update email, setup backups

2021-01-03 22:06:31 +01:00 · 2021-01-03 22:06:31 +01:00 · 56f9cba5bc
parent bd925ad014
commit 56f9cba5bc
7 changed files with 84 additions and 20 deletions
--- a/keys/pennyworth_borg_repo.key
+++ b/keys/pennyworth_borg_repo.key
--- a/keys/pennyworth_borg_ssh.key
+++ b/keys/pennyworth_borg_ssh.key
--- a/keys/pennyworth_borg_ssh.key.pub
+++ b/keys/pennyworth_borg_ssh.key.pub
--- a/logical/pennyworth.nix
+++ b/logical/pennyworth.nix
@ -18,11 +18,9 @@ in
  imports = [
    ../physical/hetznercloud.nix
    ../roles/server.nix
-    (builtins.fetchTarball {
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/v2.2.1/nixos-mailserver-v2.2.1.tar.gz";
-      sha256 = "03d49v8qnid9g9rha0wg2z6vic06mhp0b049s3whccn1axvs2zzx";
-    })
-   ../modules/muflax-blog.nix
+    ../modules/muflax-blog.nix
+    ../services/backup.nix
+    ../services/email.nix
  ];

  system.stateVersion = "19.03";
@ -34,20 +32,6 @@ in
    git = { enable = true; vhost = "git.yori.cc"; };
    muflax-church = { enable = true; vhost = "muflax.church"; };
  };
-  mailserver = rec {
-    enable = true;
-    fqdn = "pennyworth.yori.cc";
-    domains = [ "yori.cc" "yorickvanpelt.nl" ];
-    loginAccounts = {
-      "yorick@yori.cc" = {
-        hashedPassword = (import ../secrets.nix).yorick_mailPassword;
-        catchAll = domains;
-        aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
-      };
-    };
-    certificateScheme = 3;
-    enableImapSsl = true;
-  };

  services.muflax-blog = {
    enable = true;
@ -94,6 +78,7 @@ in
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
  environment.noXlibs = true;
  users.users.yorick.packages = with pkgs; [
-    python2 sshfs-fuse weechat
+    python2 sshfs-fuse weechat ripgrep
  ];
+
 }
--- a/nix/sources.json
+++ b/nix/sources.json
@ -23,6 +23,13 @@
        "url": "https://github.com/nixos/nixos-hardware/archive/c242378e63b0ec334e964ac0c0fbbdd2b3e89ebf.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    },
+    "nixos-mailserver": {
+        "sha256": "1m8ylrxlkn8nrpsvnivg32ncba9jkfal8a9sjy840hpl1jlm5lc4",
+        "type": "tarball",
+        "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864/nixos-mailserver-ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864.tar.gz",
+        "url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/<version>/nixos-mailserver-<version>.tar.gz",
+        "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864"
+    },
    "nixpkgs": {
        "branch": "nixos-unstable",
        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
--- a/services/backup.nix
+++ b/services/backup.nix
@ -0,0 +1,46 @@
+{ name, ... }:
+{
+  deployment.keyys = [
+    (../keys + "/${name}_borg_repo.key")
+    (../keys + "/${name}_borg_ssh.key")
+  ];
+  services.borgbackup.jobs.backup = {
+    encryption = {
+      # Keep the encryption key in the repo itself
+      mode = "repokey-blake2";
+
+      # Password is used to decrypt the encryption key from the repo
+      passCommand = "cat /root/keys/${name}_borg_repo.key";
+    };
+    environment = {
+      # Make sure we're using Borg >= 1.0
+      BORG_REMOTE_PATH = "borg1";
+
+      # SSH key is specific to the subaccount defined in the repo username
+      BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
+    };
+
+    # Define schedule
+    startAt = "hourly";
+
+    repo = "14337@ch-s012.rsync.net:${name}";
+    paths = [ "/home" "/root" "/var/lib" ];
+    
+    prune.keep = {
+      # hourly backups for the past week
+      within = "7d";
+
+      # daily backups for two weeks before that
+      daily = 14;
+
+      # weekly backups for a month before that
+      weekly = 4;
+
+      # monthly backups for 6 months before that
+      monthly = 6;
+
+      # 2 years
+      yearly = 2;
+    };
+  };
+}
--- a/services/email.nix
+++ b/services/email.nix
@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+  sources = import ../nix/sources.nix;
+in
+{
+  imports = [
+    ("${sources.nixos-mailserver}")
+  ];
+
+  mailserver = rec {
+    enable = true;
+    fqdn = "pennyworth.yori.cc";
+    domains = [ "yori.cc" "yorickvanpelt.nl" ];
+    loginAccounts = {
+      "yorick@yori.cc" = {
+        hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+        catchAll = domains;
+        aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
+      };
+    };
+    certificateScheme = 3;
+    enableImapSsl = true;
+  };
+
+  services.borgbackup.jobs.backup.paths = [ "/var/vmail" ];
+}