ahayzen · ahayzen · Apr 21, 2024 · Apr 14, 2024 · Apr 21, 2024 · Apr 14, 2024
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -36,9 +36,19 @@ jobs:
       - name: git diff
         run: git diff --exit-code
 
+  shellcheck:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      # Shellcheck should already be installed on github runners
+      - name: install shellcheck
+        run: sudo apt install --yes shellcheck
+      - name: shellcheck
+        run: shellcheck scripts/*.sh
+
   nix-flake-check:
     # Run after pre checks
-    needs: [license-check, flake-checker, nix-fmt]
+    needs: [license-check, flake-checker, nix-fmt, shellcheck]
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4

diff --git a/docs/commands/testing.md b/docs/commands/testing.md
@@ -4,8 +4,27 @@ SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
 SPDX-License-Identifier: MPL-2.0
 -->
 
+# Test with flake check
+
+We need the sandbox disabled as we need network access
+
+```console
+$ nix flake --option sandbox false check -L --show-trace
+```
+
 # Test in a VM
 
+Ensure that you add the following snippet to the configuration of the machine you want to test in a VM.
+
+```nix
+{
+    ahayzen.testing = true;
+}
+```
+
+> Note that if you are testing http update any `Caddyfile.vm` to use `http://localhost`
+> rather than `http://mydomain.com` to access locally.
+
 ## `nixos-build`
 
 ```console
@@ -31,11 +50,3 @@ $ result/bin/run-<machine>-vm
 ```console
 $ ssh -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=no admin@localhost -p 2221
 ```
-
-## Flake check
-
-We need the sandbox disabled as we need network access
-
-```console
-$ nix flake --option sandbox false check -L --show-trace
-```
diff --git a/nixos/modules/headless/docker.nix b/nixos/modules/headless/docker.nix
@@ -58,10 +58,40 @@
     };
 
     # Define the unpriv user for docker
-    users.users.unpriv = {
-      isNormalUser = true;
+    #
+    # Set this to a high id so that we remain stable
+    users = {
+      groups.unpriv = {
+        gid = 2000;
+      };
+      users.unpriv = {
+        isNormalUser = true;
+        group = "unpriv";
+        uid = 2000;
 
-      openssh.authorizedKeys.keys = config.ahayzen.publicKeys.group.user.developers;
+        # Map the root sub id to the same as the user (as it is unpriviledged)
+        # then map the remaining uids high
+        subGidRanges = [
+          {
+            count = 1;
+            startGid = 2000;
+          }
+          {
+            count = 65535;
+            startGid = 200001;
+          }
+        ];
+        subUidRanges = [
+          {
+            count = 1;
+            startUid = 2000;
+          }
+          {
+            count = 65535;
+            startUid = 200001;
+          }
+        ];
+      };
     };
 
     virtualisation.docker = {
@@ -75,7 +105,7 @@
       daemon.settings = {
         dns = [ "9.9.9.9" ];
         no-new-privileges = true;
-        userns-remap = "unpriv:users";
+        userns-remap = "unpriv:unpriv";
       };
 
       # rootless is too problematic as it requires services to run as user services

diff --git a/scripts/backup.sh b/scripts/backup.sh
@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+set -e
+
+#
+# backup <machine-name> <user@host> <backup-dest>
+#
+
+# Check that rsync exists
+if [ ! -x "$(command -v rsync)" ]; then
+    echo "rsync command not found, cannot backup"
+    exit 1
+fi
+RSYNC_ARGS=(--archive --human-readable --partial --progress --rsync-path="sudo rsync")
+
+HEADLESS_SYSTEM=false
+USER_HOST=$2
+
+# Check that the machine name is known
+case $1 in
+    vps)
+        HEADLESS_SYSTEM=true
+        ;;
+    *)
+        echo "Unknown machine name"
+        exit 1
