restic: separate db backup cleanup from main backup service, add umask, add capability wrapper

oops i made this one commit but im not pro git enough to know how to solve this in post
wo2wz 2025-11-02 13:41:23 -05:00
parent d28d54c307
commit 5fbae9dc20


@ -6,37 +6,70 @@
# for use as restic backend
# environment.systemPackages = [ pkgs.rclone ];
systemd.services.db-backup = {
wantedBy = [ "restic-backups-main.service" "restic-backups-offsite.service" ];
script = ''
DB_BACKUP_DIR=/var/backups/db-backup
systemd.services = {
db-backup = {
wantedBy = [ "restic-backups-main.service" ];
before = [ "restic-backups-main.service" ];
script = ''
DB_BACKUP_DIR=/var/backups/db-backup
SQLITE_PATH=${lib.getExe pkgs.sqlite}
SUDO_PATH=${lib.getExe pkgs.sudo}
PGDUMP_PATH=${lib.getExe' pkgs.postgresql "pg_dump"}
SQLITE_PATH=${lib.getExe pkgs.sqlite}
SUDO_PATH=${lib.getExe pkgs.sudo}
PGDUMP_PATH=${lib.getExe' pkgs.postgresql "pg_dump"}
if [ ! -d $DB_BACKUP_DIR ]; then
mkdir -p -m 600 $DB_BACKUP_DIR
fi
if [ ! -d $DB_BACKUP_DIR ]; then
mkdir -p -m 600 $DB_BACKUP_DIR
fi
$SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
$SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
$SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
$SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
$SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
umask 066
$SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > /var/backups/db-backup/dump-onlyoffice
$SUDO_PATH -u zipline -- $PGDUMP_PATH > /var/backups/db-backup/dump-zipline
$SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > /var/backups/db-backup/dump-globals
'';
serviceConfig = {
Type = "oneshot";
User = "root";
$SQLITE_PATH /var/lib/vaultwarden/db.sqlite3 ".backup $DB_BACKUP_DIR/vaultwarden.sqlite3"
$SQLITE_PATH /var/lib/uptime-kuma/kuma.db ".backup $DB_BACKUP_DIR/kuma.db"
$SQLITE_PATH /var/lib/nextcloud/data/nextcloud.db ".backup $DB_BACKUP_DIR/nextcloud.db"
$SQLITE_PATH /var/lib/ntfy-sh/user.db ".backup $DB_BACKUP_DIR/ntfy-user.db"
$SQLITE_PATH /var/lib/kanidm/kanidm.db ".backup $DB_BACKUP_DIR/kanidm.db"
$SUDO_PATH -u onlyoffice -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-onlyoffice
$SUDO_PATH -u zipline -- $PGDUMP_PATH > $DB_BACKUP_DIR/dump-zipline
$SUDO_PATH -u postgres -- ${lib.getExe' pkgs.postgresql "pg_dumpall"} -g > $DB_BACKUP_DIR/dump-globals
'';
serviceConfig.Type = "oneshot";
};
db-backup-cleanup = {
wantedBy = [ "restic-backups-main.service" ];
after = [ "restic-backups-main.service" ];
script = "rm -r /var/backups/db-backup";
serviceConfig.Type = "oneshot";
};
restic-backups-main.serviceConfig.Type = "oneshot";
};
# make wrapper to run restic rootless
users = {
users.restic = {
group = "restic";
isSystemUser = true;
};
groups.restic = {};
};
security.wrappers.restic = {
source = lib.getExe pkgs.restic;
owner = "restic";
group = "restic";
permissions = "500";
capabilities = "cap_dac_read_search+ep";
};
services.restic.backups = {
main = {
user = "restic";
package = pkgs.writeShellScriptBin "restic" ''
exec /run/wrappers/bin/restic "$@"
'';
initialize = true;
repository = "/mnt/external/backup/restic";
passwordFile = config.sops.secrets."restic/password".path;
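Review bot: The dump files written under `$DB_BACKUP_DIR` (the sqlite `.backup` copies of the Vaultwarden, Kanidm, Nextcloud, ntfy and uptime-kuma databases, and the pg_dump output) get whatever mode the unit's inherited umask gives them, and the `mkdir -p -m 600` guard only applies that mode when it creates the directory, so their protection rests on the directory happening to be fresh. Print order suggests the `umask 066` and `User = "root"` lines are on the removed side, although the commit title says "add umask", so this may already be handled; if it is not, set the umask before the first write and enforce the directory mode on every run, e.g. `umask 077`, `mkdir -p "$DB_BACKUP_DIR"`, `chmod 700 "$DB_BACKUP_DIR"`. Separately, `db-backup-cleanup` runs `rm -r` without `-f`, so a run in which the directory was never created leaves the cleanup unit failed; `script = "rm -rf /var/backups/db-backup";` is the safe form for a fixed path. Since `restic-backups-main` only `wantedBy`-pulls `db-backup` rather than requiring it, a failed dump still lets the restic run proceed and snapshot whatever partial files remain, which is worth a comment or a `requires` edge. The file section continues in a second hunk below this one.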
@ -60,8 +93,6 @@
"*.sqlite3-shm"
"*.sqlite3-wal"
];
backupCleanupCommand = "rm -r /var/backups/db-backup/*";
};
# offsite = {