feat: db & git backups, bots on matrix, proxmox monitors, ...

2025-11-19 22:01:27 +01:00
parent 4035967f21
commit e7aa43acaf
17 changed files with 116 additions and 21 deletions
--- a/config/db-postgres.nix
+++ b/config/db-postgres.nix
@@ -15,4 +15,13 @@
    checkConfig = true;
    initialScript = config.age.secrets.db-postgres-initscript.path;
  };
+
+  # TODO: Manually add /mnt/backups mountpoint => NAS backup folder (with rotation on the NAS)
+  services.postgresqlBackup = {
+    enable = true;
+    backupAll = true;
+    compression = "gzip";
+    compressionLevel = 6;
+    location = "/mnt/backups/postgresql";
+  };
 }
--- a/config/git-gitea.nix
+++ b/config/git-gitea.nix
@@ -16,11 +16,16 @@
        host = tools.build_ip "db";
        createDatabase = false;
      };
-      # TODO: dump ...
      settings = {
        server.HTTP_PORT = 3000;
      };
-      # user = "git";
+      dump = {
+        enable = true;
+        # TODO: Manual mountpoint /mnt/backups => NAS
+        backupDir = "/mnt/backups/gitea";
+        interval = "1:42";
+        type = "tar.gz";
+      };
    };
    # gitea-actions-runner.instances.default = {
    #   enable = true;
--- a/config/matrix-maubot.nix
+++ b/config/matrix-maubot.nix
@@ -0,0 +1,23 @@
+{
+  pkgs,
+  config,
+  tools,
+  ...
+}:
+{
+  nixpkgs.config.permittedInsecurePackages = [
+    "olm-3.2.16"
+  ];
+
+  environment.etc."maubot/config.base.yaml".source = config.age.secrets.matrix-maubot-cfg.path;
+  services.maubot = {
+    enable = true;
+    plugins = with config.services.maubot.package.plugins; [
+      rss
+      hasswebhookbot
+    ];
+    configMutable = true;
+    # RIP the auto configuration ... Built a base yaml, written in agenix, and manually copying this to the config.yaml file + adapting as needed...
+    extraConfigFile = "/etc/maubot/config.yaml";
+  };
+}
--- a/config/metrics-prometheus.nix
+++ b/config/metrics-prometheus.nix
@@ -15,6 +15,20 @@ in
      "--web.enable-remote-write-receiver"
      "--storage.tsdb.retention.time=${config.globals.retention}"
    ];
+    exporters.pve = {
+      enable = true;
+      collectors = {
+        cluster = true;
+        config = false;
+        node = true;
+        replication = false;
+        resources = true;
+        status = true;
+        version = true;
+      };
+      configFile = config.age.secrets.metrics-pve.path;
+      port = 9221;
+    };
    globalConfig = {
      scrape_interval = "30s";
    };
@@ -30,6 +44,14 @@ in
              service = "prometheus";
            };
          }
+          {
+            targets = [ "localhost:9221" ];
+            labels = {
