noah/dotfiles
1
0
Fork 0
mirror of https://github.com/nmasur/dotfiles synced 2024-09-19 15:54:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

vaultwarden automated backups

Browse Source
This commit is contained in:
Noah Masur 2022-10-16 19:06:56 +00:00
parent 6f67e31723
commit 41d8e30990
3 changed files with 89 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
modules/services/backups.nix
View File

@ -32,6 +32,20 @@
permissions = "0440";
};
users.users.litestream.extraGroups = [ "backup" ];
services.litestream = {
enable = true;
environmentFile = config.secrets.backup.dest;
};
# Wait for secret to exist
systemd.services.litestream = {
after = [ "backup-secret.service" ];
requires = [ "backup-secret.service" ];
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
};
# # Backup library to object storage
# services.restic.backups.calibre = {
# user = "calibre-web";

9
modules/services/nextcloud.nix
View File

@ -60,12 +60,11 @@
lib.mkForce "0770";
# Allow litestream and nextcloud to share a sqlite database
users.users.litestream.extraGroups = [ "nextcloud" "backup" ];
users.users.litestream.extraGroups = [ "nextcloud" ];
users.users.nextcloud.extraGroups = [ "litestream" ];
# Backup sqlite database with litestream
services.litestream = {
enable = true;
settings = {
dbs = [{
path = "${config.services.nextcloud.datadir}/data/nextcloud.db";
@ -75,14 +74,12 @@
}];
}];
};
environmentFile = config.secrets.backup.dest;
};
# Don't start litestream unless nextcloud is up
systemd.services.litestream = {
after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
after = [ "phpfpm-nextcloud.service" ];
requires = [ "phpfpm-nextcloud.service" ];
};
};

73
modules/services/vaultwarden.nix
View File

@ -1,4 +1,10 @@
{ config, lib, ... }: {
{ config, pkgs, lib, ... }:
let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
in {
imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
options = {
@ -49,4 +55,69 @@
}];
}];
## Backup config
# Open to groups, allowing for backups
systemd.services.vaultwarden.serviceConfig.StateDirectoryMode =
lib.mkForce "0770";
systemd.tmpfiles.rules = [
"f ${vaultwardenPath}/db.sqlite3 0660 vaultwarden vaultwarden"
"f ${vaultwardenPath}/db.sqlite3-shm 0660 vaultwarden vaultwarden"
"f ${vaultwardenPath}/db.sqlite3-wal 0660 vaultwarden vaultwarden"
];
# Allow litestream and nextcloud to share a sqlite database
users.users.litestream.extraGroups = [ "vaultwarden" ];
users.users.vaultwarden.extraGroups = [ "litestream" ];
# Backup sqlite database with litestream
services.litestream = {
settings = {
dbs = [{
path = "${vaultwardenPath}/db.sqlite3";
replicas = [{
url =
"s3://${config.backupS3.bucket}.${config.backupS3.endpoint}/vaultwarden";
}];
}];
};
};
# Don't start litestream unless vaultwarden is up
systemd.services.litestream = {
after = [ "vaultwarden.service" ];
requires = [ "vaultwarden.service" ];
};
# Run a separate file backup on a schedule
systemd.timers.vaultwarden-backup = {
timerConfig = {
OnCalendar = "*-*-* 06:00:00"; # Once per day
Unit = "vaultwarden-backup.service";
};
wantedBy = [ "timers.target" ];
};
# Backup other Vaultwarden data to object storage
systemd.services.vaultwarden-backup = {
description = "Backup Vaultwarden files";
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
serviceConfig = {
Type = "oneshot";
User = "vaultwarden";
Group = "backup";
EnvironmentFile = config.secrets.backup.dest;
};
script = ''
${pkgs.awscli2}/bin/aws s3 sync \
${vaultwardenPath}/ \
s3://${config.backupS3.bucket}/vaultwarden/ \
--endpoint-url=https://${config.backupS3.endpoint} \
--exclude "*db.sqlite3*" \
--exclude ".db.sqlite3*"
'';
};
};
}