diff --git a/machines/chungus/configuration.nix b/machines/chungus/configuration.nix
index 99847aa..3c968f4 100644
--- a/machines/chungus/configuration.nix
+++ b/machines/chungus/configuration.nix
@@ -47,6 +47,8 @@
 ./service-atuin.nix
 ./service-forgejo.nix
 ./service-paperless.nix
+ ./service-paperless-backup.nix
+ ./service-paperless-healthchecks.nix
 ./service-s3.nix
 #./service-taskwarrior.nix
 ./service-vault.nix
diff --git a/machines/chungus/service-paperless-backup.nix b/machines/chungus/service-paperless-backup.nix
new file mode 100644
index 0000000..989b246
--- /dev/null
+++ b/machines/chungus/service-paperless-backup.nix
@@ -0,0 +1,40 @@
+{
+ config,
+ pkgs,
+ lib,
+ factsGenerator,
+ ...
+}:
+{
+
+ clan.core.facts.services."paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; };
+ clan.core.facts.services."paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; };
+
+ # backup
+ services.borgbackup.jobs."paperless-ngx" = {
+ paths = [ config.services.paperless.dataDir ];
+ repo = "root@orbi.bear:borg-${config.networking.hostName}-paperless";
+ compression = "auto,lzma";
+ startAt = "daily";
+ encryption = {
+ mode = "keyfile-blake2";
+ passCommand = "cat ${
+ toString config.clan.core.facts.services."paperless-ngx.borg".secret."password.borgbackup".path
+ }";
+ };
+ environment = {
+ BORG_RSH = "ssh -i ${
+ toString
+ config.clan.core.facts.services."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path
+ }";
+ BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+ };
+ prune.keep = {
+ within = "3d"; # Keep all backups in the last 10 days.
+ weekly = 2; # Keep 8 additional end of week archives.
+ monthly = -1; # Keep end of month archive for every month
+ };
+ doInit = true;
+ };
+
+}
diff --git a/machines/chungus/service-paperless-healthchecks.nix b/machines/chungus/service-paperless-healthchecks.nix
new file mode 100644
index 0000000..46ffec1
--- /dev/null
+++ b/machines/chungus/service-paperless-healthchecks.nix
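Review bot: In service-paperless-backup.nix the job logs in to the backup host as `root@orbi.bear` with a key stored on this machine, so unless that key is pinned to a forced `borg serve` command in authorized_keys on orbi.bear (not visible in this diff), a compromise of chungus also yields root on the backup host and the ability to destroy the archives. Prefer a dedicated unprivileged account, e.g. `repo = "<backup-user>@orbi.bear:borg-${config.networking.hostName}-paperless";`, restricted server-side with `borg serve --restrict-to-path <repo-path>`. `BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes"` also auto-accepts Borg's warning when the repository appears at a different location than before, which deserves a comment saying why it is needed. The prune comments disagree with the values as well: `within = "3d"` is annotated as 10 days and `weekly = 2` as 8 archives, so either the numbers or the comments should be corrected.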
@@ -0,0 +1,16 @@
+{
+ config,
+ pkgs,
+ lib,
+ factsGenerator,
+ ...
+}:
+{
+
+ healthchecks.http.paperless = {
+ url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/";
+ expectedContent = "paperless.chungus.private";
+ };
+ healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ];
+
+}
diff --git a/machines/chungus/service-paperless.nix b/machines/chungus/service-paperless.nix
index 6fc3770..28629c7 100644
--- a/machines/chungus/service-paperless.nix
+++ b/machines/chungus/service-paperless.nix
@@ -2,8 +2,6 @@
 config,
 pkgs,
 lib,
- nixos-artwork,
- factsGenerator,
 ...
 }:
 {
@@ -36,11 +34,6 @@ }; networking.firewall.interfaces.wg0.allowedTCPPorts = [ config.services.paperless.port ]; - healthchecks.http.paperless = { - url = "http://paperless.ingolf-wagner.de/accounts/login/?next=/"; - expectedContent = "paperless.chungus.private"; - }; - healthchecks.closed.retiolum.ports.paperless = [ config.services.paperless.port ]; services.nginx.virtualHosts."paperless.${config.networking.hostName}.private" = { serverAliases = [ "paperless.ingolf-wagner.de" ];
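Review bot: The probe in service-paperless-healthchecks.nix fetches the login page over plain `http://`, so it passes without exercising TLS and would not notice an expired certificate or a missing HTTP-to-HTTPS redirect on the vhost that accepts credentials. If the nginx virtual host terminates TLS (its settings are outside this diff), point the check at `url = "https://paperless.ingolf-wagner.de/accounts/login/?next=/";`; if it is deliberately HTTP-only on the private network, a comment stating that would make the intent reviewable. Separately, `pkgs`, `lib` and `factsGenerator` are declared in this file's argument set but only `config` is used.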
@@ -58,34 +51,4 @@ }; }; - clan.core.facts.services."paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; }; - clan.core.facts.services."paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; }; - - # backup - services.borgbackup.jobs."paperless-ngx" = { - paths = [ config.services.paperless.dataDir ]; - repo = "root@orbi.bear:borg-${config.networking.hostName}-paperless"; - compression = "auto,lzma"; - startAt = "daily"; - encryption = { - mode = "keyfile-blake2"; - passCommand = "cat ${ - toString config.clan.core.facts.services."paperless-ngx.borg".secret."password.borgbackup".path - }"; - }; - environment = { - BORG_RSH = "ssh -i ${ - toString - config.clan.core.facts.services."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path - }"; - BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes"; - }; - prune.keep = { - within = "3d"; # Keep all backups in the last 10 days. - weekly = 2; # Keep 8 additional end of week archives. - monthly = -1; # Keep end of month archive for every month - }; - doInit = true; - }; - }