+              host = tools.build_hostname "proxmox";
+              host_ip = tools.build_ip "proxmox";
+              service = "proxmox";
+            };
+          }
        ];
      }
    ]
--- a/containers/matrix.nix
+++ b/containers/matrix.nix
@@ -18,8 +18,10 @@ in
      additionalPorts = [
        80 # element web
        5173 # synapse admin
+        29316 # maubot
      ];
      importConfig = [
+        ../config/matrix-maubot.nix
        ../config/matrix-synapse.nix
        ../config/matrix-nginx.nix
      ];
@@ -27,6 +29,9 @@ in
    db = {
      enable = true;
      password = db_pass.matrix;
+      additionalDB = [
+        "maubot"
+      ];
    };
    logging = {
      enable = true;
@@ -47,6 +52,12 @@ in
        private = true;
        auth = false;
      }
+      {
+        subdomain = "maubot";
+        port = 29316;
+        private = true;
+        auth = false;
+      }
    ];
  };
 }
--- a/modules/tools.nix
+++ b/modules/tools.nix
@@ -19,12 +19,23 @@ let
  build_ip_cidr = arg: "${build_ip arg}/${toString config.globals.cidr}";
  mask_cidr = build_ip_cidr 0;
  build_hostname = arg: "${arg}${config.globals.domains.external}";
+  build_db_uri =
+    container: base:
+    let
+      db_user = container;
+      db_pass = config.my-lxc.${container}.db.password;
+      db_host = build_ip "db";
+      db_port = "5432";
+      db_name = base;
+    in
+    "postgresql://${db_user}:${db_pass}@${db_host}:${db_port}/${db_name}";
 in
 {
  build_ip = build_ip;
  build_ip_cidr = build_ip_cidr;
  mask_cidr = mask_cidr;
  build_hostname = build_hostname;
+  build_db_uri = build_db_uri;

  loki_addr = "${build_ip "monitoring"}:3100";
  metrics_addr = "${build_ip "metrics"}:9090";
--- a/secrets/auth-authentik-ldap-secrets.age
+++ b/secrets/auth-authentik-ldap-secrets.age
--- a/secrets/auth-authentik-proxy-secrets.age
+++ b/secrets/auth-authentik-proxy-secrets.age
--- a/secrets/auth-authentik-secrets.age
+++ b/secrets/auth-authentik-secrets.age
--- a/secrets/db-postgres-initscript.age
+++ b/secrets/db-postgres-initscript.age
--- a/secrets/finances-app-key.age
+++ b/secrets/finances-app-key.age
@@ -1,8 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 jxhkLg aQoOlZUoNaXXxfkMlkGx9zJDKQh+zlLyYrXuX+LEcFw
-9c/dFd+LYdnb2TUm5+lxcPmFW8STMq6UALHlClL85jc
-> ssh-ed25519 UJuwpQ hnsSFl7MIkaG0DmCzZKoUtDLj/ey+YZ7Af4gEiPNtkc
-2bmkqUGoh2kAW03X//iq/mlzOZeoS1PpmAmLWcAR48k
--- yMItyu2jgirF9YB+u26yykPuqEVz7T46oi6EDZ8rXYs
-•û6v%aÇKFÛÞ1×49<$kHüC²bÄvÊ#dÜ¿$ë‰4
-õF5k*Ct¯±qUH%¶¶~ÇÓEíŒú³Å:e:÷d½¶èä<C3A8>·´k
+-> ssh-ed25519 jxhkLg cwOIK3+fKR+hwY0ffpXmoRlvEzisaqJKph9KAz1tjgE
+M7ZSm185WYRIyVFBtdhqUSSevkPrWUU+oO1pWyvBL6c
