From 089d87bc9deb73096c4e8979d9e35ca20d40142e Mon Sep 17 00:00:00 2001
From: Barrett Ruth
Date: Fri, 13 Mar 2026 18:00:21 -0400
Subject: [PATCH] fix: auto-sync passwords
---
 hosts/netcup/configuration.nix | 38 ++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/hosts/netcup/configuration.nix b/hosts/netcup/configuration.nix
index af44c71..4b3bc69 100644
--- a/hosts/netcup/configuration.nix
+++ b/hosts/netcup/configuration.nix
@@ -77,6 +77,7 @@
 enable = true;
 recommendedProxySettings = true;
 recommendedTlsSettings = true;
+ clientMaxBodySize = "512m";
 virtualHosts."vault.barrettruth.com" = {
 enableACME = true;
 forceSSL = true;
@@ -131,6 +132,43 @@
 git
 ];
 
+ systemd.services.vaultwarden-r2-backup = {
+ description = "Backup Vaultwarden to Cloudflare R2";
+ after = [ "backup-vaultwarden.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ EnvironmentFile = "/etc/vaultwarden-r2-backup.env";
+ };
+ path = [ pkgs.awscli2 pkgs.gawk ];
+ script = ''
+ export AWS_ACCESS_KEY_ID="$R2_ACCESS_KEY_ID"
+ export AWS_SECRET_ACCESS_KEY="$R2_SECRET_ACCESS_KEY"
+ ENDPOINT="$R2_ENDPOINT"
+ DATE=$(date +%Y-%m-%d)
+
+ aws s3 cp /var/backup/vaultwarden/db.sqlite3 \
+ "s3://vaultwarden/$DATE/db.sqlite3" \
+ --endpoint-url "$ENDPOINT"
+
+ CUTOFF=$(date -d '30 days ago' +%Y-%m-%d)
+ aws s3 ls s3://vaultwarden/ --endpoint-url "$ENDPOINT" \
+ | awk '{print $2}' | tr -d '/' \
+ | while read dir; do
+ if [ "$dir" \< "$CUTOFF" ]; then
+ aws s3 rm "s3://vaultwarden/$dir" --recursive --endpoint-url "$ENDPOINT"
+ fi
+ done
+ '';
+ };
+
+ systemd.timers.vaultwarden-r2-backup = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ };
+
 nix.settings = {
 auto-optimise-store = true;
 experimental-features = [
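Review bot: `clientMaxBodySize = "512m";` is set beside `enable` and `recommendedTlsSettings`, above `virtualHosts."vault.barrettruth.com"`, so it appears to raise the request-body limit for every virtual host this nginx serves rather than for the vault alone. If only Vaultwarden needs large uploads, scoping the limit to that host keeps the rest at the default and narrows the resource-exhaustion surface, e.g. `extraConfig = "client_max_body_size 512m;";` inside the vault virtual host. Whether other virtual hosts exist is not visible in this hunk, and the enclosing nginx block starts outside it. A one-line comment saying why 512m is needed would help, since the commit message does not mention it.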
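Review bot: The prune loop in `vaultwarden-r2-backup` hands whatever `awk '{print $2}'` yields straight to `aws s3 rm --recursive`, so a blank or non-date field sorts below `$CUTOFF`, and an empty `$dir` makes the command target `s3://vaultwarden/` itself, i.e. every backup. Checking that `$dir` has the `YYYY-MM-DD` shape before comparing, reading with `read -r`, and ending the prefix with `/` closes that, as sketched below. Doing retention with a bucket lifecycle rule instead would let this host run without delete rights at all. Separately, `db.sqlite3` is uploaded as-is; the Vaultwarden database holds account data such as e-mail addresses and password hashes besides the encrypted vault items, so encrypting it client-side before `aws s3 cp` is worth considering. `after = [ "backup-vaultwarden.service" ]` only orders the two units and does not start the local backup, so a stale snapshot can be shipped if that unit has not run.

```nix
      # … unchanged: credential exports, upload, CUTOFF, `aws s3 ls | awk | tr` pipeline …
        | while read -r dir; do
            # Only date-shaped prefixes created by this job may be pruned.
            case "$dir" in
              [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
              *) continue ;;
            esac
            if [ "$dir" \< "$CUTOFF" ]; then
              aws s3 rm "s3://vaultwarden/$dir/" --recursive --endpoint-url "$ENDPOINT"
            fi
          done
```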