root/flake
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

overhaul of backup system

Browse source
This commit is contained in:
= 2025-11-08 21:14:34 +00:00
parent 2bdeadfa7a
commit 912308dced
19 changed files with 226 additions and 196 deletions
Download patch file Download diff file Expand all files Collapse all files

38
services/akkoma.nix
View file

@ -40,37 +40,6 @@ in {
};
};
};
borgbackup.jobs."akkoma" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./akkoma";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/lib/akkoma"
"/var/backup/postgres/akkoma.sql"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = -1;
};
readWritePaths = [
"/var/backup/postgres"
];
preHook = ''
mkdir -p /var/backup/postgres
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump akkoma > /var/backup/postgres/akkoma.sql
'';
postHook = ''
rm -f /var/backup/postgres/akkoma.sql
'';
};
};
distrust.services."akkoma" = {
@ -82,5 +51,12 @@ in {
virtualHostConfig = ''
reverse_proxy localhost:${toString fediPort}
'';
backup = {
enable = true;
paths = [
"/var/lib/akkoma"
];
database = "akkoma";
};
};
}

10
services/borg.nix
View file

@ -2,11 +2,9 @@
age.secrets."borg_ed25519".file = ../secrets/borg_ed25519;
age.secrets."borg_pass".file = ../secrets/borg_pass;
systemd.tmpfiles.settings = {
"99-borgdatabasebackups"."/var/backup/postgres".d = {
user = "root";
group = "root";
mode = "0755";
};
distrust.backups = {
borgRepository = "";
borgSSHKey = config.age.secrets."borg_ed25519".path;
borgPassCommand = "cat ${config.age.secrets."borg_pass".path}";
};
}

4
services/default.nix
View file

@ -4,12 +4,12 @@
./borg.nix
./caddy.nix
# Non-Stateful
# Non-stateful services
./ipfs.nix
./site.nix
./tor.nix
# Stateful
# Stateful services (backed up by borg)
./akkoma.nix
./forgejo.nix
./lldap.nix

44
services/forgejo.nix
View file

@ -5,36 +5,14 @@ in {
file = ../secrets/hidden_service/forgejo;
};
services = {
forgejo = {
enable = true;
lfs.enable = false;
settings.server = {
DOMAIN = "git.distrust.network";
HTTP_PORT = forgejoPort;
ROOT_URL = "https://git.distrust.network/";
SSH_PORT = builtins.head config.services.openssh.ports;
};
};
borgbackup.jobs."forgejo" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./forgejo";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/lib/forgejo"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = -1;
};
services.forgejo = {
enable = true;
lfs.enable = false;
settings.server = {
DOMAIN = "git.distrust.network";
HTTP_PORT = forgejoPort;
ROOT_URL = "https://git.distrust.network/";
SSH_PORT = builtins.head config.services.openssh.ports;
};
};
@ -47,5 +25,11 @@ in {
virtualHostConfig = ''
reverse_proxy localhost:${toString forgejoPort}
'';
backup = {
enable = true;
paths = [
"/var/lib/forgejo"
];
};
};
}

1
services/ipfs.nix
View file

@ -1,7 +1,6 @@
{
services = {
kubo.enable = true;
tor.relay.onionServices."site".map = [
4001
8080

46
services/lldap.nix
View file

@ -3,37 +3,15 @@
in {
age.secrets."hidden_service/lldap".file = ../secrets/hidden_service/lldap;
services = {
lldap = {
enable = true;
settings = {
http_url = "https://login.distrust.network";
http_port = lldapPort;
ldap_user_email = "root@distrust.network";
ldap_user_dn = "root";
ldap_base_dn = "dc=distrust,dc=network";
ldap_user_pass = "VERY_SECURE";
};
};
borgbackup.jobs."lldap" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./lldap";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/lib/lldap"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = -1;
};
services.lldap = {
enable = true;
settings = {
http_url = "https://login.distrust.network";
http_port = lldapPort;
ldap_user_email = "root@distrust.network";
ldap_user_dn = "root";
ldap_base_dn = "dc=distrust,dc=network";
ldap_user_pass = "VERY_SECURE";
};
};
@ -46,5 +24,11 @@ in {
virtualHostConfig = ''
reverse_proxy localhost:${toString lldapPort}
'';
backup = {
enable = true;
paths = [
"/var/lib/lldap"
];
};
};
}

6
services/mailserver.nix
View file

@ -17,16 +17,16 @@
};
services.borgbackup.jobs."mailserver" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./mailserver";
repo = config.distrust.backups.borgRepository + "/./mailserver";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/vmail/ldap"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
passCommand = config.distrust.backups.borgPassCommand;
};
compression = "auto,lzma";
startAt = "daily";

