feat: add paperless and radicale backups to hetzner

2025-10-10 23:00:39 +02:00 · 2024-01-20 03:02:26 +01:00 · 2024-01-20 03:02:26 +01:00 · 78ecdd2780
commit 78ecdd2780
parent f9e1247b8a
12 changed files with 128 additions and 67 deletions
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@ -1,10 +1,12 @@
 {
  config,
+  lib,
  nodes,
  ...
 }: let
  sentinelCfg = nodes.sentinel.config;
  paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+  paperlessBackupDir = "/var/cache/paperless-backup";
 in {
  microvm.mem = 1024 * 6;
  microvm.vcpu = 8;
@ -92,4 +94,29 @@ in {
  };

  systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+
+  systemd.tmpfiles.settings."10-paperless".${paperlessBackupDir}.d = {
+    inherit (config.services.paperless) user;
+    mode = "0700";
+  };
+
+  systemd.services.paperless-backup = let
+    cfg = config.systemd.services.paperless-consumer;
+  in {
+    description = "Paperless documents backup";
+    serviceConfig = lib.recursiveUpdate cfg.serviceConfig {
+      ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${paperlessBackupDir}";
+      ReadWritePaths = cfg.serviceConfig.ReadWritePaths ++ [paperlessBackupDir];
+      Restart = "no";
+      Type = "oneshot";
+    };
+    inherit (cfg) environment;
+    requiredBy = ["restic-backups-storage-box-dusk.service"];
+  };
+
+  backups.storageBoxes.dusk = {
+    subuser = "paperless";
+    user = "paperless";
+    paths = [paperlessBackupDir];
+  };
 }
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -246,7 +246,7 @@ in {
            "/shares/users/${user}-paperless".d = {
              user = "paperless";
              group = "paperless";
-              mode = "0750";
+              mode = "0550";
            };
            "/paperless/consume/${user}".d = {
              user = "paperless";
@ -347,37 +347,9 @@ in {
    }
    // lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);

-  # Backups
-  # ========================================================================
-
-  age.secrets.restic-encryption-password.generator.script = "alnum";
-  age.secrets.restic-ssh-privkey.generator.script = "ssh-ed25519";
-
-  services.restic.backups.main = {
-    hetznerStorageBox = let
-      box = config.repo.secrets.global.hetzner.storageboxes.dusk;
-    in {
-      enable = true;
-      inherit (box) mainUser;
-      inherit (box.users.samba) subUid path;
-      sshAgeSecret = "restic-ssh-privkey";
-    };
-
-    # We need to backup stuff from other users, so run as root.
+  backups.storageBoxes.dusk = {
+    subuser = "samba";
    user = "root";
-    timerConfig = {
-      OnCalendar = "06:15";
-      RandomizedDelaySec = "3h";
-      Persistent = true;
-    };
-    initialize = true;
-    passwordFile = config.age.secrets.restic-encryption-password.path;
    paths = ["/bunker"];
-    pruneOpts = [
-      "--keep-daily 14"
-      "--keep-weekly 7"
-      "--keep-monthly 12"
-      "--keep-yearly 75"
-    ];
  };
 }
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
@ -82,4 +82,10 @@ in {
  };

  systemd.services.radicale.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
+
+  backups.storageBoxes.dusk = {
+    subuser = "radicale";
+    user = "radicale";
+    paths = ["/var/lib/radicale"];
+  };
 }
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -74,7 +74,6 @@ in {
      smtpSecurity = "force_tls";
      smtpPort = 465;
    };
-    #backupDir = "/data/backup";
    environmentFile = config.age.secrets.vaultwarden-env.path;
  };

@ -85,36 +84,9 @@ in {
    RestartSec = "600"; # Retry every 10 minutes
  };

-  # Backups
-  # ========================================================================
-
-  age.secrets.restic-encryption-password.generator.script = "alnum";
-  age.secrets.restic-ssh-privkey.generator.script = "ssh-ed25519";
-
-  services.restic.backups.main = {
-    hetznerStorageBox = let
-      box = config.repo.secrets.global.hetzner.storageboxes.dusk;
-    in {
-      enable = true;
-      inherit (box) mainUser;
-      inherit (box.users.vaultwarden) subUid path;
-      sshAgeSecret = "restic-ssh-privkey";
-    };
-
+  backups.storageBoxes.dusk = {
+    subuser = "vaultwarden";
    user = "vaultwarden";
-    timerConfig = {
-      OnCalendar = "06:15";
-      RandomizedDelaySec = "3h";
-      Persistent = true;
-    };
-    initialize = true;
-    passwordFile = config.age.secrets.restic-encryption-password.path;
    paths = [config.services.vaultwarden.backupDir];
-    pruneOpts = [
-      "--keep-daily 14"
-      "--keep-weekly 7"
-      "--keep-monthly 12"
-      "--keep-yearly 75"
-    ];
  };
 }
--- a/hosts/ward/net.nix
+++ b/hosts/ward/net.nix
@ -104,12 +104,6 @@ in {
        masquerade = true;
      };

-      # Rule needed to allow local-vms wireguard traffic
-      lan-to-local = {
-        from = ["lan"];
-        to = ["local"];
-      };
-
      outbound = {
        from = ["lan"];
        to = ["lan" "untrusted"];