diff --git a/hosts/envoy/idmail.nix b/hosts/envoy/idmail.nix
index ff8d5ce..616f1e7 100644
--- a/hosts/envoy/idmail.nix
+++ b/hosts/envoy/idmail.nix
@@ -66,6 +66,7 @@ in {
 owner = "admin";
 }
 );
+ # XXX: create mailboxes for git@ vaultwarden@ and simultaneously alias them to the catch all for a send only mail.
 };
 };
 systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute
diff --git a/hosts/envoy/stalwart-mail.nix b/hosts/envoy/stalwart-mail.nix
index 0003911..8c3a032 100644
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@@ -8,6 +8,7 @@
 primaryDomain = globals.mail.primary;
 stalwartDomain = "mail.${primaryDomain}";
 dataDir = "/var/lib/stalwart-mail";
+ mailBackupDir = "/var/cache/mail-backup";
 in {
 environment.persistence."/persist".directories = [
 {
@@ -193,7 +194,7 @@ in {
 -- Finally, select any catch_all address that would catch this.
 -- Again make sure everything is active.
 UNION
- SELECT d.catch_all, 3 AS rowOrder AS name
+ SELECT d.catch_all AS name, 3 AS rowOrder
 FROM domains AS d
 JOIN mailboxes AS m ON d.catch_all = m.address
 JOIN users AS u ON m.owner = u.username
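Review bot: The new `mailBackupDir` binding in the stalwart-mail.nix let block has no comment saying what lands there, and the later hunk in the same file copies sqlite snapshots of both databases plus the DKIM private keys into it before restic picks it up, so a reader should know it holds key material; suggest `# Staging dir for backup-mail (db snapshots + DKIM keys); persisted under /state, 0700 stalwart-mail`. The enclosing let block starts before this hunk.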
@@ -567,36 +568,51 @@ in {
 };
 };
- # systemd.services.stalwart-backup = {
- # description = "Stalwart and idmail backup";
- # serviceConfig = {
- # ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${stalwartBackupDir}";
- # ReadWritePaths = [
- # dataDir
- # config.services.idmail.dataDir
- # stalwartBackupDir
- # ];
- # Restart = "no";
- # Type = "oneshot";
- # };
- # inherit (cfg) environment;
- # requiredBy = ["restic-backups-storage-box-dusk.service"];
- # before = ["restic-backups-storage-box-dusk.service"];
- # };
- #
- # # Needed so we don't run out of tmpfs space for large backups.
- # # Technically this could be cleared each boot but whatever.
- # environment.persistence."/state".directories = [
- # {
- # directory = stalwartBackupDir;
- # user = "stalwart-mail";
- # group = "stalwart-mail";
- # mode = "0700";
- # }
- # ];
- #
- # backups.storageBoxes.dusk = {
- # subuser = "stalwart";
- # paths = [stalwartBackupDir];
- # };
+ systemd.services.backup-mail = {
+ description = "Mail backup";
+ environment = {
+ STALWART_DATA = dataDir;
+ IDMAIL_DATA = config.services.idmail.dataDir;
+ BACKUP_DIR = mailBackupDir;
+ };
+ serviceConfig = {
+ SyslogIdentifier = "backup-mail";
+ Type = "oneshot";
+ User = "stalwart-mail";
+ Group = "stalwart-mail";
+ ExecStart = lib.getExe (pkgs.writeShellApplication {
+ name = "backup-mail";
+ runtimeInputs = [pkgs.sqlite];
+ text = ''
+ sqlite3 "$STALWART_DATA/database.sqlite3" ".backup '$BACKUP_DIR/database.sqlite3'"
+ sqlite3 "$IDMAIL_DATA/database.sqlite3" ".backup '$BACKUP_DIR/idmail.db'"
+ cp -r "$STALWART_DATA/dkim" "$BACKUP_DIR/"
+ '';
+ });
+ ReadWritePaths = [
+ dataDir
+ config.services.idmail.dataDir
+ mailBackupDir
+ ];
+ Restart = "no";
+ };
+ requiredBy = ["restic-backups-storage-box-dusk.service"];
+ before = ["restic-backups-storage-box-dusk.service"];
+ };
+
+ # Needed so we don't run out of tmpfs space for large backups.
+ # Technically this could be cleared each boot but whatever.
+ environment.persistence."/state".directories = [
+ {
+ directory = mailBackupDir;
+ user = "stalwart-mail";
+ group = "stalwart-mail";
+ mode = "0700";
+ }
+ ];
+
+ backups.storageBoxes.dusk = {
+ subuser = "stalwart";
+ paths = [mailBackupDir];
+ };
 
 }
diff --git a/nix/storage-box.nix b/nix/storage-box.nix
index c195684..e1be2fd 100644
--- a/nix/storage-box.nix
+++ b/nix/storage-box.nix
@@ -1,13 +1,9 @@
 {inputs, ...}: {
- perSystem = {
- config,
- pkgs,
- ...
- }: {
+ perSystem = {pkgs, ...}: {
 apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
 inherit pkgs;
 nixosConfigurations = inputs.self.nodes;
- decryptIdentity = builtins.head config.secretsConfig.masterIdentities;
+ decryptIdentity = builtins.head inputs.self.secretsConfig.masterIdentities;
 };
 };
 }
diff --git a/secrets/generated/envoy/restic-encryption-password.age b/secrets/generated/envoy/restic-encryption-password.age
new file mode 100644
index 0000000..68f8d68
--- /dev/null
+++ b/secrets/generated/envoy/restic-encryption-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 OH3vohVD+wOgaXnBXkPmISX/rKOHw9vAkHhvbKNc5SI
+7iJoL/5LbcmBL+9F8OP/H4DLz3OsQO2/Jo7/SGIMPeQ
+-> piv-p256 xqSe8Q AtlmXfAqQRosyLlV5EHnGsDkvqA9ng1IxD1F4uMldAkt
+I53dck5u2DJ3WpHZEqbO5tJRLhXCzTpjx+YOGunZU1M
+-> 7@H=O~_X-grease Dn
+Gs1wrPIA9dG0rm00/+DBzC0
+--- CipW/4FDMF+bWtWTNLatWXqYLV8MThrR26cWHDrKT0k
+jHq>/R:etԋ3F!{ĺ7@ϯVٙܫX>չ!)˜,ފ"(ScO_>'
\ No newline at end of file
diff --git a/secrets/generated/envoy/restic-ssh-privkey.age b/secrets/generated/envoy/restic-ssh-privkey.age
new file mode 100644
index 0000000..f7807e5
Binary files /dev/null and b/secrets/generated/envoy/restic-ssh-privkey.age differ
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index eaf1b19..7fffe1c 100644
Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ
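Review bot: `ReadWritePaths` in the new backup-mail serviceConfig does nothing by itself — systemd only enforces it together with `ProtectSystem=strict` (or `ReadOnlyPaths`), so the unit currently has no filesystem sandbox beyond what the stalwart-mail user's unix permissions allow; add `ProtectSystem = "strict";` next to it, and `ProtectHome = true;` and `PrivateTmp = true;` if nothing in the script needs those paths. The `cp -r "$STALWART_DATA/dkim" "$BACKUP_DIR/"` line copies DKIM private keys into a staging directory that is never emptied, so keys rotated out of dataDir stay in `/var/cache/mail-backup` and in every later restic snapshot; an `rm -rf "$BACKUP_DIR/dkim"` before the copy keeps the staging area equal to the source. The two sqlite `.backup` calls also write straight into the final file names, so a run killed mid-way leaves a truncated snapshot that the restic unit ordered after this one will still ship; backing up to a temporary name and `mv`-ing it into place makes each file either complete or the previous one. Because the unit runs as `stalwart-mail`, reading idmail's database presumably depends on the permissions of `config.services.idmail.dataDir`, which are not visible here; since a failure blocks the restic job via `requiredBy`, that is worth confirming on the first run.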
diff --git a/secrets/rekeyed/envoy/9dc0c843d69f02a6b0c3b64c4dd995fa-restic-encryption-password.age b/secrets/rekeyed/envoy/9dc0c843d69f02a6b0c3b64c4dd995fa-restic-encryption-password.age
new file mode 100644
index 0000000..cb43cc7
--- /dev/null
+++ b/secrets/rekeyed/envoy/9dc0c843d69f02a6b0c3b64c4dd995fa-restic-encryption-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 rz300w 2nOYeoxR+f268mg+ZdrWkOnbZ4Kt8wo2LqKDxn/yHl4
+et62QuU5pCxgSBGnr3y4QqSbZ2JtIPa8VSNkWRE/OFs
+-> 9tGrxZ)-grease ucb=Pw 6CW&' YK?& ^
++Ge5Vl7GgagHYuLisS63vR3TQtzneq+AppcSadnCRs9ZwzpyRH2/m9xn3eftbliv
+6kWgXJS4iOxUDJS5FpZWsC1krmwWgmNdLtYoGEaJK9nmAS2CcrCQ38CLeQ
+--- bwtbv70YcG3bkzeV8ldrdzjbC6YOVvl9Flqs2J8YElo
+x:Hq`
+sAZy1r;ZZqvB]YM G=M"H7dޱJ*mT
+:WxZ
\ No newline at end of file
diff --git a/secrets/rekeyed/envoy/db9c11543e8500c4d58a856518f5774f-restic-ssh-privkey.age b/secrets/rekeyed/envoy/db9c11543e8500c4d58a856518f5774f-restic-ssh-privkey.age
new file mode 100644
index 0000000..1d3fb5e
Binary files /dev/null and b/secrets/rekeyed/envoy/db9c11543e8500c4d58a856518f5774f-restic-ssh-privkey.age differ