diff --git a/modules/nixos/services/homeserver/restic.nix b/modules/nixos/services/homeserver/restic.nix
index ca90b03..ec6660d 100644
--- a/modules/nixos/services/homeserver/restic.nix
+++ b/modules/nixos/services/homeserver/restic.nix
@@ -6,37 +6,70 @@
 # for use as restic backend
 # environment.systemPackages = [ pkgs.rclone ];
- systemd.services.db-backup = {
- wantedBy = [ "restic-backups-main.service" "restic-backups-offsite.service" ];
- script = ''
- DB_BACKUP_DIR=/var/backups/db-backup
+ systemd.services = {
+ db-backup = {
+ wantedBy = [ "restic-backups-main.service" ];
+ before = [ "restic-backups-main.service" ];
+ script = ''
+ DB_BACKUP_DIR=/var/backups/db-backup
- SQLITE_PATH=${lib.getExe pkgs.sqlite}
- SUDO_PATH=${lib.getExe pkgs.sudo}
- PGDUMP_PATH=${lib.getExe' pkgs.postgresql "pg_dump"}
+ SQLITE_PATH=${lib.getExe pkgs.sqlite}
+ SUDO_PATH=${lib.getExe pkgs.sudo}
+ PGDUMP_PATH=${lib.getExe' pkgs.postgresql "pg_dump"}
- if [ ! -d $DB_BACKUP_DIR ]; then
- mkdir -p -m 600 $DB_BACKUP_DIR
- fi
+ if [ ! -d $DB_BACKUP_DIR ]; then
+ mkdir -p -m 600 $DB_BACKUP_DIR
+ fi
- $SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
- $SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
- $SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
- $SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
- $SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
+ umask 066
- $SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > /var/backups/db-backup/dump-onlyoffice
- $SUDO_PATH -u zipline -- $PGDUMP_PATH > /var/backups/db-backup/dump-zipline
- $SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > /var/backups/db-backup/dump-globals
- '';
- serviceConfig = {
- Type = "oneshot";
- User = "root";
+ $SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
+ $SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
+ $SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
+ $SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
+ $SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
+
+ $SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-onlyoffice
+ $SUDO_PATH -u zipline -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-zipline
+ $SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > $DB_BACKUP_DIR/dump-globals
+ '';
+ serviceConfig.Type = "oneshot";
 };
+
+ db-backup-cleanup = {
+ wantedBy = [ "restic-backups-main.service" ];
+ after = [ "restic-backups-main.service" ];
+ script = "rm -r /var/backups/db-backup";
+ serviceConfig.Type = "oneshot";
+ };
+
+ restic-backups-main.serviceConfig.Type = "oneshot";
+ };
+
+ # make wrapper to run restic rootless
+ users = {
+ users.restic = {
+ group = "restic";
+ isSystemUser = true;
+ };
+ groups.restic = {};
+ };
+
+ security.wrappers.restic = {
+ source = lib.getExe pkgs.restic;
+ owner = "restic";
+ group = "restic";
+ permissions = "500";
+ capabilities = "cap_dac_read_search+ep";
 };
 services.restic.backups = {
 main = {
+ user = "restic";
+ package = pkgs.writeShellScriptBin "restic" ''
+ exec /run/wrappers/bin/restic "$@"
+ '';
+ initialize = true;
 repository = "/mnt/external/backup/restic";
 passwordFile = config.sops.secrets."restic/password".path;
@@ -60,8 +93,6 @@
 "*.sqlite3-shm"
 "*.sqlite3-wal"
 ];
-
- backupCleanupCommand = "rm -r /var/backups/db-backup/*";
 };
 # offsite = {