Add backups

hosts/server/configuration.nix

@@ -1,12 +1,24 @@
-{ ... }:
+{ pkgs, config, ... }:
 let
   myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
+  stalwartCaddyCertsDir = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru";
+  stalwartCertsDir = "/var/lib/stalwart-mail/certs";
 in
 {
-  age.secrets.stalwart-admin-password = {
+  age.secrets = {
+    stalwart-admin-password = {
       file = ../../secrets/stalwart-admin-password.age;
       owner = "stalwart-mail";
     };
+    restic-environment = {
+      file = ../../secrets/restic-environment.age;
+      owner = "root";
+    };
+    restic-password = {
+      file = ../../secrets/restic-password.age;
+      owner = "root";
+    };
+  };
 
   users.users = {
     flygrounder = {
@@ -21,6 +33,8 @@ in
     };
   };
 
+  environment.systemPackages = with pkgs; [ restic ];
+
   home-manager.users.flygrounder.custom = {
     catppuccin.enable = true;
     cli.enable = true;
@@ -129,36 +143,26 @@ in
     };
   };
 
-  systemd.paths.stalwart-certs = {
+  systemd = {
+    paths.stalwart-certs = {
       wantedBy = [ "multi-user.target" ];
       pathConfig = {
-      PathModified = "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt";
+        PathModified = "${stalwartCaddyCertsDir}/mail.flygrounder.ru.crt";
       };
     };
-
-  systemd.services.stalwart-certs = {
-    after = [ "caddy.service" ];
-    before = [ "stalwart.service" ];
-    wantedBy = [ "multi-user.target" ];
+    services.stalwart-certs = {
       serviceConfig = {
         Type = "oneshot";
       };
       script = ''
-      mkdir -p /var/lib/stalwart-mail/certs
-      cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.crt /var/lib/stalwart-mail/certs/
-      cp -L /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/mail.flygrounder.ru/mail.flygrounder.ru.key /var/lib/stalwart-mail/certs/
-      chown stalwart-mail:stalwart-mail /var/lib/stalwart-mail/certs/*
-      chmod 600 /var/lib/stalwart-mail/certs/*
-    '';
-    postStop = ''
-      if systemctl is-active --quiet stalwart.service; then
-        systemctl --no-block restart stalwart.service
-      fi
+        mkdir -p ${stalwartCertsDir}
+        cp -L ${stalwartCaddyCertsDir}/*.{key,crt} ${stalwartCertsDir}/
+        chown stalwart-mail:stalwart-mail ${stalwartCertsDir}/*
+        chmod 600 ${stalwartCertsDir}/*
+        systemctl restart stalwart
       '';
     };
-
-  systemd.services.stalwart.after = [ "stalwart-certs.service" ];
-  systemd.services.stalwart.requires = [ "stalwart-certs.service" ];
+  };
 
   imports = [
     ./hardware-configuration.nix
@@ -192,4 +196,41 @@ in
       interface = "ens3";
     };
   };
+
+  services.restic.backups =
+    let
+      mkBackup =
+        { service, path }:
+        {
+          paths = [
+            path
+          ];
+          repository = "s3:https://s3.firstvds.ru/flygrounder-backups/${service}";
+          initialize = true;
+          timerConfig = {
+            OnCalendar = "03:00";
+            Persistent = true;
+            RandomizedDelaySec = "10m";
+          };
+          environmentFile = "/run/agenix/restic-environment";
+          passwordFile = "/run/agenix/restic-password";
+          backupPrepareCommand = "systemctl stop ${service}";
+          backupCleanupCommand = "systemctl start ${service}";
+          pruneOpts = [
+            "--keep-daily 14"
+            "--keep-weekly 4"
+            "--keep-monthly 2"
+          ];
+        };
+    in
+    {
+      stalwart = mkBackup {
+        service = "stalwart";
+        path = config.services.stalwart.dataDir;
+      };
+      vaultwarden = mkBackup {
+        service = "vaultwarden";
+        path = "/var/lib/vaultwarden";
+      };
+    };
 }

secrets.nix

@@ -1,7 +1,10 @@
 let
-  flygrounder = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
-  server = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOO6lKCmpKEarta4hBOcjHWznpf/RbCWuLS88/ZV1OeX root@nixos";
+  myKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArRfRumAbMcRypGundddfVg7t+VOwVeQ+HUQfI9AFbX flygrounder@home";
+  serverKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOO6lKCmpKEarta4hBOcjHWznpf/RbCWuLS88/ZV1OeX root@nixos";
+  keys = [myKey serverKey];
 in
 {
-  "secrets/stalwart-admin-password.age".publicKeys = [ flygrounder server ];
+  "secrets/stalwart-admin-password.age".publicKeys = keys;
+  "secrets/restic-password.age".publicKeys = keys;
+  "secrets/restic-environment.age".publicKeys = keys;
 }

secrets/restic-environment.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPdT4Q P/PkpF8ZunYU986z3F23eS+Le+9qIpCOrxNtvArjxBA
+nRXQMF56aMcYD+917WzQho75/Fxcj0AGvyTDSv+mOow
+-> ssh-ed25519 HTO34g 4gI4dU68GE6eJhJqmzNszHPfd1ll0LpTSoxPCBJMq18
+vqSq71zfLjHtZOQCE/nUFoTSEAoAMemJTsPCpzIgNOE
+--- +DAhJCj0seJziB77lUSxk1e+WOZ8bEdFLBthEDXj66s
+£'íÒž,–¯´šŽÕªS
ü²½=5½—z"s#¤e¨—B¥¢\á¡ywÀWú<
›®V˜ô‡+zÎÁËSˆiGb‡bŸQW
èV¨ŽŒ#d¾¶Ñl2³’'vØ<76>‚—ÃfQàg?\;7,geˆP¡Ã^ÂZ/¨c)ø3<<3C>%v
>ÞJ{QJà÷VþŸ

secrets/restic-password.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPdT4Q ZStPwiiUAdNIErKk6D9g/YpjUBfGZgQ/RAwTx5opaVk
+erkWmVTtYx3x0a75jqOfj7wCoeytWlWeLNvGYRiLO6M
+-> ssh-ed25519 HTO34g ntboG9TiiruRXaoZCou8DvKyAsojKoBMOa3Xguple0A
+rcMwGjzc0a0AwBskdtpYB3vV0iNeZjiS5RmeGy2NUrc
+--- mcqZgUYYx5jhBoZhLOKNh7kFB/aElVFHtJ7Ww4cPQ5Y
+ä$ZøYZg…½dãng17XMdêÞ½Y
+ï"u<Êx;~Ȇll:¢fOà2úz`±¸*ío¾½ZK2