feat: add backup for server

2025-09-28 12:37:26 +08:00 · 2025-09-28 12:37:26 +08:00 · f7409e0537
commit f7409e0537
parent 20ee47caa2
14 changed files with 256 additions and 165 deletions
--- a/system/modules/cockpit.nix
+++ b/system/modules/cockpit.nix
@ -0,0 +1,33 @@
+{
+  enableNginx ? false,
+  domain,
+}:
+{
+  lib,
+  config,
+  ...
+}:
+let
+  inherit (lib) mkIf;
+in
+{
+  services.cockpit = {
+    enable = true;
+    openFirewall = true;
+    allowed-origins = [
+    ];
+    settings = {
+      WebService = {
+        ProtocolHeader = "X-Forwarded-Proto";
+        ForwardedForHeader = "X-Forwarded-For";
+        LoginTo = false;
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = mkIf enableNginx {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://localhost:${toString config.services.cockpit.port}";
+  };
+}
--- a/system/modules/fail2ban.nix
+++ b/system/modules/fail2ban.nix
@ -3,7 +3,6 @@
  ...
 }:
 {
-
  services.fail2ban = {
    enable = true;
    maxretry = 5;
@ -18,38 +17,34 @@
      maxtime = "1y";
      overalljails = true;
    };
-    jails =
-      let
-        nginxLogPath = "/var/log/nginx/error.log*";
-      in
-      {
-        sshd.settings = {
-          logPath = "";
-          filter = "sshd";
-          action = ''nftables-multiport[name="sshd", port="ssh,30072"]'';
-          backend = "systemd";
-          findtime = 600;
-          bantime = 600;
-          maxretry = 5;
-        };
-        nginx-error-common.settings = {
-          logPath = nginxLogPath;
-          filter = "nginx-error-common";
-          action = ''nftables-multiport[name=HTTP, port="http,https"]'';
-          backend = "auto";
-          findtime = 600;
-          bantime = 600;
-          maxretry = 5;
-        };
-        nginx-forbidden.settings = {
-          logPath = nginxLogPath;
-          filter = "nginx-forbidden";
-          action = ''nftables-multiport[name=HTTP, port="http,https"]'';
-          backend = "auto";
-          findtime = 600;
-          bantime = 600;
-          maxretry = 5;
-        };
+    jails = {
+      sshd.settings = {
+        logPath = "";
+        filter = "sshd";
+        action = ''nftables-multiport[name="sshd", port="ssh,30072"]'';
+        backend = "systemd";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
      };
+      nginx-error-common.settings = {
+        logPath = "";
+        filter = "nginx-error-common";
+        action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+        backend = "systemd";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
+      };
+      nginx-forbidden.settings = {
+        logPath = "";
+        filter = "nginx-forbidden";
+        action = ''nftables-multiport[name=HTTP, port="http,https"]'';
+        backend = "systemd";
+        findtime = 600;
+        bantime = 600;
+        maxretry = 5;
+      };
+    };
  };
 }
--- a/system/modules/mail-server/server.nix
+++ b/system/modules/mail-server/server.nix
@ -541,7 +541,7 @@ in
        };
      };
      oci-containers = {
-        backend = "docker";
+        backend = "podman";
        containers = {
          phpLDAPadmin = {
            extraOptions = [ "--network=host" ];
--- a/system/modules/nextcloud.nix
+++ b/system/modules/nextcloud.nix
@ -66,6 +66,7 @@ in
        contacts
        calendar
        tasks
+        whiteboard
        ;

      camerarawpreviews = pkgs.fetchNextcloudApp {
@ -120,74 +121,4 @@ in
    exiftool
  ];

-  systemd = {
-    timers = lib.mkIf enableBackup {
-      "nextcloud-backup" = {
-        enable = true;
-        description = "Nextcloud backup";
-        timerConfig = {
-          OnCalendar = "*-*-* 03:00:00";
-          Persistent = true;
-          OnUnitActiveSec = "1d";
-          AccuracySec = "1h";
-          Unit = "nextcloud-backup.service";
-        };
-        wantedBy = [ "timers.target" ];
-      };
-    };
-
-    services."nextcloud-backup" = lib.mkIf enableBackup {
-      enable = true;
-      serviceConfig = {
-        User = "nextcloud";
-        ExecStart =
-          let
-            script = pkgs.writeShellScriptBin "backup" (
-              ''
-                nextcloudPath="${config.services.nextcloud.datadir}"
-
-                if [ ! -d "$nextcloudPath" ]; then
-                  echo "nextcloud path not found: $nextcloudPath"
-                  exit 1
-                fi
-              ''
-              + (
-                if dataBackupPath != null then
-                  ''
-                    backupPath="${dataBackupPath}"
-                    nextcloudBakPath="$backupPath"
-
-                    if [ ! -d "$backupPath" ]; then
-                      echo "Backup device is not mounted: $backupPath"
-                      exit 1
-                    fi
-
-                    echo "Start syncing..."
-                    ${pkgs.rsync}/bin/rsync -rh --delete "$nextcloudPath" "$nextcloudBakPath"
-                    echo "Data dir backup completed."
-                  ''
-                else
-                  ""
-              )
-              + (
-                if dbBackupPath != null then
-                  ''
-                    nextcloudDBBakPath="${dbBackupPath}/nextcloud-db.bak.tar"
-                    if [ ! -d "$nextcloudBakPath" ]; then
-                      mkdir -p "$nextcloudBakPath"
-                    fi
-
-                    echo "Try backing up database (postgresql)"
-                    ${pkgs.postgresql}/bin/pg_dump -F t nextcloud -f "$nextcloudDBBakPath"
-                    echo "Database backup completed."
-                  ''
-                else
-                  ""
-              )
-            );
-          in
-          "${script}/bin/backup";
-      };
-    };
-  };
 }
--- a/system/modules/virtualization.nix
+++ b/system/modules/virtualization.nix
@ -1,42 +1,16 @@
 {
-  pkgs,
-  config,
-  username,
  ...
 }:
 {
-  programs.virt-manager.enable = true;
-  users.groups.libvirtd.members = [ username ];
-
  virtualisation = {
    docker.enable = true;

    # Run container as systemd service
    oci-containers = {
-      backend = "docker";
+      backend = "podman";
      containers = { };
    };

-    libvirtd = {
-      enable = true;
-      qemu = {
-        package = pkgs.qemu_kvm;
-        swtpm.enable = true;
-        ovmf.enable = true;
-        ovmf.packages = [ pkgs.OVMFFull.fd ];
-      };
-    };
-
    spiceUSBRedirection.enable = true;
  };
-
-  environment.etc = {
-    "ovmf/edk2-x86_64-secure-code.fd" = {
-      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-x86_64-secure-code.fd";
-    };
-
-    "ovmf/edk2-i386-vars.fd" = {
-      source = config.virtualisation.libvirtd.qemu.package + "/share/qemu/edk2-i386-vars.fd";
-    };
-  };
 }