flygrounder/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add backups

Browse source
This commit is contained in:
Артём Белоусов 2026-02-26 08:24:40 +03:00
parent b79d352847
commit a10d48d007
4 changed files with 94 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

105
hosts/server/configuration.nix
View file

@ -1,11 +1,23 @@
{ ... }:
{ pkgs, config, ... }:
let
myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
stalwartCaddyCertsDir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru";
stalwartCertsDir = "/var/lib/stalwart-mail/certs";
in
{
age.secrets.stalwart-admin-password = {
file = ../../secrets/stalwart-admin-password.age;
owner = "stalwart-mail";
age.secrets = {
stalwart-admin-password = {
file = ../../secrets/stalwart-admin-password.age;
owner = "stalwart-mail";
};
restic-environment = {
file = ../../secrets/restic-environment.age;
owner = "root";
};
restic-password = {
file = ../../secrets/restic-password.age;
owner = "root";
};
};
users.users = {
@ -21,6 +33,8 @@ in
};
};
environment.systemPackages = with pkgs; [ restic ];
home-manager.users.flygrounder.custom = {
catppuccin.enable = true;
cli.enable = true;
@ -129,37 +143,27 @@ in
};
};
systemd.paths.stalwart-certs = {
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathModified = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt";
systemd = {
paths.stalwart-certs = {
wantedBy = [ "multi-user.target" ];
pathConfig = {
PathModified = "${stalwartCaddyCertsDir}/mail.flygrounder.ru.crt";
};
};
services.stalwart-certs = {
serviceConfig = {
Type = "oneshot";
};
script = ''
mkdir -p ${stalwartCertsDir}
cp -L ${stalwartCaddyCertsDir}/*.{key,crt} ${stalwartCertsDir}/
chown stalwart-mail:stalwart-mail ${stalwartCertsDir}/*
chmod 600 ${stalwartCertsDir}/*
systemctl restart stalwart
'';
};
};
systemd.services.stalwart-certs = {
after = [ "caddy.service" ];
before = [ "stalwart.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
mkdir -p /var/lib/stalwart-mail/certs
cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt /var/lib/stalwart-mail/certs/
cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.key /var/lib/stalwart-mail/certs/
chown stalwart-mail:stalwart-mail /var/lib/stalwart-mail/certs/*
chmod 600 /var/lib/stalwart-mail/certs/*
'';
postStop = ''
if systemctl is-active --quiet stalwart.service; then
systemctl --no-block restart stalwart.service
fi
'';
};
systemd.services.stalwart.after = [ "stalwart-certs.service" ];
systemd.services.stalwart.requires = [ "stalwart-certs.service" ];
imports = [
./hardware-configuration.nix
./disko-config.nix
@ -192,4 +196,41 @@ in
interface = "ens3";
};
};
services.restic.backups =
let
mkBackup =
{ service, path }:
{
paths = [
path
];
repository = "s3:https://s3.firstvds.ru/flygrounder-backups/${service}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
Persistent = true;
RandomizedDelaySec = "10m";
};
environmentFile = "/run/agenix/restic-environment";
passwordFile = "/run/agenix/restic-password";
backupPrepareCommand = "systemctl stop ${service}";
backupCleanupCommand = "systemctl start ${service}";
pruneOpts = [
"--keep-daily 14"
"--keep-weekly 4"
"--keep-monthly 2"
];
};
in
{
stalwart = mkBackup {
service = "stalwart";
path = config.services.stalwart.dataDir;
};
vaultwarden = mkBackup {
service = "vaultwarden";
path = "/var/lib/vaultwarden";
};
};
}