+-> ssh-ed25519 UJuwpQ Rd52L1o0bCbjgudCzJ0qo209c9WOKxqwnWi9oYbpbXA
+6EoyF/9warFja9lKxAAa7M/wIHfFrifJQhg31gNDQeg
+--- dkH7UftAnXBiRRK6xf+c/wBTlgREs8fTBNWPXVhfg/I
+¾7£:V;î®/aˆ*Þ¾µïwÍËý .«Õ<C2AB>\–ÿËÅRëöCz4ÆES9šÏP+ÔÛÞˆl/Q<2ã<32>ÅG¹MN• ™k¯¡l
--- a/secrets/matrix-maubot-cfg.age
+++ b/secrets/matrix-maubot-cfg.age
--- a/secrets/metrics-pve.age
+++ b/secrets/metrics-pve.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 jxhkLg fMyFt2LR3vCmiEBnsa8l+66q41O6so6vIfwwfR0dXVk
+eW719i/+MlQgJVbM9yP95FK+akVScstte2wWYulBGY
+-> ssh-ed25519 hKRBdw DjmDRh5sqxmbSckrYIliu8zFVZDIpzltqK5rCO1qRB8
+8isUMp0G0zE/MK7s3ubTzEZlFh3DSJVYD3hP2cfBODo
+--- JOvIpPS8459oTkMN0OqtifBDC3I5ccn/A64k6WLbWbA
+u¤d´„º’DŠØ#æÃÃÂ«Ñõ<
--- a/secrets/power-password-file.age
+++ b/secrets/power-password-file.age
@@ -1,7 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 jxhkLg +kc3WvRZu+M7FPObE9sUEBrRZUjaKQ3uDX01e30bvH4
-jp7GGPCdUHMFYAdZ6eHlb2Rpjbr7fgxO5i5A4JCuBFQ
-> ssh-ed25519 DVDL4g u3KhmxBa+ycZKj6g9/p9VfdWJe3sXNIYWqvnxS0LOFk
-+6czbSa2PsgCNrsWFYtFJpW6YRttVpC3tlJpvMyKVlo
--- 6giEp6Qr8xXyII1KyBbEtT0a4qUkYtvby2NVshaHvK8
-©³˜Üú+&
+-> ssh-ed25519 jxhkLg oln5ya/9gIVWvlWBE11ZgUQYCN4tZQFa4Fe13q3o81s
+69a7qRWUtQ6KAgT9zH6HzPqmoBx5OPMv8mhoc3F+FlQ
+-> ssh-ed25519 DVDL4g m2lTL6SD1HxqSJelHrpDli1uOCgM6/cjJApBQ0a4UD0
+QhjMpiWQcovOPMxwX/658PkO0hgppG0rs5wQO5OUH78
+--- IW3/EHx3kYU5kLkRt9x2SQtqx/+krXcT4aPv3zh+u+0
+ŽÒ8¨ÎƒPËø‘®óR«Dû°3¾¡7™ãÆdÕR3ëøðÜ‚wï Ž€
--- a/secrets/proxy-dns-provider-config.age
+++ b/secrets/proxy-dns-provider-config.age
@@ -1,7 +1,9 @@
 age-encryption.org/v1
-> ssh-ed25519 jxhkLg anodHENUqRaCT66sUwK09KEUOUsApe5VfLioUKylKGM
-IyzgkxtINRFeRCa5hdvuUruBrE+07vrjsGsns7Ydwx4
-> ssh-ed25519 FOCPAw DLnVp2X2Nu2wB4/F3R0zfZT5ZcSY9TjY0pKyEeA/AHM
-3IQ4Wvl/ei2eOveqXpmk1hZPhgpNn7zb6kjoWXmwZaY
--- oZOshy18oF7M5znbecsTb4np2FAQqU4henZZFTrQUAI
-]‹±Yi1/Ú¸Ò`ˆnÊEþPZ[%SÂ}ŠFËÅU1Q0âkêàƒŠ9ãSóªÒ±íîIÂÍÜ†v¨ùý-
+-> ssh-ed25519 jxhkLg TBe8hP/bpnNG/b5h9YeeBruy3znMSWNhjDUWVvNEd04
+TPuNvPhRlvg+wdLCulhBNu+qbXs7pWhFngcrWwcC2Zs
+-> ssh-ed25519 FOCPAw Hwq5xX/6uL8uVxudKKkwwS+NSJn69dqabFBDQr5o00A
+bz+UUYKhSgrKS4KHFor5XpjZAnuOZrHuNHuvXSP/JR8
+--- VvsmTUj/PZTAwxzT5bFLKhcur6hv7qODo/5L94cW4LY
+dnC»º¡¿ìEŽB©¸×j<1D>*n?èÈ/›üÕýç606®ã9
+ëè‘ºW
+xaOë
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -24,6 +24,12 @@ in
  "finances-app-key.age".publicKeys = users ++ [
    keys.finances
  ];
+  "matrix-maubot-cfg.age".publicKeys = users ++ [
+    keys.matrix
+  ];
+  "metrics-pve.age".publicKeys = users ++ [
+    keys.metrics
+  ];
  "power-password-file.age".publicKeys = users ++ [
    keys.power
  ];
--- a/secrets/yarrr-env.age
+++ b/secrets/yarrr-env.age