+        ;;
+esac
+
+# Check that the target folder exists
+USER_DEST=$3
+if [ ! -d "$USER_DEST" ]; then
+    echo "Failed to find backup target"
+    exit 1
+fi
+BACKUP_DEST="$USER_DEST"
+
+# This is a normal headless system
+if [ $HEADLESS_SYSTEM ]; then
+    export DOCKER_COMPOSE_RUNNER_DEST="$BACKUP_DEST/docker-compose-runner/"
+    mkdir -p "$DOCKER_COMPOSE_RUNNER_DEST"
+
+    # Backup all of the docker data
+    "$(command -v rsync)" "${RSYNC_ARGS[@]}" "$USER_HOST:/var/lib/docker-compose-runner/" "$DOCKER_COMPOSE_RUNNER_DEST"
+fi
+
+# Ensure the filesystem is synced
+sync
+
+echo "Backup complete!"
+date
diff --git a/scripts/restore.sh b/scripts/restore.sh
@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+#
+# SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+set -e
+
+#
+# restore <machine-name> <restore-source>
+#
+
+# Check that rsync exists
+if [ ! -x "$(command -v rsync)" ]; then
+    echo "rsync command not found, cannot restore"
+    exit 1
+fi
+RSYNC_ARGS=(--archive --human-readable --partial --progress --rsync-path="sudo rsync")
+
+HEADLESS_SYSTEM=false
+USER_HOST=$2
+
+# Check that the machine name is known
+case $1 in
+    vps)
+        HEADLESS_SYSTEM=true
+        ;;
+    *)
+        echo "Unknown machine name"
+        exit 1
+        ;;
+esac
+
+# Check that the source folder exists
+USER_SRC=$3
+if [ ! -d "$USER_SRC" ]; then
+    echo "Failed to find restore source"
+    exit 1
+fi
+RESTORE_SRC="$USER_SRC"
+
+# This is a normal headless system
+if [ $HEADLESS_SYSTEM ]; then
+    export DOCKER_COMPOSE_RUNNER_SRC="$RESTORE_SRC/docker-compose-runner/"
+    if [ ! -d "$DOCKER_COMPOSE_RUNNER_SRC" ]; then
+        echo "Failed to find docker-compose-runner data to restore"
+        exit 1
+    fi
+
+    # Stop services as we are about to mutate data
+    ssh "$USER_HOST" sudo systemctl stop docker-compose-runner.service
+
+    # Restore all of the docker data
+    "$(command -v rsync)" "${RSYNC_ARGS[@]}" "$DOCKER_COMPOSE_RUNNER_SRC" "$USER_HOST:/var/lib/docker-compose-runner/"
+
+    # Restart services
+    ssh "$USER_HOST" sudo systemctl start docker-compose-runner.service
+fi
+
+echo "Restore complete!"
+date
diff --git a/tests/files/ssh_config b/tests/files/ssh_config
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
+#
+# SPDX-License-Identifier: MPL-2.0
+
+Host vps
+    IdentityFile /etc/ssh/test_ssh_id_ed25519
diff --git a/tests/files/test_ssh_id_ed25519 b/tests/files/test_ssh_id_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBwClEXAWm/c9/42a0VdvVowOxAkdiJUFyeqUwkNP5ioQAAAIj3ZErF92RK
+xQAAAAtzc2gtZWQyNTUxOQAAACBwClEXAWm/c9/42a0VdvVowOxAkdiJUFyeqUwkNP5ioQ
+AAAEAwbllncNKWZCOFyHkejkA4GZNBl9O6IKQf3pKpMj22SHAKURcBab9z3/jZrRV29WjA
+7ECR2IlQXJ6pTCQ0/mKhAAAABHRlc3QB
+-----END OPENSSH PRIVATE KEY-----
diff --git a/tests/files/test_ssh_id_ed25519.license b/tests/files/test_ssh_id_ed25519.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
diff --git a/tests/files/test_ssh_id_ed25519.pub b/tests/files/test_ssh_id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHAKURcBab9z3/jZrRV29WjA7ECR2IlQXJ6pTCQ0/mKh test
diff --git a/tests/files/test_ssh_id_ed25519.pub.license b/tests/files/test_ssh_id_ed25519.pub.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0
diff --git a/tests/fixtures/vps/test-page/docker-compose-runner/wagtail-ahayzen/db/db.sqlite3 b/tests/fixtures/vps/test-page/docker-compose-runner/wagtail-ahayzen/db/db.sqlite3
diff --git a/tests/fixtures/vps/test-page/docker-compose-runner/wagtail-ahayzen/db/db.sqlite3.license b/tests/fixtures/vps/test-page/docker-compose-runner/wagtail-ahayzen/db/db.sqlite3.license
@@ -0,0 +1,3 @@
+# SPDX-FileCopyrightText: Andrew Hayzen <[email protected]>
+#
+# SPDX-License-Identifier: CC0-1.0