backup nextcloud and hedgedoc database using borgmatic

expose database passwords using agenix
install lsof and parted
Pim Kunis 2024-01-06 20:17:45 +01:00
parent fc2da07613
commit 97fc20e251
5 changed files with 30 additions and 8 deletions


@ -110,6 +110,8 @@
tree tree
file file
tcpdump tcpdump
lsof
parted
]; ];


@ -23,6 +23,17 @@ let
unknown_unencrypted_repo_access_is_ok: true unknown_unencrypted_repo_access_is_ok: true
before_everything: before_everything:
- ${beforeEverything}/bin/beforeEverything - ${beforeEverything}/bin/beforeEverything
postgresql_databases:
- name: nextcloud
hostname: lewis.dmz
username: nextcloud
password: ''${NEXTCLOUD_DATABASE_PASSWORD}
format: tar
- name: hedgedoc
hostname: lewis.dmz
username: hedgedoc
password: ''${HEDGEDOC_DATABASE_PASSWORD}
format: tar
''; '';
}; };
in in
@ -63,17 +74,16 @@ in
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [ borgbackup ]; environment.systemPackages = with pkgs; [ borgbackup postgresql ];
# Converted from: # Converted from:
# https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
systemd.services.borgmatic = { systemd.services.borgmatic = {
description = "borgmatic backup"; description = "borgmatic backup";
wants = [ "network-online.target" ]; wants = [ "network-online.target" ];
after = [ "network-online.target" ]; after = [ "network-online.target" ];
unitConfig.ConditionACPower = true;
unitConfig = { preStart = "${pkgs.coreutils}/bin/sleep 10s";
ConditionACPower = true; path = with pkgs; [ postgresql ];
};
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
@ -84,9 +94,9 @@ in
IOWeight = 100; IOWeight = 100;
Restart = "no"; Restart = "no";
LogRateLimitIntervalSec = 0; LogRateLimitIntervalSec = 0;
EnvironmentFile = config.age.secrets."database_passwords.env".path;
}; };
preStart = "${pkgs.coreutils}/bin/sleep 1m";
script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}"; script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
}; };
@ -99,5 +109,9 @@ in
RandomizedDelaySec = "3h"; RandomizedDelaySec = "3h";
}; };
}; };
age.secrets."database_passwords.env" = {
file = ../secrets/database_passwords.env.age;
};
}; };
} }
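Review bot: The two new `postgresql_databases` entries connect to `lewis.dmz` over the network without an `ssl_mode`, so libpq's default applies and the dumps of all Nextcloud and HedgeDoc data may cross the DMZ unencrypted if the server does not offer TLS. I would add `ssl_mode: require` (or `verify-full` with `ssl_root_cert`) to both entries; that presumably also needs TLS enabled on the PostgreSQL side and `hostssl` instead of `host` in the pg_hba rules shown further down this page. The backup also logs in as the application roles `nextcloud` and `hedgedoc`, which presumably have write access to their databases; a dedicated read-only dump role would keep write-capable credentials out of the backup host's `database_passwords.env`. The context line `unknown_unencrypted_repo_access_is_ok: true` suggests the repository may be unencrypted, which is worth confirming now that it will hold database dumps. The config string these entries sit in starts above the hunk, so repository and encryption settings are not visible here.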


@ -71,8 +71,8 @@ in
dataDir = cfg.postgresDir; dataDir = cfg.postgresDir;
authentication = '' authentication = ''
host nextcloud nextcloud all md5 host nextcloud nextcloud all md5
host hedgedoc hedgedoc all md5 host hedgedoc hedgedoc all md5
''; '';
}; };
}; };


@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 aqswPA nsjKPakYuFVxfbJkPKnhqPytMz07KIT32xgJpiuaRD0
fv+HZdDb1Evy0LIA5sFMFx+KUbAF7jJojrQXMSSmNAo
--- zJOYXheC2OupvfQNtDfcUCkVMg3TqJQEFjTfAwyi/Pw
¼¬Î°‡<EFBFBD>¨×¶†¡£‰¹maåJ^¤ˆ•€UZÂ>¬f±ââ÷@¨•¤‰÷òmÎG¨`ðrOY2‰#‡ÜŽ¼oΙþ‡= åSƒî_.ô¼MÅa3ŸL<C5B8>ÉÈüçcB·t§ÜËZ× Žç5 c•ä0Á=ŽLK¢¥ +!cu<63>t«Rƒà¥U2îŸ6½ßª½)<13>ƒ¯fPÚ³AU«¤


@ -28,6 +28,7 @@ let
encryptedFiles = [ encryptedFiles = [
"lewis_host_ed25519.age" "lewis_host_ed25519.age"
"lewis_user_ed25519.age" "lewis_user_ed25519.age"
"database_passwords.env.age"
]; ];
}; };
}; };