commit 5ce8841b7d4d86d92154c847330caf0f233acfe1
parent 9b7456ecba4a9bf9bd63cd697419306df247c540
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 15 Jul 2022 15:01:10 +0200
parent 9b7456ecba4a9bf9bd63cd697419306df247c540
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 15 Jul 2022 15:01:10 +0200
machines/lollo/gotosocial: add restic backup
3 files changed, 74 insertions(+), 43 deletions(-)
M
|
106
++++++++++++++++++++++++++++++++++++++++++++++++-------------------------------
diff --git a/machines/lollo/configuration.nix b/machines/lollo/configuration.nix
@@ -26,6 +26,7 @@
 age.secrets.restic-server-desastro.file = ../../secrets/restic-server/desastro.age;
 age.secrets.restic-server-hector.file = ../../secrets/restic-server/hector.age;
+ age.secrets.restic-server-lollo.file = ../../secrets/restic-server/lollo.age;
 boot.loader = {
 systemd-boot.enable = true;
diff --git a/machines/lollo/gotosocial.nix b/machines/lollo/gotosocial.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 let
 gotosocialbin = pkgs.callPackage ../../pkgs/gotosocial-bin.nix {};
@@ -7,6 +7,14 @@ in {
 imports = [ ../../modules/gotosocial.nix ];
+ age.secrets.restic-gotosocial.file = ../../secrets/lollo/restic/gotosocial.age;
+
+ restic-backups.gotosocial = {
+ user = "gotosocial";
+ passwordFile = config.age.secrets.restic-gotosocial.path;
+ paths = [ "/var/lib/gotosocial" ];
+ };
+
 services.gotosocial = {
 enable = true;
 package = gotosocialbin;
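Review bot: `age.secrets.restic-gotosocial` sets only `file`, so the decrypted secret keeps agenix's default owner (root) and mode (0400), while the `restic-backups.gotosocial` entry directly below runs with `user = "gotosocial"` and reads `passwordFile` from that path; unless the `restic-backups` module (not visible here) runs restic as root and only drops privileges for the data, the password file is unreadable and the first backup fails. Adding `age.secrets.restic-gotosocial.owner = "gotosocial";` next to the `file` line resolves that. The nightly `gotosocial-export` timer added in modules/gotosocial.nix writes `backup.json` into the same `/var/lib/gotosocial` tree that is backed up here, and the backup's own schedule is set by the module rather than this file, so if the two can overlap a partially written export may be snapshotted; ordering the backup unit `after = [ "gotosocial-export.service" ]` is worth considering.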
diff --git a/modules/gotosocial.nix b/modules/gotosocial.nix 
@@ -57,51 +57,73 @@ in {
 environment.etc."/gotosocial/config.yaml".text = "${cfg.config}";
- systemd.services.gotosocial = {
- description = "gotosocial";
- after = [ "network-online.target" ];
- wantedBy = [ "multi-user.target" ];
- restartTriggers = [ config.environment.etc."/gotosocial/config.yaml".source ];
-
- serviceConfig = {
- User = cfg.user;
- Group = cfg.group;
-
- Type = "exec";
- WorkingDirectory = "~";
- StateDirectory = "gotosocial gotosocial/storage";
- StateDirectoryMode = "700";
-
- ExecStart = "${cfg.package}/bin/gotosocial --config-path /etc/gotosocial/config.yaml server start";
-
-# NoNewPrivileges = true;
-# PrivateTmp = true;
-# PrivateDevices = false;
-
-# RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
-# RestrictNamespaces = true;
-# RestrictRealtime = true;
+ systemd.services = {
+ gotosocial-export = {
+ description = "gotosocial export";
+
+ startAt = "*-*-* 1:00:00";
+ onFailure = [ "notify-failure@%i.service" ];
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+
+ Type = "exec";
+ WorkingDirectory = "~";
+ StateDirectory = "gotosocial gotosocial/storage";
+ StateDirectoryMode = "700";
+
+ ExecStart = "${cfg.package}/bin/gotosocial --config-path /etc/gotosocial/config.yaml admin export --path /var/lib/gotosocial/backup.json";
+ };
+ };
+
+ gotosocial = {
+ description = "gotosocial";
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ restartTriggers = [ config.environment.etc."/gotosocial/config.yaml".source ];
+ onFailure = [ "notify-failure@%i.service" ];
+
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+
+ Type = "exec";
+ WorkingDirectory = "~";
+ StateDirectory = "gotosocial gotosocial/storage";
+ StateDirectoryMode = "700";
+
+ ExecStart = "${cfg.package}/bin/gotosocial --config-path /etc/gotosocial/config.yaml server start";
+
+# NoNewPrivileges = true;
+# PrivateTmp = true;
+# PrivateDevices = false;
+
+# RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
+# RestrictNamespaces = true;
+# RestrictRealtime = true;
-# ProtectSystem = "full";
-# ProtectControlGroups = true;
-# ProtectKernelModules = true;
-# ProtectKernelTunables = true;
+# ProtectSystem = "full";
+# ProtectControlGroups = true;
+# ProtectKernelModules = true;
+# ProtectKernelTunables = true;
 #
-# DevicePolicy = "closed";
-# LockPersonality = true;
-# SystemCallFilter = "~@clock @debug @module @mount @obsolete @reboot @setuid @swap";
+# DevicePolicy = "closed";
+# LockPersonality = true;
+# SystemCallFilter = "~@clock @debug @module @mount @obsolete @reboot @setuid @swap";
 #
-# CapabilityBoundingSet = [
-# "~CAP_RAWIO CAP_MKNOD"
-# "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
-# "~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT"
-# "~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK"
-# "~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM"
-# "~CAP_SYS_TTY_CONFIG"
-# "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
-# "~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW"
-# "~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG"
-# ];
+# CapabilityBoundingSet = [
+# "~CAP_RAWIO CAP_MKNOD"
+# "~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE"
+# "~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT"
+# "~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK"
+# "~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM"
+# "~CAP_SYS_TTY_CONFIG"
+# "~CAP_MAC_ADMIN CAP_MAC_OVERRIDE"
+# "~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW"
+# "~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG"
+# ];
+ };
 };
 };
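Review bot: `onFailure = [ "notify-failure@%i.service" ]`, added to both the new `gotosocial-export` unit and the moved `gotosocial` unit, uses `%i`, which systemd expands to the empty string for a non-instantiated unit, so the dependency resolves to the bare template name `notify-failure@.service` and no notification unit can be activated on failure (systemd logs the invalid dependency and ignores it). The usual form is `onFailure = [ "notify-failure@%n.service" ];` (or `%N`), which passes the failing unit's own name as the instance, so the notifier knows which unit failed. As a style point, the `serviceConfig` of `gotosocial-export` repeats the `User`/`Group`/`Type`/`WorkingDirectory`/`StateDirectory`/`StateDirectoryMode` lines of the main unit verbatim; a shared attrset in the module's `let` block would keep the two from drifting apart when the hardening directives that are still commented out here are eventually enabled.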