feat: add backups for firefly and paperless

This commit is contained in:
Benjamin Bädorf 2023-10-09 22:52:28 +02:00
parent 6fabfdc431
commit 6f6140f660
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
13 changed files with 99 additions and 12 deletions


@ -26,9 +26,7 @@ in {
pub-solar.terminal-life.full = true; pub-solar.terminal-life.full = true;
services.openssh.openFirewall = true;
networking.hostName = "chocolatebar"; networking.hostName = "chocolatebar";
networking.firewall.allowedUDPPorts = [43050];
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
drone-docker-runner drone-docker-runner
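Review bot: `services.openssh.openFirewall = true;` and `networking.firewall.allowedUDPPorts = [43050];` each appear only once in this section, which on this rendering suggests they are removed, and no `services.openssh.enable` line is visible for this host; since the same commit flips the module default to `enable = lib.mkDefault false`, chocolatebar would presumably end up with neither an sshd listener nor a firewall opening unless another part of its configuration enables them. If the host is administered over SSH, set `services.openssh.enable = true;` explicitly alongside the hostname. The enclosing attrset starts and ends outside the hunk.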


@ -57,7 +57,6 @@
./pie ./pie
self.nixosModules.yule self.nixosModules.yule
self.nixosModules.printing self.nixosModules.printing
self.nixosModules.paperless
self.nixosModules.docker self.nixosModules.docker
]; ];
}; };


@ -9,8 +9,6 @@ with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
pub-solar.core.disk-encryption-active = false;
boot.loader.systemd-boot.enable = lib.mkForce false; boot.loader.systemd-boot.enable = lib.mkForce false;
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
@ -23,6 +21,10 @@ in {
networking.hostName = "droppie"; networking.hostName = "droppie";
services.openssh.enable = true;
pub-solar.core.disk-encryption-active = false;
# ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZQSephFJU0NMbVbhwvVJ2/m6jcPYo1IsWCsoarqKin root@droppie
age.secrets."droppie-ssh-root.key" = { age.secrets."droppie-ssh-root.key" = {
file = "${flake.self}/secrets/droppie-ssh-root.key"; file = "${flake.self}/secrets/droppie-ssh-root.key";


@ -33,8 +33,6 @@
config.mobile.device.firmware config.mobile.device.firmware
]; ];
services.openssh.enable = true;
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave


@ -36,6 +36,8 @@ in {
pub-solar.core.disk-encryption-active = false; pub-solar.core.disk-encryption-active = false;
services.openssh.enable = true;
security.sudo.extraRules = [ security.sudo.extraRules = [
{ {
users = ["${psCfg.user.name}"]; users = ["${psCfg.user.name}"];


@ -8,6 +8,7 @@
./dhcpd.nix ./dhcpd.nix
./wake-droppie.nix ./wake-droppie.nix
./ddclient.nix ./ddclient.nix
./paperless.nix
./firefly.nix ./firefly.nix
]; ];
} }


@ -4,7 +4,11 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }: let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
backupDir = "/var/lib/firefly/backup";
in {
age.secrets."firefly-secrets.env" = { age.secrets."firefly-secrets.env" = {
file = "${flake.self}/secrets/firefly-secrets.env"; file = "${flake.self}/secrets/firefly-secrets.env";
mode = "600"; mode = "600";
@ -93,4 +97,36 @@
# }; # };
}; };
}; };
systemd.tmpfiles.rules = [
"d '${backupDir}' 0700 root root - -"
];
age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf";
path = "/root/.config/rclone/rclone.conf";
mode = "600";
};
age.secrets."restic-password.age" = {
file = "${flake.self}/secrets/restic-password.age";
mode = "600";
};
services.restic.backups = {
firefly = {
paths = [
backupDir
"/var/lib/firefly/upload"
];
initialize = true;
passwordFile = config.age.secrets."restic-password.age".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/FireflyIII";
backupPrepareCommand = ''
docker exec -t firefly-db pg_dumpall -c -U postgres > "${backupDir}/postgres.sql"
'';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
};
};
} }
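Review bot: `backupPrepareCommand` runs `docker exec -t`, and the pseudo-terminal that `-t` allocates is known to rewrite LF as CRLF in the captured output, so the `postgres.sql` written into `${backupDir}` may not restore cleanly; the systemd service has no terminal anyway, so the flag can simply be dropped: `docker exec firefly-db pg_dumpall -c -U postgres > "${backupDir}/postgres.sql"`. The dump (which, being `pg_dumpall` output, carries the cluster's role definitions and typically their password hashes) also remains on disk after each run; a `backupCleanupCommand` that removes it would confine that copy to the backup window. The `age.secrets."rclone-pie.conf"` and `age.secrets."restic-password.age"` blocks here are repeated verbatim in the paperless.nix hunk, and both modules are imported by the same host, so they would be better declared once in a shared module. The enclosing attrset starts outside the hunk.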


@ -10,6 +10,7 @@ with lib; let
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
dataDir = "${xdg.dataHome}/Paperless"; dataDir = "${xdg.dataHome}/Paperless";
backupDir = "${xdg.dataHome}/PaperlessBackup";
consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir"; consumptionDir = "/home/${psCfg.user.name}/.local/share/scandir";
scannerDefaultDevice = "hp3900:libusb:005:004"; scannerDefaultDevice = "hp3900:libusb:005:004";
in { in {
@ -18,7 +19,7 @@ in {
user = psCfg.user.name; user = psCfg.user.name;
consumptionDir = consumptionDir; consumptionDir = consumptionDir;
dataDir = dataDir; dataDir = dataDir;
address = "paperless.local"; address = "localhost";
extraConfig = { extraConfig = {
PAPERLESS_OCR_LANGUAGE = "nld+deu"; PAPERLESS_OCR_LANGUAGE = "nld+deu";
PAPERLESS_ADMIN_USER = psCfg.user.name; PAPERLESS_ADMIN_USER = psCfg.user.name;
@ -53,4 +54,31 @@ in {
} }
''; '';
}; };
systemd.tmpfiles.rules = [
"d '${backupDir}' 0700 ${psCfg.user.name} users - -"
];
age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf";
path = "/root/.config/rclone/rclone.conf";
mode = "600";
};
age.secrets."restic-password.age" = {
file = "${flake.self}/secrets/restic-password.age";
mode = "600";
};
services.restic.backups = {
paperless = {
paths = [ backupDir ];
initialize = true;
passwordFile = config.age.secrets."restic-password.age".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Paperless";
backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
};
};
} }
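Review bot: The export directory is created as `0700 ${psCfg.user.name} users`, but `backupPrepareCommand` executes inside the restic service, which runs as root unless the backup's `user` option is set (it is not here), so `document_exporter` would presumably leave root-owned files inside the user's XDG data directory; either add `user = psCfg.user.name;` to the `paperless` backup or create `backupDir` as root to match. Relatedly, a root service invoking `${dataDir}/paperless-manage` from a location the unprivileged user can write is worth confirming as intended, since whoever controls that path controls what runs as root at backup time. The enclosing attrset starts outside the hunk.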


@ -19,8 +19,8 @@
# For rage encryption, all hosts need a ssh key pair # For rage encryption, all hosts need a ssh key pair
services.openssh = { services.openssh = {
enable = true; enable = lib.mkDefault false;
allowSFTP = false; allowSFTP = lib.mkDefault false;
# If you don't want the host to have SSH actually opened up to the net, # If you don't want the host to have SSH actually opened up to the net,
# set `services.openssh.openFirewall` to false in your config. # set `services.openssh.openFirewall` to false in your config.
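Review bot: The comment `# For rage encryption, all hosts need a ssh key pair` is now contradicted by the line under it: with `enable = lib.mkDefault false` the sshd service — and the host-key generation it performs — is off unless a host opts in, and agenix derives its default identity paths from `services.openssh` only when sshd is enabled, so a host that does not set `enable = true` would presumably lose secret decryption as well as remote access. Suggest replacing the comment with `# sshd is off by default; hosts that decrypt agenix secrets or need remote access must set services.openssh.enable = true (host keys are only generated when sshd is enabled).` The hosts touched elsewhere in this commit set it explicitly, but any host not in the diffstat should be checked.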


@ -20,7 +20,6 @@
nix = import ./nix; nix = import ./nix;
nextcloud = import ./nextcloud; nextcloud = import ./nextcloud;
office = import ./office; office = import ./office;
paperless = import ./paperless;
printing = import ./printing; printing = import ./printing;
terminal-life = import ./terminal-life; terminal-life = import ./terminal-life;
uhk = import ./uhk; uhk = import ./uhk;

secrets/rclone-pie.conf Normal file



@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g Cm7Mj904CLIkeevSll7VvKpI0dufxbP1un3N/aQgIEc
mOE0vPi/Lwpqfw2E3ZQkFJHQ9oH493QqrjCnBNgwhx4
-> ssh-rsa kFDS0A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-> ZeLZA-grease hkzH` 3) })H|k -]KWQY
X2iif6L7A6obBx+aXOOQiB5Xq1kKbOXgYMYkt3rZVaYTs8MBpoyZUWj5KqcRFO86
WepOh2d2ig
--- 197qo27k+qo171895rFXXYrp0Z9TUiY8QqLT35SqKXc
5ÈJè­dïLDdìiF_ôè§<E28098>ÿ°AY°n\°tÎ⛳±8)þ»öÔŸÙ¸ƒÊéq˜Ó 2¦jHq)·‰R¼<52>ÛSÌüâí}Î(.ˆ¡Z7dÛH<C39B>ïØ#5<{d0¿E]` ²n<C2B2>XZR¿ê¸BþS;1î¿FQž¬®%$©Öµ9+¡Ã½w<>C)u ÅX"


@ -64,4 +64,8 @@ in {
"firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys; "firefly-db-secrets.env".publicKeys = pieKeys ++ baseKeys;
"firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys; "firefly-importer-secrets.env".publicKeys = pieKeys ++ baseKeys;
"rclone-pie.conf".publicKeys = pieKeys ++ baseKeys;
"restic-password.age".publicKeys = pieKeys ++ baseKeys;
} }