From 97fc20e251ca2a84e12ca1d752e22b1b57763c04 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 6 Jan 2024 20:17:45 +0100 Subject: [PATCH] backup nextcloud and hedgedoc database using borgmatic expose database passwords using agenix install lsof and parted --- nixos/default.nix | 2 ++ nixos/modules/backups.nix | 26 ++++++++++++++++++------ nixos/modules/data-sharing.nix | 4 ++-- nixos/secrets/database_passwords.env.age | 5 +++++ nixos/secrets/secrets.nix | 1 + 5 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 nixos/secrets/database_passwords.env.age diff --git a/nixos/default.nix b/nixos/default.nix index f2b74a4..596a355 100644 --- a/nixos/default.nix +++ b/nixos/default.nix @@ -110,6 +110,8 @@ tree file tcpdump + lsof + parted ]; diff --git a/nixos/modules/backups.nix b/nixos/modules/backups.nix index 6478111..11d838d 100644 --- a/nixos/modules/backups.nix +++ b/nixos/modules/backups.nix @@ -23,6 +23,17 @@ let unknown_unencrypted_repo_access_is_ok: true before_everything: - ${beforeEverything}/bin/beforeEverything + postgresql_databases: + - name: nextcloud + hostname: lewis.dmz + username: nextcloud + password: ''${NEXTCLOUD_DATABASE_PASSWORD} + format: tar + - name: hedgedoc + hostname: lewis.dmz + username: hedgedoc + password: ''${HEDGEDOC_DATABASE_PASSWORD} + format: tar ''; }; in @@ -63,17 +74,16 @@ in }; config = lib.mkIf cfg.enable { - environment.systemPackages = with pkgs; [ borgbackup ]; + environment.systemPackages = with pkgs; [ borgbackup postgresql ]; # Converted from: # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd systemd.services.borgmatic = { description = "borgmatic backup"; wants = [ "network-online.target" ]; after = [ "network-online.target" ]; - - unitConfig = { - ConditionACPower = true; - }; + unitConfig.ConditionACPower = true; + preStart = "${pkgs.coreutils}/bin/sleep 10s"; + path = with pkgs; [ postgresql ]; serviceConfig = { Type = "oneshot"; 
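Review bot: The new `postgresql_databases` entries point pg_dump at `lewis.dmz` over the network with no `ssl_mode`, so unless that link is protected some other way the database password and the full dump travel in the clear; borgmatic's `ssl_mode: require` (or `verify-full` plus `ssl_root_cert`) on each entry closes that, and the existing `host ... md5` rules on the server side accept a TLS connection as-is (`hostssl` would then be the stricter rule). The `''${NEXTCLOUD_DATABASE_PASSWORD}` spelling is the Nix escape for a literal `${...}` that borgmatic expands from the unit's environment at run time, which is exactly what keeps the plaintext out of the Nix store, but it reads like a typo; a comment above the block would stop someone from "fixing" it into a Nix interpolation: `# ''${VAR} is a literal ${VAR} for borgmatic to expand from EnvironmentFile= — never a Nix interpolation`. The `borgmaticConfig` binding this YAML belongs to starts before the hunk.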
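Review bot: `path = with pkgs; [ postgresql ];` picks whatever major version `pkgs.postgresql` happens to be, while pg_dump aborts with a "server version mismatch" when the server's major is newer than its own; the server runs on lewis.dmz and its package is not visible here, so the client should be pinned to the same major (e.g. `path = [ pkgs.postgresql_15 ];`) or the unit will start failing after the next nixpkgs or server bump. With `path` set, the companion change to `environment.systemPackages = with pkgs; [ borgbackup postgresql ];` is redundant for the service and puts the whole server package on every user's PATH; reverting it to `[ borgbackup ]` is enough. The `systemd.services.borgmatic` attribute set continues past the end of the hunk.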
@@ -84,9 +94,9 @@ in IOWeight = 100; Restart = "no"; LogRateLimitIntervalSec = 0; + EnvironmentFile = config.age.secrets."database_passwords.env".path; }; - preStart = "${pkgs.coreutils}/bin/sleep 1m"; script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}"; }; @@ -99,5 +109,9 @@ in RandomizedDelaySec = "3h"; }; }; + + age.secrets."database_passwords.env" = { + file = ../secrets/database_passwords.env.age; + }; }; } diff --git a/nixos/modules/data-sharing.nix b/nixos/modules/data-sharing.nix index 71f6f49..884cbb8 100644 --- a/nixos/modules/data-sharing.nix +++ b/nixos/modules/data-sharing.nix @@ -71,8 +71,8 @@ in dataDir = cfg.postgresDir; authentication = '' - host nextcloud nextcloud all md5 - host hedgedoc hedgedoc all md5 + host nextcloud nextcloud all md5 + host hedgedoc hedgedoc all md5 ''; }; }; diff --git a/nixos/secrets/database_passwords.env.age b/nixos/secrets/database_passwords.env.age new file mode 100644 index 0000000..29f885b --- /dev/null +++ b/nixos/secrets/database_passwords.env.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 aqswPA nsjKPakYuFVxfbJkPKnhqPytMz07KIT32xgJpiuaRD0 +fv+HZdDb1Evy0LIA5sFMFx+KUbAF7jJojrQXMSSmNAo +--- zJOYXheC2OupvfQNtDfcUCkVMg3TqJQEFjTfAwyi/Pw +ΰmaJ^UZ>f@mG`rOY2#܎oΙ= S_.Ma3HLcBtZנ5c0=LK+!cutRU26ߪ)fPڳAU \ No newline at end of file diff --git a/nixos/secrets/secrets.nix b/nixos/secrets/secrets.nix index 8b05dd6..9ce4ece 100644 --- a/nixos/secrets/secrets.nix +++ b/nixos/secrets/secrets.nix @@ -28,6 +28,7 @@ let encryptedFiles = [ "lewis_host_ed25519.age" "lewis_user_ed25519.age" + "database_passwords.env.age" ]; }; };
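Review bot: `EnvironmentFile = config.age.secrets."database_passwords.env".path;` places both database passwords in the environment of borgmatic and, by inheritance, of everything it spawns — the `beforeEverything` hook, borg, ssh — not only the pg_dump runs that need them; there is no systemd knob to strip them from children, so that exposure should at least be stated next to the line: `# Exposed to borgmatic AND every hook/child it runs; hook scripts must never dump their environment`. systemd also parses `EnvironmentFile=` with shell-style rules (quotes, backslash escapes, `#`/`;` comment lines), so a password containing such characters has to be quoted in the `.env` file or it will be silently mangled, and `Restart = "no"` on the oneshot means the resulting auth failure is only visible in the journal. The `serviceConfig` block and the enclosing unit definition extend beyond the hunk.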
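Review bot: The new `age.secrets."database_passwords.env"` declaration relies on agenix's defaults (owner root, mode 0400), which only works because the borgmatic unit has no `User=`/`DynamicUser=` and so appears to run as root; making that explicit with `mode = "0400"; owner = "root";` and a comment documents the assumption so a later change to the unit's user fails at review rather than at backup time with a permission error. A short comment on the file's expected contents would also help whoever re-encrypts it later: `# KEY=value lines: NEXTCLOUD_DATABASE_PASSWORD, HEDGEDOC_DATABASE_PASSWORD (read by borgmatic.service via EnvironmentFile=)`. The enclosing `config = lib.mkIf cfg.enable { ... }` set starts before the hunk.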