fix: move paperless config to module

feat(stolas): add backup config
2025-07-17 21:47:49 +02:00 · 2025-07-17 21:41:56 +02:00
7 changed files with 52 additions and 27 deletions
--- a/nixos/modules/borg-server.nix
+++ b/nixos/modules/borg-server.nix
@ -39,6 +39,14 @@ in
        path = "${cfg.path}/gorgon";
        quota = "1T";
      };
      "stolas" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINC/mVYd3o7oA0dsA58CgkqR40CSfeuU+rikleSrSXFz dadada@gorgon"
        ];
        path = "${cfg.path}/stolas";
        quota = "1T";
      };
      "surgat" = {
        allowSubRepos = false;
        authorizedKeysAppendOnly = [
--- a/nixos/stolas/default.nix
+++ b/nixos/stolas/default.nix
@ -4,6 +4,7 @@
  imports = [
    ../modules/profiles/laptop.nix
    ./disks.nix
    # TODO ./paperless.nix
  ];
  boot = {
@ -32,7 +33,7 @@
      luks.devices = {
        root = {
          # TODO 
-          device = "/dev/disk/by-uuid/todo";
+          device = "/dev/disk/by-uuid/TODO";
          allowDiscards = true;
          # TODO lanzaboote + TPM2 unlock with PIN https://www.freedesktop.org/software/systemd/man/251/systemd-cryptenroll.html#--tpm2-with-pin=BOOL
          #crypttabExtraOpts = [ "fido2-device=auto" ];
@ -85,13 +86,11 @@
    settings.max-jobs = lib.mkDefault 16;
  };
-  # TODO dadada.backupClient.backup1.enable = true;
+  dadada.backupClient.backup1.enable = true;
-  # dadada.backupClient.backup2 = {
+  dadada.backupClient.backup2 = {
-  #   enable = true;
+    enable = true;
-  #   passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
+    repo = "u355513-sub5@u355513-sub5.your-storagebox.de:/home/backup";
-  #   sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
+  };
  #   repo = "u355513-subX@u355513-subX.your-storagebox.de:/home/backup";
  # };
  programs = {
    adb.enable = true;
@ -117,11 +116,6 @@
      enable = true;
      browsing = true;
    };
    paperless = {
      # TODO migrate DB
      enable = true;
      passwordFile = config.age.secrets.paperless.path;
    };
    tlp.enable = false;
  };
@ -129,19 +123,6 @@
    stateVersion = "25.05";
  };
  systemd.tmpfiles.rules =
    let
      cfg = config.services.paperless;
    in
    [
      (
        if cfg.consumptionDirIsPublic then
          "d '${cfg.consumptionDir}' 777 - - - -"
        else
          "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
      )
    ];
  systemd.services = {
    modem-manager.enable = lib.mkForce false;
    "dbus-org.freedesktop.ModemManager1".enable = lib.mkForce false;
--- a/nixos/stolas/disks.nix
+++ b/nixos/stolas/disks.nix
@ -25,7 +25,6 @@
                mountOptions = [ "umask=0077" ];
              };
            };
            # TODO tmpfs for nix/var/nix/builds
            luks = {
              size = "100%";
              content = {
