blob: 0927788a784174c6587241130c088bd96e1f3a5e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
let
domain = "pad.lassul.us";
in
{
# redirect legacy domain to new one
services.nginx.virtualHosts."codi.lassul.us" = {
enableACME = true;
addSSL = true;
locations."/".return = "301 https://${domain}\$request_uri";
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://localhost:3091";
proxyWebsockets = true;
};
};
security.acme.certs.${domain}.group = "hedgecert";
users.groups.hedgecert.members = [ "hedgedoc" "nginx" ];
security.dhparams = {
enable = true;
params.hedgedoc = { };
};
systemd.services.hedgedoc.environment = {
CMD_COOKIE_POLICY = "none";
CMD_CSP_ALLOW_FRAMING = "true";
};
systemd.services.hedgedoc-backup = {
startAt = "daily";
serviceConfig = {
ExecStart = ''${pkgs.sqlite}/bin/sqlite3 /var/lib/hedgedoc/db.hedgedoc.sqlite ".backup /var/backup/hedgedoc/backup.sq3"'';
Type = "oneshot";
};
};
services.postgresqlBackup.enable = true;
systemd.services.borgbackup-job-hetzner.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
services.borgbackup.jobs.hetzner = {
paths = [
"/home"
"/etc"
"/var"
"/root"
];
exclude = [
"*.pyc"
"/home/*/.direnv"
"/home/*/.cache"
"/home/*/.cargo"
"/home/*/.npm"
"/home/*/.m2"
"/home/*/.gradle"
"/home/*/.opam"
"/home/*/.clangd"
"/var/lib/containerd"
# already included in database backup
"/var/lib/postgresql"
# not so important
"/var/lib/docker/"
"/var/log/journal"
"/var/cache"
"/var/tmp"
"/var/log"
];
repo = "u348918@u348918.your-storagebox.de:/./hetzner";
encryption.mode = "none";
compression = "auto,zstd";
startAt = "daily";
# TODO: change backup key
environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
preHook = ''
set -x
'';
postHook = ''
cat > /var/log/telegraf/borgbackup-job-hetzner.service <<EOF
task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
EOF
'';
prune.keep = {
within = "1d"; # Keep all archives from the last day
daily = 7;
weekly = 4;
monthly = 0;
};
};
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
settings = {
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
useCDN = false;
port = 3091;
domain = domain;
allowFreeURL = true;
useSSL = true;
protocolUseSSL = true;
sslCAPath = [ "/etc/ssl/certs/ca-certificates.crt" ];
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
};
};
}
|
