diff --git a/hosts/chocolatebar/configuration.nix b/hosts/chocolatebar/configuration.nix
index 395932d..a30b525 100644
--- a/hosts/chocolatebar/configuration.nix
+++ b/hosts/chocolatebar/configuration.nix
@@ -26,9 +26,7 @@ in {
 pub-solar.terminal-life.full = true;
- services.openssh.openFirewall = true;
 networking.hostName = "chocolatebar";
- networking.firewall.allowedUDPPorts = [43050];
 environment.systemPackages = with pkgs; [
 drone-docker-runner
diff --git a/hosts/default.nix b/hosts/default.nix
index 4fdaae7..166103c 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -57,7 +57,6 @@
 ./pie
 self.nixosModules.yule
 self.nixosModules.printing
- self.nixosModules.paperless
 self.nixosModules.docker
 ];
 };
diff --git a/hosts/droppie/configuration.nix b/hosts/droppie/configuration.nix
index e54c97b..a5174a9 100644
--- a/hosts/droppie/configuration.nix
+++ b/hosts/droppie/configuration.nix
@@ -9,8 +9,6 @@ with lib; let
 psCfg = config.pub-solar;
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
- pub-solar.core.disk-encryption-active = false;
-
 boot.loader.systemd-boot.enable = lib.mkForce false;
 boot.loader.grub = {
 enable = true;
@@ -23,6 +21,10 @@ in {
 networking.hostName = "droppie";
+ services.openssh.enable = true;
+
+ pub-solar.core.disk-encryption-active = false;
+
 # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
 age.secrets."droppie-ssh-root.key" = {
 file = "${flake.self}/secrets/droppie-ssh-root.key";
diff --git a/hosts/maoam/configuration.nix b/hosts/maoam/configuration.nix
index 8e07c2f..4a217b0 100644
--- a/hosts/maoam/configuration.nix
+++ b/hosts/maoam/configuration.nix
@@ -33,8 +33,6 @@
 config.mobile.device.firmware
 ];
- services.openssh.enable = true;
-
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/hosts/pie/configuration.nix b/hosts/pie/configuration.nix
index 82ad449..7a75bfd 100644
--- a/hosts/pie/configuration.nix
+++ b/hosts/pie/configuration.nix
@@ -36,6 +36,8 @@ in {
 pub-solar.core.disk-encryption-active = false;
+ services.openssh.enable = true;
+
 security.sudo.extraRules = [
 {
 users = ["${psCfg.user.name}"];
diff --git a/hosts/pie/default.nix b/hosts/pie/default.nix
index 4c53f2b..1604b59 100644
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@@ -8,6 +8,7 @@
 ./dhcpd.nix
 ./wake-droppie.nix
 ./ddclient.nix
+ ./paperless.nix
 ./firefly.nix
 ];
 }
diff --git a/hosts/pie/firefly.nix b/hosts/pie/firefly.nix
index ee44237..80c08c3 100644
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@@ -4,7 +4,11 @@
 pkgs,
 lib,
 ...
-}: {
+}: let
+ psCfg = config.pub-solar;
+ xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+ backupDir = "/var/lib/firefly/backup";
+in {
 age.secrets."firefly-secrets.env" = {
 file = "${flake.self}/secrets/firefly-secrets.env";
 mode = "600";
@@ -93,4 +97,36 @@
 # };
 };
 };
+
+ systemd.tmpfiles.rules = [
+ "d '${backupDir}' 0700 root root - -"
+ ];
+
+ age.secrets."rclone-pie.conf" = {
+ file = "${flake.self}/secrets/rclone-pie.conf";
+ path = "/root/.config/rclone/rclone.conf";
+ mode = "600";
+ };
+
+ age.secrets."restic-password.age" = {
+ file = "${flake.self}/secrets/restic-password.age";
+ mode = "600";
+ };
+
+ services.restic.backups = {
+ firefly = {
+ paths = [
+ backupDir
+ "/var/lib/firefly/upload"
+ ];
+ initialize = true;
+ passwordFile = config.age.secrets."restic-password.age".path;
+ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+ repository = "rclone:cloud.pub.solar:/backups/FireflyIII";
+ backupPrepareCommand = ''
+ docker exec -t firefly-db pg_dumpall -c -U postgres > "${backupDir}/postgres.sql"
+ '';
+ rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ };
+ };
 }
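Review bot: The new `let` in hosts/pie/firefly.nix binds `psCfg` and `xdg`, but no line this diff adds to the file references either of them; only `backupDir` is used. If the rest of the file (outside the hunk) does not use them either, the two bindings are dead and the block should shrink to `}: let backupDir = "/var/lib/firefly/backup"; in {`. They look copied from paperless.nix, where `xdg.dataHome` is actually needed for the paths.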
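Review bot: `docker exec -t firefly-db pg_dumpall …` in `backupPrepareCommand` allocates a pseudo-TTY while stdout is redirected to a file, and docker's pty path rewrites the stream (line-ending and control-sequence handling), so the dump that reaches `${backupDir}/postgres.sql` is not guaranteed to restore cleanly; drop the flag: `docker exec firefly-db pg_dumpall -c -U postgres > "${backupDir}/postgres.sql"`. The `age.secrets."rclone-pie.conf"` and `age.secrets."restic-password.age"` blocks here are repeated verbatim in the hosts/pie/paperless.nix hunk; identical definitions will probably merge, but the rclone config's fixed `path` under /root is host-global state that belongs in one shared pie module both backups import rather than in two service files. No `pruneOpts` is set for either backup, so the rclone remote grows without bound; if that is intentional, say so in a comment next to `initialize = true;`.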
diff --git a/modules/paperless/default.nix b/hosts/pie/paperless.nix
similarity index 59%
rename from modules/paperless/default.nix
rename to hosts/pie/paperless.nix
index 0eca392..9dc8eaa 100644
--- a/modules/paperless/default.nix
+++ b/hosts/pie/paperless.nix
@@ -10,6 +10,7 @@ with lib; let
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 dataDir = "${xdg.dataHome}/Paperless";
+ backupDir = "${xdg.dataHome}/PaperlessBackup";
 consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
 scannerDefaultDevice = "hp3900:libusb:005:004";
 in {
@@ -18,7 +19,7 @@ in {
 user = psCfg.user.name;
 consumptionDir = consumptionDir;
 dataDir = dataDir;
- address = "paperless.local";
+ address = "localhost";
 extraConfig = {
 PAPERLESS_OCR_LANGUAGE = "nld+deu";
 PAPERLESS_ADMIN_USER = psCfg.user.name;
@@ -53,4 +54,31 @@ in {
 }
 '';
 };
+
+ systemd.tmpfiles.rules = [
+ "d '${backupDir}' 0700 ${psCfg.user.name} users - -"
+ ];
+
+ age.secrets."rclone-pie.conf" = {
+ file = "${flake.self}/secrets/rclone-pie.conf";
+ path = "/root/.config/rclone/rclone.conf";
+ mode = "600";
+ };
+
+ age.secrets."restic-password.age" = {
+ file = "${flake.self}/secrets/restic-password.age";
+ mode = "600";
+ };
+
+ services.restic.backups = {
+ paperless = {
+ paths = [ backupDir ];
+ initialize = true;
+ passwordFile = config.age.secrets."restic-password.age".path;
+ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+ repository = "rclone:cloud.pub.solar:/backups/Paperless";
+ backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
+ rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ };
+ };
 }
diff --git a/modules/core/networking.nix b/modules/core/networking.nix
index ec1eee1..815839a 100644
--- a/modules/core/networking.nix
+++ b/modules/core/networking.nix
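Review bot: `backupPrepareCommand` runs `${dataDir}/paperless-manage document_exporter …` under the restic unit's identity, which is root unless `services.restic.backups.paperless.user` is set, while the tmpfiles rule creates `backupDir` for `${psCfg.user.name}` and paperless itself runs as that user (`user = psCfg.user.name;` in the second hunk). The export will succeed as root, but the exported tree, and anything the manage script writes under `${dataDir}` (logs, for instance) if it does, end up root-owned and may trip the user-run service later; confirm, or invoke the exporter as the service user from the prepare command. The export is a plaintext copy of every document, written under the user's home, so the 0700 mode is right and deserves a short comment on the tmpfiles line stating that intent, e.g. `# export is unencrypted on disk; keep it private to the owner`. Without `-d`, documents deleted in paperless stay in the export indefinitely, which may or may not be wanted.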
@@ -19,8 +19,8 @@
 # For rage encryption, all hosts need a ssh key pair
 services.openssh = {
- enable = true;
- allowSFTP = false;
+ enable = lib.mkDefault false;
+ allowSFTP = lib.mkDefault false;
 # If you don't want the host to have SSH actually opened up to the net,
 # set `services.openssh.openFirewall` to false in your config.
diff --git a/modules/default.nix b/modules/default.nix
index 2ce614c..5fe7282 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -20,7 +20,6 @@
 nix = import ./nix;
 nextcloud = import ./nextcloud;
 office = import ./office;
- paperless = import ./paperless;
 printing = import ./printing;
 terminal-life = import ./terminal-life;
 uhk = import ./uhk;
diff --git a/secrets/rclone-pie.conf b/secrets/rclone-pie.conf
new file mode 100644
index 0000000..09d6322
Binary files /dev/null and b/secrets/rclone-pie.conf differ
diff --git a/secrets/restic-password.age b/secrets/restic-password.age
new file mode 100644
index 0000000..5829d92
--- /dev/null
+++ b/secrets/restic-password.age
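Review bot: With `enable = lib.mkDefault false;` sshd is off on every host that does not opt in, yet the context line above still says all hosts need an ssh key pair for rage; as far as I know NixOS only generates the host keys in `/etc/ssh` when the openssh service is enabled, so a fresh host that keeps the default will have no host key and agenix cannot decrypt its secrets. Hosts whose explicit openssh settings this commit removes (chocolatebar, maoam) now land on the disabled side unless they enable it elsewhere — worth a check before deploying. The `openFirewall` comment at the end of the hunk is also stale now that disabled is the default; replace it with something like `# sshd is off by default; hosts that hold agenix secrets must set services.openssh.enable = true so a host key exists.` The `services.openssh` attrset continues past the hunk.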
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 8bHz7g Cm7Mj904CLIkeevSll7VvKpI0dufxbP1un3N/aQgIEc +mOE0vPi/Lwpqfw2E3ZQkFJHQ9oH493QqrjCnBNgwhx4 +-> ssh-rsa kFDS0A +SJtQbBdBExuEzQdLLl+bTLKk0sMVI955uOBID1YrScrs8dkDL9IGuwzWnDVy85Ny +MpafrfregK6Ah1ma0k6FlAQ7hsNy3HY4YEZFsqC4U1aQjj1CgpuEwPuYNk7Ol1Od +abwEDzSJf6yNBIqu3lItkHQ7DDyZF4fKEQwtkJcWqAjRKdi9Uce270RSdUdcvhcB +5hth49ve/t6piaBckkZCp2FT0QiBj/ozjMrZQhmCMaG3RhBYJV8DZ+XXPxXMY5OM +ZLAg/y0Uw4nZHl8GXl4heBDAwMtRmf99hB+GkniXFM7ilGpjb8TBziDZ7kPCfVIl +mnwyGut370ZA0+FDBc2w0v/+MBm3FWMF4udbcc1piIImg6hFasbjtpG+yGP7NPKW +w+ZZx5FJvg2lKyhOgw6u607qm+e+enXSx0DfiU8noLzCMNQjDz6kUSGrZ81J/1RV +jagiafSTBI7uRdtNfclil/JmEOtqyQGPbI8DoH3aeP+ZgsdMEXE6tKjSTauDG+51 +Nif5PdvE9ttCdh0fsiujBuHNDeiXzjgtDcweAMONwtugc77QTtD8xOyc50aSCsv0 +wYtC36r9Ov0vLxE3o9ZAGpIHTqwquS4fa2T+qUrV3awD1E8jgePz5cfJPoka5poN +NpgDq4x4tguOPqKqnTR0Bz6uVPp713FjRFwhXBlyoug +-> ZeLZA-grease hkzH` 3) })H|k -]KWQY +X2iif6L7A6obBx+aXOOQiB5Xq1kKbOXgYMYkt3rZVaYTs8MBpoyZUWj5KqcRFO86 +WepOh2d2ig +--- 197qo27k+qo171895rFXXYrp0Z9TUiY8QqLT35SqKXc +5JdLDdiF_葑AYn\t⛳8)ԟq 2jHq)RS}(.Z7dH#5<{d0E]` nXZRBS;1FQ%$ֵ9+ýwC)u X" \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index db808d8..b6b55f3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -64,4 +64,8 @@ in { "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys; "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys; + + "rclone-pie.conf".publicKeys = pieKeys ++ baseKeys; + + "restic-password.age".publicKeys = pieKeys ++ baseKeys; }