UI admin password and session signing key
        maubot-admin-password.mode = "0400";
        maubot-secret-key.mode = "0400";

        slack-bot-token = devReadable;
        slack-app-token = devReadable;

        # Forgejo API token used for dev user provisioning (root only)
        forgejo-api-token.mode = "0400";
      };
  };

  # The standalone `services.matrix-homeserver` module is intentionally not
  # used here: `services.dev-platform.matrix` supersedes it with integrated
  # bridge coordination and systemd credential-based secrets. The old
  # settings were: enable = true, domain = "clarun.xyz", port = 8008,
  # enableRegistration = true, enableFederation = false.

  services = {
    # Development platform: Matrix homeserver, Forgejo, Slack bridge, maubot
    dev-platform = {
      enable = true;
      domain = "clarun.xyz";

      matrix = {
        enable = true;
        serverName = "clarun.xyz";
        port = 8008;
      };

      forgejo = {
        enable = true;
        subdomain = "git";
        port = 3000;
      };

      slackBridge = {
        enable = true;
        workspace = "chochacho";
        port = 29319;
      };

      maubot = {
        enable = true;
        port = 29316;
        plugins = [ ../modules/plugins/sna-instagram-bot.mbp ];
      };
    };

    # Local backup (Phase 1: manually triggered)
    backup.enable = true;

    # Offsite backup to B2 via restic, run daily by the module's timer
    backup-b2.enable = true;
  };

  # Security hardening is currently DISABLED pending fixes; until these are
  # re-enabled the host runs with stock NixOS sshd/fail2ban behaviour.
  # security.fail2ban-enhanced.enable = true;
  # security.ssh-hardening.enable = true;

  programs = {
    # Pinned host key for git.clarun.xyz so devs and agents never hit an
    # interactive host-key prompt.
    ssh.knownHosts = {
      "git.clarun.xyz" = {
        publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINs/geVYoQh1ldL2TgyAJy+ErCxaJt91ocgpFRvHDUXl";
      };
    };

    # nix-ld lets the pre-compiled VS Code Server binary (Remote-SSH) run
    # by providing the dynamic libraries it links against.
    nix-ld = {
      enable = true;
      libraries = [
        pkgs.stdenv.cc.cc.lib
        pkgs.zlib
        pkgs.openssl
      ];
    };
  };

  system.stateVersion = "24.05";
}