Diffstat (limited to 'tw/system')
-rwxr-xr-xtw/system/files/nextcloud-backup68
-rw-r--r--tw/system/lap.scm1
-rw-r--r--tw/system/lud.scm162
3 files changed, 5 insertions, 226 deletions
diff --git a/tw/system/files/nextcloud-backup b/tw/system/files/nextcloud-backup
deleted file mode 100755
index 4c533758..00000000
--- a/tw/system/files/nextcloud-backup
+++ /dev/null
@@ -1,68 +0,0 @@
-#!/bin/sh -e
-# Nextcloud backup script, to run nightly.
-# Documentation on backups:
-# https://docs.nextcloud.com/server/latest/admin_manual/maintenance/backup.html
-# https://docs.nextcloud.com/server/latest/admin_manual/maintenance/restore.html
-# https://git.mdns.eu/nextcloud/passwords/-/wikis/Administrators/Backups
-
-. /etc/default/nextcloud-backup
-: "${DATABASE_PASSWORD:?You must pass the MySQL database password as DATABASE_PASSWORD}"
-
-php_ini=$1
-backup_dir=/var/backups/nextcloud/$(date -u '+%Y-%m-%d')
-nextcloud_dir=/var/www/nextcloud
-nextcloud_data_partition=/var/data # mountpoint of the partition containing Nextcloud data dir
-nextcloud_data_path=nextcloud # relative to $nextcloud_data_partition
-snapshot=$nextcloud_data_partition/tmp-nextcloud-backup
-
-nc_maintenance () {
- # Enable (--on) or disable (--off) Nextcloud's maintenance mode.
- sudo -nu httpd php ${php_ini:+-c "$php_ini"} "$nextcloud_dir/occ" maintenance:mode "$@"
-}
-
-# If there is a previous backup, compare against it later (so we don't have to
-# transfer every file).
-last_backup_dir=$(ls -1d "$(dirname "$backup_dir")"/????-??-?? | LC_ALL=C sort | tail -1)
-[ -d "$last_backup_dir" ] || unset last_backup_dir
-
-# Don't overwrite existing backups. mkdir will fail if $backup_dir exists.
-mkdir -m 750 "$backup_dir"
-
-# Always turn off maintenance mode and clean up the temporary snapshot on exit,
-# whether or not the backup succeeded.
-cleanup () {
- nc_maintenance --off || :
- if [ -d "$snapshot" ]; then
- btrfs subvolume delete -c "$snapshot" || :
- fi
-}
-trap cleanup EXIT HUP INT TERM # can't trap KILL
-
-# Turn Nextcloud off temporarily so the data doesn't change during the backup.
-nc_maintenance --on
-
-# Backup the database. This can only be done offline.
-mysqldump --single-transaction --default-character-set=utf8mb4 \
- -u nextcloud -p"$DATABASE_PASSWORD" nextcloud > "$backup_dir/nextcloud.sql"
-
-# These shouldn't be copied while Nextcloud is online.
-rsync -AUXHavx ${last_backup_dir+--link-dest="$last_backup_dir"} \
- "$nextcloud_dir/config" "$nextcloud_dir/themes" "$backup_dir"
-
-# Make sure everything is synced to disk so it's in our snapshot.
-btrfs filesystem sync "$nextcloud_data_partition/$nextcloud_data_path"
-btrfs subvolume snapshot -r "$nextcloud_data_partition" "$snapshot"
-
-# At this point, the data directory is in the snapshot, so Nextcloud can be
-# turned on again.
-nc_maintenance --off
-
-# --link-dest is brittle (it only hardlinks to the old file if no metadata has
-# changed). Reflinks would be better, but rsync doesn't seem to support them.
-# We don't need files under preview/, as those are thumbnails from the Previews
-# "app" and can be regenerated using `php -f occ preview:pre-generate`.
-rsync -AUXHavx --exclude='appdata_*/preview' --exclude='appdata_*/passwords/*Cache' \
- ${last_backup_dir+--link-dest="$last_backup_dir/data"} \
- "$snapshot/$nextcloud_data_path/" "$backup_dir/data"
-# Make sure everything is written out to the backup disk before we exit.
-btrfs filesystem sync "$backup_dir"
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index d9793ab7..efbe19f7 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -17,6 +17,7 @@
#:use-module (nongnu packages scanner)
#:use-module (nongnu system linux-initrd)
#:use-module (nonguix licenses)
+ #:use-module (tw services wireguard)
#:use-module (tw system))
(use-package-modules android certs cups disk docker file-systems gnome
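Review bot: The added `#:use-module (tw services wireguard)` is the only change to lap.scm in this commit (the diffstat reports a single insertion), and nothing in the hunk uses a binding from it, so unless the rest of lap.scm already referenced a wireguard binding this import is unused. Guile will not complain about an unused module, which makes it easy to forget; either drop it or land it together with the service definition that needs it. If it is intentionally staged for a follow-up, a brief comment next to the line naming the service it is there for would make that visible. The `define-module` form continues outside the hunk.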
diff --git a/tw/system/lud.scm b/tw/system/lud.scm
index 9986c30a..b770fc90 100644
--- a/tw/system/lud.scm
+++ b/tw/system/lud.scm
@@ -5,6 +5,8 @@
#:use-module (gnu system nss)
#:use-module (guix gexp)
#:use-module (tw packages php)
+ #:use-module (tw services nextcloud)
+ #:use-module (tw services matrix)
#:use-module (tw system))
(use-package-modules admin bash certs databases linux man php python rsync
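Review bot: Nothing on this page shows that the access-control settings the removed inline definitions carried survived the move into `(tw services nextcloud)` and `(tw services matrix)`, the modules imported here and consumed as `%nextcloud-services`/`%matrix-services` in the last hunk, because those modules lie outside this path-limited diff; the settings worth confirming are the `Require all denied` match for raw `.phps` sources, the `Strict-Transport-Security` header, and the php-fpm socket restricted to the `httpd` user and group. If the deleted `files/nextcloud-backup` script was relocated rather than retired, it is also worth checking that the new copy no longer hands the database password to mysqldump as a `-p` argument, which can be exposed to other local users through the process list; a credentials file passed via `--defaults-extra-file` avoids that. Neither point is verifiable from this page, so this is a request for confirmation rather than a defect in the visible lines.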
@@ -21,40 +23,6 @@
(define data-partition ; /dev/sdc1
(uuid "4715ae0e-5cef-48f2-a59e-025321153888" 'btrfs))
-(define httpd-cert-deploy-hook
- (program-file "httpd-cert-deploy-hook"
- #~(kill (call-with-input-file "/var/run/httpd" read) SIGHUP)))
-
-(define nextcloud-php.ini
- (computed-file "nextcloud-php.ini"
- #~(begin
- (use-modules (ice-9 popen) (ice-9 rdelim))
- (let* ((php-config #$(file-append php "/bin/php-config"))
- (pipe (open-pipe* OPEN_READ php-config "--extension-dir"))
- (php-extdir (read-line pipe)))
- (unless (zero? (status:exit-val (close-pipe pipe)))
- (error "Failed to get PHP extension dir"))
- (with-output-to-file #$output
- ;; Guix's PHP comes with the following extensions built-in,
- ;; so no extension= line necessary:
- ;; pdo_mysql, bcmath, bz2, exif, gd, iconv, intl
- (lambda () (display (string-append "\
-memory_limit=512M
-extension_dir=/run/current-system/profile/lib/php/extensions/" (basename php-extdir) "
-; Caching extensions for Nextcloud
-extension=apcu
-apc.enable_cli=1
-zend_extension=opcache
-; https://www.php.net/manual/en/opcache.configuration.php
-opcache.enable=1
-opcache.interned_strings_buffer=32
-opcache.max_accelerated_files=10000
-opcache.memory_consumption=128
-opcache.save_comments=1
-; It will take up to revalidate_freq seconds for changes to config.php to be applied.
-opcache.revalidate_freq=120
-"))))))))
-
(define httpd-intermediate-ssl-config "\
# SSL configuration.
# https://ssl-config.mozilla.org/#server=apache&version=2.4.53&config=intermediate&openssl=1.1.1n&ocsp=false&guideline=5.6
@@ -70,128 +38,6 @@ SSLSessionCache \"shmcb:logs/ssl_scache(65535)\"
SSLSessionCacheTimeout 1200
")
-(define nextcloud-services
- (list (simple-service 'nextcloud-https-server httpd-service-type
- ;; The certbot service redirects everything on port 80 to
- ;; port 443 by default, modulo its own /.well-known paths.
- (list (httpd-virtualhost "*:443" (list "\
-# For Nextcloud.
-ServerName cloud.wilkenfamily.de
-DocumentRoot /var/www/nextcloud
-SSLEngine on
-SSLCertificateFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/fullchain.pem\"
-SSLCertificateKeyFile \"/etc/letsencrypt/live/cloud.wilkenfamily.de/privkey.pem\"
-Header always set Strict-Transport-Security \"max-age=15552000\"
-
-# Don't check for .htaccess files above DocumentRoot.
-<Directory \"/\">
- AllowOverride None
-</Directory>
-
-<Directory /var/www/nextcloud>
- Options +FollowSymlinks
- AllowOverride All
- <IfModule mod_dav.c>
- Dav off
- </IfModule>
- SetEnv HOME /var/www/nextcloud
- SetEnv HTTP_HOME /var/www/nextcloud
-</Directory>
-
-# Redirect to local php-fpm if mod_php is not available
-<IfModule !mod_php7.c>
- <IfModule proxy_fcgi_module>
- # Enable http authorization headers
- <IfModule setenvif_module>
- SetEnvIfNoCase ^Authorization$ \"(.+)\" HTTP_AUTHORIZATION=$1
- </IfModule>
- <FilesMatch \".+\\.ph(ar|p|tml)$\">
- <If \"-f %{REQUEST_FILENAME}\">
- SetHandler \"proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/\"
- </If>
- </FilesMatch>
- # Deny access to raw PHP sources and files without filename (e.g. '.php')
- <FilesMatch \"^\\.ph(ar|p|ps|tml)$|.*\\.phps$\">
- Require all denied
- </FilesMatch>
- </IfModule>
-</IfModule>
-"))))
-
- (service php-fpm-service-type
- (php-fpm-configuration
- (user "httpd")
- (group "httpd")
- (socket "/var/run/php-fpm.sock")
- (socket-user "httpd")
- (socket-group "httpd")
- (php-ini-file nextcloud-php.ini)))
-
- (simple-service 'nextcloud-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("cloud.wilkenfamily.de"))
- (deploy-hook httpd-cert-deploy-hook))))
-
- ;; Nextcloud cron
- (simple-service 'nextcloud-cron mcron-service-type
- (list #~(job "*/5 * * * *"
- (lambda ()
- (chdir "/var/www/nextcloud")
- ;; `setgid' first while we're still root
- (setgid (group:gid (getgr "httpd")))
- (setuid (passwd:uid (getpw "httpd")))
- (execl #$(file-append php "/bin/php") "php"
- "-c" #$nextcloud-php.ini "cron.php"))
- (string-append
- #$(file-append php "/bin/php")
- " -c " #$nextcloud-php.ini
- " /var/www/nextcloud/cron.php"))
-
- ;; Nextcloud backups
- ;; Requires: sudo, php, btrfs, mysqldump, rsync
- (let ((backup-script (local-file "files/nextcloud-backup" #:recursive? #t)))
- #~(job "0 6 * * *"
- (lambda ()
- ;; Pass through the php.ini file that allows us to
- ;; use Nextcloud's occ script.
- (execl #$backup-script "nextcloud-backup" #$nextcloud-php.ini))
- (string-append #$backup-script " " #$nextcloud-php.ini)))))))
-
-(define matrix-services
- (list (simple-service 'synapse-certificates certbot-service-type
- (list (certificate-configuration
- (domains '("matrix.twilken.net"))
- (deploy-hook httpd-cert-deploy-hook))))
-
- (simple-service 'synapse-https-proxy httpd-service-type
- ;; Synapse can't access certbot certs, but Apache/httpd
- ;; can, so proxy HTTPS access through. It's good to have
- ;; Synapse available on port 443 anyway.
- (list (httpd-virtualhost "*:443" (list "\
-# Redirect to Synapse, to avoid having to specify its port number in Matrix clients.
-ServerName matrix.twilken.net
-SSLEngine on
-SSLCertificateFile \"/etc/letsencrypt/live/matrix.twilken.net/fullchain.pem\"
-SSLCertificateKeyFile \"/etc/letsencrypt/live/matrix.twilken.net/privkey.pem\"
-ProxyPass \"/\" \"https://127.0.0.1:48448/\"
-"))))
-
- ;; TODO: Postgres for Synapse
- ;; (service postgresql-service-type
- ;; (postgresql-configuration
- ;; (postgresql postgresql-15)
- ;; (data-directory "/var/lib/postgresql/data")))
-
- ;; (service postgresql-role-service-type
- ;; (postgresql-role-configuration
- ;; (roles (list (postgresql-role
- ;; (name "synapse") ; TODO
- ;; (create-database? #t))))))
-
- ;; TODO: Matrix/Synapse
- ;; TODO: Matrix bridges
- ))
-
(define-public %lud-system
(operating-system
(host-name "lud.twilken.net")
@@ -313,8 +159,8 @@ innodb_io_capacity = 4000
;; TODO: Transmission exporter
)
- nextcloud-services
- matrix-services
+ %nextcloud-services
+ %matrix-services
(server-base-services host-name)))
;; The list of user accounts ('root' is implicit).