From f59ed3a176a865032e0f7cfaa549d19ddeeb4deb Mon Sep 17 00:00:00 2001
From: "Miguel (Comet)"
Date: Thu, 8 Apr 2021 20:59:42 +0200
Subject: added admin stuff
---
 git_backup/git_backup.sh | 15 +++++
 miguel-git-prompt.sh | 17 +++++
 nixos/TODO.md | 11 ++++
 nixos/configuration.nix | 165 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 208 insertions(+)
 create mode 100644 git_backup/git_backup.sh
 create mode 100644 miguel-git-prompt.sh
 create mode 100644 nixos/TODO.md
 create mode 100644 nixos/configuration.nix
diff --git a/git_backup/git_backup.sh b/git_backup/git_backup.sh
new file mode 100644
index 0000000..5082b9b
--- /dev/null
+++ b/git_backup/git_backup.sh
@@ -0,0 +1,15 @@
+# https://git.seveas.net/how-to-back-up-a-git-repository.html
+
+#But even if you do not have the capability to do snapshots, you can still make consistent backups, as long as you back up objects after refs. You might end up with some dangling objects, but your repository will be consistent and all refs will point to existing objects. With rsync, that could look like:
+
+TIMESTAMP=$(date +%Y%m%d%H%M%S)
+INPUT=comet:/var/lib/gitolite/repositories
+OUTPUT=~/comet_git_backup/$TIMESTAMP
+
+echo BACKING UP REFS etc ...
+rsync -av --delete --exclude "*/objects" $INPUT $OUTPUT
+echo BACKING UP OBJECTS AFTER REFS
+rsync -av --delete --include "*/" --include "*/objects/**" --exclude "*" $INPUT $OUTPUT
+#rsync -av --delete --include '/*/objects' --include "/*" --exclude '/*/*' $INPUT $OUTPUT
+#rsync -av --delete --include '/*/objects/*' --exclude '/*/*/*' $INPUT $OUTPUT
+
diff --git a/miguel-git-prompt.sh b/miguel-git-prompt.sh
new file mode 100644
index 0000000..031e883
--- /dev/null
+++ b/miguel-git-prompt.sh
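Review bot: The script has no shebang and never checks rsync's exit status, so if the first (refs) pass fails — an ssh drop to `comet`, say — the objects pass still runs and the script exits 0 with a snapshot that is not the consistent refs-before-objects copy the comment at the top promises. Start the file with `#!/usr/bin/env bash` and `set -euo pipefail`, and quote the two paths, `rsync -av --delete --exclude "*/objects" "$INPUT" "$OUTPUT"` (same for the second call). Because `$OUTPUT` is a fresh timestamped directory on every run, `--delete` never has anything to remove and each run is a full copy with no retention visible here; either prune old snapshots or pass `--link-dest` pointing at the previous snapshot so unchanged objects are hard-linked. The TODO in this commit lists "verify backups" — a `git fsck` over the copied repositories after the second pass would be the natural place for that, and this script is where a failure would be caught earliest.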
@@ -0,0 +1,17 @@
+miguel_git_prompt ()
+{
+ RED="\[$(tput setaf 1)\]"
+ GREEN="\[$(tput setaf 2)\]"
+ RESET="\[$(tput sgr0)\]"
+
+ PS1=" \w"
+ if git rev-parse --git-dir > /dev/null 2>&1; then
+ PS1+=" [$RED"
+ PS1+=`git status --porcelain | awk '{print $1}' | sort | uniq | tr '\n' ' '`
+ PS1+="$GREEN"
+ #PS1+=`git branch --show-current`
+ PS1+=`git status --porcelain -b | head -n1`
+ PS1+="$RESET]"
+ fi
+ PS1+=" $ "
+}
diff --git a/nixos/TODO.md b/nixos/TODO.md
new file mode 100644
index 0000000..329ebea
--- /dev/null
+++ b/nixos/TODO.md
@@ -0,0 +1,11 @@
+# SSH
+* ssh: key-only-auth
+
+# GIT
+* selective encrypted files
+* fat file storage
+* gitolite: ban 'push -f'
+* git-app for mobile
+* lock gitolite write access and backup (once daily?)
+* pull/push backups to other storage
+* verify backups
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
new file mode 100644
index 0000000..30e0175
--- /dev/null
+++ b/nixos/configuration.nix
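Review bot: The line `PS1+=\`git status --porcelain -b | head -n1\`` splices the current branch name verbatim into PS1, and bash re-expands PS1 (parameter expansion and command substitution, with `promptvars` on by default) every time the prompt is drawn, so a branch name containing `$(…)` — which git's ref-name rules allow — would be executed in the user's shell as soon as they check out a repository that carries it; the `git status --porcelain` line before it is only safe because awk keeps the status column and drops the file names. The fix is to keep git output out of PS1 and let the prompt reference it through a single-quoted `'${var}'`, which bash expands once and does not re-scan; the variables must be globals, not `local`, because the prompt is expanded after this function returns. Two further points of style: backticks should be `$(…)`, and running `git status` twice per prompt is noticeably slow in large working trees, so the second call could reuse the first one's output. The function is presumably meant to be assigned to `PROMPT_COMMAND`, which this hunk does not show.
```shell
    if git rev-parse --git-dir > /dev/null 2>&1; then
        # Keep git output out of PS1 itself: bash expands '${…}' once when the
        # prompt is drawn and does not re-scan the result for $(…) or backticks.
        _mgp_status=$(git status --porcelain | awk '{print $1}' | sort | uniq | tr '\n' ' ')
        _mgp_branch=$(git status --porcelain -b | head -n1)
        PS1+=" [$RED"'${_mgp_status}'"$GREEN"'${_mgp_branch}'"$RESET]"
    fi
    # … unchanged: PS1+=" $ " …
```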
@@ -0,0 +1,165 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+ # Automatic Upgrades
+ system.autoUpgrade.enable = true;
+ system.autoUpgrade.allowReboot = true;
+
+ imports =
+ [ # Include the results of the hardware scan.
+ /etc/nixos/hardware-configuration.nix
+ ];
+
+ # SYS PACKAGES
+ environment.systemPackages = [pkgs.vim pkgs.openssl pkgs.mc pkgs.highlight];
+
+ # SSH
+ services.openssh.enable = true;
+ services.openssh.permitRootLogin = "yes";
+
+ users.extraUsers.root.openssh.authorizedKeys.keys = [ "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69" ];
+
+
+ # XMPP
+ services.ejabberd.enable = true;
+ services.ejabberd.configFile = "/etc/ejabberd.yaml";
+
+ # GITOLITE
+ services.gitolite.enable = true;
+ services.gitolite.extraGitoliteRc = "$RC{UMASK} = 0027;";
+ services.gitolite.adminPubkey = "ssh-rsa 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 Miguel_User@DESKTOP-4NH8M69";
+
+ # GITWEB
+ services.gitweb.projectroot = "/var/lib/gitolite/repositories";
+ services.gitweb.gitwebTheme = true;
+ services.gitweb.extraConfig = ''
+ $site_name = "Gitweb of the Fools";
+ $logo_label = "Gitweb of the Fools";
+ $logo_url = "/gitweb";
+ $feature{'highlight'}{'default'} = [1];
+ $projects_list = "/var/lib/gitolite/projects.list";
+ $strict_export = true;
+ $per_request_config = 1;
+ our %highlight_basename;
+ $highlight_basename{'Dockerfile'} = 'Dockerfile';
+ $highlight_basename{'Makefile'} = 'Makefile';
+ our %highlight_ext;
+ $highlight_ext{'hs'} = 'haskell';
+ $highlight_ext{'go'} = 'go';
+ $highlight_ext{'yaml'} = 'yaml';
+ $highlight_ext{'md'} = 'markdown';
+ $highlight_ext{'lua'} = 'lua';
+ $highlight_ext{'modinfo'} = 'xml';
+ push @stylesheets, "/highlight.css";
+ '';
+
+ # CERTS
+ security.acme.acceptTerms = true;
+ security.acme.email = "m.i@gmx.at";
+
+ # NGINX
+ services.nginx.enable = true;
+
+ services.nginx.gitweb.enable = true;
+ services.nginx.gitweb.group = "gitolite";
+ services.nginx.gitweb.virtualHost = "comet.softwarefools.com";
+
+ services.nginx.virtualHosts."comet.softwarefools.com" = {
+ forceSSL = true;
+ enableACME = true;
+ root = "/var/www/comet.softwarefools.com";
+ locations."/gitweb/static/" = {
+ extraConfig = "expires 5m;";
+ };
+ };
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ # boot.loader.grub.efiSupport = true;
+ # boot.loader.grub.efiInstallAsRemovable = true;
+ # boot.loader.efi.efiSysMountPoint = "/boot/efi";
+ # Define on which hard drive you want to install Grub.
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking.hostName = "comet.softwarefools.com"; # Define your hostname.
+ # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
+
+ # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+ # Per-interface useDHCP will be mandatory in the future, so this generated config
+ # replicates the default behaviour.
+ networking.useDHCP = false;
+ networking.interfaces.ens3.useDHCP = true;
+
+ # Configure network proxy if necessary
+ # networking.proxy.default = "http://user:password@proxy:port/";
+ # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+ # Select internationalisation properties.
+ # i18n.defaultLocale = "en_US.UTF-8";
+ # console = {
+ # font = "Lat2-Terminus16";
+ # keyMap = "us";
+ # };
+
+ # Set your time zone.
+ time.timeZone = "Europe/Warsaw";
+
+ # List packages installed in system profile. To search, run:
+ # $ nix search wget
+ # environment.systemPackages = with pkgs; [
+ # wget vim
+ # ];
+
+ # Some programs need SUID wrappers, can be configured further or are
+ # started in user sessions.
+ # programs.mtr.enable = true;
+ # programs.gnupg.agent = {
+ # enable = true;
+ # enableSSHSupport = true;
+ # pinentryFlavor = "gnome3";
+ # };
+
+ # FIREWALL
+ networking.firewall.enable = true;
+ networking.firewall.allowedTCPPorts = [ 80 443 5222 5223 5269 ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+
+ # Enable CUPS to print documents.
+ # services.printing.enable = true;
+
+ # Enable sound.
+ # sound.enable = true;
+ # hardware.pulseaudio.enable = true;
+
+ # Enable the X11 windowing system.
+ # services.xserver.enable = true;
+ # services.xserver.layout = "us";
+ # services.xserver.xkbOptions = "eurosign:e";
+
+ # Enable touchpad support.
+ # services.xserver.libinput.enable = true;
+
+ # Enable the KDE Desktop Environment.
+ # services.xserver.displayManager.sddm.enable = true;
+ # services.xserver.desktopManager.plasma5.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ # users.users.jane = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
+ # };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "20.03"; # Did you read the comment?
+}
--
cgit v1.2.3
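Review bot: `services.openssh.permitRootLogin = "yes";` under `# SSH` leaves password logins for root enabled on an internet-facing host, even though an authorized key for root is configured two lines below and the TODO.md in this same commit lists "ssh: key-only-auth" as the first item. With the key already in place, `services.openssh.permitRootLogin = "prohibit-password";` and `services.openssh.passwordAuthentication = false;` (the option names that match this file's `system.stateVersion = "20.03"`) make the host key-only and close that TODO; `users.extraUsers` is the older alias of `users.users` and could be renamed at the same time. Separately, `services.ejabberd.configFile = "/etc/ejabberd.yaml";` points at a file outside the Nix store, so the XMPP setup that the firewall ports 5222/5223/5269 are opened for is not reproducible from this configuration — a comment stating where that file is maintained would save the next maintainer a search.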