author | Silas Schöffel <sils@sils.li> | 2025-01-21 21:21:14 +0100 |
---|---|---|
committer | Silas Schöffel <sils@sils.li> | 2025-01-21 21:29:50 +0100 |
commit | 1b04a415e98b72841e6b9dba0b0c030428ba0434 (patch) | |
tree | 120cd8919c2929255ee8be597fb782d42a453ada | |
parent | fix(modules/peertube): correct email setup (diff) | |
feat(modules/backup): init
Diffstat (limited to '')
-rw-r--r-- | hosts/by-name/server1/configuration.nix | 6 | ||||
-rw-r--r-- | hosts/by-name/server1/secrets/backuppass.age (renamed from system/secrets/backup/backuppass.age) | 0 | ||||
-rw-r--r-- | hosts/by-name/server1/secrets/backupssh.age (renamed from system/secrets/backup/backupssh.age) | 0 | ||||
-rw-r--r-- | hosts/by-name/server2/configuration.nix | 6 | ||||
-rw-r--r-- | hosts/by-name/server2/secrets/backuppass.age | 14 | ||||
-rw-r--r-- | hosts/by-name/server2/secrets/backupssh.age | 22 | ||||
-rw-r--r-- | hosts/by-name/server3/configuration.nix | 6 | ||||
-rw-r--r-- | hosts/by-name/server3/secrets/backuppass.age | 13 | ||||
-rw-r--r-- | hosts/by-name/server3/secrets/backupssh.age | 22 | ||||
-rw-r--r-- | modules/by-name/ba/backup/module.nix | 91 | ||||
-rw-r--r-- | secrets.nix | 11 | ||||
-rw-r--r-- | system/secrets/default.nix | 12 | ||||
-rw-r--r-- | system/services/default.nix | 1 | ||||
-rw-r--r-- | system/services/restic/default.nix | 50 |
14 files changed, 189 insertions, 65 deletions
diff --git a/hosts/by-name/server1/configuration.nix b/hosts/by-name/server1/configuration.nix index 95a0766..5b5ede6 100644 --- a/hosts/by-name/server1/configuration.nix +++ b/hosts/by-name/server1/configuration.nix @@ -7,6 +7,12 @@ ]; vhack = { + backup = { + enable = true; + privateSshKey = ./secrets/backupssh.age; + privatePassword = ./secrets/backuppass.age; + user = "u384702-sub2"; + }; etesync.enable = true; nginx.enable = true; openssh.enable = true; diff --git a/system/secrets/backup/backuppass.age b/hosts/by-name/server1/secrets/backuppass.age index 8ec40a9..8ec40a9 100644 --- a/system/secrets/backup/backuppass.age +++ b/hosts/by-name/server1/secrets/backuppass.age diff --git a/system/secrets/backup/backupssh.age b/hosts/by-name/server1/secrets/backupssh.age index bd7cafa..bd7cafa 100644 --- a/system/secrets/backup/backupssh.age +++ b/hosts/by-name/server1/secrets/backupssh.age diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix index b256c5f..70f663b 100644 --- a/hosts/by-name/server2/configuration.nix +++ b/hosts/by-name/server2/configuration.nix @@ -21,6 +21,12 @@ }; }; }; + backup = { + enable = true; + privateSshKey = ./secrets/backupssh.age; + privatePassword = ./secrets/backuppass.age; + user = "u384702-sub3"; + }; fail2ban.enable = true; git-server = { enable = true; diff --git a/hosts/by-name/server2/secrets/backuppass.age b/hosts/by-name/server2/secrets/backuppass.age new file mode 100644 index 0000000..5fd5568 --- /dev/null +++ b/hosts/by-name/server2/secrets/backuppass.age 
@@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2R1JQczJDblhnWmZQMkJU +SVNwS2RNSkMwNHVGdHg4U1dsdXdXUTVOanlVCjNPQWxST2pnYXdIVjl1TExQNzlt +V0QwTzdWcTNJM0lJNW1OaExHcjlhWU0KLT4gWDI1NTE5IG10Y01KcDJWUUV5SVo2 +RmlMbHNWcS82enAvckZSWUVQbFdyMTdtY2NqR1kKbmVtSzRGYVdiTWdyMTA0SWQy +M1FYWTZidWI5UGIvVmxYbUphQkhJWUt4SQotPiBzc2gtZWQyNTUxOSBYUG94RFEg +WTd4ekxiWUR0WVoybU5VVy9TenpldDRMSTduQm5idzJZSWVCMHRlZmVEbwpqamps +Q2tuUHc0bU1kcHIvZ3FQalVMMWZ6aThsRDRNOHpUOTVGbkZ6TnR3Ci0+IDttZ2VJ +RzMtZ3JlYXNlIDFXIEpeIicqID1JLSFZaDcgd0ZzOjUKc3dCbDdjNmEzRUtjc0VN +SHM2MU4zVkFhQWdHd0JxVnpFVDN0UHpQYVE0d2s0QmQwbzRZZHpzanQzYnZRCi0t +LSBpR0E0V3FiV2pjVWt2OFY5UE1BQlpteXZWekZNK1lHSFV4TzFQVVV0em9RChir ++4/eHcBC2sNJgSssV4Zh/7p2GZrN7fyuxc29lhhGAQsRZ+VE9xSy08q2vIPRlqjf +nG72bAKGPiviFpH+uCWWllwoERST1QkkcqpyPjXzVpHrElSXHeE= +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server2/secrets/backupssh.age b/hosts/by-name/server2/secrets/backupssh.age new file mode 100644 index 0000000..c2d3abb --- /dev/null +++ b/hosts/by-name/server2/secrets/backupssh.age 
@@ -0,0 +1,22 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjclNCOGsxNUNEWEJDSGpQ +MW8vc2FnakpTczhVbEFFenk5V2tSZm5IdGpvCkVzejlwT2svT2pLRExDbTdXajEy +elp5QTBTRGErL3NkRmJIU2lVNTI5V00KLT4gWDI1NTE5IFRjamhzdlhDUVl2RkhY +ZUhwTmg2V2NCeHFUb2hWdFMxL0czUWZteE5tSFkKaWNFa2NhdzQrZUNWMVFKRzNP +QVJzdEJZRXZlRUFQMTBscGZRNC83Rk55RQotPiBzc2gtZWQyNTUxOSBYUG94RFEg +R1JVdEU0SGJNak16ZmRaNzdlaTd5ZUdjUjYzZ3ljQ3J2cGkxUDV3TE93bwpQbDlE +SUFBblNvUmR4N09MUHFuamtiUVh0M244SGluZmFzenc0OS9uakNZCi0+IEwtZ3Jl +YXNlICp6IDp6OEJTIW43IHNaUih6YApuUmRZeWZwdFRCOTFTSXlMVkZxYW52azd4 +ZisrSmR6SEhJTWlGNWxtVzJBRWdmMnBhWVRuc1J0QUgxZ0lKZ0dLCm1KdklXL2xn +M3Y0NUVmeDhLWHRHWlhSbzhmNGNUU3R0OFdBCi0tLSB3UHphWkpuU1RENU16Nkln +V2k5TjRhejdCd2VCMXBaU0JSaEtuTmdvWTBnCpLTtP020Vy7Rldly79rARfETmam +kbRUCWiyHeKnFUWeraVr1R/l4Rt5QJh9Y6hxEBudymbyOy0VMZiQPZv7jq/pmDiB +ULnSnfRVZM7gmU09loxf9S4LatDT/Rjf/B8uMef7Ru89DH0fnewmSGcn0KkQMUNg ++ZNtg1Qti3R1baF7ZyXZfi1UY2oIbVe1T4iZQm7n0RdP/+taCm4EfNmX3QQely/R +CTRWl3An28JTWUePAO5qJWlvisRjNWFlsFGA+UZSRQVfWmiSnMlZ1PNbnNAo9+K4 +lIn2LNLZAOh0Cp+Rl38pusLlVLefyXhomdrp6vfE6mxBTk3scVfipDrChyt8jvbM +2CxUA2zhZ63kNDsQmrEbH375XKzOy2vIPMTzohQx3uN0fFBIQW9pPJcNCN7jJOQU +8CCL0R56Q5nQbNI+oz4oBuolhszkYPaiIzBlcHjjJUjxnUa5RX0SXTI7gCkqlIqZ +niS9z1Vql3QUTdPEyrhfzwOqDcGWr6B/edNHE6D5ILUm5mis/mJgRcEiF0Y/BlZi +mHPTGVdzkhtIIGEqiSlWMvB6zoL4uTru+yiB +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix index 13cd833..de4c1dd 100644 --- a/hosts/by-name/server3/configuration.nix +++ b/hosts/by-name/server3/configuration.nix @@ -5,6 +5,12 @@ ]; vhack = { + backup = { + enable = true; + privateSshKey = ./secrets/backupssh.age; + privatePassword = ./secrets/backuppass.age; + user = "u384702-sub4"; + }; fail2ban.enable = true; mastodon = { enable = true; diff --git a/hosts/by-name/server3/secrets/backuppass.age b/hosts/by-name/server3/secrets/backuppass.age new file mode 100644 index 0000000..e7eea19 --- /dev/null 
+++ b/hosts/by-name/server3/secrets/backuppass.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6cUM5S1FKZis0R0o2czRs +cnVCQXlqdXNDWjMvSVlwUEF5S1pTKzNNR2w0ClgycUdEc1EyMjhJZ2lBMjhXVk5n +V3djaVduV3Q4RWw1KzJNQXNYdmhjR1UKLT4gWDI1NTE5IG44TU9lcGc2NkRmczVS +R1hkd0xyVUZwYWVRM05PZzhCK3BkMGFkUDJobXcKejhGMHpQWG4zdnU3WmFBNkhG +Wk5kZy9UWThQcUdRLzBNbEE1c3VrTXdURQotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +RkMwdENYRUFSRHoxTDRHK2xsQndTekJSZ3NmWnlMMW11TjkxTWpMQnJTTQpOSVF5 +RzQ0aXpIeUkyeWJPdlFoWHJPSy9lU2tVUFNOQUVPNXRrZUE4SnN3Ci0+IEEjQUVl +XGxgLWdyZWFzZSA9WVwxaU4hTgpkbTIyMDBuSWhsSEJueGMKLS0tIEh3ZEhoN0FI +NnlUa2ZHdVFmWkVQY3h2ejM4ZkUzcEc1MEcydlRzdVA5UGcKhFaeVepKkQHcbhHS +uxZnlCZoJHEFhc4vCK0w588WJIfkilDk7b5uH/Cn8kWFWLsX0FFe/kk350gEVVm7 +UUndM/+sAEoVzQR8HO1XWGZDd1T70myysBsutA== +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server3/secrets/backupssh.age b/hosts/by-name/server3/secrets/backupssh.age new file mode 100644 index 0000000..ae8c5ec --- /dev/null +++ b/hosts/by-name/server3/secrets/backupssh.age 
@@ -0,0 +1,22 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNjNnRUMzK1FWWFNEQUtC +ZjF0dFVVTllrYW0ySEt3eHNyL1RhbkZDeWowCnBldm9oSHhuUm1EM3JXbnRZc3JB +WGVNZGdSNm45L3JEenNlcEZqSXdaS0EKLT4gWDI1NTE5IGpZaTA3RUNGbXF4a1Ji +MWJwRkZkM3dqaldMN2d5Wm9mbmxoQmhKeldNeUEKZ0dQZlU1MVhTLzlGMVNSZEhG +MEo2cGxZUXhnbEF2OXFiWjk4bmZIaVdSNAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +UEg4a05hMGQxUmZPMExzOXZtTVMySWdibHdudDFSWkFuUXlveFFOQnl3Zwp0QkZY +QStEeCtKMXZFd3hmVkd3NXZuK0hKdWxSMzBoMjhuV2thd0dxR0IwCi0+IGtfJFgt +Z3JlYXNlIFJgYHggfTh8QEogJDx+J2tcCjhja3owNWtBVmhSeFIyK0xIcWplMG1m +RiszK05oZktPTVlpSXFRTFVTaWVBeEFCdTZuRWMvdHJFYU10NlNpVGYKYnhkOEor +c1c2ZwotLS0gMmR1djFRTGJ2Qy9hODdGa1RFSVRxQk4rTFB6WW1YZnN2bFhrRDF3 +ZENqNAoTSBXv8NPsyt2RH+qJcbsMMhJ0qqCmyeUWF3Uicv6fiN99TB7xjD6lRXdB +utfLiuBr0gt73QEb44AQFAGzG3Jig9Ql/UFubeKaMRVBscQ4FJXYnHlEK8aB7sVs +k6VgI/Uvs6YH3YDlATfCaD8d/ASG30whH1TcgH6KF3GPX112uUqkIscGifFz4wxu +Fa8Av9XmkBdIQAPS3ze10O866m5Fv4vWeJZ1KEhzV+0nSrBZKPS9a2JqI1c63kz8 +2txZHm26gS4duDqncwnL41jmZ5GX7+TWTj3adIBQrXVSlUPb9h4t5NX2IMS1Fuj8 +UuvKDZplTGEmIJZGoF79VOqOhoCUg9+lqEd53BaAKlLSuHrUeZ1v0IhhquMiOMSt +TrtuhEvdhiH92eWOBNkDNeoEzxU1wCLc1YOk7QCAQEOy0HM5oMntlbMDc+4QmZXz +1QYQKEEMVAi4B53Mm4OFwHTi6GMqDT2r6PsP86uzCB1F8V7q2LDmPnD1rGTQ46al +N8XFq/3uEqd/yNaZU6kffpdK25ibytmvLhjWQ+0LNrUtfftqeTZzaxApQc6bGW5K +KbBnN1A= +-----END AGE ENCRYPTED FILE----- diff --git a/modules/by-name/ba/backup/module.nix b/modules/by-name/ba/backup/module.nix new file mode 100644 index 0000000..856a1c3 --- /dev/null +++ b/modules/by-name/ba/backup/module.nix 
@@ -0,0 +1,91 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.vhack.backup; + snapshots = "/srv/snapshots"; + postgresUser = "postgres"; +in { + options.vhack.backup = { + enable = lib.mkEnableOption "backups with restic"; + user = lib.mkOption { + type = lib.types.str; + description = "The storagebox-user to use"; + example = "u384702-sub2"; + }; + privateSshKey = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted ssh-key, passed to agenix"; + }; + privatePassword = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted restic password, passed to agenix"; + }; + }; + config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + { + directory = "/root/.ssh"; + user = "root"; + group = "root"; + mode = "0700"; + } + ]; + age.secrets = { + resticpass = { + file = cfg.privatePassword; + mode = "0700"; + owner = "root"; + group = "root"; + }; + resticssh = { + file = cfg.privateSshKey; + mode = "0700"; + owner = "root"; + group = "root"; + }; + }; + services.restic.backups = { + storagebox = { + initialize = true; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql + + [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots; + [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv; + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv; + + # dump() { + # # compression: + # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz" + # pg_dump -v "$1" > "db_$1.tar.xz" + # } + # # List all databases, and dump each of them in its own file + # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done + ''; + paths = [ + snapshots + ]; + exclude = [ + ".snapshots" + 
"/var/lib/postgresql" # included in the db dump + ]; + extraBackupArgs = [ + "--verbose" # spam log + ]; + passwordFile = config.age.secrets.resticpass.path; + extraOptions = [ + "rclone.program='ssh -p 23 ${cfg.user}@${cfg.user}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'" + ]; + repository = "rclone: "; # There is only one repository served + timerConfig = { + Requires = "network-online.target"; + OnCalendar = "daily"; + Persistent = true; + }; + }; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index 1c34530..d3b6e51 100644 --- a/secrets.nix +++ b/secrets.nix @@ -31,8 +31,15 @@ in { "./modules/by-name/ma/mastodon/mail.age".publicKeys = server3; "./modules/by-name/ma/matrix/passwd.age".publicKeys = server3; - "./system/secrets/backup/backuppass.age".publicKeys = server1; - "./system/secrets/backup/backupssh.age".publicKeys = server1; + "./hosts/by-name/server1/secrets/backuppass.age".publicKeys = server1; + "./hosts/by-name/server1/secrets/backupssh.age".publicKeys = server1; + + "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2; + "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2; + + "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3; + "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3; + "./system/secrets/invidious/hmac.age".publicKeys = server1; "./system/secrets/taskserver/ca.age".publicKeys = server1; "./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = server1; diff --git a/system/secrets/default.nix b/system/secrets/default.nix index ab89942..7100eff 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -7,18 +7,6 @@ owner = "root"; group = "root"; }; - resticpass = { - file = ./backup/backuppass.age; - mode = "0700"; - owner = "root"; - group = "root"; - }; - resticssh = { - file = ./backup/backupssh.age; - mode = "0700"; - owner = "root"; - group = "root"; - }; taskserverCaKey = { file = ./taskserver/ca.age; mode = "700"; 
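Review bot: The prepare command in the new module redirects the whole `pg_dumpall` output to `/srv/db_backup.sql` without setting a umask, so unless the unit inherits a restrictive one the dump (every database plus the role definitions, which carry password hashes unless `--no-role-passwords` is given) is created readable by other local users and is then frozen into the read-only snapshot at `/srv/snapshots/srv`; start the heredoc with `umask 077` or write it as `( umask 077; ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql )`. The `rclone.program` line passes only `-i`, so acceptance of the storage box's host key is presumably left to whatever known_hosts ends up in the persisted `/root/.ssh` on the first `initialize` run; pinning it with `programs.ssh.knownHosts` in this module would make that trust explicit and survive a wipe of the persisted directory. Both `age.secrets` entries use `mode = "0700"`, which sets the execute bit on plain key files; `"0400"` is enough for restic and ssh to read them. The `snapshots` binding is used for `paths` while the three `btrfs` lines hard-code `/srv/snapshots`; interpolating `${snapshots}` there keeps the two from drifting apart.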
diff --git a/system/services/default.nix b/system/services/default.nix index d78ee28..4d3700d 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -3,7 +3,6 @@ ./invidious ./mail ./minecraft - ./restic ./taskserver ]; } diff --git a/system/services/restic/default.nix b/system/services/restic/default.nix deleted file mode 100644 index cfeaca3..0000000 --- a/system/services/restic/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - config, - pkgs, - ... -}: { - services.restic.backups = let - snapshots = "/srv/snapshots"; - boxUser = "u384702-sub2"; - postgresUser = "postgres"; - in { - storagebox = { - initialize = true; - backupPrepareCommand = '' - ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql - - [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots; - [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv; - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv; - - # dump() { - # # compression: - # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz" - # pg_dump -v "$1" > "db_$1.tar.xz" - # } - # # List all databases, and dump each of them in its own file - # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done - ''; - paths = [ - snapshots - ]; - exclude = [ - ".snapshots" - "/var/lib/postgresql" # included in the db dump - ]; - extraBackupArgs = [ - "--verbose" # spam log - ]; - passwordFile = config.age.secrets.resticpass.path; - extraOptions = [ - "rclone.program='ssh -p 23 ${boxUser}@${boxUser}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'" - ]; - repository = "rclone: "; # There is only one repository served - timerConfig = { - Requires = "network-online.target"; - OnCalendar = "daily"; - Persistent = true; - }; - }; - }; -} |