39
services/nextcloud.nix
View file

@ -36,42 +36,12 @@ in {
};
};
# Force disable nginx and adjust permissions as we use caddy
nginx.enable = lib.mkForce false;
phpfpm.pools.nextcloud.settings = {
"listen.owner" = "caddy";
"listen.group" = "caddy";
};
borgbackup.jobs."nextcloud" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./nextcloud";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/lib/nextcloud"
"/var/backup/postgres/nextcloud.sql"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = -1;
};
readWritePaths = [
"/var/backup/postgres"
];
preHook = ''
mkdir -p /var/backup/postgres
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump nextcloud > /var/backup/postgres/nextcloud.sql
'';
postHook = ''
rm -f /var/backup/postgres/nextcloud.sql
'';
};
};
distrust.services."nextcloud" = {
@ -140,5 +110,12 @@ in {
file_server
'';
backup = {
enable = true;
paths = [
"/var/lib/nextcloud"
];
database = "nextcloud";
};
};
}

46
services/paste.nix
View file

@ -3,37 +3,15 @@
in {
age.secrets."hidden_service/microbin".file = ../secrets/hidden_service/microbin;
services = {
microbin = {
enable = true;
settings = {
MICROBIN_PORT = pastePort;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_QR = true;
MICROBIN_NO_LISTING = true;
MICROBIN_HIGHLIGHTSYNTAX = true;
MICROBIN_PUBLIC_PATH = "https://paste.distrust.network/";
};
};
borgbackup.jobs."microbin" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./microbin";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/lib/microbin"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
};
compression = "auto,lzma";
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = -1;
};
services.microbin = {
enable = true;
settings = {
MICROBIN_PORT = pastePort;
MICROBIN_ENABLE_BURN_AFTER = true;
MICROBIN_QR = true;
MICROBIN_NO_LISTING = true;
MICROBIN_HIGHLIGHTSYNTAX = true;
MICROBIN_PUBLIC_PATH = "https://paste.distrust.network/";
};
};
@ -46,5 +24,11 @@ in {
virtualHostConfig = ''
reverse_proxy localhost:${toString pastePort}
'';
backup = {
enable = true;
paths = [
"/var/lib/microbin"
];
};
};
}

42
services/prosody.nix
View file

@ -33,30 +33,34 @@
ldap_password = os.getenv("LDAP_BIND_PASSWORD")
'';
};
caddy.virtualHosts."distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
# Adjust caddy to serve the ACME challenges for prosody
caddy.virtualHosts = {
"distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
"conference.distrust.network upload.distrust.network".extraConfig = ''
handle /.well-known/* {
root * /var/lib/acme/
file_server
}
'';
};
borgbackup.jobs."prosody" = {
repo = "ssh://u506783@u506783.your-storagebox.de:23/./prosody";
repo = config.distrust.backups.borgRepository + "/./prosody";
environment = {
BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=no'";
};
paths = [
"/var/lib/prosody"
];
encryption = {
mode = "keyfile";
passCommand = "cat ${config.age.secrets."borg_pass".path}";
passCommand = config.distrust.backups.borgPassCommand;
};
compression = "auto,lzma";
startAt = "daily";
@ -88,13 +92,17 @@
};
};
networking.resolvconf.dnsExtensionMechanism = false;
networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];
networking = {
# This can mess with prosody's DNS resolution, so we disable it
resolvconf.dnsExtensionMechanism = false;
firewall.allowedTCPPorts = [5222 5269 5281 5000];
};
systemd.services = {
caddy.serviceConfig.SupplementaryGroups = ["acme"];
prosody.serviceConfig = {
SupplementaryGroups = ["acme"];
# Slightly hacky way to inject the LDAP password into prosody without builtins.readFile exposing it system-wide
EnvironmentFile = config.age.secrets."prosody.env".path;
};
};

1
services/site.nix
View file

@ -20,5 +20,6 @@ in {
root * ${distrust-homepage.out}
file_server
'';
backup.enable = false;
};
}

1
services/tor.nix
View file

@ -7,6 +7,7 @@
};
settings = {
Nickname = "Distrust";
ContactInfo = "root@distrust.network";
ORPort = 9001;
};
};

6
services/vaultwarden.nix
View file

@ -46,5 +46,11 @@ in {
virtualHostConfig = ''
reverse_proxy localhost:${toString vaultPort}
'';
backup = {
enable = true;
paths = [
"/var/lib/vaultwarden"
];
};
};
}