feat: add backups for firefly and paperless

2023-10-09 22:52:28 +02:00 · 2023-10-09 22:52:28 +02:00 · 6f6140f660
parent 6fabfdc431
commit 6f6140f660
13 changed files with 99 additions and 12 deletions
--- a/hosts/chocolatebar/configuration.nix
+++ b/hosts/chocolatebar/configuration.nix
@ -26,9 +26,7 @@ in {

  pub-solar.terminal-life.full = true;

-  services.openssh.openFirewall = true;
  networking.hostName = "chocolatebar";
-  networking.firewall.allowedUDPPorts = [43050];

  environment.systemPackages = with pkgs; [
    drone-docker-runner
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -57,7 +57,6 @@
          ./pie
          self.nixosModules.yule
          self.nixosModules.printing
-          self.nixosModules.paperless
          self.nixosModules.docker
        ];
      };
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@ -9,8 +9,6 @@ with lib; let
  psCfg = config.pub-solar;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
-  pub-solar.core.disk-encryption-active = false;
-
  boot.loader.systemd-boot.enable = lib.mkForce false;
  boot.loader.grub = {
    enable = true;
@ -23,6 +21,10 @@ in {

  networking.hostName = "droppie";

+  services.openssh.enable = true;
+
+  pub-solar.core.disk-encryption-active = false;
+
  # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
  age.secrets."droppie-ssh-root.key" = {
    file = "${flake.self}/secrets/droppie-ssh-root.key";
--- a/hosts/maoam/configuration.nix
+++ b/hosts/maoam/configuration.nix
@ -33,8 +33,6 @@
    config.mobile.device.firmware
  ];

-  services.openssh.enable = true;
-
  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@ -36,6 +36,8 @@ in {

  pub-solar.core.disk-encryption-active = false;

+  services.openssh.enable = true;
+
  security.sudo.extraRules = [
    {
      users = ["${psCfg.user.name}"];
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -8,6 +8,7 @@
    ./dhcpd.nix
    ./wake-droppie.nix
    ./ddclient.nix
+    ./paperless.nix
    ./firefly.nix
  ];
 }
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@ -4,7 +4,11 @@
  pkgs,
  lib,
  ...
-}: {
+}: let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+  backupDir = "/var/lib/firefly/backup";
+in {
  age.secrets."firefly-secrets.env" = {
    file = "${flake.self}/secrets/firefly-secrets.env";
    mode = "600";
@ -93,4 +97,36 @@
      # };
    };
  };
+
+  systemd.tmpfiles.rules = [
+    "d '${backupDir}' 0700 root root - -"
+  ];
+
+  age.secrets."rclone-pie.conf" = {
+    file = "${flake.self}/secrets/rclone-pie.conf";
+    path = "/root/.config/rclone/rclone.conf";
+    mode = "600";
+  };
+
+  age.secrets."restic-password.age" = {
+    file = "${flake.self}/secrets/restic-password.age";
+    mode = "600";
+  };
+
+  services.restic.backups = {
+    firefly = {
+      paths = [
+        backupDir
+        "/var/lib/firefly/upload"
+      ];
+      initialize = true;
+      passwordFile = config.age.secrets."restic-password.age".path;
+      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+      repository = "rclone:cloud.pub.solar:/backups/FireflyIII";
+      backupPrepareCommand = ''
+        docker exec -t firefly-db pg_dumpall -c -U postgres > "${backupDir}/postgres.sql"
+      '';
+      rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+    };
+  };
 }
--- a/modules/paperless/default.nix
+++ b/modules/paperless/default.nix
@ -10,6 +10,7 @@ with lib; let
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;

  dataDir = "${xdg.dataHome}/Paperless";
+  backupDir = "${xdg.dataHome}/PaperlessBackup";
  consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
  scannerDefaultDevice = "hp3900:libusb:005:004";
 in {
@ -18,7 +19,7 @@ in {
    user = psCfg.user.name;
    consumptionDir = consumptionDir;
    dataDir = dataDir;
-    address = "paperless.local";
+    address = "localhost";
    extraConfig = {
      PAPERLESS_OCR_LANGUAGE = "nld+deu";
      PAPERLESS_ADMIN_USER = psCfg.user.name;
@ -53,4 +54,31 @@ in {
      }
    '';
  };
+
+  systemd.tmpfiles.rules = [
+    "d '${backupDir}' 0700 ${psCfg.user.name} users - -"
+  ];
+
+  age.secrets."rclone-pie.conf" = {
+    file = "${flake.self}/secrets/rclone-pie.conf";
+    path = "/root/.config/rclone/rclone.conf";
+    mode = "600";
+  };
+
+  age.secrets."restic-password.age" = {
+    file = "${flake.self}/secrets/restic-password.age";
+    mode = "600";
+  };
+
+  services.restic.backups = {
+    paperless = {
+      paths = [ backupDir ];
+      initialize = true;
+      passwordFile = config.age.secrets."restic-password.age".path;
+      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+      repository = "rclone:cloud.pub.solar:/backups/Paperless";
+      backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
+      rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+    };
+  };
 }
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
@ -19,8 +19,8 @@

