restic: separate db backup cleanup from main backup service, add umask, add capability wrapper

oops i made this one commit but im not pro git enough to know how to solve this in post
This commit is contained in:
wo2wz 2025-11-02 13:41:23 -05:00
parent d28d54c307
commit 5fbae9dc20


@ -6,37 +6,70 @@
# for use as restic backend # for use as restic backend
# environment.systemPackages = [ pkgs.rclone ]; # environment.systemPackages = [ pkgs.rclone ];
systemd.services.db-backup = { systemd.services = {
wantedBy = [ "restic-backups-main.service" "restic-backups-offsite.service" ]; db-backup = {
script = '' wantedBy = [ "restic-backups-main.service" ];
DB_BACKUP_DIR=/var/backups/db-backup before = [ "restic-backups-main.service" ];
script = ''
DB_BACKUP_DIR=/var/backups/db-backup
SQLITE_PATH=${lib.getExe pkgs.sqlite} SQLITE_PATH=${lib.getExe pkgs.sqlite}
SUDO_PATH=${lib.getExe pkgs.sudo} SUDO_PATH=${lib.getExe pkgs.sudo}
PGDUMP_PATH=${lib.getExe' pkgs.postgresql "pg_dump"} PGDUMP_PATH=${lib.getExe' pkgs.postgresql "pg_dump"}
if [ ! -d $DB_BACKUP_DIR ]; then if [ ! -d $DB_BACKUP_DIR ]; then
mkdir -p -m 600 $DB_BACKUP_DIR mkdir -p -m 600 $DB_BACKUP_DIR
fi fi
$SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3" umask 066
$SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
$SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
$SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
$SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
$SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > /var/backups/db-backup/dump-onlyoffice $SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
$SUDO_PATH -u zipline -- $PGDUMP_PATH > /var/backups/db-backup/dump-zipline $SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
$SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > /var/backups/db-backup/dump-globals $SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
''; $SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
serviceConfig = { $SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
Type = "oneshot";
User = "root"; $SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-onlyoffice
$SUDO_PATH -u zipline -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-zipline
$SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > $DB_BACKUP_DIR/dump-globals
'';
serviceConfig.Type = "oneshot";
}; };
db-backup-cleanup = {
wantedBy = [ "restic-backups-main.service" ];
after = [ "restic-backups-main.service" ];
script = "rm -r /var/backups/db-backup";
serviceConfig.Type = "oneshot";
};
restic-backups-main.serviceConfig.Type = "oneshot";
};
# make wrapper to run restic rootless
users = {
users.restic = {
group = "restic";
isSystemUser = true;
};
groups.restic = {};
};
security.wrappers.restic = {
source = lib.getExe pkgs.restic;
owner = "restic";
group = "restic";
permissions = "500";
capabilities = "cap_dac_read_search+ep";
}; };
services.restic.backups = { services.restic.backups = {
main = { main = {
user = "restic";
package = pkgs.writeShellScriptBin "restic" ''
exec /run/wrappers/bin/restic "$@"
'';
initialize = true; initialize = true;
repository = "/mnt/external/backup/restic"; repository = "/mnt/external/backup/restic";
passwordFile = config.sops.secrets."restic/password".path; passwordFile = config.sops.secrets."restic/password".path;
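Review bot: The new `db-backup-cleanup` unit is only ordered `after = [ "restic-backups-main.service" ]`, so when the restic run fails the dumps are still removed, and `db-backup` is only `before`/`wantedBy` the restic unit, so a failing dump step does not stop the snapshot of whatever partial files remain. Consider binding outcomes to ordering: add `requires = [ "db-backup.service" ]; after = [ "db-backup.service" ];` to the new `restic-backups-main` attrset next to its `serviceConfig.Type`, and give `db-backup-cleanup` a matching `requires = [ "restic-backups-main.service" ];` so it is skipped when the backup fails. The `security.wrappers.restic` block also deserves a comment stating its effect, e.g. `# CAP_DAC_READ_SEARCH lets this binary read every file on the host; keep the restic user locked (no shell, no interactive login)`, since the `/run/wrappers/bin/restic` shim hands that capability to anything running as that user. Whether the restic user can write to `/mnt/external/backup/restic` is not visible here; the capability grants read/search only, so `initialize = true` presumably relies on directory permissions set elsewhere.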
@ -60,8 +93,6 @@
"*.sqlite3-shm" "*.sqlite3-shm"
"*.sqlite3-wal" "*.sqlite3-wal"
]; ];
backupCleanupCommand = "rm -r /var/backups/db-backup/*";
}; };
# offsite = { # offsite = {