-rw-r--r--hosts/by-name/server1/configuration.nix6
-rw-r--r--hosts/by-name/server1/secrets/backuppass.age (renamed from system/secrets/backup/backuppass.age)0
-rw-r--r--hosts/by-name/server1/secrets/backupssh.age (renamed from system/secrets/backup/backupssh.age)0
-rw-r--r--hosts/by-name/server2/configuration.nix6
-rw-r--r--hosts/by-name/server2/secrets/backuppass.age14
-rw-r--r--hosts/by-name/server2/secrets/backupssh.age22
-rw-r--r--hosts/by-name/server3/configuration.nix6
-rw-r--r--hosts/by-name/server3/secrets/backuppass.age13
-rw-r--r--hosts/by-name/server3/secrets/backupssh.age22
-rw-r--r--modules/by-name/ba/backup/module.nix91
-rw-r--r--secrets.nix11
-rw-r--r--system/secrets/default.nix12
-rw-r--r--system/services/default.nix1
-rw-r--r--system/services/restic/default.nix50
14 files changed, 189 insertions, 65 deletions
diff --git a/hosts/by-name/server1/configuration.nix b/hosts/by-name/server1/configuration.nix
index 95a0766..5b5ede6 100644
--- a/hosts/by-name/server1/configuration.nix
+++ b/hosts/by-name/server1/configuration.nix
@@ -7,6 +7,12 @@
];
vhack = {
+ backup = {
+ enable = true;
+ privateSshKey = ./secrets/backupssh.age;
+ privatePassword = ./secrets/backuppass.age;
+ user = "u384702-sub2";
+ };
etesync.enable = true;
nginx.enable = true;
openssh.enable = true;
diff --git a/system/secrets/backup/backuppass.age b/hosts/by-name/server1/secrets/backuppass.age
index 8ec40a9..8ec40a9 100644
--- a/system/secrets/backup/backuppass.age
+++ b/hosts/by-name/server1/secrets/backuppass.age
diff --git a/system/secrets/backup/backupssh.age b/hosts/by-name/server1/secrets/backupssh.age
index bd7cafa..bd7cafa 100644
--- a/system/secrets/backup/backupssh.age
+++ b/hosts/by-name/server1/secrets/backupssh.age
diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix
index b256c5f..70f663b 100644
--- a/hosts/by-name/server2/configuration.nix
+++ b/hosts/by-name/server2/configuration.nix
@@ -21,6 +21,12 @@
};
};
};
+ backup = {
+ enable = true;
+ privateSshKey = ./secrets/backupssh.age;
+ privatePassword = ./secrets/backuppass.age;
+ user = "u384702-sub3";
+ };
fail2ban.enable = true;
git-server = {
enable = true;
diff --git a/hosts/by-name/server2/secrets/backuppass.age b/hosts/by-name/server2/secrets/backuppass.age
new file mode 100644
index 0000000..5fd5568
--- /dev/null
+++ b/hosts/by-name/server2/secrets/backuppass.age
@@ -0,0 +1,14 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server2/secrets/backupssh.age b/hosts/by-name/server2/secrets/backupssh.age
new file mode 100644
index 0000000..c2d3abb
--- /dev/null
+++ b/hosts/by-name/server2/secrets/backupssh.age
@@ -0,0 +1,22 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix
index 13cd833..de4c1dd 100644
--- a/hosts/by-name/server3/configuration.nix
+++ b/hosts/by-name/server3/configuration.nix
@@ -5,6 +5,12 @@
];
vhack = {
+ backup = {
+ enable = true;
+ privateSshKey = ./secrets/backupssh.age;
+ privatePassword = ./secrets/backuppass.age;
+ user = "u384702-sub4";
+ };
fail2ban.enable = true;
mastodon = {
enable = true;
diff --git a/hosts/by-name/server3/secrets/backuppass.age b/hosts/by-name/server3/secrets/backuppass.age
new file mode 100644
index 0000000..e7eea19
--- /dev/null
+++ b/hosts/by-name/server3/secrets/backuppass.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/hosts/by-name/server3/secrets/backupssh.age b/hosts/by-name/server3/secrets/backupssh.age
new file mode 100644
index 0000000..ae8c5ec
--- /dev/null
+++ b/hosts/by-name/server3/secrets/backupssh.age
@@ -0,0 +1,22 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNjNnRUMzK1FWWFNEQUtC
+ZjF0dFVVTllrYW0ySEt3eHNyL1RhbkZDeWowCnBldm9oSHhuUm1EM3JXbnRZc3JB
+WGVNZGdSNm45L3JEenNlcEZqSXdaS0EKLT4gWDI1NTE5IGpZaTA3RUNGbXF4a1Ji
+MWJwRkZkM3dqaldMN2d5Wm9mbmxoQmhKeldNeUEKZ0dQZlU1MVhTLzlGMVNSZEhG
+MEo2cGxZUXhnbEF2OXFiWjk4bmZIaVdSNAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg
+UEg4a05hMGQxUmZPMExzOXZtTVMySWdibHdudDFSWkFuUXlveFFOQnl3Zwp0QkZY
+QStEeCtKMXZFd3hmVkd3NXZuK0hKdWxSMzBoMjhuV2thd0dxR0IwCi0+IGtfJFgt
+Z3JlYXNlIFJgYHggfTh8QEogJDx+J2tcCjhja3owNWtBVmhSeFIyK0xIcWplMG1m
+RiszK05oZktPTVlpSXFRTFVTaWVBeEFCdTZuRWMvdHJFYU10NlNpVGYKYnhkOEor
+c1c2ZwotLS0gMmR1djFRTGJ2Qy9hODdGa1RFSVRxQk4rTFB6WW1YZnN2bFhrRDF3
+ZENqNAoTSBXv8NPsyt2RH+qJcbsMMhJ0qqCmyeUWF3Uicv6fiN99TB7xjD6lRXdB
+utfLiuBr0gt73QEb44AQFAGzG3Jig9Ql/UFubeKaMRVBscQ4FJXYnHlEK8aB7sVs
+k6VgI/Uvs6YH3YDlATfCaD8d/ASG30whH1TcgH6KF3GPX112uUqkIscGifFz4wxu
+Fa8Av9XmkBdIQAPS3ze10O866m5Fv4vWeJZ1KEhzV+0nSrBZKPS9a2JqI1c63kz8
+2txZHm26gS4duDqncwnL41jmZ5GX7+TWTj3adIBQrXVSlUPb9h4t5NX2IMS1Fuj8
+UuvKDZplTGEmIJZGoF79VOqOhoCUg9+lqEd53BaAKlLSuHrUeZ1v0IhhquMiOMSt
+TrtuhEvdhiH92eWOBNkDNeoEzxU1wCLc1YOk7QCAQEOy0HM5oMntlbMDc+4QmZXz
+1QYQKEEMVAi4B53Mm4OFwHTi6GMqDT2r6PsP86uzCB1F8V7q2LDmPnD1rGTQ46al
+N8XFq/3uEqd/yNaZU6kffpdK25ibytmvLhjWQ+0LNrUtfftqeTZzaxApQc6bGW5K
+KbBnN1A=
+-----END AGE ENCRYPTED FILE-----
diff --git a/modules/by-name/ba/backup/module.nix b/modules/by-name/ba/backup/module.nix
new file mode 100644
index 0000000..856a1c3
--- /dev/null
+++ b/modules/by-name/ba/backup/module.nix
@@ -0,0 +1,91 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.backup;
+ snapshots = "/srv/snapshots";
+ postgresUser = "postgres";
+in {
+ options.vhack.backup = {
+ enable = lib.mkEnableOption "backups with restic";
+ user = lib.mkOption {
+ type = lib.types.str;
+ description = "The storagebox-user to use";
+ example = "u384702-sub2";
+ };
+ privateSshKey = lib.mkOption {
+ type = lib.types.path;
+ description = "The age-encrypted ssh-key, passed to agenix";
+ };
+ privatePassword = lib.mkOption {
+ type = lib.types.path;
+ description = "The age-encrypted restic password, passed to agenix";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/root/.ssh";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
+ age.secrets = {
+ resticpass = {
+ file = cfg.privatePassword;
+ mode = "0700";
+ owner = "root";
+ group = "root";
+ };
+ resticssh = {
+ file = cfg.privateSshKey;
+ mode = "0700";
+ owner = "root";
+ group = "root";
+ };
+ };
+ services.restic.backups = {
+ storagebox = {
+ initialize = true;
+ backupPrepareCommand = ''
+ ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql
+
+ [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots;
+ [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv;
+ ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv;
+
+ # dump() {
+ # # compression:
+ # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz"
+ # pg_dump -v "$1" > "db_$1.tar.xz"
+ # }
+ # # List all databases, and dump each of them in its own file
+ # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done
+ '';
+ paths = [
+ snapshots
+ ];
+ exclude = [
+ ".snapshots"
+ "/var/lib/postgresql" # included in the db dump
+ ];
+ extraBackupArgs = [
+ "--verbose" # spam log
+ ];
+ passwordFile = config.age.secrets.resticpass.path;
+ extraOptions = [
+ "rclone.program='ssh -p 23 ${cfg.user}@${cfg.user}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'"
+ ];
+ repository = "rclone: "; # There is only one repository served
+ timerConfig = {
+ Requires = "network-online.target";
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ };
+ };
+ };
+}
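Review bot: The `pg_dumpall ... > /srv/db_backup.sql` redirect in `backupPrepareCommand` creates the full cluster dump under the service's default umask, so the file is likely world-readable to every local user and is then captured into the read-only snapshot with those permissions; prefix the script with `umask 077` (or `install -m 0600 /dev/null /srv/db_backup.sql` before the redirect) so the dump is root-only. Nothing in the prepare command checks exit statuses, so a failed or truncated dump, or a failed `btrfs subvolume snapshot`, still lets the backup proceed and replace the previous good state; unless the restic module wraps this script in `set -e` (not visible here), start it with `set -euo pipefail`. The `rclone.program` ssh invocation appears to rely on the persisted `/root/.ssh` for host-key trust, which presumably means a one-time manual accept of the storagebox key; declaring it via `programs.ssh.knownHosts` would make that trust anchor declarative and fail-closed on a freshly provisioned host. The `mode = "0700"` on both age secrets sets an execute bit on plain data files; `"0400"` is the least-privilege choice.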
diff --git a/secrets.nix b/secrets.nix
index 1c34530..d3b6e51 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -31,8 +31,15 @@ in {
"./modules/by-name/ma/mastodon/mail.age".publicKeys = server3;
"./modules/by-name/ma/matrix/passwd.age".publicKeys = server3;
- "./system/secrets/backup/backuppass.age".publicKeys = server1;
- "./system/secrets/backup/backupssh.age".publicKeys = server1;
+ "./hosts/by-name/server1/secrets/backuppass.age".publicKeys = server1;
+ "./hosts/by-name/server1/secrets/backupssh.age".publicKeys = server1;
+
+ "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2;
+ "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2;
+
+ "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3;
+ "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3;
+
"./system/secrets/invidious/hmac.age".publicKeys = server1;
"./system/secrets/taskserver/ca.age".publicKeys = server1;
"./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = server1;
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index ab89942..7100eff 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -7,18 +7,6 @@
owner = "root";
group = "root";
};
- resticpass = {
- file = ./backup/backuppass.age;
- mode = "0700";
- owner = "root";
- group = "root";
- };
- resticssh = {
- file = ./backup/backupssh.age;
- mode = "0700";
- owner = "root";
- group = "root";
- };
taskserverCaKey = {
file = ./taskserver/ca.age;
mode = "700";
diff --git a/system/services/default.nix b/system/services/default.nix
index d78ee28..4d3700d 100644
--- a/system/services/default.nix
+++ b/system/services/default.nix
@@ -3,7 +3,6 @@
./invidious
./mail
./minecraft
- ./restic
./taskserver
];
}
diff --git a/system/services/restic/default.nix b/system/services/restic/default.nix
deleted file mode 100644
index cfeaca3..0000000
--- a/system/services/restic/default.nix
+++ /dev/null
@@ -1,50 +0,0 @@
-{
- config,
- pkgs,
- ...
-}: {
- services.restic.backups = let
- snapshots = "/srv/snapshots";
- boxUser = "u384702-sub2";
- postgresUser = "postgres";
- in {
- storagebox = {
- initialize = true;
- backupPrepareCommand = ''
- ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql
-
- [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots;
- [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv;
- ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv;
-
- # dump() {
- # # compression:
- # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz"
- # pg_dump -v "$1" > "db_$1.tar.xz"
- # }
- # # List all databases, and dump each of them in its own file
- # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done
- '';
- paths = [
- snapshots
- ];
- exclude = [
- ".snapshots"
- "/var/lib/postgresql" # included in the db dump
- ];
- extraBackupArgs = [
- "--verbose" # spam log
- ];
- passwordFile = config.age.secrets.resticpass.path;
- extraOptions = [
- "rclone.program='ssh -p 23 ${boxUser}@${boxUser}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'"
- ];
- repository = "rclone: "; # There is only one repository served
- timerConfig = {
- Requires = "network-online.target";
- OnCalendar = "daily";
- Persistent = true;
- };
- };
- };
-}