  # For rage encryption, all hosts need a ssh key pair
  services.openssh = {
-    enable = true;
-    allowSFTP = false;
+    enable = lib.mkDefault false;
+    allowSFTP = lib.mkDefault false;

    # If you don't want the host to have SSH actually opened up to the net,
    # set `services.openssh.openFirewall` to false in your config.
--- a/modules/default.nix
+++ b/modules/default.nix
@ -20,7 +20,6 @@
      nix = import ./nix;
      nextcloud = import ./nextcloud;
      office = import ./office;
-      paperless = import ./paperless;
      printing = import ./printing;
      terminal-life = import ./terminal-life;
      uhk = import ./uhk;
--- a/secrets/rclone-pie.conf
+++ b/secrets/rclone-pie.conf
--- a/secrets/restic-password.age
+++ b/secrets/restic-password.age
@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 8bHz7g Cm7Mj904CLIkeevSll7VvKpI0dufxbP1un3N/aQgIEc
+mOE0vPi/Lwpqfw2E3ZQkFJHQ9oH493QqrjCnBNgwhx4
+-> ssh-rsa kFDS0A
+SJtQbBdBExuEzQdLLl+bTLKk0sMVI955uOBID1YrScrs8dkDL9IGuwzWnDVy85Ny
+MpafrfregK6Ah1ma0k6FlAQ7hsNy3HY4YEZFsqC4U1aQjj1CgpuEwPuYNk7Ol1Od
+abwEDzSJf6yNBIqu3lItkHQ7DDyZF4fKEQwtkJcWqAjRKdi9Uce270RSdUdcvhcB
+5hth49ve/t6piaBckkZCp2FT0QiBj/ozjMrZQhmCMaG3RhBYJV8DZ+XXPxXMY5OM
+ZLAg/y0Uw4nZHl8GXl4heBDAwMtRmf99hB+GkniXFM7ilGpjb8TBziDZ7kPCfVIl
+mnwyGut370ZA0+FDBc2w0v/+MBm3FWMF4udbcc1piIImg6hFasbjtpG+yGP7NPKW
+w+ZZx5FJvg2lKyhOgw6u607qm+e+enXSx0DfiU8noLzCMNQjDz6kUSGrZ81J/1RV
+jagiafSTBI7uRdtNfclil/JmEOtqyQGPbI8DoH3aeP+ZgsdMEXE6tKjSTauDG+51
+Nif5PdvE9ttCdh0fsiujBuHNDeiXzjgtDcweAMONwtugc77QTtD8xOyc50aSCsv0
+wYtC36r9Ov0vLxE3o9ZAGpIHTqwquS4fa2T+qUrV3awD1E8jgePz5cfJPoka5poN
+NpgDq4x4tguOPqKqnTR0Bz6uVPp713FjRFwhXBlyoug
+-> ZeLZA-grease hkzH` 3) })H|k -]KWQY
+X2iif6L7A6obBx+aXOOQiB5Xq1kKbOXgYMYkt3rZVaYTs8MBpoyZUWj5KqcRFO86
+WepOh2d2ig
+--- 197qo27k+qo171895rFXXYrp0Z9TUiY8QqLT35SqKXc
+5ÈJèdïLDdìiF_ôè‘‘§<E28098>ÿ°AY°n\°tÎâ›³±8›)þ»öÔŸÙ¸ƒÊéq˜›ÓÂ
2¦jHq)·‰R¼<52>ÛSÌüâí}Î(.ˆ¡Z7dÛH<C39B>ïØ#5<{d0¿’E]`²n<C2B2>XZR¿ê¸‹BþS;1î¿FQž¬®%$©Öµ9+¡Ã½w<>C)u
ÅX"
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -64,4 +64,8 @@ in {
  "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;

  "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
+
+  "rclone-pie.conf".publicKeys = pieKeys ++ baseKeys;
+
+  "restic-password.age".publicKeys = pieKeys ++ baseKeys;
 }