a

2022-04-23 01:38:20 +02:00 · 2022-04-23 01:38:20 +02:00 · 454665e77d
commit 454665e77d
parent 33e4c75e19
5 changed files with 22 additions and 9 deletions
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -19,7 +19,10 @@ in
  services.syncthing.enable = true;
  services.syncthing.user = "ragon";

-  services.syncoid.command =
+  ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; };
+  services.syncoid.enable = true;
+  services.syncoid.sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
+  services.syncoid.commands =
    let
      datasets = {
        backups = "rpool/content/local/backups";
@ -28,7 +31,7 @@ in
        hassosvm = "rpool/content/safe/vms/hassos";
      };
    in
-    builtins.mapAttrs (n: v: { target = "backup/${n}"; source = v; sendOptions = [ "w" ]; }) datasets;
+    builtins.mapAttrs (n: v: { target = "backup/${n}"; source = v; sendOptions = "w"; }) datasets;

  security.sudo.wheelNeedsPassword = false;
  networking.useDHCP = true;
--- a/hosts/ds9/hardware-configuration.nix
+++ b/hosts/ds9/hardware-configuration.nix
@ -22,7 +22,6 @@
    persistent = "rpool/content/safe/persist";
    arcSize = 8;
  };
-  services.syncoid.enable = false; # TODO setup offsite backups

  services.sanoid.datasets."rpool/content/safe".recursive = true;
  services.sanoid.datasets."rpool/content/local/backups" = { };
--- a/nixos-modules/services/paperless.nix
+++ b/nixos-modules/services/paperless.nix
@ -13,27 +13,26 @@ in
      default = "paperless";
    };
  config = mkIf cfg.enable {
-    services.paperless-ng = {
+    services.paperless = {
      enable = true;
-      package = pkgs.paperless-ng.overrideAttrs (oldAttrs: rec { doCheck = false; doInstallCheck = false; });
      mediaDir = mkDefault "/data/documents/paperless";
-      consumptionDir = mkDefault "/data/applications/paperless-consumption";
+      consumptionDir = "/data/applications/paperless-consumption";
      consumptionDirIsPublic = true;
      passwordFile = "${config.age.secrets.paperlessAdminPW.path}";
      extraConfig = {
        PAPERLESS_OCR_LANGUAGE = "deu+eng";
      };
    };
-    ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless-ng.user}"; mode = "0440"; };
+    ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; };
    services.nginx.clientMaxBodySize = "100m";
    services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
      useACMEHost = "${domain}";
      addSSL = true;
-      locations."/".proxyPass = "http://${config.services.paperless-ng.address}:${toString config.services.paperless-ng.port}";
+      locations."/".proxyPass = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
      locations."/".proxyWebsockets = true;
    };
    ragon.persist.extraDirectories = [
-      "${config.services.paperless-ng.dataDir}"
+      "${config.services.paperless.dataDir}"
    ];
  };
 }
--- a/secrets/ds9OffsiteBackupSSH.age
+++ b/secrets/ds9OffsiteBackupSSH.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 IbXxfw 2bY8D4MwTRAlIJC/IPqR2sT0M7r3mIzTxNRqyWsIVlg
+Ls8ipcH9B7LgPEOnOfFoe6zGlJgY3fPYm7MX+dlse00
+-> ssh-ed25519 ugHWWw 3NecEQxzuriPw39On2S6d6F2KBepfnjzpZXyVMjpNW4
+lvnErLbxlzt0EgrGia0sINCYBP1zocdy2myQwrCYvuw
+-> ssh-ed25519 UU9RSA oe8XNsT+h0ZeAwS994tw2KhMINl6nYshS0S6GSc/c0Y
+oDOUhJS58DaXOHGA9yu44Z+bm3OqhmkWY++8kMcG+xU
+-> (i-grease t="[ CDeDs
+i6bTwsfNz5+rcQs0N1c1
+--- RtYYZM/2+RhILZMfyhrRhd7DhawxUMYNKdVFQxnCio8
+4XæÛao4ûü£bù“],[2K‚€k˜2ÁŽ/XWÝ’ÄÁ°íã‡¹´üB?¢nëj
QSQ=üÓVCr½¼¥<>§øòcÂ_ÃWÀ-póÅ˜›|#±ß}Ùð)J'ç>j4 „o|&nš (ä¦;ö9gÞ}Y‡Gg<+mÖï+Fn²…_ìió!¾˜Å¢FÉ@Îª¤'#7pæÃ[½Ø‘ÎøëCšUøN’FUà<55>3`t›4{Z´>†ðž`¾ú<C2BE>Ýï;^œ<>KòA'–i¨¨*1ÿXÅërÑÑ£º›¯4báº<C3A1>å¡|iÉ¡QêøÚs˜@¬d$ÁŠ5;ï4[xÞÚèÚ\’#{¢¾‚ojFL9ÀXÒS>4®Œí‰‡¸!1=ÙÞ6<10>ˆo/‹§PÔ!ì)Ù1&  Î«Ô¨vI1mQØ»áþ<C3A1>ùd5Û^å:uïZVt&‰¹Ö°ýñøT#²r¯>‘5œ¥’Oÿ^Óž6žD™.+G:‰#5EzxÜƒtEŠ1Çäxâ–i•J#»°¼AFáé9»Ð›´â,Æ¿FÇ?o’HÉÎ…<C38E>\
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -10,6 +10,7 @@ in
  "ragonPasswd.age".publicKeys = pubkeys.ragon.computers;
  "tailscaleKey.age".publicKeys = pubkeys.ragon.computers;
  "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
+  "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
  "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
  "gitlabInitialRootPassword.age".publicKeys = pubkeys.ragon.host "picard";
  "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard";