move restic to SP module

This commit is contained in:
Alexander Tomokhov 2023-12-03 09:45:40 +04:00
parent c7419b3255
commit 4716b9bf19
6 changed files with 83 additions and 50 deletions


@ -1,29 +0,0 @@
{ config, ... }:
let
cfg = config.selfprivacy;
in
{
services.restic.backups = {
options = {
passwordFile = "/etc/restic/resticPasswd";
repository = "s3:s3.anazonaws.com/${cfg.backup.bucket}";
initialize = true;
paths = [
"/var/dkim"
"/var/vmail"
];
timerConfig = {
OnCalendar = [ "daily" ];
};
user = "restic";
pruneOpts = [
"--keep-daily 5"
];
};
};
users.users.restic = {
isNormalUser = false;
isSystemUser = true;
group = "restic";
};
}


@ -7,7 +7,6 @@
./users.nix ./users.nix
./letsencrypt/acme.nix ./letsencrypt/acme.nix
./letsencrypt/resolve.nix ./letsencrypt/resolve.nix
./backup/restic.nix
./passmgr/bitwarden.nix ./passmgr/bitwarden.nix
./webserver/nginx.nix ./webserver/nginx.nix
./webserver/memcached.nix ./webserver/memcached.nix


@ -20,7 +20,6 @@ in
[ [
(if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "") (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 vaultwarden vaultwarden -" else "")
(if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "") (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 vaultwarden vaultwarden -" else "")
"d /var/lib/restic 0600 restic - - -"
"f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}" "f+ /var/domain 0444 selfprivacy-api selfprivacy-api - ${domain}"
(if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "") (if cfg.bitwarden.enable then "f /var/lib/bitwarden/.env 0640 vaultwarden vaultwarden - -" else "")
]; ];
@ -42,25 +41,6 @@ in
chmod 0440 /var/lib/cloudflare/Credentials.ini chmod 0440 /var/lib/cloudflare/Credentials.ini
chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini chown nginx:acmereceivers /var/lib/cloudflare/Credentials.ini
''; '';
resticCredentials = ''
mkdir -p /root/.config/rclone
chmod 0400 /root/.config/rclone
chown root:root /root/.config/rclone
echo '[backblaze]' > /root/.config/rclone/rclone.conf
echo 'type = b2' >> /root/.config/rclone/rclone.conf
echo 'account = REPLACEME1' >> /root/.config/rclone/rclone.conf
echo 'key = REPLACEME2' >> /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME1/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.backup.accountId')/g" /root/.config/rclone/rclone.conf
${sed} -i "s/REPLACEME2/$(cat /etc/selfprivacy/secrets.json | ${jq} -r '.backup.accountKey')/g" /root/.config/rclone/rclone.conf
chmod 0400 /root/.config/rclone/rclone.conf
chown root:root /root/.config/rclone/rclone.conf
cat /etc/selfprivacy/secrets.json | ${jq} -r '.resticPassword' > /var/lib/restic/pass
chmod 0400 /var/lib/restic/pass
chown restic /var/lib/restic/pass
'';
bitwardenCredentials = bitwardenCredentials =
if cfg.bitwarden.enable then '' if cfg.bitwarden.enable then ''
mkdir -p /var/lib/bitwarden mkdir -p /var/lib/bitwarden


@ -0,0 +1,3 @@
[
[ "selfprivacy", "modules", "restic" ]
]


@ -0,0 +1,9 @@
{
description = "PoC SP module for Restic backup service";
outputs = { self }: {
nixosModules.default = import ./module.nix;
configPathsNeeded =
builtins.fromJSON (builtins.readFile ./config-paths-needed.json);
};
}


@ -0,0 +1,71 @@
{ config, lib, pkgs, ... }:
let
sp = config.selfprivacy;
secrets-filepath = "/etc/selfprivacy/secrets.json";
rclone-conf-filepath = "/root/.config/rclone/rclone.conf";
in
{
options.selfprivacy.modules.restic = {
enable = lib.mkOption {
default = false;
type = with lib.types; nullOr bool;
};
# TODO AWS region should be configurable too?
s3BucketName = lib.mkOption {
type = lib.types.str;
};
};
config = lib.mkIf config.selfprivacy.modules.restic.enable {
services.restic.backups = {
options = {
# TODO is it the right location?
passwordFile = "/etc/restic/resticPasswd";
repository = "s3:s3.anazonaws.com/${sp.modules.restic.s3BucketName}";
initialize = true;
paths = [
"/var/dkim"
"/var/vmail"
];
timerConfig = {
OnCalendar = [ "daily" ];
};
user = "restic";
pruneOpts = [
"--keep-daily 5"
];
};
};
users.groups.restic.members = [ "restic" ];
users.users.restic = {
isNormalUser = false;
isSystemUser = true;
group = "restic";
};
systemd.tmpfiles.rules = [
"d /var/lib/restic 0600 restic - - -"
];
systemd.services.restic-secrets = {
before = [ "restic-backups-options.service" ];
requiredBy = [ "restic-backups-options.service" ];
serviceConfig.Type = "oneshot";
path = with pkgs; [ coreutils gnused jq ];
script = ''
set -o nounset
account="$(jq -r '.modules.restic.accountId' ${secrets-filepath})"
key="$(jq -r '.modules.restic.accountKey' ${secrets-filepath})"
rclone_conf=$(cat <<- EOF
[backblaze]
account = $account
key = $key
EOF
)
install -m 0400 -o root -g root -DT \
<(printf "%s" "$rclone_conf") ${rclone-conf-filepath}
install -m 0400 -o restic -g restic -DT \
<(jq -r '.resticPassword' ${secrets-filepath}) /var/lib/restic/pass
'';
};
};
}
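Review bot: The rclone remote written by the `restic-secrets` script (the heredoc after `rclone_conf=$(cat <<- EOF`) has lost the `type = b2` line that the removed `resticCredentials` block used to emit, so rclone has no backend type for `[backblaze]`; add `type = b2` directly under `[backblaze]`. The same section is also inconsistent with itself: `repository` still points at `s3:s3.anazonaws.com/...` (a misspelling of `amazonaws.com` carried over from the deleted file, so the URL names a host outside the intended S3 endpoint) while the credentials are provisioned as a Backblaze rclone remote, and `passwordFile = "/etc/restic/resticPasswd"` does not match the `/var/lib/restic/pass` the script installs, so unless something outside this commit creates that file restic will not find its password. The script runs with only `set -o nounset`, so a failing `jq` leaves `$account`/`$key` empty (or the literal string `null` for a missing key) and an unusable config is still installed with 0400 perms; use `set -o errexit -o nounset -o pipefail` and reject empty or `null` values before writing. Finally, `"d /var/lib/restic 0600 restic - - -"` gives the directory no execute bit, so even the restic user cannot traverse it to read `/var/lib/restic/pass`; `0700` is the mode that matches the intent.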