feat: enable storage box backups for mail

2024-08-04 20:39:06 +02:00 · 2024-08-04 20:39:06 +02:00 · 3994f21100
commit 3994f21100
parent d58364619f
8 changed files with 71 additions and 39 deletions
--- a/hosts/envoy/idmail.nix
+++ b/hosts/envoy/idmail.nix
@ -66,6 +66,7 @@ in {
            owner = "admin";
          }
      );
+      # XXX: create mailboxes for git@ vaultwarden@ and simultaneously alias them to the catch all for a send only mail.
    };
  };
  systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute
--- a/hosts/envoy/stalwart-mail.nix
+++ b/hosts/envoy/stalwart-mail.nix
@ -8,6 +8,7 @@
  primaryDomain = globals.mail.primary;
  stalwartDomain = "mail.${primaryDomain}";
  dataDir = "/var/lib/stalwart-mail";
+  mailBackupDir = "/var/cache/mail-backup";
 in {
  environment.persistence."/persist".directories = [
    {
@ -193,7 +194,7 @@ in {
                -- Finally, select any catch_all address that would catch this.
                -- Again make sure everything is active.
                UNION
-                SELECT d.catch_all, 3 AS rowOrder AS name
+                SELECT d.catch_all AS name, 3 AS rowOrder
                  FROM domains AS d
                  JOIN mailboxes AS m ON d.catch_all = m.address
                  JOIN users AS u ON m.owner = u.username
@ -567,36 +568,51 @@ in {
    };
  };

-  # systemd.services.stalwart-backup = {
-  #   description = "Stalwart and idmail backup";
-  #   serviceConfig = {
-  #     ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${stalwartBackupDir}";
-  #     ReadWritePaths = [
-  #       dataDir
-  #       config.services.idmail.dataDir
-  #       stalwartBackupDir
-  #     ];
-  #     Restart = "no";
-  #     Type = "oneshot";
-  #   };
-  #   inherit (cfg) environment;
-  #   requiredBy = ["restic-backups-storage-box-dusk.service"];
-  #   before = ["restic-backups-storage-box-dusk.service"];
-  # };
-  #
-  # # Needed so we don't run out of tmpfs space for large backups.
-  # # Technically this could be cleared each boot but whatever.
-  # environment.persistence."/state".directories = [
-  #   {
-  #     directory = stalwartBackupDir;
-  #     user = "stalwart-mail";
-  #     group = "stalwart-mail";
-  #     mode = "0700";
-  #   }
-  # ];
-  #
-  # backups.storageBoxes.dusk = {
-  #   subuser = "stalwart";
-  #   paths = [stalwartBackupDir];
-  # };
+  systemd.services.backup-mail = {
+    description = "Mail backup";
+    environment = {
+      STALWART_DATA = dataDir;
+      IDMAIL_DATA = config.services.idmail.dataDir;
+      BACKUP_DIR = mailBackupDir;
+    };
+    serviceConfig = {
+      SyslogIdentifier = "backup-mail";
+      Type = "oneshot";
+      User = "stalwart-mail";
+      Group = "stalwart-mail";
+      ExecStart = lib.getExe (pkgs.writeShellApplication {
+        name = "backup-mail";
+        runtimeInputs = [pkgs.sqlite];
+        text = ''
+          sqlite3 "$STALWART_DATA/database.sqlite3" ".backup '$BACKUP_DIR/database.sqlite3'"
+          sqlite3 "$IDMAIL_DATA/database.sqlite3" ".backup '$BACKUP_DIR/idmail.db'"
+          cp -r "$STALWART_DATA/dkim" "$BACKUP_DIR/"
+        '';
+      });
+      ReadWritePaths = [
+        dataDir
+        config.services.idmail.dataDir
+        mailBackupDir
+      ];
+      Restart = "no";
+    };
+    requiredBy = ["restic-backups-storage-box-dusk.service"];
+    before = ["restic-backups-storage-box-dusk.service"];
+  };
+
+  # Needed so we don't run out of tmpfs space for large backups.
+  # Technically this could be cleared each boot but whatever.
+  environment.persistence."/state".directories = [
+    {
+      directory = mailBackupDir;
+      user = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0700";
+    }
+  ];
+
+  backups.storageBoxes.dusk = {
+    subuser = "stalwart";
+    paths = [mailBackupDir];
+  };
 }
--- a/nix/storage-box.nix
+++ b/nix/storage-box.nix
@ -1,13 +1,9 @@
 {inputs, ...}: {
-  perSystem = {
-    config,
-    pkgs,
-    ...
-  }: {
+  perSystem = {pkgs, ...}: {
    apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
      inherit pkgs;
      nixosConfigurations = inputs.self.nodes;
-      decryptIdentity = builtins.head config.secretsConfig.masterIdentities;
+      decryptIdentity = builtins.head inputs.self.secretsConfig.masterIdentities;
    };
  };
 }
--- a/secrets/generated/envoy/restic-encryption-password.age
+++ b/secrets/generated/envoy/restic-encryption-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 OH3vohVD+wOgaXnBXkPmISX/rKOHw9vAkHhvbKNc5SI
+7iJoL/5LbcmBL+9F8OP/H4DLz3OsQO2/Jo7/SGIMPeQ
+-> piv-p256 xqSe8Q AtlmXfAqQRosyLlV5EHnGsDkvqA9ng1IxD1F4uMldAkt
+I53dck5u2DJ3WpHZEqbO5tJRLhXCzTpjx+YOGunZU1M
+-> 7@H=O~_X-grease Dn
+Gs1wrPIA9dG0rm00/+DBzC0
+--- CipW/4FDMF+bWtWTNLatWXqYLV8MThrR26cWHDrKT0k
+¿ãjHqÍ>/�R�±ò:eŠ–®tÐÔ‹3ºF!Á®Õ{÷™Äº7Ä@ÆÏ¯VÙ™Ü«X·Ž ³Ô>Õ¹˜!)Ëœž,ÞŠ"(õScO_>'
--- a/secrets/generated/envoy/restic-ssh-privkey.age
+++ b/secrets/generated/envoy/restic-ssh-privkey.age
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age
--- a/secrets/rekeyed/envoy/9dc0c843d69f02a6b0c3b64c4dd995fa-restic-encryption-password.age
+++ b/secrets/rekeyed/envoy/9dc0c843d69f02a6b0c3b64c4dd995fa-restic-encryption-password.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 rz300w 2nOYeoxR+f268mg+ZdrWkOnbZ4Kt8wo2LqKDxn/yHl4
+et62QuU5pCxgSBGnr3y4QqSbZ2JtIPa8VSNkWRE/OFs
+-> 9tGrxZ)-grease ucb=Pw 6CW&' YK?& ^
+Ge5Vl7GgagHYuLisS63vR3TQtzneq+AppcSadnCRs9ZwzpyRH2/m9xn3eftbliv
+6kWgXJS4iOxUDJS5FpZWsC1krmwWgmNdLtYoGEaJK9nmAS2CcrCQ38CLeQ
+--- bwtbv70YcG3bkzeV8ldrdzjbC6YOVvl9Flqs2J8YElo
+µx:Hqè¸ü`
+sAZy¸1ór—;ÞZù‚“Z¿q›vB]YMŒ ‹GØª¼ï=ŠM‚"HÉ7d¢ØÞ±J•*m™€T¤¾
+±ãå:†WxÜZ
--- a/secrets/rekeyed/envoy/db9c11543e8500c4d58a856518f5774f-restic-ssh-privkey.age
+++ b/secrets/rekeyed/envoy/db9c11543e8500c4d58a856518f5774f-restic-ssh-privkey.age