Compare commits
8 Commits
master
...
aws-to-bac
Author | SHA1 | Date |
---|---|---|
Illia Chub | 67c1e93cdb | |
Illia Chub | 33c1744ec0 | |
Illia Chub | 83f604739e | |
Illia Chub | fa756b2441 | |
Illia Chub | 64d12982be | |
Illia Chub | 24f2e83cf1 | |
Illia Chub | 4ab97f0318 | |
Illia Chub | 4db2ea3920 |
|
@ -3,33 +3,30 @@ let
|
|||
cfg = config.services.userdata;
|
||||
in
|
||||
{
|
||||
services.restic.backups = {
|
||||
options = {
|
||||
passwordFile = "/etc/restic/resticPasswd";
|
||||
repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
|
||||
initialize = true;
|
||||
paths = [
|
||||
"/var/dkim"
|
||||
"/var/vmail"
|
||||
];
|
||||
timerConfig = {
|
||||
OnCalendar = [ "daily" ];
|
||||
|
||||
systemd = {
|
||||
services = {
|
||||
"restic-backup" = {
|
||||
description = "Userdata restic backup trigger";
|
||||
serviceConfig = {
|
||||
Type = "simple";
|
||||
User = "restic";
|
||||
ExecStart = "${pkgs.restic}/bin/restic -o rclone.args="serve restic --stdio" -r rclone:backblaze:${cfg.backblaze.bucket}:/sfbackup --verbose --json backup /var";
|
||||
};
|
||||
};
|
||||
};
|
||||
timers = {
|
||||
"restic-scheduled-backup" = {
|
||||
wantedBy = [ "timers.target" ];
|
||||
partOf = [ "restic-backup.service" ];
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
};
|
||||
};
|
||||
user = "restic";
|
||||
pruneOpts = [
|
||||
"--keep-daily 5"
|
||||
];
|
||||
};
|
||||
};
|
||||
users.users.restic = {
|
||||
isNormalUser = false;
|
||||
isSystemUser = true;
|
||||
};
|
||||
environment.etc."restic/resticPasswd".text = ''
|
||||
${cfg.resticPassword}
|
||||
'';
|
||||
environment.etc."restic/s3Passwd".text = ''
|
||||
AWS_ACCESS_KEY_ID=${cfg.backblaze.accountId}
|
||||
AWS_SECRET_ACCESS_KEY=${cfg.backblaze.accountKey}
|
||||
'';
|
||||
}
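Review bot: The `ExecStart` value has unescaped inner double quotes around `serve restic --stdio`, so the Nix string literal ends at `rclone.args=` and the expression should fail to parse as written. Quote the whole option instead, e.g. `-o \"rclone.args=serve restic --stdio\"`, since systemd only honours quotes that wrap an entire argument. The command also passes no `--password-file`, although files.nix creates `/var/lib/restic/pass` for the restic user. The unit runs as `User = "restic"` while files.nix writes the rclone config to `/root/.config/rclone/rclone.conf` as 0400 root, which that user presumably cannot read. Old and new sides are not marked in this rendering, so this assumes the systemd unit is the new side.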
|
||||
|
|
29
files.nix
29
files.nix
|
@ -14,17 +14,24 @@ in
|
|||
CLOUDFLARE_DNS_API_TOKEN=${cfg.cloudflare.apiKey}
|
||||
CLOUDFLARE_ZONE_API_TOKEN=${cfg.cloudflare.apiKey}
|
||||
'';
|
||||
rcloneConfig = builtins.replaceStrings [ "\n" "\"" "\\" ] [ "\\n" "\\\"" "\\\\" ] ''
|
||||
[backblaze]
|
||||
type = b2
|
||||
account = ${cfg.backblaze.accountId}
|
||||
key = ${cfg.backblaze.accountKey}
|
||||
'';
|
||||
in
|
||||
[
|
||||
"d /var/restic 0660 restic - - -"
|
||||
"d /var/bitwarden 0777 bitwarden_rs bitwarden_rs -"
|
||||
"d /var/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -"
|
||||
"d /var/lib/pleroma 0600 pleroma pleroma - -"
|
||||
"f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -"
|
||||
"f /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
"f /var/restic/restic-repo-password 0660 restic - - ${resticPass}"
|
||||
"f /var/nextcloud-db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}"
|
||||
"f /var/nextcloud-admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}"
|
||||
"f /var/cloudflareCredentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
|
||||
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
|
||||
(if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
|
||||
"d /var/lib/restic 0600 restic - - -"
|
||||
"f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
|
||||
"f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
|
||||
(if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
|
||||
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
|
||||
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/db-pass 0440 nextcloud nextcloud - ${nextcloudDBPass}" else "")
|
||||
(if cfg.nextcloud.enable then "f+ /var/lib/nextcloud/admin-pass 0440 nextcloud nextcloud - ${nextcloudAdminPass}" else "")
|
||||
"f+ /var/lib/cloudflare/Credentials.ini 0440 nginx acmerecievers - ${cloudflareCredentials}"
|
||||
];
|
||||
}
|
||||
}
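Review bot: The `f+` rules for `/var/lib/restic/pass` and `/root/.config/rclone/rclone.conf` carry the restic password and the Backblaze account key in the rule text itself, so the 0400 mode protects only the file that gets created. If this list feeds `systemd.tmpfiles.rules` (the enclosing attribute is outside the hunk), the rendered rules end up in the world-readable Nix store; consider provisioning these secrets at runtime from a file kept outside the store. Separately, `"d /var/lib/restic 0600 restic - - -"` creates a directory without the execute bit, so its owner cannot traverse it to reach `pass`; `0700`, as the pleroma directory line uses, is the usual mode. The 0777 bitwarden directories and the 0755 `secrets.exs` also look wider than these services need.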
|
|
@ -1,4 +1,4 @@
|
|||
{ pkgs, config, ... }:
|
||||
{ pkgs, config, lib, ... }:
|
||||
let
|
||||
domain = config.services.userdata.domain;
|
||||
in
|
||||
|
@ -11,6 +11,7 @@ in
|
|||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
clientMaxBodySize = "1024m";
|
||||
sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";
|
||||
|
||||
virtualHosts = {
|
||||
"${domain}" = {
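Review bot: The `sslProtocols = lib.mkForce "TLSv1.2 TLSv1.3";` line overrides any value another module sets, and nothing on the page says which definition it is meant to win against. A short comment above it would help, for example `# force TLS 1.2+ regardless of other module definitions of sslProtocols`. The nginx attribute set this line sits in starts and ends outside the hunk, so whether a conflicting definition exists cannot be confirmed from here.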
|
||||
|
|