diff --git a/modules/services/backups.nix b/modules/services/backups.nix
index d63e3dd..f07539b 100644
--- a/modules/services/backups.nix
+++ b/modules/services/backups.nix
@@ -32,6 +32,20 @@
 permissions = "0440";
 };
+ users.users.litestream.extraGroups = [ "backup" ];
+
+ services.litestream = {
+ enable = true;
+ environmentFile = config.secrets.backup.dest;
+ };
+
+ # Wait for secret to exist
+ systemd.services.litestream = {
+ after = [ "backup-secret.service" ];
+ requires = [ "backup-secret.service" ];
+ environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
+ };
+
 # # Backup library to object storage
 # services.restic.backups.calibre = {
 # user = "calibre-web";
diff --git a/modules/services/nextcloud.nix b/modules/services/nextcloud.nix
index 13f6aeb..55d18eb 100644
--- a/modules/services/nextcloud.nix
+++ b/modules/services/nextcloud.nix
@@ -60,12 +60,11 @@
 lib.mkForce "0770";
 # Allow litestream and nextcloud to share a sqlite database
- users.users.litestream.extraGroups = [ "nextcloud" "backup" ];
+ users.users.litestream.extraGroups = [ "nextcloud" ];
 users.users.nextcloud.extraGroups = [ "litestream" ];
 # Backup sqlite database with litestream
 services.litestream = {
- enable = true;
 settings = {
 dbs = [{
 path = "${config.services.nextcloud.datadir}/data/nextcloud.db";
@@ -75,14 +74,12 @@
 }];
 }];
 };
- environmentFile = config.secrets.backup.dest;
 };
 # Don't start litestream unless nextcloud is up
 systemd.services.litestream = {
- after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
- requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
- environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
+ after = [ "phpfpm-nextcloud.service" ];
+ requires = [ "phpfpm-nextcloud.service" ];
 };
 };
diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix
index 8acb438..e80ab8d 100644
--- a/modules/services/vaultwarden.nix
+++ b/modules/services/vaultwarden.nix
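Review bot: `environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;` in the added `systemd.services.litestream` block writes the key ID into the generated unit file, which on NixOS ends up in the world-readable store, while the secret key is deliberately kept in `environmentFile` and only read at runtime. The ID alone does not grant access, but it reveals which principal and bucket the host uses to any local user; putting `AWS_ACCESS_KEY_ID=…` into the same secret file next to the secret key keeps both out of the store. The same pattern appears in the vaultwarden-backup unit in vaultwarden.nix. `enable = true` here also starts litestream on every host that imports this module, even one that defines no `settings.dbs`, so confirm it tolerates an empty database list.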
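Review bot: The `enable = true`, `environmentFile`, and the `backup-secret.service` ordering removed here (and in the second hunk of this file) are now provided only by backups.nix, but nothing in nextcloud.nix's visible hunks imports it, whereas vaultwarden.nix gains `imports = [ … ./backups.nix ]` in the same commit. If nextcloud.nix does not import backups.nix and the host config does not either, litestream is silently disabled for Nextcloud and the secret is never loaded. A one-line comment above `services.litestream`, such as `# enable/secret wiring for litestream lives in backups.nix`, would make the dependency explicit. The enclosing module attribute set begins and ends outside this hunk.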
@@ -1,4 +1,10 @@
-{ config, lib, ... }: {
+{ config, pkgs, lib, ... }:
+
+let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
+
+in {
+
+ imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
 options = {
@@ -49,4 +55,69 @@
 }];
 }];
+ ## Backup config
+
+ # Open to groups, allowing for backups
+ systemd.services.vaultwarden.serviceConfig.StateDirectoryMode =
+ lib.mkForce "0770";
+ systemd.tmpfiles.rules = [
+ "f ${vaultwardenPath}/db.sqlite3 0660 vaultwarden vaultwarden"
+ "f ${vaultwardenPath}/db.sqlite3-shm 0660 vaultwarden vaultwarden"
+ "f ${vaultwardenPath}/db.sqlite3-wal 0660 vaultwarden vaultwarden"
+ ];
+
+ # Allow litestream and nextcloud to share a sqlite database
+ users.users.litestream.extraGroups = [ "vaultwarden" ];
+ users.users.vaultwarden.extraGroups = [ "litestream" ];
+
+ # Backup sqlite database with litestream
+ services.litestream = {
+ settings = {
+ dbs = [{
+ path = "${vaultwardenPath}/db.sqlite3";
+ replicas = [{
+ url =
+ "s3://${config.backupS3.bucket}.${config.backupS3.endpoint}/vaultwarden";
+ }];
+ }];
+ };
+ };
+
+ # Don't start litestream unless vaultwarden is up
+ systemd.services.litestream = {
+ after = [ "vaultwarden.service" ];
+ requires = [ "vaultwarden.service" ];
+ };
+
+ # Run a separate file backup on a schedule
+ systemd.timers.vaultwarden-backup = {
+ timerConfig = {
+ OnCalendar = "*-*-* 06:00:00"; # Once per day
+ Unit = "vaultwarden-backup.service";
+ };
+ wantedBy = [ "timers.target" ];
+ };
+
+ # Backup other Vaultwarden data to object storage
+ systemd.services.vaultwarden-backup = {
+ description = "Backup Vaultwarden files";
+ environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vaultwarden";
+ Group = "backup";
+ EnvironmentFile = config.secrets.backup.dest;
+ };
+ script = ''
+ ${pkgs.awscli2}/bin/aws s3 sync \
+ ${vaultwardenPath}/ \
+ s3://${config.backupS3.bucket}/vaultwarden/ \
+ --endpoint-url=https://${config.backupS3.endpoint} \
+ --exclude "*db.sqlite3*" \
+ --exclude ".db.sqlite3*"
+ '';
+ };
+
+ };
+ }
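Review bot: `aws s3 sync ${vaultwardenPath}/ …` in the added vaultwarden-backup service uploads everything in the state directory except the sqlite files, and vaultwarden by default keeps its token-signing RSA key in that directory alongside attachments, so that private key reaches the bucket with no client-side encryption. Excluding it (with the default file name, `--exclude "rsa_key*"`) or encrypting the tree before upload would keep a bucket compromise from yielding a key that can mint valid session tokens; at minimum the comment above `systemd.services.vaultwarden-backup` should state what is uploaded. The comment `# Allow litestream and nextcloud to share a sqlite database` was carried over from nextcloud.nix and should name vaultwarden. The sync only reads the data yet runs as `User = "vaultwarden"` with write access to the 0770 directory; if the CLI needs no writable home, `ProtectSystem = "strict";` together with `PrivateTmp = true;` in serviceConfig would keep a misbehaving sync from touching the live data.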