From 1b04a415e98b72841e6b9dba0b0c030428ba0434 Mon Sep 17 00:00:00 2001 From: Silas Schöffel Date: Tue, 21 Jan 2025 21:21:14 +0100 Subject: feat(modules/backup): init --- hosts/by-name/server1/configuration.nix | 6 ++ hosts/by-name/server1/secrets/backuppass.age | 14 +++++ hosts/by-name/server1/secrets/backupssh.age | 23 +++++++ hosts/by-name/server2/configuration.nix | 6 ++ hosts/by-name/server2/secrets/backuppass.age | 14 +++++ hosts/by-name/server2/secrets/backupssh.age | 22 +++++++ hosts/by-name/server3/configuration.nix | 6 ++ hosts/by-name/server3/secrets/backuppass.age | 13 ++++ hosts/by-name/server3/secrets/backupssh.age | 22 +++++++ modules/by-name/ba/backup/module.nix | 91 ++++++++++++++++++++++++++++ secrets.nix | 11 +++- system/secrets/backup/backuppass.age | 14 ----- system/secrets/backup/backupssh.age | 23 ------- system/secrets/default.nix | 12 ---- system/services/default.nix | 1 - system/services/restic/default.nix | 50 --------------- 16 files changed, 226 insertions(+), 102 deletions(-) create mode 100644 hosts/by-name/server1/secrets/backuppass.age create mode 100644 hosts/by-name/server1/secrets/backupssh.age create mode 100644 hosts/by-name/server2/secrets/backuppass.age create mode 100644 hosts/by-name/server2/secrets/backupssh.age create mode 100644 hosts/by-name/server3/secrets/backuppass.age create mode 100644 hosts/by-name/server3/secrets/backupssh.age create mode 100644 modules/by-name/ba/backup/module.nix delete mode 100644 system/secrets/backup/backuppass.age delete mode 100644 system/secrets/backup/backupssh.age delete mode 100644 system/services/restic/default.nix diff --git a/hosts/by-name/server1/configuration.nix b/hosts/by-name/server1/configuration.nix index 95a0766..5b5ede6 100644 --- a/hosts/by-name/server1/configuration.nix +++ b/hosts/by-name/server1/configuration.nix 
@@ -7,6 +7,12 @@ ]; vhack = { + backup = { + enable = true; + privateSshKey = ./secrets/backupssh.age; + privatePassword = ./secrets/backuppass.age; + user = "u384702-sub2"; + }; etesync.enable = true; nginx.enable = true; openssh.enable = true; diff --git a/hosts/by-name/server1/secrets/backuppass.age b/hosts/by-name/server1/secrets/backuppass.age new file mode 100644 index 0000000..8ec40a9 --- /dev/null +++ b/hosts/by-name/server1/secrets/backuppass.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNDcxbkFiWndxZGdwR2lB +N2lxQjdxZS9FTTl1UDdTbGMyaEtaZ29aM1NVClE0L1dDdllIQUx3MXlJUEJya3N1 +Y1ovWVh4YjNUUXluKzAzd1VKZWFkUHMKLT4gWDI1NTE5IC9YR3JnQVQxYWhSVVdy +c3p2OExkb0xnbStKUHFRZkE0QTBpTStaYjBBak0KRnQ3enZLaXRNbVdtNXBveTN1 +U1FmZDBXZXJpZlorQVd5eXFSTVYxMHZaWQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +empPMTdrZWZGclAzdnBBbUFjZVB6YTl1VnMxY0dIenhjRGtnSUVjTktIcwpsRFFv +TURIVkswM1EreVgvWWZiSEU0aDBGYWZlZFk2dnZnNExLY3NBbVJvCi0+IGhJY2xX +anwtZ3JlYXNlIEw4S0Q2bHVyIFg1dSAjNnRcdWwKaU53OENqWUVJMWgrZURNbzQ5 +VjZzb1hNbndVCi0tLSBCNktxeXFiVzVlNjdQeXdNZnJtQ0NlVzZuWVpaMExZUVEv +RzdtaU1URzBJCoHd8ODHla1b7opUSmrEAm9S7Ul3QD0iLIyTpKn/PnB5vQ4oVd4H +kgB9FFvfYUpRSVebVyOh/Ocqq0Lalc6Gjc1+/tTbkcJLrhyO6G8x/519Sm0o7qXE +5/jXBpzFoFrsR68= +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server1/secrets/backupssh.age b/hosts/by-name/server1/secrets/backupssh.age new file mode 100644 index 0000000..bd7cafa --- /dev/null +++ b/hosts/by-name/server1/secrets/backupssh.age 
@@ -0,0 +1,23 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VkhnUmpGU3hycEExSWxz +ZVAzM3B5M2pFbFFUMXVGWnRaa3Y1a2VtSDM4ClVncXlpUnNUc1JiM01YcmU4dnNQ +WGZXSFBUQ3FIN0U2K2lBZjVHOFlidXMKLT4gWDI1NTE5IFV4VUczSXJ5TVNEdHdN +VVVJYVgzMTN3Rm5IeXRoekt0dEx5eUVlUGFGVzQKZUJGcU9yWUIzaGVCMDE4bW5m +dGhXM1VDL1c1U0N0NDJEK1J5ODdsNTdqcwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg +TDVjckpka2w2TFRFSXdNbTlOeDBYcFlvajBpMlp0eGJTOUdldlRTck9HRQovdGhY +TkxMZlhEZjVLZ0pPa29Zc09DcjY5YzArYnV4YklQU3Q2U0ZpenhJCi0+IH5SQFt+ +RGlILWdyZWFzZSB2MDBhTnw1OiBmIEhaQiBHZUVaKHErClMwOWlZVGhJcG1LOERw +dTVyOXhVVG5YSGNsd2xYR2lyMkh6cEtHbmYreWIwMU13OFJSYW1xTUVWZm5ySTRy +TzYKKzFwY1RpelpudDFZUzBpKzlMWEV6MnhhUDFpaTRMbVhKQkcrYVFlYnQxSFBj +bnhubmdyYzBiWVBOZwotLS0gV2xIaVhsSVBmU2xINDFXMFlyckJ3WjMxdzluSmFT +bUp2TnFnUHdQUmcxbwpOQ5eYFn1lvDjatNZLdErDyyi+b1xLzhkErEaqDxuY++9b +owQ0rdzFRCokI34Vsa4OOrHOhDUyp7n0EmfXGTrkroTF3hyzpr+2M4jnwVFC7uLU +BbU+ZvekUjekXYBy7WXSt30E9RiUJbiHF5FtOboS2A7j+BXbVaHWPEJgnHDbqVy/ +ejESfOaCkg6avXx32rTkV8FfqQmLSxOpwPnsKgiPeZlE6gXViZ0pLm4pwLr5w75s +ln1ksjjfqQ/wBZn+/tTPEpbwAulEe2qEutCL5NbUih8knx1Wvvm/oFtYvjjaA2ZQ +VizCl+v9cRNfkYfczKSTIrGHRuToADqxzxbA88oZFGHu7td6NCVdWIxenA8yaaT+ +csUCfCVUOd6EoKmEKhTqy0EPfDq807c/+lK4il7DbB2geXs/GiMc0he8KGWuruHU +U2wbOaMYdN9Uez1tlBWJhKrnwOPw3Jad615B/MRt9/rDOAaBVI5ttxpNkLcrx22k +rpLItm23yg35+4e+a9Vl03L7kTOqIurS4JRsMyJpRvrRPJMa5cEVMZ4ZzLe3HrGQ +WrH6OXPGKbq4ZB+1mSE= +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server2/configuration.nix b/hosts/by-name/server2/configuration.nix index b256c5f..70f663b 100644 --- a/hosts/by-name/server2/configuration.nix +++ b/hosts/by-name/server2/configuration.nix @@ -21,6 +21,12 @@ }; }; }; + backup = { + enable = true; + privateSshKey = ./secrets/backupssh.age; + privatePassword = ./secrets/backuppass.age; + user = "u384702-sub3"; + }; fail2ban.enable = true; git-server = { enable = true; 
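Review bot: Enabling `vhack.backup` in the server2 configuration also turns on the module's `backupPrepareCommand`, which unconditionally runs `pg_dumpall` as `postgres` and takes a btrfs snapshot of `/srv`. Nothing visible in this hunk shows that server2 runs PostgreSQL or keeps `/srv` on btrfs. If either is missing, the prepare step would presumably fail and the daily backup would not run, which is easy to miss until a restore is needed. Consider guarding the dump in the module with `lib.optionalString config.services.postgresql.enable` and calling the binary from `config.services.postgresql.package` instead of `pkgs.postgresql`, so the client matches the running server. The same applies to the server3 hunk, and the `vhack` attribute set continues outside this hunk.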
diff --git a/hosts/by-name/server2/secrets/backuppass.age b/hosts/by-name/server2/secrets/backuppass.age new file mode 100644 index 0000000..5fd5568 --- /dev/null +++ b/hosts/by-name/server2/secrets/backuppass.age @@ -0,0 +1,14 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2R1JQczJDblhnWmZQMkJU +SVNwS2RNSkMwNHVGdHg4U1dsdXdXUTVOanlVCjNPQWxST2pnYXdIVjl1TExQNzlt +V0QwTzdWcTNJM0lJNW1OaExHcjlhWU0KLT4gWDI1NTE5IG10Y01KcDJWUUV5SVo2 +RmlMbHNWcS82enAvckZSWUVQbFdyMTdtY2NqR1kKbmVtSzRGYVdiTWdyMTA0SWQy +M1FYWTZidWI5UGIvVmxYbUphQkhJWUt4SQotPiBzc2gtZWQyNTUxOSBYUG94RFEg +WTd4ekxiWUR0WVoybU5VVy9TenpldDRMSTduQm5idzJZSWVCMHRlZmVEbwpqamps +Q2tuUHc0bU1kcHIvZ3FQalVMMWZ6aThsRDRNOHpUOTVGbkZ6TnR3Ci0+IDttZ2VJ +RzMtZ3JlYXNlIDFXIEpeIicqID1JLSFZaDcgd0ZzOjUKc3dCbDdjNmEzRUtjc0VN +SHM2MU4zVkFhQWdHd0JxVnpFVDN0UHpQYVE0d2s0QmQwbzRZZHpzanQzYnZRCi0t +LSBpR0E0V3FiV2pjVWt2OFY5UE1BQlpteXZWekZNK1lHSFV4TzFQVVV0em9RChir ++4/eHcBC2sNJgSssV4Zh/7p2GZrN7fyuxc29lhhGAQsRZ+VE9xSy08q2vIPRlqjf +nG72bAKGPiviFpH+uCWWllwoERST1QkkcqpyPjXzVpHrElSXHeE= +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server2/secrets/backupssh.age b/hosts/by-name/server2/secrets/backupssh.age new file mode 100644 index 0000000..c2d3abb --- /dev/null +++ b/hosts/by-name/server2/secrets/backupssh.age 
@@ -0,0 +1,22 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjclNCOGsxNUNEWEJDSGpQ +MW8vc2FnakpTczhVbEFFenk5V2tSZm5IdGpvCkVzejlwT2svT2pLRExDbTdXajEy +elp5QTBTRGErL3NkRmJIU2lVNTI5V00KLT4gWDI1NTE5IFRjamhzdlhDUVl2RkhY +ZUhwTmg2V2NCeHFUb2hWdFMxL0czUWZteE5tSFkKaWNFa2NhdzQrZUNWMVFKRzNP +QVJzdEJZRXZlRUFQMTBscGZRNC83Rk55RQotPiBzc2gtZWQyNTUxOSBYUG94RFEg +R1JVdEU0SGJNak16ZmRaNzdlaTd5ZUdjUjYzZ3ljQ3J2cGkxUDV3TE93bwpQbDlE +SUFBblNvUmR4N09MUHFuamtiUVh0M244SGluZmFzenc0OS9uakNZCi0+IEwtZ3Jl +YXNlICp6IDp6OEJTIW43IHNaUih6YApuUmRZeWZwdFRCOTFTSXlMVkZxYW52azd4 +ZisrSmR6SEhJTWlGNWxtVzJBRWdmMnBhWVRuc1J0QUgxZ0lKZ0dLCm1KdklXL2xn +M3Y0NUVmeDhLWHRHWlhSbzhmNGNUU3R0OFdBCi0tLSB3UHphWkpuU1RENU16Nkln +V2k5TjRhejdCd2VCMXBaU0JSaEtuTmdvWTBnCpLTtP020Vy7Rldly79rARfETmam +kbRUCWiyHeKnFUWeraVr1R/l4Rt5QJh9Y6hxEBudymbyOy0VMZiQPZv7jq/pmDiB +ULnSnfRVZM7gmU09loxf9S4LatDT/Rjf/B8uMef7Ru89DH0fnewmSGcn0KkQMUNg ++ZNtg1Qti3R1baF7ZyXZfi1UY2oIbVe1T4iZQm7n0RdP/+taCm4EfNmX3QQely/R +CTRWl3An28JTWUePAO5qJWlvisRjNWFlsFGA+UZSRQVfWmiSnMlZ1PNbnNAo9+K4 +lIn2LNLZAOh0Cp+Rl38pusLlVLefyXhomdrp6vfE6mxBTk3scVfipDrChyt8jvbM +2CxUA2zhZ63kNDsQmrEbH375XKzOy2vIPMTzohQx3uN0fFBIQW9pPJcNCN7jJOQU +8CCL0R56Q5nQbNI+oz4oBuolhszkYPaiIzBlcHjjJUjxnUa5RX0SXTI7gCkqlIqZ +niS9z1Vql3QUTdPEyrhfzwOqDcGWr6B/edNHE6D5ILUm5mis/mJgRcEiF0Y/BlZi +mHPTGVdzkhtIIGEqiSlWMvB6zoL4uTru+yiB +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server3/configuration.nix b/hosts/by-name/server3/configuration.nix index 13cd833..de4c1dd 100644 --- a/hosts/by-name/server3/configuration.nix +++ b/hosts/by-name/server3/configuration.nix @@ -5,6 +5,12 @@ ]; vhack = { + backup = { + enable = true; + privateSshKey = ./secrets/backupssh.age; + privatePassword = ./secrets/backuppass.age; + user = "u384702-sub4"; + }; fail2ban.enable = true; mastodon = { enable = true; diff --git a/hosts/by-name/server3/secrets/backuppass.age b/hosts/by-name/server3/secrets/backuppass.age new file mode 100644 index 0000000..e7eea19 --- /dev/null 
+++ b/hosts/by-name/server3/secrets/backuppass.age @@ -0,0 +1,13 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6cUM5S1FKZis0R0o2czRs +cnVCQXlqdXNDWjMvSVlwUEF5S1pTKzNNR2w0ClgycUdEc1EyMjhJZ2lBMjhXVk5n +V3djaVduV3Q4RWw1KzJNQXNYdmhjR1UKLT4gWDI1NTE5IG44TU9lcGc2NkRmczVS +R1hkd0xyVUZwYWVRM05PZzhCK3BkMGFkUDJobXcKejhGMHpQWG4zdnU3WmFBNkhG +Wk5kZy9UWThQcUdRLzBNbEE1c3VrTXdURQotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +RkMwdENYRUFSRHoxTDRHK2xsQndTekJSZ3NmWnlMMW11TjkxTWpMQnJTTQpOSVF5 +RzQ0aXpIeUkyeWJPdlFoWHJPSy9lU2tVUFNOQUVPNXRrZUE4SnN3Ci0+IEEjQUVl +XGxgLWdyZWFzZSA9WVwxaU4hTgpkbTIyMDBuSWhsSEJueGMKLS0tIEh3ZEhoN0FI +NnlUa2ZHdVFmWkVQY3h2ejM4ZkUzcEc1MEcydlRzdVA5UGcKhFaeVepKkQHcbhHS +uxZnlCZoJHEFhc4vCK0w588WJIfkilDk7b5uH/Cn8kWFWLsX0FFe/kk350gEVVm7 +UUndM/+sAEoVzQR8HO1XWGZDd1T70myysBsutA== +-----END AGE ENCRYPTED FILE----- diff --git a/hosts/by-name/server3/secrets/backupssh.age b/hosts/by-name/server3/secrets/backupssh.age new file mode 100644 index 0000000..ae8c5ec --- /dev/null +++ b/hosts/by-name/server3/secrets/backupssh.age 
@@ -0,0 +1,22 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTNjNnRUMzK1FWWFNEQUtC +ZjF0dFVVTllrYW0ySEt3eHNyL1RhbkZDeWowCnBldm9oSHhuUm1EM3JXbnRZc3JB +WGVNZGdSNm45L3JEenNlcEZqSXdaS0EKLT4gWDI1NTE5IGpZaTA3RUNGbXF4a1Ji +MWJwRkZkM3dqaldMN2d5Wm9mbmxoQmhKeldNeUEKZ0dQZlU1MVhTLzlGMVNSZEhG +MEo2cGxZUXhnbEF2OXFiWjk4bmZIaVdSNAotPiBzc2gtZWQyNTUxOSBweXU5Ymcg +UEg4a05hMGQxUmZPMExzOXZtTVMySWdibHdudDFSWkFuUXlveFFOQnl3Zwp0QkZY +QStEeCtKMXZFd3hmVkd3NXZuK0hKdWxSMzBoMjhuV2thd0dxR0IwCi0+IGtfJFgt +Z3JlYXNlIFJgYHggfTh8QEogJDx+J2tcCjhja3owNWtBVmhSeFIyK0xIcWplMG1m +RiszK05oZktPTVlpSXFRTFVTaWVBeEFCdTZuRWMvdHJFYU10NlNpVGYKYnhkOEor +c1c2ZwotLS0gMmR1djFRTGJ2Qy9hODdGa1RFSVRxQk4rTFB6WW1YZnN2bFhrRDF3 +ZENqNAoTSBXv8NPsyt2RH+qJcbsMMhJ0qqCmyeUWF3Uicv6fiN99TB7xjD6lRXdB +utfLiuBr0gt73QEb44AQFAGzG3Jig9Ql/UFubeKaMRVBscQ4FJXYnHlEK8aB7sVs +k6VgI/Uvs6YH3YDlATfCaD8d/ASG30whH1TcgH6KF3GPX112uUqkIscGifFz4wxu +Fa8Av9XmkBdIQAPS3ze10O866m5Fv4vWeJZ1KEhzV+0nSrBZKPS9a2JqI1c63kz8 +2txZHm26gS4duDqncwnL41jmZ5GX7+TWTj3adIBQrXVSlUPb9h4t5NX2IMS1Fuj8 +UuvKDZplTGEmIJZGoF79VOqOhoCUg9+lqEd53BaAKlLSuHrUeZ1v0IhhquMiOMSt +TrtuhEvdhiH92eWOBNkDNeoEzxU1wCLc1YOk7QCAQEOy0HM5oMntlbMDc+4QmZXz +1QYQKEEMVAi4B53Mm4OFwHTi6GMqDT2r6PsP86uzCB1F8V7q2LDmPnD1rGTQ46al +N8XFq/3uEqd/yNaZU6kffpdK25ibytmvLhjWQ+0LNrUtfftqeTZzaxApQc6bGW5K +KbBnN1A= +-----END AGE ENCRYPTED FILE----- diff --git a/modules/by-name/ba/backup/module.nix b/modules/by-name/ba/backup/module.nix new file mode 100644 index 0000000..856a1c3 --- /dev/null +++ b/modules/by-name/ba/backup/module.nix 
@@ -0,0 +1,91 @@ +{ + config, + pkgs, + lib, + ... +}: let + cfg = config.vhack.backup; + snapshots = "/srv/snapshots"; + postgresUser = "postgres"; +in { + options.vhack.backup = { + enable = lib.mkEnableOption "backups with restic"; + user = lib.mkOption { + type = lib.types.str; + description = "The storagebox-user to use"; + example = "u384702-sub2"; + }; + privateSshKey = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted ssh-key, passed to agenix"; + }; + privatePassword = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted restic password, passed to agenix"; + }; + }; + config = lib.mkIf cfg.enable { + vhack.persist.directories = [ + { + directory = "/root/.ssh"; + user = "root"; + group = "root"; + mode = "0700"; + } + ]; + age.secrets = { + resticpass = { + file = cfg.privatePassword; + mode = "0700"; + owner = "root"; + group = "root"; + }; + resticssh = { + file = cfg.privateSshKey; + mode = "0700"; + owner = "root"; + group = "root"; + }; + }; + services.restic.backups = { + storagebox = { + initialize = true; + backupPrepareCommand = '' + ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql + + [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots; + [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv; + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv; + + # dump() { + # # compression: + # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz" + # pg_dump -v "$1" > "db_$1.tar.xz" + # } + # # List all databases, and dump each of them in its own file + # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done + ''; + paths = [ + snapshots + ]; + exclude = [ + ".snapshots" + 
"/var/lib/postgresql" # included in the db dump + ]; + extraBackupArgs = [ + "--verbose" # spam log + ]; + passwordFile = config.age.secrets.resticpass.path; + extraOptions = [ + "rclone.program='ssh -p 23 ${cfg.user}@${cfg.user}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'" + ]; + repository = "rclone: "; # There is only one repository served + timerConfig = { + Requires = "network-online.target"; + OnCalendar = "daily"; + Persistent = true; + }; + }; + }; + }; +} diff --git a/secrets.nix b/secrets.nix index 1c34530..d3b6e51 100644 --- a/secrets.nix +++ b/secrets.nix @@ -31,8 +31,15 @@ in { "./modules/by-name/ma/mastodon/mail.age".publicKeys = server3; "./modules/by-name/ma/matrix/passwd.age".publicKeys = server3; - "./system/secrets/backup/backuppass.age".publicKeys = server1; - "./system/secrets/backup/backupssh.age".publicKeys = server1; + "./hosts/by-name/server1/secrets/backuppass.age".publicKeys = server1; + "./hosts/by-name/server1/secrets/backupssh.age".publicKeys = server1; + + "./hosts/by-name/server2/secrets/backuppass.age".publicKeys = server2; + "./hosts/by-name/server2/secrets/backupssh.age".publicKeys = server2; + + "./hosts/by-name/server3/secrets/backuppass.age".publicKeys = server3; + "./hosts/by-name/server3/secrets/backupssh.age".publicKeys = server3; + "./system/secrets/invidious/hmac.age".publicKeys = server1; "./system/secrets/taskserver/ca.age".publicKeys = server1; "./system/secrets/taskserver/systemd_tmpfiles.age".publicKeys = server1; diff --git a/system/secrets/backup/backuppass.age b/system/secrets/backup/backuppass.age deleted file mode 100644 index 8ec40a9..0000000 --- a/system/secrets/backup/backuppass.age +++ /dev/null 
@@ -1,14 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNDcxbkFiWndxZGdwR2lB -N2lxQjdxZS9FTTl1UDdTbGMyaEtaZ29aM1NVClE0L1dDdllIQUx3MXlJUEJya3N1 -Y1ovWVh4YjNUUXluKzAzd1VKZWFkUHMKLT4gWDI1NTE5IC9YR3JnQVQxYWhSVVdy -c3p2OExkb0xnbStKUHFRZkE0QTBpTStaYjBBak0KRnQ3enZLaXRNbVdtNXBveTN1 -U1FmZDBXZXJpZlorQVd5eXFSTVYxMHZaWQotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -empPMTdrZWZGclAzdnBBbUFjZVB6YTl1VnMxY0dIenhjRGtnSUVjTktIcwpsRFFv -TURIVkswM1EreVgvWWZiSEU0aDBGYWZlZFk2dnZnNExLY3NBbVJvCi0+IGhJY2xX -anwtZ3JlYXNlIEw4S0Q2bHVyIFg1dSAjNnRcdWwKaU53OENqWUVJMWgrZURNbzQ5 -VjZzb1hNbndVCi0tLSBCNktxeXFiVzVlNjdQeXdNZnJtQ0NlVzZuWVpaMExZUVEv -RzdtaU1URzBJCoHd8ODHla1b7opUSmrEAm9S7Ul3QD0iLIyTpKn/PnB5vQ4oVd4H -kgB9FFvfYUpRSVebVyOh/Ocqq0Lalc6Gjc1+/tTbkcJLrhyO6G8x/519Sm0o7qXE -5/jXBpzFoFrsR68= ------END AGE ENCRYPTED FILE----- diff --git a/system/secrets/backup/backupssh.age b/system/secrets/backup/backupssh.age deleted file mode 100644 index bd7cafa..0000000 --- a/system/secrets/backup/backupssh.age +++ /dev/null 
@@ -1,23 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0VkhnUmpGU3hycEExSWxz -ZVAzM3B5M2pFbFFUMXVGWnRaa3Y1a2VtSDM4ClVncXlpUnNUc1JiM01YcmU4dnNQ -WGZXSFBUQ3FIN0U2K2lBZjVHOFlidXMKLT4gWDI1NTE5IFV4VUczSXJ5TVNEdHdN -VVVJYVgzMTN3Rm5IeXRoekt0dEx5eUVlUGFGVzQKZUJGcU9yWUIzaGVCMDE4bW5m -dGhXM1VDL1c1U0N0NDJEK1J5ODdsNTdqcwotPiBzc2gtZWQyNTUxOSBPRDhUNGcg -TDVjckpka2w2TFRFSXdNbTlOeDBYcFlvajBpMlp0eGJTOUdldlRTck9HRQovdGhY -TkxMZlhEZjVLZ0pPa29Zc09DcjY5YzArYnV4YklQU3Q2U0ZpenhJCi0+IH5SQFt+ -RGlILWdyZWFzZSB2MDBhTnw1OiBmIEhaQiBHZUVaKHErClMwOWlZVGhJcG1LOERw -dTVyOXhVVG5YSGNsd2xYR2lyMkh6cEtHbmYreWIwMU13OFJSYW1xTUVWZm5ySTRy -TzYKKzFwY1RpelpudDFZUzBpKzlMWEV6MnhhUDFpaTRMbVhKQkcrYVFlYnQxSFBj -bnhubmdyYzBiWVBOZwotLS0gV2xIaVhsSVBmU2xINDFXMFlyckJ3WjMxdzluSmFT -bUp2TnFnUHdQUmcxbwpOQ5eYFn1lvDjatNZLdErDyyi+b1xLzhkErEaqDxuY++9b -owQ0rdzFRCokI34Vsa4OOrHOhDUyp7n0EmfXGTrkroTF3hyzpr+2M4jnwVFC7uLU -BbU+ZvekUjekXYBy7WXSt30E9RiUJbiHF5FtOboS2A7j+BXbVaHWPEJgnHDbqVy/ -ejESfOaCkg6avXx32rTkV8FfqQmLSxOpwPnsKgiPeZlE6gXViZ0pLm4pwLr5w75s -ln1ksjjfqQ/wBZn+/tTPEpbwAulEe2qEutCL5NbUih8knx1Wvvm/oFtYvjjaA2ZQ -VizCl+v9cRNfkYfczKSTIrGHRuToADqxzxbA88oZFGHu7td6NCVdWIxenA8yaaT+ -csUCfCVUOd6EoKmEKhTqy0EPfDq807c/+lK4il7DbB2geXs/GiMc0he8KGWuruHU -U2wbOaMYdN9Uez1tlBWJhKrnwOPw3Jad615B/MRt9/rDOAaBVI5ttxpNkLcrx22k -rpLItm23yg35+4e+a9Vl03L7kTOqIurS4JRsMyJpRvrRPJMa5cEVMZ4ZzLe3HrGQ -WrH6OXPGKbq4ZB+1mSE= ------END AGE ENCRYPTED FILE----- diff --git a/system/secrets/default.nix b/system/secrets/default.nix index ab89942..7100eff 100644 --- a/system/secrets/default.nix +++ b/system/secrets/default.nix @@ -7,18 +7,6 @@ owner = "root"; group = "root"; }; - resticpass = { - file = ./backup/backuppass.age; - mode = "0700"; - owner = "root"; - group = "root"; - }; - resticssh = { - file = ./backup/backupssh.age; - mode = "0700"; - owner = "root"; - group = "root"; - }; taskserverCaKey = { file = ./taskserver/ca.age; mode = "700"; 
diff --git a/system/services/default.nix b/system/services/default.nix index d78ee28..4d3700d 100644 --- a/system/services/default.nix +++ b/system/services/default.nix @@ -3,7 +3,6 @@ ./invidious ./mail ./minecraft - ./restic ./taskserver ]; } diff --git a/system/services/restic/default.nix b/system/services/restic/default.nix deleted file mode 100644 index cfeaca3..0000000 --- a/system/services/restic/default.nix +++ /dev/null 
@@ -1,50 +0,0 @@ -{ - config, - pkgs, - ... -}: { - services.restic.backups = let - snapshots = "/srv/snapshots"; - boxUser = "u384702-sub2"; - postgresUser = "postgres"; - in { - storagebox = { - initialize = true; - backupPrepareCommand = '' - ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql - - [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots; - [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv; - ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv; - - # dump() { - # # compression: - # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz" - # pg_dump -v "$1" > "db_$1.tar.xz" - # } - # # List all databases, and dump each of them in its own file - # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done - ''; - paths = [ - snapshots - ]; - exclude = [ - ".snapshots" - "/var/lib/postgresql" # included in the db dump - ]; - extraBackupArgs = [ - "--verbose" # spam log - ]; - passwordFile = config.age.secrets.resticpass.path; - extraOptions = [ - "rclone.program='ssh -p 23 ${boxUser}@${boxUser}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'" - ]; - repository = "rclone: "; # There is only one repository served - timerConfig = { - Requires = "network-online.target"; - OnCalendar = "daily"; - Persistent = true; - }; - }; - }; -} -- cgit 1.4.1