vaultwarden automated backups
This commit is contained in:
parent
6f67e31723
commit
41d8e30990
@ -32,6 +32,20 @@
|
||||
permissions = "0440";
|
||||
};
|
||||
|
||||
users.users.litestream.extraGroups = [ "backup" ];
|
||||
|
||||
services.litestream = {
|
||||
enable = true;
|
||||
environmentFile = config.secrets.backup.dest;
|
||||
};
|
||||
|
||||
# Wait for secret to exist
|
||||
systemd.services.litestream = {
|
||||
after = [ "backup-secret.service" ];
|
||||
requires = [ "backup-secret.service" ];
|
||||
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||
};
|
||||
|
||||
# # Backup library to object storage
|
||||
# services.restic.backups.calibre = {
|
||||
# user = "calibre-web";
|
||||
|
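Review bot: If this hunk is the shared backups module (vaultwarden.nix imports `./backups.nix`, and the nextcloud hunks appear to drop their own `enable`/`environmentFile` lines), then `services.litestream = { enable = true; ... }` now runs litestream, plus the hard `requires = [ "backup-secret.service" ]` dependency, on every host that imports the file, including hosts that declare no `dbs`. That is probably not intended: a litestream unit with no databases is a needless long-running process holding the S3 credentials from `environmentFile`, and a host without the backup secret would fail to start it. Consider gating `enable` on whether any replica database is declared, or keeping `enable = true` next to each consumer's `settings.dbs` and leaving only the credential/ordering plumbing here. The enclosing module attrset starts and ends outside this hunk.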
@ -60,12 +60,11 @@
|
||||
lib.mkForce "0770";
|
||||
|
||||
# Allow litestream and nextcloud to share a sqlite database
|
||||
users.users.litestream.extraGroups = [ "nextcloud" "backup" ];
|
||||
users.users.litestream.extraGroups = [ "nextcloud" ];
|
||||
users.users.nextcloud.extraGroups = [ "litestream" ];
|
||||
|
||||
# Backup sqlite database with litestream
|
||||
services.litestream = {
|
||||
enable = true;
|
||||
settings = {
|
||||
dbs = [{
|
||||
path = "${config.services.nextcloud.datadir}/data/nextcloud.db";
|
||||
@ -75,14 +74,12 @@
|
||||
}];
|
||||
}];
|
||||
};
|
||||
environmentFile = config.secrets.backup.dest;
|
||||
};
|
||||
|
||||
# Don't start litestream unless nextcloud is up
|
||||
systemd.services.litestream = {
|
||||
after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
|
||||
requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
|
||||
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||
after = [ "phpfpm-nextcloud.service" ];
|
||||
requires = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
|
||||
};
|
||||
|
@ -1,4 +1,10 @@
|
||||
{ config, lib, ... }: {
|
||||
{ config, pkgs, lib, ... }:
|
||||
|
||||
let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
|
||||
|
||||
in {
|
||||
|
||||
imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
|
||||
|
||||
options = {
|
||||
|
||||
@ -49,4 +55,69 @@
|
||||
}];
|
||||
}];
|
||||
|
||||
## Backup config
|
||||
|
||||
# Open to groups, allowing for backups
|
||||
systemd.services.vaultwarden.serviceConfig.StateDirectoryMode =
|
||||
lib.mkForce "0770";
|
||||
systemd.tmpfiles.rules = [
|
||||
"f ${vaultwardenPath}/db.sqlite3 0660 vaultwarden vaultwarden"
|
||||
"f ${vaultwardenPath}/db.sqlite3-shm 0660 vaultwarden vaultwarden"
|
||||
"f ${vaultwardenPath}/db.sqlite3-wal 0660 vaultwarden vaultwarden"
|
||||
];
|
||||
|
||||
# Allow litestream and nextcloud to share a sqlite database
|
||||
users.users.litestream.extraGroups = [ "vaultwarden" ];
|
||||
users.users.vaultwarden.extraGroups = [ "litestream" ];
|
||||
|
||||
# Backup sqlite database with litestream
|
||||
services.litestream = {
|
||||
settings = {
|
||||
dbs = [{
|
||||
path = "${vaultwardenPath}/db.sqlite3";
|
||||
replicas = [{
|
||||
url =
|
||||
"s3://${config.backupS3.bucket}.${config.backupS3.endpoint}/vaultwarden";
|
||||
}];
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
# Don't start litestream unless vaultwarden is up
|
||||
systemd.services.litestream = {
|
||||
after = [ "vaultwarden.service" ];
|
||||
requires = [ "vaultwarden.service" ];
|
||||
};
|
||||
|
||||
# Run a separate file backup on a schedule
|
||||
systemd.timers.vaultwarden-backup = {
|
||||
timerConfig = {
|
||||
OnCalendar = "*-*-* 06:00:00"; # Once per day
|
||||
Unit = "vaultwarden-backup.service";
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
|
||||
# Backup other Vaultwarden data to object storage
|
||||
systemd.services.vaultwarden-backup = {
|
||||
description = "Backup Vaultwarden files";
|
||||
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "vaultwarden";
|
||||
Group = "backup";
|
||||
EnvironmentFile = config.secrets.backup.dest;
|
||||
};
|
||||
script = ''
|
||||
${pkgs.awscli2}/bin/aws s3 sync \
|
||||
${vaultwardenPath}/ \
|
||||
s3://${config.backupS3.bucket}/vaultwarden/ \
|
||||
--endpoint-url=https://${config.backupS3.endpoint} \
|
||||
--exclude "*db.sqlite3*" \
|
||||
--exclude ".db.sqlite3*"
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
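Review bot: The `vaultwarden-backup` script runs `aws s3 sync` over the whole of `${vaultwardenPath}/` with only the sqlite files excluded, and vaultwarden's data directory normally also holds `rsa_key.pem` (the key that signs login JWTs) and `config.json` (which can carry the admin token and SMTP credentials) — verify against a running instance — so those land in the bucket in plaintext, and anyone with read access to the bucket could mint valid session tokens. Either encrypt client-side before upload (the repo appears to know restic, per the commented-out `services.restic.backups` block in the first hunk), or at minimum add `--exclude "rsa_key*"` and `--exclude "config.json"` and, where the endpoint supports it, `--sse AES256`; the litestream replica should get the same at-rest consideration since the bucket now holds the full vault database. Note also that `StateDirectoryMode = lib.mkForce "0770"` together with the `0660` tmpfiles rules and `users.users.litestream.extraGroups = [ "vaultwarden" ]` gives the litestream user write access to the vault database; that is what litestream needs for checkpointing, but the reverse grant `users.users.vaultwarden.extraGroups = [ "litestream" ]` has no visible use here and could be dropped. The comment above the group lines is copied from nextcloud.nix; it should read `# Allow litestream and vaultwarden to share a sqlite database`. The enclosing `in { ... }` attrset begins outside this hunk.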