Add backups

Артём Белоусов 2026-02-26 08:24:40 +03:00
parent b79d352847
commit a10d48d007
4 changed files with 94 additions and 35 deletions


@ -1,11 +1,23 @@
{ ... }: { pkgs, config, ... }:
let let
myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home"; myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
stalwartCaddyCertsDir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru";
stalwartCertsDir = "/var/lib/stalwart-mail/certs";
in in
{ {
age.secrets.stalwart-admin-password = { age.secrets = {
file = ../../secrets/stalwart-admin-password.age; stalwart-admin-password = {
owner = "stalwart-mail"; file = ../../secrets/stalwart-admin-password.age;
owner = "stalwart-mail";
};
restic-environment = {
file = ../../secrets/restic-environment.age;
owner = "root";
};
restic-password = {
file = ../../secrets/restic-password.age;
owner = "root";
};
}; };
users.users = { users.users = {
@ -21,6 +33,8 @@ in
}; };
}; };
environment.systemPackages = with pkgs; [ restic ];
home-manager.users.flygrounder.custom = { home-manager.users.flygrounder.custom = {
catppuccin.enable = true; catppuccin.enable = true;
cli.enable = true; cli.enable = true;
@ -129,37 +143,27 @@ in
}; };
}; };
systemd.paths.stalwart-certs = { systemd = {
wantedBy = [ "multi-user.target" ]; paths.stalwart-certs = {
pathConfig = { wantedBy = [ "multi-user.target" ];
PathModified = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt"; pathConfig = {
PathModified = "${stalwartCaddyCertsDir}/mail.flygrounder.ru.crt";
};
};
services.stalwart-certs = {
serviceConfig = {
Type = "oneshot";
};
script = ''
mkdir -p ${stalwartCertsDir}
cp -L ${stalwartCaddyCertsDir}/*.{key,crt} ${stalwartCertsDir}/
chown stalwart-mail:stalwart-mail ${stalwartCertsDir}/*
chmod 600 ${stalwartCertsDir}/*
systemctl restart stalwart
'';
}; };
}; };
systemd.services.stalwart-certs = {
after = [ "caddy.service" ];
before = [ "stalwart.service" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
};
script = ''
mkdir -p /var/lib/stalwart-mail/certs
cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt /var/lib/stalwart-mail/certs/
cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.key /var/lib/stalwart-mail/certs/
chown stalwart-mail:stalwart-mail /var/lib/stalwart-mail/certs/*
chmod 600 /var/lib/stalwart-mail/certs/*
'';
postStop = ''
if systemctl is-active --quiet stalwart.service; then
systemctl --no-block restart stalwart.service
fi
'';
};
systemd.services.stalwart.after = [ "stalwart-certs.service" ];
systemd.services.stalwart.requires = [ "stalwart-certs.service" ];
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
./disko-config.nix ./disko-config.nix
@ -192,4 +196,41 @@ in
interface = "ens3"; interface = "ens3";
}; };
}; };
services.restic.backups =
let
mkBackup =
{ service, path }:
{
paths = [
path
];
repository = "s3:https://s3.firstvds.ru/flygrounder-backups/${service}";
initialize = true;
timerConfig = {
OnCalendar = "03:00";
Persistent = true;
RandomizedDelaySec = "10m";
};
environmentFile = "/run/agenix/restic-environment";
passwordFile = "/run/agenix/restic-password";
backupPrepareCommand = "systemctl stop ${service}";
backupCleanupCommand = "systemctl start ${service}";
pruneOpts = [
"--keep-daily 14"
"--keep-weekly 4"
"--keep-monthly 2"
];
};
in
{
stalwart = mkBackup {
service = "stalwart";
path = config.services.stalwart.dataDir;
};
vaultwarden = mkBackup {
service = "vaultwarden";
path = "/var/lib/vaultwarden";
};
};
} }
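Review bot: In `mkBackup`, `environmentFile` and `passwordFile` are hard-coded to `/run/agenix/...` rather than taken from the `age.secrets` entries declared at the top of this file, so renaming a secret or changing the agenix secrets directory would leave restic pointing at a missing file with no evaluation error. Since `config` is now in the module arguments, prefer `environmentFile = config.age.secrets.restic-environment.path;` and `passwordFile = config.age.secrets.restic-password.path;`. Separately, because `pruneOpts` is set, the credentials in `restic-environment` presumably allow deleting objects, so a compromise of this host could also remove the backups of the two services it stops and backs up. If the S3 provider supports versioning or object lock on the `flygrounder-backups` bucket, it would be worth enabling and noting in a comment next to `repository`.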


@ -1,7 +1,10 @@
let let
flygrounder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home"; myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOO6lKCmpKEarta4hBOcjHWznpf/RbCWuLS88/ZV1OeX root@nixos"; serverKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOO6lKCmpKEarta4hBOcjHWznpf/RbCWuLS88/ZV1OeX root@nixos";
keys = [myKey serverKey];
in in
{ {
"secrets/stalwart-admin-password.age".publicKeys = [ flygrounder server ]; "secrets/stalwart-admin-password.age".publicKeys = keys;
"secrets/restic-password.age".publicKeys = keys;
"secrets/restic-environment.age".publicKeys = keys;
} }


@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 hPdT4Q P/PkpF8ZunYU986z3F23eS+Le+9qIpCOrxNtvArjxBA
nRXQMF56aMcYD+917WzQho75/Fxcj0AGvyTDSv+mOow
-> ssh-ed25519 HTO34g 4gI4dU68GE6eJhJqmzNszHPfd1ll0LpTSoxPCBJMq18
vqSq71zfLjHtZOQCE/nUFoTSEAoAMemJTsPCpzIgNOE
--- +DAhJCj0seJziB77lUSxk1e+WOZ8bEdFLBthEDXj66s
£'íÒž,¯´šŽÕªSü²½=5½—z"s#¤e¨—B¥¢\á¡ywÀWú<®V˜ô‡+zÎÁËS ˆiGb‡bŸQW èV¨ŽŒ#d¾¶Ñl2³'vØ<76>—ÃfQàg?\ ;7,geˆP¡Ã^ÂZ/¨c)ø3<<3C>%v>ÞJ{QJà÷VþŸ


@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 hPdT4Q ZStPwiiUAdNIErKk6D9g/YpjUBfGZgQ/RAwTx5opaVk
erkWmVTtYx3x0a75jqOfj7wCoeytWlWeLNvGYRiLO6M
-> ssh-ed25519 HTO34g ntboG9TiiruRXaoZCou8DvKyAsojKoBMOa3Xguple0A
rcMwGjzc0a0AwBskdtpYB3vV0iNeZjiS5RmeGy2NUrc
--- mcqZgUYYx5jhBoZhLOKNh7kFB/aElVFHtJ7Ww4cPQ5Y
ä $ZøYZg…½dãng17XMdêÞ½Y
ï"ux;~Ȇll:¢fOà2úz`±¸*ío¾½ZK2