From b79acbaf6aa873752297bcfd177e31161fd84fa8 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Tue, 21 Dec 2021 13:01:25 +0300
Subject: [PATCH 1/7] Use b2 for backups

---
 backup/restic.nix | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/backup/restic.nix b/backup/restic.nix
index 6c7d5bb..681fbf0 100644
--- a/backup/restic.nix
+++ b/backup/restic.nix
@@ -4,13 +4,14 @@ let
 in
 {
 services.restic.backups = {
- options = {
- passwordFile = "/etc/restic/resticPasswd";
- repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
+ varBackup = {
+ passwordFile = "/var/lib/restic/pass";
+ repository = "rclone:backblaze:${cfg.backblaze.bucket}:/sfbackup";
+ extraOptions = [ "rclone.args='serve restic --stdio'" ];
+ rcloneConfigFile = "/root/.config/rclone/rclone.conf";
 initialize = true;
 paths = [
- "/var/dkim"
- "/var/vmail"
+ "/var"
 ];
 timerConfig = {
 OnCalendar = [ "daily" ];
@@ -25,11 +26,4 @@ in
 isNormalUser = false;
 isSystemUser = true;
 };
- environment.etc."restic/resticPasswd".text = ''
- ${cfg.resticPassword}
- '';
- environment.etc."restic/s3Passwd".text = ''
- AWS_ACCESS_KEY_ID=${cfg.backblaze.accountId}
- AWS_SECRET_ACCESS_KEY=${cfg.backblaze.accountKey}
- '';
 }
-- 
2.42.0

From 9f54887254b526c289276d29dbb5d39906247ac7 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Tue, 21 Dec 2021 13:12:27 +0300
Subject: [PATCH 2/7] Fix permissions for restic

---
 files.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/files.nix b/files.nix
index 1b3a66d..435bb56 100644
--- a/files.nix
+++ b/files.nix
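Review bot: `paths = [ "/var" ]` now sweeps the whole of /var into the repository, including /var/cache, /var/tmp and /var/log, and most likely restic's own cache directory under /var/cache, so each run would back up the repository's cache into the repository. Add an exclude list next to `paths`, e.g. `exclude = [ "/var/cache" "/var/tmp" "/var/log" ];`, and confirm where the restic cache lives on this host. Separately, `extraOptions = [ "rclone.args='serve restic --stdio'" ]` replaces restic's default rclone arguments, which also carry `--b2-hard-delete`; without it, `forget`/`prune` only hide object versions in B2 and storage keeps being billed unless a bucket lifecycle rule expires hidden versions, so state in a comment whether that soft-delete retention is intended. The `varBackup` attribute set continues past the end of the hunk.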
@@ -25,8 +25,9 @@ in
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
- "d /var/lib/restic 0600 restic - - -"
+ "d /var/lib/restic 0700 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
+ "f+ /var/lib/restic/rclone.conf 0400 restic - - ${rcloneConfig}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
 (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
 "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
-- 
2.42.0

From 84e0ae01f9ca9d7c25d0ac0cc7da8c134fefcef9 Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Tue, 21 Dec 2021 16:24:51 +0300
Subject: [PATCH 3/7] Move rclone conf to restic.nix

---
 backup/restic.nix | 7 ++++++-
 files.nix | 1 -
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/backup/restic.nix b/backup/restic.nix
index 681fbf0..7ebbc0d 100644
--- a/backup/restic.nix
+++ b/backup/restic.nix
@@ -8,7 +8,12 @@ in
 passwordFile = "/var/lib/restic/pass";
 repository = "rclone:backblaze:${cfg.backblaze.bucket}:/sfbackup";
 extraOptions = [ "rclone.args='serve restic --stdio'" ];
- rcloneConfigFile = "/root/.config/rclone/rclone.conf";
+ rcloneConfig = {
+ type = "b2";
+ account = cfg.backblaze.accountId;
+ key = cfg.backblaze.accountKey;
+ hard_delete = false;
+ };
 initialize = true;
 paths = [
 "/var"
diff --git a/files.nix b/files.nix
index 435bb56..c39066b 100644
--- a/files.nix
+++ b/files.nix
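Review bot: The added `"f+ /var/lib/restic/rclone.conf 0400 restic - - ${rcloneConfig}"` line embeds the whole rclone configuration — B2 account id and application key included — in the tmpfiles rule itself, and if this list feeds `systemd.tmpfiles.rules` the generated rules file is a world-readable Nix store path, so the 0400 mode on the target file protects nothing; the existing `${resticPass}` rule above it has the same problem. Provision both files out of band (a secrets tool such as agenix/sops-nix, or a root-only activation step) and limit tmpfiles to the directory: `"d /var/lib/restic 0700 restic - - -"`. A tmpfiles argument is also a single line that goes through C-style escape and `%` specifier expansion, so a multi-line config or a password containing `%` would be mangled — worth checking how `rcloneConfig` and `resticPass` are built above the hunk.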
@@ -27,7 +27,6 @@ in
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
 "d /var/lib/restic 0700 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
- "f+ /var/lib/restic/rclone.conf 0400 restic - - ${rcloneConfig}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
 (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
 "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
-- 
2.42.0

From 2a157271706baa7dd58a1483a8faefbdd746157b Mon Sep 17 00:00:00 2001
From: Inex Code
Date: Tue, 21 Dec 2021 16:43:05 +0300
Subject: [PATCH 4/7] Fix repository URI

---
 backup/restic.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backup/restic.nix b/backup/restic.nix
index 7ebbc0d..970f126 100644
--- a/backup/restic.nix
+++ b/backup/restic.nix
@@ -6,7 +6,7 @@ in
 services.restic.backups = {
 varBackup = {
 passwordFile = "/var/lib/restic/pass";
- repository = "rclone:backblaze:${cfg.backblaze.bucket}:/sfbackup";
+ repository = "rclone:${cfg.backblaze.bucket}:/sfbackup";
 extraOptions = [ "rclone.args='serve restic --stdio'" ];
 rcloneConfig = {
 type = "b2";
-- 
2.42.0

From cccbd177be0d538075ccceaae06a3a120c40d30a Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Thu, 23 Dec 2021 09:26:09 +0200
Subject: [PATCH 5/7] Added common access layer for internal services

---
 files.nix | 5 +++--
 users.nix | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/files.nix b/files.nix
index c39066b..46bbac8 100644
--- a/files.nix
+++ b/files.nix
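Review bot: `rcloneConfig` with `account = cfg.backblaze.accountId` and `key = cfg.backblaze.accountKey` hands the B2 credentials to the restic module as environment variables of the generated service unit, and that unit file is a Nix store path readable by every local user, so the application key is no longer a secret on the host. Keep credentials out of the store by staying with a root-only file, `rcloneConfigFile = "/root/.config/rclone/rclone.conf";`, provisioned by a secrets tool rather than an inline tmpfiles argument. Regardless of where it is stored, the key should be a bucket-scoped B2 application key without the `deleteFiles` capability: combined with `hard_delete = false` (hiding a file should need only `writeFiles` — verify against B2's API docs) `prune` can still run, a compromised host cannot permanently destroy the off-site backups, and a bucket lifecycle rule takes care of hidden versions. The `varBackup` set continues past the hunk.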
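Review bot: With `repository = "rclone:${cfg.backblaze.bucket}:/sfbackup"` the bucket name only becomes the rclone remote's label; in rclone's `remote:path` syntax for the B2 backend the first path component is the bucket, so `/sfbackup` (leading slash ignored) would address a bucket literally named `sfbackup` rather than the configured one — verify with a real run before trusting the first backup. A fixed remote label with the bucket in the path, `repository = "rclone:b2:${cfg.backblaze.bucket}/sfbackup";`, avoids that and keeps the `RCLONE_CONFIG_*` variable names the module derives from this URI independent of the bucket name, which on B2 may contain `-` and might not round-trip through an environment variable name. The `rcloneConfig` block below must then apply to that same remote label.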
@@ -22,9 +22,10 @@ in
 '';
 in
 [
- (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
- (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
+ (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
+ (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
+ "d /var 0740 root shared - -"
 "d /var/lib/restic 0700 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
diff --git a/users.nix b/users.nix
index a3128b2..8812f8e 100644
--- a/users.nix
+++ b/users.nix
@@ -21,5 +21,10 @@ in
 };
 }) cfg.users);
 
+ groups = {
+ shared = {
+ members = [ "restic" ];
+ };
+ };
 };
 }
-- 
2.42.0

From 8878832ff9706090a9aa6330cf31471451c670d9 Mon Sep 17 00:00:00 2001
From: Illia Chub
Date: Thu, 23 Dec 2021 09:42:27 +0200
Subject: [PATCH 6/7] Added write permissions for shared group members

---
 files.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/files.nix b/files.nix
index 46bbac8..6b95f44 100644
--- a/files.nix
+++ b/files.nix
@@ -25,7 +25,7 @@ in
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
- "d /var 0740 root shared - -"
+ "d /var 0760 root shared - -"
 "d /var/lib/restic 0700 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
-- 
2.42.0

From d065ea8738bc27339c0e5cf05e1f00c503a40e7e Mon Sep 17 00:00:00 2001
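Review bot: `"d /var 0740 root shared - -"` removes the execute bit for "other" on /var, so every service account that is not in `shared` — pleroma, the bitwarden/vaultwarden user, anything with state under /var/lib — can no longer traverse into its own directory, and because `d` re-applies mode and ownership to an existing directory this is enforced again on every boot. Leave /var at `0755` and instead grant the backup user access per subtree, or run the backup job as root (the restic module's default) with a tight `paths`/`exclude` list. While these lines are being rewritten, `0777` on `/var/lib/bitwarden` and its `backup` directory leaves the password-manager database readable and writable by any local user; `"d /var/lib/bitwarden 0700 vaultwarden vaultwarden -"` (and the same for `backup`) is what the service needs. The list continues past the hunk.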
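Review bot: Putting `restic` in the new `shared` group only buys traversal of /var together with the mode change in files.nix; it gives no read access to state directories such as `/var/lib/pleroma`, which is created `0700 pleroma`, so a `/var` backup running as the `restic` user would still skip or fail on those trees — presumably the job actually runs as root, in which case the group does nothing. If a dedicated backup user is the goal, record the contract next to the group, e.g. `# members may traverse /var; each service state dir still needs its own group grant`, and make the individual state directories group-readable rather than relaxing /var.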
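Review bot: `"d /var 0760 root shared - -"` gives the `shared` group — at this point only the backup user — write permission on /var itself, which a read-only backup job never needs; on a non-sticky root-owned directory that lets the account create, rename or unlink top-level entries of /var, so a compromise of the backup user becomes a way to tamper with every other service's state path. A backup reader needs at most `r-x`, i.e. `"d /var 0750 root shared - -"`, and even that is better achieved by running the job as root or granting access per state directory. The missing traversal bit for "other" from the previous commit is still present here.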
From: Inex Code
Date: Thu, 13 Jan 2022 10:50:35 +0300
Subject: [PATCH 7/7] Fix permissions to work with current deployment

---
 files.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/files.nix b/files.nix
index 6b95f44..7ebd2c4 100644
--- a/files.nix
+++ b/files.nix
@@ -22,10 +22,10 @@ in
 '';
 in
 [
- (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
- (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
+ (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
+ (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
- "d /var 0760 root shared - -"
+ "d /var 0755 root shared - -"
 "d /var/lib/restic 0700 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
-- 
2.42.0
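Review bot: With `"d /var 0755 root shared - -"` the group bits on /var equal the "other" bits, so chowning /var to `shared` (and the group's membership in users.nix) no longer has any effect; either drop this `d /var` line together with the group, or leave a comment saying why it stays, e.g. `# /var keeps the distro default 0755; shared group ownership is vestigial`. A `d` entry also re-applies mode and group to the existing /var on every boot, which is one more reason not to manage the system's /var from this list. Reverting the owner to `bitwarden_rs` is fine for the current deployment, but `0777` on `/var/lib/bitwarden` and its `backup` subdirectory remains, leaving the vault database world-writable; `0700 bitwarden_rs bitwarden_rs` is sufficient for the service.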