os/hosts/pie/invoiceplane.nix

{
flake,
config,
pkgs,
lib,
...
}: let
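# Staging directory for the database dump taken before each restic run.
# It is created root-only (0700) by the systemd.tmpfiles rule in this module.
# The former `psCfg` and `xdg` bindings were never referenced in this file and
# have been dropped.
backupDir = "/var/lib/invoiceplane/backup";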
in {
age.secrets = {
  # Database password handed to InvoicePlane via `database.passwordFile`.
  # Readable only by the `invoiceplane` user (mode 400).
  "invoiceplane-db-password" = {
    file = "${flake.self}/secrets/invoiceplane-db-password.age";
    owner = "invoiceplane";
    mode = "400";
  };

  # Environment file passed to the MariaDB container through `environmentFiles`.
  # No owner is set, so the agenix default applies (presumably root; confirm).
  "invoiceplane-db-secrets.env" = {
    file = "${flake.self}/secrets/invoiceplane-db-secrets.env.age";
    mode = "400";
  };
};
# Request an ACME certificate for the invoicing host; challenge settings come
# from defaults defined outside this file.
security.acme.certs."invoicing.b12f.io" = { };

# Serve the site over TLS only, reusing the certificate requested above.
services.nginx.virtualHosts."invoicing.b12f.io" = {
  useACMEHost = "invoicing.b12f.io";
  forceSSL = true;
};
services.invoiceplane = {
  webserver = "nginx";

  sites."invoicing.b12f.io" = {
    # NOTE(review): this spot previously carried the comment "nginx is not
    # supported", which contradicts `webserver = "nginx"` above. Confirm
    # which one is current and drop the stale statement.
    enable = true;

    # The database runs in the `invoiceplane-db` container and is reached
    # over loopback, so the module must not provision a local one.
    database = {
      createLocally = false;
      host = "127.0.0.1";
      port = 3306;
      name = "invoiceplane";
      user = "invoiceplane";
      # Password is read from the agenix-decrypted file at runtime.
      passwordFile = config.age.secrets."invoiceplane-db-password".path;
    };

    # Pool settings for the PHP workers serving this site.
    poolConfig = {
      "pm" = "dynamic";
      "pm.max_children" = 32;
      "pm.max_requests" = 500;
      "pm.max_spare_servers" = 4;
      "pm.min_spare_servers" = 2;
      "pm.start_servers" = 2;
      # Errors are written to the log file and never rendered into responses.
      "php_admin_value[error_log]" = "/var/lib/invoiceplane/invoicing.b12f.io/logs/php-error.log";
      "php_admin_flag[display_errors]" = "off";
      "php_admin_flag[log_errors]" = "on";
      "catch_workers_output" = "yes";
    };
  };
};
# MariaDB for InvoicePlane, run as a Docker container managed by NixOS.
virtualisation.oci-containers = {
  backend = "docker";

  containers."invoiceplane-db" = {
    # NOTE(review): `mariadb:11` is a floating tag, so a redeploy can pull
    # different image contents. Consider pinning by digest, e.g.
    # "mariadb:11@sha256:<IMAGE_DIGEST>" (placeholder).
    image = "mariadb:11";
    autoStart = true;

    # Published on loopback only; the port mapping does not expose the
    # database on external interfaces.
    ports = [ "127.0.0.1:3306:3306" ];

    # Database files persist on the host.
    volumes = [ "/var/lib/invoiceplane/db:/var/lib/mysql" ];

    # Container credentials come from the agenix-decrypted env file rather
    # than being written into the Nix store.
    environmentFiles = [
      config.age.secrets."invoiceplane-db-secrets.env".path
    ];
  };
};
# Create the dump staging directory, accessible to root only (0700), since it
# holds a plaintext SQL dump.
systemd.tmpfiles.rules = [ "d '${backupDir}' 0700 root root - -" ];
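# Encrypted off-site backup of the InvoicePlane data directory plus a fresh
# SQL dump of the database container.
services.restic.backups.invoiceplane = {
  paths = [
    backupDir
    "/var/lib/invoiceplane/invoicing.b12f.io"
  ];
  initialize = true;
  passwordFile = config.age.secrets."restic-password".path;
  # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
  repository = "rclone:cloud.pub.solar:/backups/InvoicePlane";

  # Dump the database before restic runs.
  #
  # - The password is exported as MYSQL_PWD and forwarded by name with
  #   `docker exec -e MYSQL_PWD`. It therefore never appears in a process
  #   argument list, where any local user could read it, and it is no longer
  #   subject to word splitting. Verify that the deployed docker client
  #   forwards valueless `-e` variables and that the image's mariadb-dump
  #   honours MYSQL_PWD.
  # - No `-t`: a pseudo-TTY rewrites line endings and merges stderr into
  #   stdout, which would corrupt the dump file.
  # - `set -e` aborts the backup when reading the secret or dumping fails,
  #   instead of uploading an empty or partial dump.
  #
  # NOTE(review): the dump is named postgres.sql although it is a MariaDB
  # dump. The name is kept so existing restore procedures still match.
  backupPrepareCommand = ''
    set -e
    MYSQL_PWD="$(cat ${config.age.secrets."invoiceplane-db-password".path})"
    export MYSQL_PWD
    ${pkgs.docker-client}/bin/docker exec -e MYSQL_PWD invoiceplane-db mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/postgres.sql"
  '';
  rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
};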
}