From 454665e77d70449f7b14ee55675639f9fa00edfb Mon Sep 17 00:00:00 2001 From: Philipp Hochkamp Date: Sat, 23 Apr 2022 01:38:20 +0200 Subject: [PATCH] a --- hosts/ds9/default.nix | 7 +++++-- hosts/ds9/hardware-configuration.nix | 1 - nixos-modules/services/paperless.nix | 11 +++++------ secrets/ds9OffsiteBackupSSH.age | 11 +++++++++++ secrets/secrets.nix | 1 + 5 files changed, 22 insertions(+), 9 deletions(-) create mode 100644 secrets/ds9OffsiteBackupSSH.age diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index 4b5855f1..6153a31f 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix @@ -19,7 +19,10 @@ in services.syncthing.enable = true; services.syncthing.user = "ragon"; - services.syncoid.command = + ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; }; + services.syncoid.enable = true; + services.syncoid.sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}"; + services.syncoid.commands = let datasets = { backups = "rpool/content/local/backups"; @@ -28,7 +31,7 @@ in hassosvm = "rpool/content/safe/vms/hassos"; }; in - builtins.mapAttrs (n: v: { target = "backup/${n}"; source = v; sendOptions = [ "w" ]; }) datasets; + builtins.mapAttrs (n: v: { target = "backup/${n}"; source = v; sendOptions = "w"; }) datasets; security.sudo.wheelNeedsPassword = false; networking.useDHCP = true; diff --git a/hosts/ds9/hardware-configuration.nix b/hosts/ds9/hardware-configuration.nix index fcd10e40..1f9b350f 100644 --- a/hosts/ds9/hardware-configuration.nix +++ b/hosts/ds9/hardware-configuration.nix @@ -22,7 +22,6 @@ persistent = "rpool/content/safe/persist"; arcSize = 8; }; - services.syncoid.enable = false; # TODO setup offsite backups services.sanoid.datasets."rpool/content/safe".recursive = true; services.sanoid.datasets."rpool/content/local/backups" = { }; diff --git a/nixos-modules/services/paperless.nix b/nixos-modules/services/paperless.nix index a2aeffed..66b35e8b 100644 
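Review bot: `lib.mkForce` on `services.syncoid.sshKey` overrides any other definition of that option without saying which one or why, and this is the line that decides which private key the backup job authenticates with. A comment above it such as `# mkForce: <which definition this overrides and why>` would make that visible to the next reader. Nothing in this commit shows how the key is constrained on the receiving side, so it is also worth a short comment next to the `ragon.agenix.secrets."ds9OffsiteBackupSSH"` declaration stating whether the key is limited to ZFS receive for the backup datasets or is a general login key.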
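Review bot: The `target = "backup/${n}"` on the changed `builtins.mapAttrs` line has no `user@host:` prefix, so syncoid will treat it as a dataset on a local pool named `backup`, and the `sshKey` configured in the previous hunk would never be used. If the copy is meant to leave ds9, as the removed `# TODO setup offsite backups` suggests, the target needs the remote form, for example `target = "<user>@<backup-host>:backup/${n}";` (placeholder user and host). If `backup` really is a locally attached pool, a comment saying so and dropping the SSH key would be cleaner, since an unused private key deployed to the host is exposure with no benefit. The `let … in` expression this line belongs to starts in the previous hunk.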
--- a/nixos-modules/services/paperless.nix
+++ b/nixos-modules/services/paperless.nix
@@ -13,27 +13,26 @@ in
 default = "paperless";
 };
 config = mkIf cfg.enable {
- services.paperless-ng = {
+ services.paperless = {
 enable = true;
- package = pkgs.paperless-ng.overrideAttrs (oldAttrs: rec { doCheck = false; doInstallCheck = false; });
 mediaDir = mkDefault "/data/documents/paperless";
- consumptionDir = mkDefault "/data/applications/paperless-consumption";
+ consumptionDir = "/data/applications/paperless-consumption";
 consumptionDirIsPublic = true;
 passwordFile = "${config.age.secrets.paperlessAdminPW.path}";
 extraConfig = {
 PAPERLESS_OCR_LANGUAGE = "deu+eng";
 };
 };
- ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless-ng.user}"; mode = "0440"; };
+ ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; };
 services.nginx.clientMaxBodySize = "100m";
 services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
 useACMEHost = "${domain}";
 addSSL = true;
- locations."/".proxyPass = "http://${config.services.paperless-ng.address}:${toString config.services.paperless-ng.port}";
+ locations."/".proxyPass = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
 locations."/".proxyWebsockets = true;
 };
 ragon.persist.extraDirectories = [
- "${config.services.paperless-ng.dataDir}"
+ "${config.services.paperless.dataDir}"
 ];
 };
 }
diff --git a/secrets/ds9OffsiteBackupSSH.age b/secrets/ds9OffsiteBackupSSH.age
new file mode 100644
index 00000000..b18c7bed
--- /dev/null
+++ b/secrets/ds9OffsiteBackupSSH.age
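Review bot: The paperless virtual host keeps `addSSL = true;` (an unchanged context line in this hunk), which serves the site over plain HTTP as well as HTTPS, so the admin login set up through `passwordFile` and any uploaded documents can travel unencrypted when a client uses `http://`. Unless port 80 is closed or redirected elsewhere, which this hunk does not show, `forceSSL = true;` in place of `addSSL = true;` would redirect those requests to HTTPS. As a smaller style point, `consumptionDir` loses `mkDefault` here while `mediaDir` keeps it; if hosts are expected to override either path, the two should be declared the same way.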
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 IbXxfw 2bY8D4MwTRAlIJC/IPqR2sT0M7r3mIzTxNRqyWsIVlg +Ls8ipcH9B7LgPEOnOfFoe6zGlJgY3fPYm7MX+dlse00 +-> ssh-ed25519 ugHWWw 3NecEQxzuriPw39On2S6d6F2KBepfnjzpZXyVMjpNW4 +lvnErLbxlzt0EgrGia0sINCYBP1zocdy2myQwrCYvuw +-> ssh-ed25519 UU9RSA oe8XNsT+h0ZeAwS994tw2KhMINl6nYshS0S6GSc/c0Y +oDOUhJS58DaXOHGA9yu44Z+bm3OqhmkWY++8kMcG+xU +-> (i-grease t="[ CDeDs +i6bTwsfNz5+rcQs0N1c1 +--- RtYYZM/2+RhILZMfyhrRhd7DhawxUMYNKdVFQxnCio8 +4Xao4b],[2Kk2/XWݒㇹB?nj QSQ=VCrc_ W-pŘ|#} )J'>j4 o|&n (;9g}YGg<+m+Fn_i!ŢF@Ϊ'#7p[ؑCUNFU3`t4{Z>`;^KA'i*1Xrѣ4bẁ|i Qs@d$5;4[x\#{ojF L9XҭS>4퉇!1=6o/P!)1& ΫvI1mQd5^:uZVt&ְT#r>5O^Ӟ6D.+G:#5Ezx܃tE1x⭖iJ#AF9,ƿF?oH΅\ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index d1dccb62..78db40a0 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -10,6 +10,7 @@ in "ragonPasswd.age".publicKeys = pubkeys.ragon.computers; "tailscaleKey.age".publicKeys = pubkeys.ragon.computers; "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9"; + "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9"; "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabInitialRootPassword.age".publicKeys = pubkeys.ragon.host "picard"; "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard";