From 6592341dc31c6f26422ec3a9fed2e601ab985cfc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Thu, 31 Aug 2023 11:44:53 +0200
Subject: [PATCH] prism: add backup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
---
 lass/2configs/codimd.nix | 71 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 67 insertions(+), 4 deletions(-)

diff --git a/lass/2configs/codimd.nix b/lass/2configs/codimd.nix
index ccca49fac..0927788a7 100644
--- a/lass/2configs/codimd.nix
+++ b/lass/2configs/codimd.nix
@@ -2,7 +2,8 @@
 with import <stockholm/lib>;
 let
   domain = "pad.lassul.us";
-in {
+in
+{
 
   # redirect legacy domain to new one
   services.nginx.virtualHosts."codi.lassul.us" = {
@@ -25,13 +26,77 @@ in {
 
   security.dhparams = {
     enable = true;
-    params.hedgedoc = {};
+    params.hedgedoc = { };
   };
 
   systemd.services.hedgedoc.environment = {
     CMD_COOKIE_POLICY = "none";
     CMD_CSP_ALLOW_FRAMING = "true";
   };
+
+  systemd.services.hedgedoc-backup = {
+    startAt = "daily";
+    serviceConfig = {
+      ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"'';
+      Type = "oneshot";
+    };
+  };
+
+  services.postgresqlBackup.enable = true;
+
+  systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
+
+  services.borgbackup.jobs.hetzner = {
+    paths = [
+      "/home"
+      "/etc"
+      "/var"
+      "/root"
+    ];
+    exclude = [
+      "*.pyc"
+      "/home/*/.direnv"
+      "/home/*/.cache"
+      "/home/*/.cargo"
+      "/home/*/.npm"
+      "/home/*/.m2"
+      "/home/*/.gradle"
+      "/home/*/.opam"
+      "/home/*/.clangd"
+      "/var/lib/containerd"
+      # already included in database backup
+      "/var/lib/postgresql"
+      # not so important
+      "/var/lib/docker/"
+      "/var/log/journal"
+      "/var/cache"
+      "/var/tmp"
+      "/var/log"
+    ];
+    repo = "u348918@u348918.your-storagebox.de:/./hetzner";
+    encryption.mode = "none";
+    compression = "auto,zstd";
+    startAt = "daily";
+    # TODO: change backup key
+    environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
+    preHook = ''
+      set -x
+    '';
+
+    postHook = ''
+      cat > /var/log/telegraf/borgbackup-job-hetzner.service <<EOF
+      task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+      EOF
+    '';
+
+    prune.keep = {
+      within = "1d"; # Keep all archives from the last day
+      daily = 7;
+      weekly = 4;
+      monthly = 0;
+    };
+  };
+
   services.hedgedoc = {
     enable = true;
     configuration.allowOrigin = [ domain ];
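Review bot: `encryption.mode = "none";` in `services.borgbackup.jobs.hetzner` sends the repository to a third-party storage box in cleartext, while the `paths` list covers `/etc`, `/root` and `/var`, which on this host includes the ACME private key this same file references (`/var/lib/acme/${domain}/key.pem`), the sqlite and PostgreSQL dumps under `/var/backup`, and presumably the SSH host keys under `/etc/ssh`. Anyone who can read the storage box, or who obtains the SSH key that `BORG_RSH` points at, can recover that key material outright. Prefer `encryption.mode = "repokey-blake2";` with the passphrase supplied via `encryption.passCommand` from a sops secret that still needs to be added, or at minimum add `/var/lib/acme` and `/etc/ssh` to `exclude`. Separately, nothing in this hunk creates `/var/backup/hedgedoc`, so the `sqlite3 ... ".backup ..."` ExecStart will fail on a fresh host until the directory exists; `systemd.tmpfiles.rules = [ "d /var/backup/hedgedoc 0700 root root -" ];` would cover it, and since both units are `startAt = "daily"` the borg job should probably also order `after = [ "hedgedoc-backup.service" ]` so it does not snapshot a half-written dump.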
@@ -51,8 +116,6 @@ in {
       sslCertPath = "/var/lib/acme/${domain}/cert.pem";
       sslKeyPath = "/var/lib/acme/${domain}/key.pem";
       dhParamPath = config.security.dhparams.params.hedgedoc.path;
-
     };
   };
 }
-