From 6a7ed174aac8ab1583ac4ae62e8a482d3d67ffd7 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Wed, 29 Nov 2023 23:09:52 +0100
Subject: Serve Git repos over SSH and back them up

---
 tw/system/lud.scm | 49 ++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 44 insertions(+), 5 deletions(-)
(limited to 'tw/system/lud.scm')

diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 2b2b08e1..2c8c7fef 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -9,6 +9,7 @@
 #:use-module (tw services nextcloud)
 #:use-module (tw services matrix)
 #:use-module (tw services media)
+ #:use-module (tw services restic)
 #:use-module (tw services secrets)
 #:use-module (tw services web)
 #:use-module (tw system))
@@ -64,7 +65,9 @@
 `(("ira" ; for Duplicity backups
 ,(local-file "files/kitchen-pc.pub")
 ,(local-file "files/wilken-laptop.pub"))
- ("timo"
+ ("git"
+ ,(local-file "files/timo.pub")
+ ,(local-file "files/timo-phone-gpg.pub")
 ,(local-file "files/timo-phone-password-store.pub"))))
 
 (service tor-service-type)
@@ -87,12 +90,16 @@
 ;; git://lud.wg/~user/repo.git => /home/user/src/repo.git
 (user-path "src")))
 
+ ;; Serve public-access git repos over HTTPS and private ones over SSH only.
 (service cgit-service-type
 (cgit-configuration
 (branch-sort "age")
+ (root-title "Timo Wilken's Git repositories")
+ (root-desc "Projects written by me, contributed to by me, or \
+that I just want to host somewhere.")
 ;; (root-readme "") ; TODO
- ;; (root-title "") ; TODO
 (repository-directory "/srv/git")
+ (strict-export "git-daemon-export-ok") ; require presence of this file to show repo
 (remove-suffix? #t) ; remove trailing .git in name and URL
 (clone-prefix '("https://git.twilken.net/" "git@git.twilken.net:"))
 
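Review bot: The three key files now listed under `("git" …)` authenticate as the `git` account, and the `user-account` for `git` added in the last hunk of this commit sets no `shell`, so with Guix's default login shell each of those keys gets an interactive session on the host rather than a git-only transport. Consider giving that account a restricted shell, e.g. `(shell (file-append git "/bin/git-shell"))` (the `git` package would then have to be in scope), so the keys can only drive `git-upload-pack`/`git-receive-pack`. The `timo` entry disappears from this alist, so the phone's password-store key no longer authenticates as `timo`; presumably intended, but worth a sentence in the commit message. The enclosing form (presumably an `authorized-keys` list) starts before the hunk.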
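Review bot: The new header comment says private repos are "over SSH only", but the only thing in this hunk that separates public from private is `strict-export`, which merely stops cgit from listing or serving a repo under `/srv/git` that lacks a `git-daemon-export-ok` file; SSH access to every repo is governed by the `git` account's filesystem permissions, not by that marker. Make the mechanism explicit so the next person creating a repo knows what the marker does, e.g. `;; cgit lists and serves only repos under /srv/git containing a git-daemon-export-ok file (the same marker name git daemon uses by default); everything else is reachable only via SSH as the git user.` The `git://` daemon mentioned in the context line serves `/home/user/src`, a different tree, so the marker here does not affect it. The `operating-system` form these services belong to starts outside the hunk.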
@@ -111,6 +118,32 @@
 (domains '("git.twilken.net"))
 (deploy-hook %nginx-cert-deploy-hook))))
 
+ (simple-service 'git-backups restic-backup-service-type
+ (list (restic-scheduled-backup
+ (schedule #~"0 3 * * *")
+ (paths '("/srv/git"))
+ (repo (restic-local-repository
+ (path "/var/backups/git")))
+ (password (restic-password-source
+ (type 'file)
+ (name "/etc/restic/lud-git"))))))
+
+ (simple-service 'git-backups-cleanup restic-cleanup-service-type
+ (list (restic-scheduled-cleanup
+ (schedule #~"0 4 * * *")
+ (repo (restic-local-repository
+ (path "/var/backups/git")))
+ (password (restic-password-source
+ (type 'file)
+ (name "/etc/restic/lud-git")))
+ (keep-daily 30)
+ (keep-monthly -1))))
+
+ (simple-service 'git-secrets secrets-service-type
+ (list (secret
+ (encrypted-file (local-file "files/restic/lud-git.enc"))
+ (destination "/etc/restic/lud-git"))))
+
 ;; Transmission (torrents)
 (service transmission-daemon-service-type
 (transmission-daemon-configuration
@@ -211,12 +244,18 @@ innodb_io_capacity = 4000
 (comment "Syncthing service")
 (group "syncthing")
 (home-directory "/var/data/syncthing"))
+ (user-account
+ (system? #t)
+ (name "git")
+ (comment "Git hosting service")
+ (group "git")
+ (home-directory "/srv/git"))
 %server-base-user-accounts))
 
+ ;; Groups are NOT implict from the user-accounts that mention them.
 (groups
- (cons* (user-group ; This is NOT implict from the "syncthing" user.
- (system? #t)
- (name "syncthing"))
+ (cons* (user-group (system? #t) (name "syncthing"))
+ (user-group (system? #t) (name "git"))
 %base-groups))
 
 ;; Use the UEFI variant of GRUB with the EFI System Partition mounted
-- 
cgit v1.2.3
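Review bot: The restic repository for `/srv/git` is `/var/backups/git` on the same host, and that host also holds the repository password at `/etc/restic/lud-git`, so the 03:00 backup and 04:00 prune give point-in-time recovery (a bad force-push, an accidental delete) but no protection against disk loss or a compromised root that can remove both the repos and the backups. If that is the intended scope, state it where the backup is defined, e.g. `;; Local-only snapshot repo: guards against bad pushes, not against losing this host.` The `secret` record sets only `encrypted-file` and `destination`; confirm the secrets service writes `/etc/restic/lud-git` readable by root alone, since that file unlocks every snapshot. `keep-monthly -1` depends on restic treating a negative count as "keep all"; if the cleanup service passes it straight to `restic forget`, double-check the installed restic version accepts it.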
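Review bot: The new comment above `(groups` misspells "implicit" (`implict`); suggest `;; Groups are NOT implicit from the user-accounts that mention them.` The `git` account's `home-directory` is `/srv/git`, the same tree that cgit scans and that the restic backup in the previous hunk captures, so anything a login shell writes there (history, dotfiles) lands in the backups; a separate home, or the restricted shell raised on the authorized-keys hunk, avoids that. The enclosing `users` form (presumably) starts outside the hunk.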