overhaul of backup system

2025-11-08 21:14:34 +00:00 · 2025-11-08 21:14:34 +00:00 · 912308dced
commit 912308dced
parent 2bdeadfa7a
19 changed files with 226 additions and 196 deletions
--- a/services/prosody.nix
+++ b/services/prosody.nix
@ -33,30 +33,34 @@
        ldap_password = os.getenv("LDAP_BIND_PASSWORD")
      '';
    };
-    caddy.virtualHosts."distrust.network".extraConfig = ''
-      handle /.well-known/* {
-        root * /var/lib/acme/
-        file_server
-      }
-    '';

-    caddy.virtualHosts."conference.distrust.network upload.distrust.network".extraConfig = ''
-      handle /.well-known/* {
-        root * /var/lib/acme/
-        file_server
-      }
-    '';
+    # Adjust caddy to serve the ACME challenges for prosody
+    caddy.virtualHosts = {
+      "distrust.network".extraConfig = ''
+        handle /.well-known/* {
+          root * /var/lib/acme/
+          file_server
+        }
+      '';
+      "conference.distrust.network upload.distrust.network".extraConfig = ''
+        handle /.well-known/* {
+          root * /var/lib/acme/
+          file_server
+        }
+      '';
+    };
+
    borgbackup.jobs."prosody" = {
-      repo = "ssh://u506783@u506783.your-storagebox.de:23/./prosody";
+      repo = config.distrust.backups.borgRepository + "/./prosody";
      environment = {
-        BORG_RSH = "ssh -i ${config.age.secrets."borg_ed25519".path} -o 'StrictHostKeyChecking=no'";
+        BORG_RSH = "ssh -i ${config.distrust.backups.borgSSHKey} -o 'StrictHostKeyChecking=no'";
      };
      paths = [
        "/var/lib/prosody"
      ];
      encryption = {
        mode = "keyfile";
-        passCommand = "cat ${config.age.secrets."borg_pass".path}";
+        passCommand = config.distrust.backups.borgPassCommand;
      };
      compression = "auto,lzma";
      startAt = "daily";
@ -88,13 +92,17 @@
    };
  };

-  networking.resolvconf.dnsExtensionMechanism = false;
-  networking.firewall.allowedTCPPorts = [5222 5269 5281 5000];
+  networking = {
+    # This can mess with prosody's DNS resolution, so we disable it
+    resolvconf.dnsExtensionMechanism = false;
+    firewall.allowedTCPPorts = [5222 5269 5281 5000];
+  };

  systemd.services = {
    caddy.serviceConfig.SupplementaryGroups = ["acme"];
    prosody.serviceConfig = {
      SupplementaryGroups = ["acme"];
+      # Slightly hacky way to inject the LDAP password into prosody without builtins.readFile exposing it system-wide
      EnvironmentFile = config.age.secrets."prosody.env".path;
    };
  };