feat: enable storage box backups for mail

hosts/envoy/idmail.nix

@@ -66,6 +66,7 @@ in {
             owner = "admin";
           }
       );
+      # XXX: create mailboxes for git@ vaultwarden@ and simultaneously alias them to the catch all for a send only mail.
     };
   };
   systemd.services.idmail.serviceConfig.RestartSec = "60"; # Retry every minute

hosts/envoy/stalwart-mail.nix

@@ -8,6 +8,7 @@
   primaryDomain = globals.mail.primary;
   stalwartDomain = "mail.${primaryDomain}";
   dataDir = "/var/lib/stalwart-mail";
+  mailBackupDir = "/var/cache/mail-backup";
 in {
   environment.persistence."/persist".directories = [
     {
@@ -193,7 +194,7 @@ in {
                 -- Finally, select any catch_all address that would catch this.
                 -- Again make sure everything is active.
                 UNION
-                SELECT d.catch_all, 3 AS rowOrder AS name
+                SELECT d.catch_all AS name, 3 AS rowOrder
                   FROM domains AS d
                   JOIN mailboxes AS m ON d.catch_all = m.address
                   JOIN users AS u ON m.owner = u.username
@@ -567,36 +568,51 @@ in {
     };
   };
 
-  # systemd.services.stalwart-backup = {
+  systemd.services.backup-mail = {
-  #   description = "Stalwart and idmail backup";
+    description = "Mail backup";
-  #   serviceConfig = {
+    environment = {
-  #     ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${stalwartBackupDir}";
+      STALWART_DATA = dataDir;
-  #     ReadWritePaths = [
+      IDMAIL_DATA = config.services.idmail.dataDir;
-  #       dataDir
+      BACKUP_DIR = mailBackupDir;
-  #       config.services.idmail.dataDir
+    };
-  #       stalwartBackupDir
+    serviceConfig = {
-  #     ];
+      SyslogIdentifier = "backup-mail";
-  #     Restart = "no";
+      Type = "oneshot";
-  #     Type = "oneshot";
+      User = "stalwart-mail";
-  #   };
+      Group = "stalwart-mail";
-  #   inherit (cfg) environment;
+      ExecStart = lib.getExe (pkgs.writeShellApplication {
-  #   requiredBy = ["restic-backups-storage-box-dusk.service"];
+        name = "backup-mail";
-  #   before = ["restic-backups-storage-box-dusk.service"];
+        runtimeInputs = [pkgs.sqlite];
-  # };
+        text = ''
-  #
+          sqlite3 "$STALWART_DATA/database.sqlite3" ".backup '$BACKUP_DIR/database.sqlite3'"
-  # # Needed so we don't run out of tmpfs space for large backups.
+          sqlite3 "$IDMAIL_DATA/database.sqlite3" ".backup '$BACKUP_DIR/idmail.db'"
-  # # Technically this could be cleared each boot but whatever.
+          cp -r "$STALWART_DATA/dkim" "$BACKUP_DIR/"
-  # environment.persistence."/state".directories = [
+        '';
-  #   {
+      });
-  #     directory = stalwartBackupDir;
+      ReadWritePaths = [
-  #     user = "stalwart-mail";
+        dataDir
-  #     group = "stalwart-mail";
+        config.services.idmail.dataDir
-  #     mode = "0700";
+        mailBackupDir
-  #   }
+      ];
-  # ];
+      Restart = "no";
-  #
+    };
-  # backups.storageBoxes.dusk = {
+    requiredBy = ["restic-backups-storage-box-dusk.service"];
-  #   subuser = "stalwart";
+    before = ["restic-backups-storage-box-dusk.service"];
-  #   paths = [stalwartBackupDir];
+  };
-  # };
+
+  # Needed so we don't run out of tmpfs space for large backups.
+  # Technically this could be cleared each boot but whatever.
+  environment.persistence."/state".directories = [
+    {
+      directory = mailBackupDir;
+      user = "stalwart-mail";
+      group = "stalwart-mail";
+      mode = "0700";
+    }
+  ];
+
+  backups.storageBoxes.dusk = {
+    subuser = "stalwart";
+    paths = [mailBackupDir];
+  };
 }

nix/storage-box.nix

@@ -1,13 +1,9 @@
 {inputs, ...}: {
-  perSystem = {
+  perSystem = {pkgs, ...}: {
-    config,
-    pkgs,
-    ...
-  }: {
     apps.setupHetznerStorageBoxes = import (inputs.nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
       inherit pkgs;
       nixosConfigurations = inputs.self.nodes;
-      decryptIdentity = builtins.head config.secretsConfig.masterIdentities;
+      decryptIdentity = builtins.head inputs.self.secretsConfig.masterIdentities;
     };
   };
 }

secrets/generated/envoy/restic-encryption-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 OH3vohVD+wOgaXnBXkPmISX/rKOHw9vAkHhvbKNc5SI
+7iJoL/5LbcmBL+9F8OP/H4DLz3OsQO2/Jo7/SGIMPeQ
+-> piv-p256 xqSe8Q AtlmXfAqQRosyLlV5EHnGsDkvqA9ng1IxD1F4uMldAkt
+I53dck5u2DJ3WpHZEqbO5tJRLhXCzTpjx+YOGunZU1M
+-> 7@H=O~_X-grease Dn
+Gs1wrPIA9dG0rm00/+DBzC0
+--- CipW/4FDMF+bWtWTNLatWXqYLV8MThrR26cWHDrKT0k
+¿ãjHqÍ>
/�R�±ò:eŠ–®tÐÔ‹3ºF!Á®Õ{÷™Äº7Ä@ÆϯVٙܫX·Ž ³Ô>Õ¹˜!)Ëœž,ÞŠ"(õScO_>'

secrets/rekeyed/envoy/9dc0c843d69f02a6b0c3b64c4dd995fa-restic-encryption-password.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 rz300w 2nOYeoxR+f268mg+ZdrWkOnbZ4Kt8wo2LqKDxn/yHl4
+et62QuU5pCxgSBGnr3y4QqSbZ2JtIPa8VSNkWRE/OFs
+-> 9tGrxZ)-grease ucb=Pw 6CW&' YK?& ^
++Ge5Vl7GgagHYuLisS63vR3TQtzneq+AppcSadnCRs9ZwzpyRH2/m9xn3eftbliv
+6kWgXJS4iOxUDJS5FpZWsC1krmwWgmNdLtYoGEaJK9nmAS2CcrCQ38CLeQ
+--- bwtbv70YcG3bkzeV8ldrdzjbC6YOVvl9Flqs2J8YElo
+µx:Hqè¸ü`
+sAZy¸1ór—;ÞZù‚“Z¿
q›vB]YMŒ ‹Gت¼ï=ŠM‚"HÉ7d¢ØÞ±J•*m™€T¤¾
+±ãå:†WxÜZ