vaultwarden automated backups
This commit is contained in:
parent
6f67e31723
commit
41d8e30990
@ -32,6 +32,20 @@
|
|||||||
permissions = "0440";
|
permissions = "0440";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.users.litestream.extraGroups = [ "backup" ];
|
||||||
|
|
||||||
|
services.litestream = {
|
||||||
|
enable = true;
|
||||||
|
environmentFile = config.secrets.backup.dest;
|
||||||
|
};
|
||||||
|
|
||||||
|
# Wait for secret to exist
|
||||||
|
systemd.services.litestream = {
|
||||||
|
after = [ "backup-secret.service" ];
|
||||||
|
requires = [ "backup-secret.service" ];
|
||||||
|
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||||
|
};
|
||||||
|
|
||||||
# # Backup library to object storage
|
# # Backup library to object storage
|
||||||
# services.restic.backups.calibre = {
|
# services.restic.backups.calibre = {
|
||||||
# user = "calibre-web";
|
# user = "calibre-web";
|
||||||
|
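Review bot: `enable = true;` for `services.litestream` is now unconditional in this shared file (inferred to be backups.nix from the commented-out restic block), so every host importing it will start litestream even with no `settings.dbs` declared; whether the daemon idles or fails on an empty config I cannot tell from here, but either way it is a unit running as a member of the `backup` group with the S3 credentials loaded for no purpose. Consider leaving `enable` to the modules that declare a database, or gating it, e.g. `enable = (config.services.litestream.settings.dbs or [ ]) != [ ];` if the module evaluates without recursion. Separately, `environment.AWS_ACCESS_KEY_ID` is rendered into the unit file in the world-readable Nix store; the key ID is an identifier rather than a secret, but if that matters for this bucket it can live in the `environmentFile` next to the secret key instead. The enclosing attribute set opens before this hunk.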
@ -60,12 +60,11 @@
|
|||||||
lib.mkForce "0770";
|
lib.mkForce "0770";
|
||||||
|
|
||||||
# Allow litestream and nextcloud to share a sqlite database
|
# Allow litestream and nextcloud to share a sqlite database
|
||||||
users.users.litestream.extraGroups = [ "nextcloud" "backup" ];
|
users.users.litestream.extraGroups = [ "nextcloud" ];
|
||||||
users.users.nextcloud.extraGroups = [ "litestream" ];
|
users.users.nextcloud.extraGroups = [ "litestream" ];
|
||||||
|
|
||||||
# Backup sqlite database with litestream
|
# Backup sqlite database with litestream
|
||||||
services.litestream = {
|
services.litestream = {
|
||||||
enable = true;
|
|
||||||
settings = {
|
settings = {
|
||||||
dbs = [{
|
dbs = [{
|
||||||
path = "${config.services.nextcloud.datadir}/data/nextcloud.db";
|
path = "${config.services.nextcloud.datadir}/data/nextcloud.db";
|
||||||
@ -75,14 +74,12 @@
|
|||||||
}];
|
}];
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
environmentFile = config.secrets.backup.dest;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# Don't start litestream unless nextcloud is up
|
# Don't start litestream unless nextcloud is up
|
||||||
systemd.services.litestream = {
|
systemd.services.litestream = {
|
||||||
after = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
|
after = [ "phpfpm-nextcloud.service" ];
|
||||||
requires = [ "phpfpm-nextcloud.service" "backup-secret.service" ];
|
requires = [ "phpfpm-nextcloud.service" ];
|
||||||
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
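Review bot: Dropping `enable = true;`, `environmentFile`, `environment.AWS_ACCESS_KEY_ID` and the `backup-secret.service` ordering from the nextcloud litestream block makes this replica depend on `./backups.nix` (which now carries them) being imported on the same host, and the `imports` of this file lie outside both hunks, so I cannot confirm it is. If it is not, `services.litestream` stays disabled and the nextcloud database silently stops being replicated; a one-line `imports = [ ./backups.nix ];` or a comment such as `# litestream enable/credentials come from ./backups.nix` above `services.litestream = {` would make the coupling explicit. The enclosing attribute set opens before the first hunk.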
@ -1,4 +1,10 @@
|
|||||||
{ config, lib, ... }: {
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
|
let vaultwardenPath = "/var/lib/bitwarden_rs"; # Default service directory
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
|
imports = [ ./caddy.nix ./secrets.nix ./backups.nix ];
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
|
|
||||||
@ -49,4 +55,69 @@
|
|||||||
}];
|
}];
|
||||||
}];
|
}];
|
||||||
|
|
||||||
|
## Backup config
|
||||||
|
|
||||||
|
# Open to groups, allowing for backups
|
||||||
|
systemd.services.vaultwarden.serviceConfig.StateDirectoryMode =
|
||||||
|
lib.mkForce "0770";
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"f ${vaultwardenPath}/db.sqlite3 0660 vaultwarden vaultwarden"
|
||||||
|
"f ${vaultwardenPath}/db.sqlite3-shm 0660 vaultwarden vaultwarden"
|
||||||
|
"f ${vaultwardenPath}/db.sqlite3-wal 0660 vaultwarden vaultwarden"
|
||||||
|
];
|
||||||
|
|
||||||
|
# Allow litestream and nextcloud to share a sqlite database
|
||||||
|
users.users.litestream.extraGroups = [ "vaultwarden" ];
|
||||||
|
users.users.vaultwarden.extraGroups = [ "litestream" ];
|
||||||
|
|
||||||
|
# Backup sqlite database with litestream
|
||||||
|
services.litestream = {
|
||||||
|
settings = {
|
||||||
|
dbs = [{
|
||||||
|
path = "${vaultwardenPath}/db.sqlite3";
|
||||||
|
replicas = [{
|
||||||
|
url =
|
||||||
|
"s3://${config.backupS3.bucket}.${config.backupS3.endpoint}/vaultwarden";
|
||||||
|
}];
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
# Don't start litestream unless vaultwarden is up
|
||||||
|
systemd.services.litestream = {
|
||||||
|
after = [ "vaultwarden.service" ];
|
||||||
|
requires = [ "vaultwarden.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Run a separate file backup on a schedule
|
||||||
|
systemd.timers.vaultwarden-backup = {
|
||||||
|
timerConfig = {
|
||||||
|
OnCalendar = "*-*-* 06:00:00"; # Once per day
|
||||||
|
Unit = "vaultwarden-backup.service";
|
||||||
|
};
|
||||||
|
wantedBy = [ "timers.target" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
# Backup other Vaultwarden data to object storage
|
||||||
|
systemd.services.vaultwarden-backup = {
|
||||||
|
description = "Backup Vaultwarden files";
|
||||||
|
environment.AWS_ACCESS_KEY_ID = config.backupS3.accessKeyId;
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
User = "vaultwarden";
|
||||||
|
Group = "backup";
|
||||||
|
EnvironmentFile = config.secrets.backup.dest;
|
||||||
|
};
|
||||||
|
script = ''
|
||||||
|
${pkgs.awscli2}/bin/aws s3 sync \
|
||||||
|
${vaultwardenPath}/ \
|
||||||
|
s3://${config.backupS3.bucket}/vaultwarden/ \
|
||||||
|
--endpoint-url=https://${config.backupS3.endpoint} \
|
||||||
|
--exclude "*db.sqlite3*" \
|
||||||
|
--exclude ".db.sqlite3*"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
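Review bot: The `aws s3 sync` in `vaultwarden-backup` excludes only the sqlite files, so everything else under `${vaultwardenPath}` — presumably including the RSA key pair vaultwarden uses to sign session tokens (`rsa_key.pem`) and `config.json` with any admin token — is uploaded in plaintext, which makes read access to the bucket equivalent to holding the signing key. Consider encrypting the payload before upload or at minimum passing `--sse` and scoping the bucket policy to this access key, and state the trade-off in the comment above the service. Likewise, `litestream`'s membership in the `vaultwarden` group together with the forced `0770` state directory lets that user read the same material, not just the three `db.sqlite3*` files the tmpfiles rules open up, so the grant is wider than the `# Backup sqlite database with litestream` comment suggests. The comment `# Allow litestream and nextcloud to share a sqlite database` was copied from nextcloud.nix and should read `# Allow litestream and vaultwarden to share a sqlite database`. The timer sets no `Persistent = true;`, so a 06:00 run missed while the host is down is skipped rather than caught up at next boot; the `let` binding and the attribute set open in the first hunk and the closing `}` lands in this one.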