diff --git a/hosts/elisabeth/secrets/paperless/generated/paperlessHetznerSsh.age b/hosts/elisabeth/secrets/paperless/generated/paperlessHetznerSsh.age new file mode 100644 index 0000000..4ada659 Binary files /dev/null and b/hosts/elisabeth/secrets/paperless/generated/paperlessHetznerSsh.age differ diff --git a/hosts/elisabeth/secrets/paperless/generated/resticpasswd.age b/hosts/elisabeth/secrets/paperless/generated/resticpasswd.age new file mode 100644 index 0000000..ef4aee0 --- /dev/null +++ b/hosts/elisabeth/secrets/paperless/generated/resticpasswd.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> X25519 k9S1TqxAKH41Lq6xpAYBaMd9f90qCAQmyxrq0chU+Tc +irgvzLHOIREuCUA2k1+FnxZCXNTIpChKE3uNN5l48OA +-> piv-p256 XTQkUA A/Jy50UrN5mbigxkQI5K1Q0FQTor4ocPQh1YJXYnWMvl +z73ZTKho/qeVH2XyneDKUxw+eg2FrHDfrllHVaj3s5U +-> piv-p256 ZFgiIw AlVTQpjtIYs7vQ/M0jDmRzRebsIQ+Kj39qyeQk1OIwZ+ +jAPOyDEuginirLTSUFJ2oW1VsdpWN1ASdfR7ybU+G0M +-> piv-p256 5vmPtQ AhiueRGQs93xrLgEwnhC/G3GZfB8WnU/U6fP4Zoj6CAm +Zrx69DLkn13YXMPzyVgzKCakPwMuuqhc9ev1JZ6O19o +-> piv-p256 ZFgiIw ApvxXQDq40lC1AHIi/Goo7zdxBNMzdyaICbc99l+7AKV +HaqccPBNp4O5HG5HXqkV4ks6/egCx83KTHFNHek8/VI +-> "[q9C-grease &e7[}5WO @C'4x = +3OGP2dJt6w +--- 0GHa/cHUag5xe+LPDSEgHvSWTi9tNDdaq1FQZIsK2uc +Ǩ`pc' ,ݜ8EBG%FtŹKVN~ TJ2IVa<I+F띰oO> ە \ No newline at end of file diff --git a/modules/services/paperless.nix b/modules/services/paperless.nix index 100fd34..41fd77b 100644 --- a/modules/services/paperless.nix +++ b/modules/services/paperless.nix 
@@ -4,7 +4,62 @@
 ...
 }: let
 paperlessdomain = "ppl.${config.secrets.secrets.global.domains.web}";
+ paperlessBackupDir = "/var/cache/backups/paperless";
 in {
+ systemd.tmpfiles.settings = {
+ "10-paperless".${paperlessBackupDir}.d = {
+ inherit (config.services.paperless) user;
+ mode = "0770";
+ };
+ };
+ age.secrets.resticpasswd = {
+ generator.script = "alnum";
+ };
+ age.secrets.paperlessHetznerSsh = {
+ generator.script = "ssh-ed25519";
+ };
+ services.restic.backups = {
+ main = {
+ inherit (config.services.paperless) user;
+ timerConfig = {
+ OnCalendar = "06:00";
+ Persistent = true;
+ RandomizedDelaySec = "3h";
+ };
+ initialize = true;
+ passwordFile = config.age.secrets.resticpasswd.path;
+ hetznerStorageBox = {
+ enable = true;
+ inherit (config.secrets.secrets.global.hetzner) mainUser;
+ inherit (config.secrets.secrets.global.hetzner.users.paperless) subUid path;
+ sshAgeSecret = "paperlessHetznerSsh";
+ };
+ paths = [paperlessBackupDir];
+ pruneOpts = [
+ "--keep-daily 10"
+ "--keep-weekly 7"
+ "--keep-monthly 12"
+ "--keep-yearly 75"
+ ];
+ };
+ };
+ systemd.services.paperless-backup = let
+ cfg = config.systemd.services.paperless-consumer;
+ in {
+ description = "Paperless document backup";
+ serviceConfig =
+ lib.recursiveUpdate
+ cfg.serviceConfig
+ {
+ ExecStart = "${config.services.paperless.package}/bin/paperless-ngx document_exporter -na -nt -f -d ${paperlessBackupDir}";
+ ReadWritePaths = cfg.serviceConfig.ReadWritePaths ++ [paperlessBackupDir];
+ Restart = "no";
+ Type = "oneshot";
+ };
+ inherit (cfg) environment;
+ requiredBy = ["restic-backups-main.service"];
+ };
+
 networking.firewall.allowedTCPPorts = [3000];
 age.secrets.paperless-admin-passwd = {
 generator.script = "alnum";
diff --git a/modules/services/samba.nix b/modules/services/samba.nix
index 1728daa..4ecc29d 100644
--- a/modules/services/samba.nix
+++ b/modules/services/samba.nix
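Review bot: `paperless-backup` is attached to `restic-backups-main.service` with `requiredBy` alone, which adds a Requires= dependency but no ordering, so systemd can start the restic snapshot while the exporter is still writing (or before it has started); add `before = ["restic-backups-main.service"];` next to `requiredBy` so the export finishes first. The export directory holds a plaintext copy of every document plus `manifest.json`, and the tmpfiles entry sets only `user` with mode `0770`, so the group falls back to the invoking user's group (root for the system instance) rather than paperless — either inherit the group too or tighten the directory to `0700`; note the dump persists between runs, since `-d` (if it is `--delete`, as in current paperless-ngx) only prunes stale files. Newer paperless-ngx releases accept `--passphrase` on `document_exporter` to encrypt sensitive manifest fields such as mail-account credentials, which is worth confirming for this package version. Finally, `services.restic.backups.main` is also declared in vaultwarden.nix; if both modules are ever imported on one host the two definitions collide on `user`/`passwordFile` and this unit becomes a dependency of the vaultwarden backup, so a service-specific name such as `paperless` would be safer.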
@@ -234,21 +234,57 @@ systemd.tmpfiles.settings = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v: lib.optionalAttrs ((v ? "#paperless") && v."#paperless") { + "10-smb-paperless"."/paperless/consume/".d = { + user = "paperless"; + group = "paperless"; + mode = "0770"; + }; "10-smb-paperless"."/paperless/consume/${v."#user"}".d = { user = "paperless"; group = "paperless"; mode = "0770"; }; + "10-smb-paperless"."/paperless/media/".d = { + user = "paperless"; + group = "paperless"; + mode = "0770"; + }; + "10-smb-paperless"."/paperless/media/documents/".d = { + user = "paperless"; + group = "paperless"; + mode = "0770"; + }; + + "10-smb-paperless"."/paperless/media/documents/archive/".d = { + user = "paperless"; + group = "paperless"; + mode = "0770"; + }; "10-smb-paperless"."/paperless/media/documents/archive/${v."#user"}".d = { user = "paperless"; group = "paperless"; mode = "0770"; }; + "10-smb-paperless"."/paperless/media/documents/archive/${v."#user"}/.keep".f = { + user = "paperless"; + group = "paperless"; + mode = "0660"; + }; + "10-smb-paperless"."/paperless/media/documents/originals/".d = { + user = "paperless"; + group = "paperless"; + mode = "0770"; + }; "10-smb-paperless"."/paperless/media/documents/originals/${v."#user"}".d = { user = "paperless"; group = "paperless"; mode = "0770"; }; + "10-smb-paperless"."/paperless/media/documents/originals/${v."#user"}/.keep".f = { + user = "paperless"; + group = "paperless"; + mode = "0660"; + }; })); environment.persistence = lib.mkMerge (lib.flip lib.mapAttrsToList config.services.samba.shares (_: v: lib.optionalAttrs ((v ? "#persistRoot") && (v."#persistRoot" != "")) { diff --git a/modules/services/vaultwarden.nix b/modules/services/vaultwarden.nix index 914f64e..dd8c3e9 100644 --- a/modules/services/vaultwarden.nix +++ b/modules/services/vaultwarden.nix 
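Review bot: The new parent-directory entries (`/paperless/consume/`, `/paperless/media/`, `/paperless/media/documents/{,archive/,originals/}`) reuse the same `paperless:paperless` `0770` as the per-`#user` leaves, so nothing at the filesystem level separates one user's consume or archive tree from another's; isolation rests entirely on the Samba share definitions, which are outside this hunk. If the shares are meant to be per-user, a comment such as `# per-user separation is enforced by the share config (force user/valid users), not by mode bits` would at least make that assumption explicit for the next reader. These parent entries are also emitted once per matching share from inside the `mapAttrsToList` loop (the enclosing `lib.mkMerge` expression starts before the hunk); identical definitions merge cleanly, but hoisting them into a single `lib.optionalAttrs (lib.any (v: v."#paperless" or false) (lib.attrValues config.services.samba.shares))` block would state the intent once. The `.keep` files are created inside paperless's own media tree; paperless-ngx's sanity checker reports files it does not own under `originals/` and `archive/` as orphaned, so expect that warning unless it skips dotfiles — worth confirming.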
@@ -28,7 +28,7 @@ in { }; services.restic.backups = { main = { - user = "root"; + user = "vaultwarden"; timerConfig = { OnCalendar = "06:00"; Persistent = true; @@ -75,7 +75,6 @@ in { smtpSecurity = "force_tls"; smtpPort = 465; }; - #backupDir = "/data/backup"; environmentFile = config.age.secrets.vaultwarden-env.path; }; diff --git a/secrets/secrets.nix.age b/secrets/secrets.nix.age index bf36d74..93dd8b3 100644 Binary files a/secrets/secrets.nix.age and b/secrets/secrets.nix.age differ
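Review bot: Switching the restic unit from `root` to `vaultwarden` means everything the backup touches must now be readable by that account, and none of it is visible in this hunk: the `passwordFile` secret (age-managed secrets are root-owned mode 0400 by default unless an `owner`/`group` is set), the Hetzner SSH key if this backup uses the same `hetznerStorageBox` mechanism as paperless, and the `paths` themselves — confirm each, or the timer will fail on its first run. The dropped `#backupDir` comment also suggests the NixOS `services.vaultwarden.backupDir` snapshot (`sqlite3 .backup` plus attachments) was considered and rejected; if `paths` point at the live data directory, restic will copy `db.sqlite3` while vaultwarden may be mid-write, so either enable `backupDir` and back up that directory or add a `backupPrepareCommand` that runs the `.backup` first. The enclosing `services.restic.backups.main` block starts before and ends after the hunk.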