From 56f9cba5bcf097a3ef622fdec935e4d1be820b71 Mon Sep 17 00:00:00 2001 From: Yorick van Pelt Date: Sun, 3 Jan 2021 22:06:31 +0100 Subject: [PATCH] update email, setup backups --- keys/pennyworth_borg_repo.key | Bin 0 -> 70 bytes keys/pennyworth_borg_ssh.key | Bin 0 -> 3403 bytes keys/pennyworth_borg_ssh.key.pub | Bin 0 -> 763 bytes logical/pennyworth.nix | 25 ++++------------- nix/sources.json | 7 +++++ services/backup.nix | 46 +++++++++++++++++++++++++++++++ services/email.nix | 26 +++++++++++++++++ 7 files changed, 84 insertions(+), 20 deletions(-) create mode 100644 keys/pennyworth_borg_repo.key create mode 100644 keys/pennyworth_borg_ssh.key create mode 100644 keys/pennyworth_borg_ssh.key.pub create mode 100644 services/backup.nix create mode 100644 services/email.nix diff --git a/keys/pennyworth_borg_repo.key b/keys/pennyworth_borg_repo.key new file mode 100644 index 0000000000000000000000000000000000000000..3f320f0d4af520f5a38d2fc3287e341c85201881 GIT binary patch literal 70 zcmV-M0J;AFM@dveQdv+`0DZFMTX^IUO8wY+|Gs;v$$1bdjJ3c literal 0 HcmV?d00001 
diff --git a/keys/pennyworth_borg_ssh.key b/keys/pennyworth_borg_ssh.key new file mode 100644 index 0000000000000000000000000000000000000000..c830363bb66791f3a50395860b84f2d2a1d0e776 GIT binary patch literal 3403 zcmV-R4YcwAM@dveQdv+`0NWuILs_62z@EZDW0{tcGTP6(Np)rSXBp<({olx^MNH)o zU{ub!d_HOPtQ=wd+XD|XcnC52BbOVd%Dp0N2iI_Lzj+!7BFa2}?&McNOkPOD;B7F# z;0As7GAN;+r3-DmIKc;b)_JB6o%Z2SU`7yvio_SO6#Bhi!FXyNs-HMo8D}SW-abEF##KeaRc9uzG@$%($Sy?$=d3#PSwTnG1H??exs<2NAxr8}z~So9(7;>s701gfsM_J<9hIP|@A{8W` z8{mh6V${MTg%_n|O)UJgIY7SzK;}KDiZgdtq}r^xZGFAG3a!C}=;%MHT)Q^KOQ=`` zR{p8zUby}EE7f#uEZ69DeVzF0ZuD&-G07IJH5^Yen-3Ndis9^*j)Fg3Wx4ra%H5W$ z^xi(v&cqk#ViusNU?lc-j#ca(Vd?9B5aa3Y;#jnLQ!zO|{Eo$mZu1r>` zS}QUclcFciQ>jk1&!moS9HP#MA@dnmTlMoGNA)I6?B?}&%}Igz32S7v!g ziS)==7Fvsf79Rd7P(Wk@n(<4uIceSFJx8^eyad1-Fh|67M`1sK?<;mRFI~b&>b&;fI7-0ym;X@^s z+3Rn9a8^B$C~Iz22t`B1iJ_z5cxP;~HXDvfE*Sw6YN&DUH7s;-fH%`%K-))~)3DK^ zLf8l<03{Y~@?aMnE5E?h2pl2mMDJ#~rhFblxu$w5*^&KK9_aLIAYF`gtSzh z*}d5m4-yIlN(qzwSpj&F+C1fIXzn$9CvtNiU+A<2QfmaHKpEp?-B|1f^)-z@XeE;n zIQ55R+6$byyf6C&F7=+DL9i*(pgkjIQGwR9qT5QuIR0&bcc%Gp9s%yy(Tli95!{#^ z*}`H{)n=#!kldl4_i1lyljj1HXJNMvbwTz1PjV|fC@Ym8jxA*nG&JK?2|hNKw%SBo zvHPEl)@AcGb--rhwKCyV_$=CqKY0%3 zQlf5*wpqq=mQ-oI*kHks7{F>rotlZAG-L%sW|35-Ek2SPL6xHWYlLE5R17RAfUr|E z#lcdUfQ9zyG$9NaDfbS*Xigwd{5D7#lO&(Ed=Vh1~uS&<>?$cR}- z>91kx0dXM@XU*#Lp%vmTz!*GpU%hM>H66|vF!Vs9650qL7l^D-gjSoHm*tfc#O&&^ zJzlMk10i+iZ3MPjAhCa%0i`^4)-{k2ec<~06h{EErPuFTv%0BzZ@Q+bxQKrkF}mT& z=@V3pX9DUmtRfnTIk5hh+YuJazH-hX2fJ30bDOt#m3~Ha*!rW!`fG6tDN1*`2)ltC zA8cG(g#GoZX2ZwK=ET~t(5^nE(X%Oxm|)$fj^1Dh+LK=K*rq);_$$c2CcD??;=^(7G5a;r*e(2;Q3!L>#k0m>_+_tL(XIXeC zt^OnOs=fL5RP1Hm#CxB1FQr?GN95Se{Kf56HzMNYi46XDtkcqw0P0U3C;=scc|d+} zUcK86>xSncaMs#U?h00#%3Rio0Mpvxt)8?KB1Ru3Vr=bqEt8Clz6HZyU~MKr^b>!k z*u0|te{>B)rnXG|Tw=WMRYNTvvGxAHi1MpjjQzyWpAHwTctqa z!dX;Lb03e@qBWRJHczOH7lf1ttwe=V7@$!ci2Qc`#ymZbGAWOt0j%MXfLN;IVs#q; zp0-bYMi4-1JbJ;jqfhtKWjYhk!OYV7r;9|=hkSCQpMTzL?jTygja|CIP#tvZkubKU z6bcN^1`K8IG%><$Ui%x4ZTRzf%onaUMefl7vZbV+sqFgP--W5{u3j^hhwo`=;~noJ 
z0!rO9kO5R~2kwqLGjJtEnT#1HKX#UyfIpge9+2>qRm1qIt+Afs%(=tNi_`FgMFqVt zVpeXNO6C)H!ZI1=#Fiw&f{+%q;bU}YS7vlN*U}^7%5tRhd7i?37{nA{&B@z|KaYB{ zub85;j`Mt2M5i=+RWZPu@O3h&d@D-5PgS{`;)T%4mmOdnXfTEL!FBwwX-2V?{zU%6 zU3FI>s&JwvAdi<|P3$lYfmZ*#VLyT_T&tS~eOBFy=vT$f2`5%_N0DCy7SLdW2SM#A^+W7M zYtiO?GB&(f>k{i^-3;$~9GT)aID#<@wes*T23la;y4Xms#EbJGJKo{!vc!09($0tW zat43lm1>_*?rvsyoPY!mx&a?R)7Iq|T26E8>^;=-ve3r=*td+c3C+{?S4DkRi_P8V{$$G*4@I%h|UM$bO zfTzj1%d1c0!@Gb_vxM5&>KbU8EZ>?5kU!0XN4HJ-RPwYmV^>Nk0?E)7nl*}IK9$3g ztq0BWJm{7&c*j2?M~Icb@)^7Ni&wB}{x9g&^H+lyH`@omEr2=c(AP{2OsP!4*~c}&h{qC}7`ab<9%&Kq3S+IQ2Rn=S;h_TuLX>4}3=6P3ZRp3k5c))? zq_D%|)}@i|E=b5FZG8zPmeXiN1aMt*7Vk_nu)B0KYf z8vn8p|5X`Zh2wV1^tK9v&?L0MBJ4&qsmIc?b5vv)aMhFke9j{_?(S?0wLkf@S6Pv@ zBH%w}e%MB*DQuW5wOvOrrRHu)(eyO|Y@)sV6987v?(ZVrAJW6HUOlMB$2?+@1s*q9 zWFmCf_WI!~?orMi`+3J2yg0#=Sq#_9~_ujI*e-*%p6B8z0T&)*Y;R@!nAP1i{S<_(#S;t z{cb%9jGVY^H4h|~by5*wRwQY!=5JCtel{{-Pv_3oMbjz5OpSzU6vm7B1AN&$ZYJEV zMAf(>cfXDq8x?b8o;QF1(|yNZ?KG_(Sw;{VXkdSAAM@d%dfzO^<4WfkfSupJex~St z)cto*xm8Iv6;4S8a`n{t{Z%+!hGJihv3-UJ5V(Wba8rsPZ>5D^|5~?5r|)x=jcvY{ zk(b}t)UU5$$_irprypX^UhG9(5U8#~duKgrAxY!jhg54}`LJ0-i?v&Vd)h} zetAH_PqV=Kd}G3Ws~v5unYn#yjULod7(*B(muQu+`6rwQ5G0k9ad4ksV%hJL>Fq)Z>i#TG8SPBvCpRXVx^DIbi{u0nNDi55&ywtQUWw_jnOY?#pSttM zF>#rHsdwWICE?YbT>0TPMlbhNXm58cDdKr%{`K170KS96;lD1$8XTTOfYJp0FQ1$v zKj`ro$@r|Saw8*yA+~xkz}{~IE{I)09gY+Lt~G-)Gj^jK?$3=//archive/.tar.gz" }, + "nixos-mailserver": { + "sha256": "1m8ylrxlkn8nrpsvnivg32ncba9jkfal8a9sjy840hpl1jlm5lc4", + "type": "tarball", + "url": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864/nixos-mailserver-ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864.tar.gz", + "url_template": "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive//nixos-mailserver-.tar.gz", + "version": "ee3d38a1570a1a9aa5e2daa3284d65a35d5e8864" + }, "nixpkgs": { "branch": "nixos-unstable", "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. 
Send issues and PRs to",
diff --git a/services/backup.nix b/services/backup.nix
new file mode 100644
index 0000000..5af3a98
--- /dev/null
+++ b/services/backup.nix
@@ -0,0 +1,46 @@
+{ name, ... }:
+{
+ deployment.keyys = [
+ (../keys + "/${name}_borg_repo.key")
+ (../keys + "/${name}_borg_ssh.key")
+ ];
+ services.borgbackup.jobs.backup = {
+ encryption = {
+ # Keep the encryption key in the repo itself
+ mode = "repokey-blake2";
+
+ # Password is used to decrypt the encryption key from the repo
+ passCommand = "cat /root/keys/${name}_borg_repo.key";
+ };
+ environment = {
+ # Make sure we're using Borg >= 1.0
+ BORG_REMOTE_PATH = "borg1";
+
+ # SSH key is specific to the subaccount defined in the repo username
+ BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key";
+ };
+
+ # Define schedule
+ startAt = "hourly";
+
+ repo = "14337@ch-s012.rsync.net:${name}";
+ paths = [ "/home" "/root" "/var/lib" ];
+
+ prune.keep = {
+ # hourly backups for the past week
+ within = "7d";
+
+ # daily backups for two weeks before that
+ daily = 14;
+
+ # weekly backups for a month before that
+ weekly = 4;
+
+ # monthly backups for 6 months before that
+ monthly = 6;
+
+ # 2 years
+ yearly = 2;
+ };
+ };
+}
diff --git a/services/email.nix b/services/email.nix
new file mode 100644
index 0000000..44a7dc8
--- /dev/null
+++ b/services/email.nix
@@ -0,0 +1,26 @@
+{ config, pkgs, lib, ... }:
+let
+ sources = import ../nix/sources.nix;
+in
+{
+ imports = [
+ ("${sources.nixos-mailserver}")
+ ];
+
+ mailserver = rec {
+ enable = true;
+ fqdn = "pennyworth.yori.cc";
+ domains = [ "yori.cc" "yorickvanpelt.nl" ];
+ loginAccounts = {
+ "yorick@yori.cc" = {
+ hashedPassword = (import ../secrets.nix).yorick_mailPassword;
+ catchAll = domains;
+ aliases = [ "@yori.cc" "@yorickvanpelt.nl" ];
+ };
+ };
+ certificateScheme = 3;
+ enableImapSsl = true;
+ };
+
+ services.borgbackup.jobs.backup.paths = [ "/var/vmail" ];
+}
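Review bot: In services/backup.nix, `BORG_RSH = "ssh -i /root/keys/${name}_borg_ssh.key"` leaves server authentication to whatever known_hosts state root has on the machine, so the unattended hourly job either fails on first contact or depends on a host key that was accepted by hand. Pinning the rsync.net host key declaratively through `programs.ssh.knownHosts` and extending the command to `ssh -i /root/keys/${name}_borg_ssh.key -o IdentitiesOnly=yes -o BatchMode=yes` would make that check reproducible across redeploys. The same credential also runs `prune.keep`, so a compromised host can presumably delete archive history as well as write it; it is worth confirming that the remote account has server-side snapshots or an append-only restriction. `paths` includes `/root`, which pulls `/root/keys` into every archive; `exclude = [ "/root/keys" ];` on the job would keep deployment secrets out of the backup set.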
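Review bot: In services/email.nix, `hashedPassword = (import ../secrets.nix).yorick_mailPassword;` evaluates the hash into the system configuration, so it ends up in the world-readable Nix store on the mail host and on any machine that builds the closure, where any local user or service can read it for offline guessing. If the pinned nixos-mailserver revision provides `hashedPasswordFile`, shipping the hash as a deployment key like the borg keys and using `hashedPasswordFile = "/root/keys/<mail-hash-file>";` (placeholder path) keeps it out of the store. A short comment on `certificateScheme = 3;` saying which scheme the number selects would also help, since the value is opaque without the module source at hand.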