From f795bac18d309620ac9df08990aadc6c24f798f4 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 7 Nov 2024 09:07:19 +0100
Subject: [PATCH] fae: prepare backups of invoiceplane + paperless
---
 hosts/fae/invoiceplane.nix | 36 ++++++++++++++++--------------
 hosts/fae/paperless.nix | 43 +++++++++++++++++++-----------------
 secrets/fae-rclone.conf.age | Bin 0 -> 622 bytes
 secrets/restic-password.age | 9 ++++++++
 secrets/secrets.nix | 10 +++++++++
 5 files changed, 61 insertions(+), 37 deletions(-)
 create mode 100644 secrets/fae-rclone.conf.age
 create mode 100644 secrets/restic-password.age
diff --git a/hosts/fae/invoiceplane.nix b/hosts/fae/invoiceplane.nix
index 37ece074..9d2b0c64 100644
--- a/hosts/fae/invoiceplane.nix
+++ b/hosts/fae/invoiceplane.nix
@@ -58,21 +58,23 @@ in
 systemd.tmpfiles.rules = [
 "d '${backupDir}' 0700 root root - -"
 ];
- #services.restic.backups = {
- # invoiceplane = {
- # paths = [
- # backupDir
- # "/var/lib/invoiceplane/billing.faenix.eu"
- # ];
- # initialize = true;
- # passwordFile = config.age.secrets."restic-password".path;
- # # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
- # repository = "rclone:cloud.pub.solar:/backups/InvoicePlane";
- # backupPrepareCommand = ''
- # PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
- # ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/mariadb-dump.sql"
- # '';
- # rcloneConfigFile = config.age.secrets."rclone-fae.conf".path;
- # };
- #};
+ services.restic.backups = {
+ invoiceplane = {
+ paths = [
+ backupDir
+ "/var/lib/invoiceplane/billing.faenix.eu"
+ ];
+ timerConfig = {
+ OnCalendar = "*-*-* 00:00:00 Etc/UTC";
+ };
+ initialize = true;
+ passwordFile = config.age.secrets."restic-password.age".path;
+ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+ repository = "rclone:cloud.pub.solar:/Backups/InvoicePlane";
+ backupPrepareCommand = ''
+ ${pkgs.mariadb-client}/bin/mariadb-dump --all-databases --user=invoiceplane > "${backupDir}/invoiceplane-mariadb-dump.sql"
+ '';
+ rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
+ };
+ };
 }
diff --git a/hosts/fae/paperless.nix b/hosts/fae/paperless.nix
index 6057c686..a68dd670 100644
--- a/hosts/fae/paperless.nix
+++ b/hosts/fae/paperless.nix
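Review bot: The `mariadb-dump` line in the invoiceplane job's `backupPrepareCommand` shows no credential source and redirects straight over the previous dump, so an authentication or connection failure leaves a truncated `invoiceplane-mariadb-dump.sql` in `backupDir`. Dropping `--password=$PW` from the commented-out draft keeps the password off the process command line, but the hunk does not show how the `invoiceplane` account authenticates for the user the restic unit runs as (presumably socket authentication or an option file); a comment such as `# auth: <how invoiceplane@localhost authenticates for this unit>` would record that. Consider dumping to a temporary name and renaming only on success, with `--single-transaction` for a consistent snapshot: `mariadb-dump --single-transaction --all-databases --user=invoiceplane > "${backupDir}/invoiceplane-mariadb-dump.sql.tmp" && mv "${backupDir}/invoiceplane-mariadb-dump.sql.tmp" "${backupDir}/invoiceplane-mariadb-dump.sql"`. The secrets referenced here (`"restic-password.age"`, `"fae-rclone.conf.age"`) are declared in hosts/fae/paperless.nix, so this module only evaluates when that one is imported as well; a shared module for the backup secrets would remove that coupling.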
@@ -79,26 +79,29 @@ in
 "d '${backupDir}' 0700 ${psCfg.user.name} users - -"
 ];
- #age.secrets."rclone-fae.conf" = {
- # file = "${flake.self}/secrets/rclone-fae.conf.age";
- # path = "/root/.config/rclone/rclone.conf";
- # mode = "400";
- #};
+ age.secrets."fae-rclone.conf.age" = {
+ file = "${flake.self}/secrets/fae-rclone.conf.age";
+ path = "/root/.config/rclone/rclone.conf";
+ mode = "400";
+ };
- #age.secrets."restic-password" = {
- # file = "${flake.self}/secrets/restic-password.age";
- # mode = "400";
- #};
+ age.secrets."restic-password.age" = {
+ file = "${flake.self}/secrets/restic-password.age";
+ mode = "400";
+ };
- #services.restic.backups = {
- # paperless = {
- # paths = [ backupDir ];
- # initialize = true;
- # passwordFile = config.age.secrets."restic-password".path;
- # # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
- # repository = "rclone:cloud.pub.solar:/backups/Paperless";
- # backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
- # rcloneConfigFile = config.age.secrets."rclone-fae.conf".path;
- # };
- #};
+ services.restic.backups = {
+ paperless = {
+ paths = [ backupDir ];
+ timerConfig = {
+ OnCalendar = "*-*-* 01:00:00 Etc/UTC";
+ };
+ initialize = true;
+ passwordFile = config.age.secrets."restic-password.age".path;
+ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+ repository = "rclone:cloud.pub.solar:/Backups/Paperless";
+ backupPrepareCommand = "${dataDir}/paperless-manage document_exporter ${backupDir} -c -p";
+ rcloneConfigFile = config.age.secrets."fae-rclone.conf.age".path;
+ };
+ };
 }
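Review bot: `age.secrets."fae-rclone.conf.age"` sets `path = "/root/.config/rclone/rclone.conf"`, which is root's default rclone configuration location, so any rclone run by root on this host picks up the backup remote's credentials without asking for them. Both restic jobs already receive the file through `rcloneConfigFile`, so the `path` line looks unnecessary; dropping it leaves the decrypted config in agenix's default secrets directory and confines its use to the backup units. The attribute names also keep the `.age` suffix, so the decrypted plaintext files will presumably be named as if they were still encrypted; `age.secrets."restic-password"` with `file = "${flake.self}/secrets/restic-password.age"` reads more clearly. Neither job sets `pruneOpts`, so a short comment saying whether retention and repository checks are handled elsewhere would help the next reader.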
diff --git a/secrets/fae-rclone.conf.age b/secrets/fae-rclone.conf.age new file mode 100644 index 0000000000000000000000000000000000000000..a1c6abfb4d8a0c2aed171456391a4a227346be8d GIT binary patch literal 622 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+Fe*+@Emtr#EH+E> zaV>Ez3yJiIs4~yhb}p_;Dt9&xFEes+O|5is4e$!iOil{Rvf#?h(~b=C$aJ+#b4)8X zDY10R_RQ3_%rlCJbj{50F%I+zHq!U;bV|($C`Y%=DXh3M#8IIn&_zG8A~(A*DagAj z%E#T?AUmtf-^bOpAXVSeEF`-kA|T1rG$JZL$AT*&ztkis%-6tIyTT~ME5ab%!!ga( zB0nR|Njs#{F)=gWIKnf;&#O2rI}~JFL1vk5fsv`1LWO%(WmUO?qmijgPGp6#cCm?} zPj;Alwo9Q$uxF`3u~}7te^z3MX@0PAX<}4*sA+Z;mvfoFvwlHHL6NpozHyYdhpA6k zX|Z2Ga7c)UQ(>TAwy&R2L54}Dc7;~drkI>%#5&A2zVOieQ~L-ah$f^zlNS0E3WT7UF;axeQ-6yv808~eiJX*wXVgs+)<5gvMS9c$8m0R#E^0~TFjaKHN!&+vx1-Ez9 zO%1oK&0^iMlJ8>thn;R2Kg&uP ssh-ed25519 P2sgew RtTlKjDJLmZla6psMGCLCyGdC528wgKpAGRyjOSr0Xw +z6mXQcJ3EJsm6xdye2RW1UywRzGsw+F7YuBJCu7u97U +-> ssh-ed25519 BVsyTA MX32S4W/JPaZ0fHhvbrv9kfKFzsn0q1sSXCE0dP6GSc +xY3y6IfT10qov1RG/jTqHsvGaVx7TWqhIuPwvCVjD/o +-> piv-p256 xGzyzw A8UHNgwcama6GAq90f76XC1dXEnn4zFCnJnxZFZvLkTR +eJUaZhD9I+IuRwe72xICMrL9KRY5DXoZJdq4RSAC8vw +--- 13DAMF41oXunKtZwXnkW5b/8LOblg+6mq53H/rtm6d8 +ƒ^+™B£w‰ÐTßZÁ;ß0ÓVÕwf~:½âà^ ÿ~– ë¯’ùO[‰â<_FÑ…øê-{àÝ‚Ù²{|ZÕ]ò™©ø…R—ÉÆ‘B-sJ{Š9ÞâçÚ›-^É& \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 78765814..4a263e54 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -31,4 +31,14 @@ in users.teutat3s users.teutat3s-5-nfc ]; + "fae-rclone.conf.age".publicKeys = [ + machines.fae + users.teutat3s + users.teutat3s-5-nfc + ]; + "restic-password.age".publicKeys = [ + machines.fae + users.teutat3s + users.teutat3s-5-nfc + ]; }