--- a/nixos/stolas/paperless.nix
+++ b/nixos/stolas/paperless.nix
@ -0,0 +1,20 @@
 { config }:
 {
  services.paperless = {
    # TODO migrate DB
    enable = true;
    passwordFile = config.age.secrets.paperless.path;
  };
  systemd.tmpfiles.rules =
    let
      cfg = config.services.paperless;
    in
    [
      (
        if cfg.consumptionDirIsPublic then
          "d '${cfg.consumptionDir}' 777 - - - -"
        else
          "d '${cfg.consumptionDir}' 770 ${cfg.user} ${config.users.users.${cfg.user}.group} - -"
      )
    ];
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -7,6 +7,7 @@ let
    ninurta = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8TDCzjVVO7A4k6rp+srMj0HHc5gmUOlskTBOvhMkEc root@nixos";
    pruflas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqZHu5ygTODgrNzcU9C2O+b8yCfVsnztV83qxXV4aA8 root@pruflas";
    surgat = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOJ9UgAle5sX0pAawfRztckVwaQm2U8o0Bawv7cZfXE root@surgat";
    stolas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFV1LSH8jeMnXJ/eqhJCebbwxenJmxNoeB6UGrBmRjZk root@stolas";
  };
  backupSecrets = hostName: {
    "${hostName}-backup-passphrase.age".publicKeys = [
@ -88,3 +89,4 @@ in
 // backupSecrets "pruflas"
 // backupSecrets "surgat"
 // backupSecrets "agares"
 // backupSecrets "stolas"
--- a/secrets/stolas-backup-passphrase.age
+++ b/secrets/stolas-backup-passphrase.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 OgKXZA A8XAP2YQw/CnN//rHPM9m9p1A/l4IiWV1Qhc9+RHdxQ
 mcpcULPCQUMtoCiTwiAU2AXD5UVrQkF5LxZqCJ3VEMA
 -> ssh-ed25519 Otklkw UzdSM3CCvzQ4owHWWmrBfiC6NuBAu0onns6s4nlR9Vs
 UQ4TBW/4O5rVi0xpS2lAS6M7zgUcWtGlXeL+i748KYE
 --- tqrtKyZVDght0KJQZDSDVdnEL38KZjPA2xZ3LjeKlI0
 ø2Šl£C@‘þô (<28>ãŽNë3‘-igÁaH?ÿ~üF‚‰ýnòÔqÁ¸·ÇcñÉ<C3B1>œçî<ûÛ¼ñ#Fš7ÔaB%®–Ž&t·}¢vr_<î
--- a/secrets/stolas-backup-ssh-key.age
+++ b/secrets/stolas-backup-ssh-key.age
@ -0,0 +1,8 @@
 age-encryption.org/v1
 -> ssh-ed25519 OgKXZA gTx4Ozd2BU13T8GpiBxSCZdjAwJ/zb10xqW62QMTwms
 M9y1f/ndVYnujqIDo0rocQEX/8Isg0vn97mQm8K83iE
 -> ssh-ed25519 Otklkw 2hyKMpf/Z8wgBowMgxwb77cj9B5b0/a7q4hq3CxWp0M
 jFLwfV72isKUdtr5m2n5303KZiJDKTJny9koUOHLLLg
 --- GQfIExiJTJEQTnesTVqF3X7AcorV+SH8TQ9uo5xLwso
 u`6^—ü |<7C>Ÿ&êµQ¢[KPF»ÏA†Æ‡ÑˆU*nŸ55†¶O–Øz›v…å‚º-C“0’Êr;6ÅJ¸‚²œC={<7B>'÷¼@Ôº9öO'b“½Æô#¬Rw-³õÔ(ØŠ<C398>RäjFÞ[=€ƒuD·3¨¸×vÚ<76>5bW¸xi†zï<>Í¢Å={þS;	rÖù.ìÎO´ê´è2ÊÖ|˜É«¯ÉjÞtOrñº‰põžþK2à97˜æœÓY/ñŸÈèé?â8¼³‚&·øpÃÕP<C395>:g‡Çÿ<ÓÎh¡Þ*iKùRÚ¨¼É«ÛÏS<C38F>"Aíˆ+÷
+&%ð×9^„QRŠÍÿ]˜„âsô'–ðD•D‘•ŠB¦ž§·Å^¤›¡ÉÓí;<02>~ÈÎæO[
 ÇÚˆ'[õ¨Ž®œú'kª'îb ßíO_Bž %z”#Åê{ÂÇ6LD«ò<C2AB>Û8é'	ÔÖ³ê‘^ð<>õ2Y™BL©<02>ZWsó!¿ÓHi±³Xâ–³·¨”rÙížZ!ª\Â•”…jéÙ€Q€ÿÄ‚îÓ<>
Author	SHA1	Message	Date
Tim Schubert	bdeb5584de	fix: move paperless config to module	2025-07-17 21:47:49 +02:00
Tim Schubert	f602f150ba	feat(stolas): add backup config	2025-07-17 21:41:56 +02:00