forked from mirrors_public/oddlama_nix-config
feat: add paperless and radicale backups to hetzner
parent
f9e1247b8a
commit
78ecdd2780
12 changed files with 128 additions and 67 deletions
|
@ -1,10 +1,12 @@
|
|||
{
|
||||
config,
|
||||
lib,
|
||||
nodes,
|
||||
...
|
||||
}: let
|
||||
sentinelCfg = nodes.sentinel.config;
|
||||
paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
|
||||
paperlessBackupDir = "/var/cache/paperless-backup";
|
||||
in {
|
||||
microvm.mem = 1024 * 6;
|
||||
microvm.vcpu = 8;
|
||||
|
@ -92,4 +94,29 @@ in {
|
|||
};
|
||||
|
||||
systemd.services.paperless.serviceConfig.RestartSec = "600"; # Retry every 10 minutes
|
||||
|
||||
systemd.tmpfiles.settings."10-paperless".${paperlessBackupDir}.d = {
|
||||
inherit (config.services.paperless) user;
|
||||
mode = "0700";
|
||||
};
|
||||
|
||||
systemd.services.paperless-backup = let
|
||||
cfg = config.systemd.services.paperless-consumer;
|
||||
in {
|
||||
description = "Paperless documents backup";
|
||||
serviceConfig = lib.recursiveUpdate cfg.serviceConfig {
|
||||
ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${paperlessBackupDir}";
|
||||
ReadWritePaths = cfg.serviceConfig.ReadWritePaths ++ [paperlessBackupDir];
|
||||
Restart = "no";
|
||||
Type = "oneshot";
|
||||
};
|
||||
inherit (cfg) environment;
|
||||
requiredBy = ["restic-backups-storage-box-dusk.service"];
|
||||
};
|
||||
|
||||
backups.storageBoxes.dusk = {
|
||||
subuser = "paperless";
|
||||
user = "paperless";
|
||||
paths = [paperlessBackupDir];
|
||||
};
|
||||
}
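Review bot: `requiredBy = ["restic-backups-storage-box-dusk.service"];` on `systemd.services.paperless-backup` only adds a Requires= dependency, not an ordering one, so systemd may start the exporter and the restic job at the same time and restic can snapshot `/var/cache/paperless-backup` while `document_exporter -d` is still writing and deleting files. Unless the `backups.storageBoxes` module (not visible here) already orders the units, add `before = ["restic-backups-storage-box-dusk.service"];` next to `requiredBy`; with `Type = "oneshot"` restic then waits for the export to finish, and a failed export stops the backup run instead of uploading a partial tree. A short comment on the `-na -nt -f -d` flags would also help, since `-d` removes files from the target directory that are not part of the current export.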
|
||||
|
|
|
@ -246,7 +246,7 @@ in {
|
|||
"/shares/users/${user}-paperless".d = {
|
||||
user = "paperless";
|
||||
group = "paperless";
|
||||
mode = "0750";
|
||||
mode = "0550";
|
||||
};
|
||||
"/paperless/consume/${user}".d = {
|
||||
user = "paperless";
|
||||
|
@ -347,37 +347,9 @@ in {
|
|||
}
|
||||
// lib.mapAttrs (_: cfg: {gid = cfg.id;}) (smbUsers // smbGroups);
|
||||
|
||||
# Backups
|
||||
# ========================================================================
|
||||
|
||||
age.secrets.restic-encryption-password.generator.script = "alnum";
|
||||
age.secrets.restic-ssh-privkey.generator.script = "ssh-ed25519";
|
||||
|
||||
services.restic.backups.main = {
|
||||
hetznerStorageBox = let
|
||||
box = config.repo.secrets.global.hetzner.storageboxes.dusk;
|
||||
in {
|
||||
enable = true;
|
||||
inherit (box) mainUser;
|
||||
inherit (box.users.samba) subUid path;
|
||||
sshAgeSecret = "restic-ssh-privkey";
|
||||
};
|
||||
|
||||
# We need to backup stuff from other users, so run as root.
|
||||
backups.storageBoxes.dusk = {
|
||||
subuser = "samba";
|
||||
user = "root";
|
||||
timerConfig = {
|
||||
OnCalendar = "06:15";
|
||||
RandomizedDelaySec = "3h";
|
||||
Persistent = true;
|
||||
};
|
||||
initialize = true;
|
||||
passwordFile = config.age.secrets.restic-encryption-password.path;
|
||||
paths = ["/bunker"];
|
||||
pruneOpts = [
|
||||
"--keep-daily 14"
|
||||
"--keep-weekly 7"
|
||||
"--keep-monthly 12"
|
||||
"--keep-yearly 75"
|
||||
];
|
||||
};
|
||||
}
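Review bot: `user = "root";` in the new `backups.storageBoxes.dusk` block runs the whole restic job, including its SSH connection to the storage box, as root, and the `# We need to backup stuff from other users, so run as root.` comment looks to be on the removed side (the `+347,9` count suggests so, though the rendering does not mark sides). Keep that comment directly above `user = "root";` so the privilege choice stays documented. Since the job only needs to read `/bunker`, a dedicated backup user with read-only access would limit what a compromised backup process can change, if the module supports it. Timer, retention (`--keep-*`) and the password file no longer appear in this file, so it is worth confirming the shared module sets equivalent values.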
|
||||
|
|