restic: add daily external backups of all safe/backups

2024-12-07 19:28:04 +01:00 · 2024-12-07 19:28:04 +01:00 · 3a0792caec
commit 3a0792caec
parent d4d8236501
7 changed files with 64 additions and 1 deletions
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@ -4,7 +4,8 @@

    ./../shared/applications/server/acme.nix
    ./../shared/applications/server/nginx.nix
-    ./../shared/applications/server/postgresql.nix
+    ./../shared/applications/server/postgresql.nix # INCLUDES DATABASE BACKUPS
+    ./../shared/applications/server/restic.nix # EXTERNAL BACKUP
    ./../shared/applications/state/postgresql.nix
    ./../shared/applications/state/ssh.nix

--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -41,6 +41,10 @@

    # wger
    wger-env.file = ./wger/env.age;
+
+    # restic
+    restic-env.file = ./restic/env.age;
+    restic-pass.file = ./restic/pass.age;
  };

  users.groups.secrets-lldap-bind-user-pass = {};
--- a/secrets/restic/env.age
+++ b/secrets/restic/env.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg PybnzljzRzswiQPSo1I10lSPRjXHd8rVFSNDH1ZsUig
+RzLFaSgJWuDDBS+eTmz0J2aVWjTWV50laojbkyzp4fM
+-> X25519 ZCS4baMlt3oGpkHjdeQibFt4oxum00sHV55sW5yW+3I
+oT/YlQ4sAYkOC4V6+PfK+CYgDT2l/fOlQJ+sVaBVYV4
+-> ssh-ed25519 n8n9DQ anOLNIDopvdtK7A8BH/bzcz3plEzULJW73BvGS9aSmQ
+YPzmwoT/Ltnu5GvicbCs9qqN5CjlsoHClN3seAQdRSo
+-> ssh-ed25519 BTp6UA 8H6CnD8TJUP5acPMs/9Yvnc9cu2kx1blrK/oDlts4Fg
+O6JIlYDxQB10liQ8tqIqi/Gya3k0v/pcIKbI0VBUyn0
+--- PjFfEkfF3yWY4QolKjwCv6Mj30AcoL4cE0qKlgaUV5o
+„h8°^&C¹“ôÏ<C3B4>=‘“&âö«éÒò#Þo…Y–+{j<>ÒÞ]Œ“Vïî<C3AF>ÝEîQ	<09>[M±«òb»wsà¾¼e¨£lÐ“0}3Ò´ÚCæ5HK<uïÄò{Ãa´ôbÎ,KoD[“
íƒ—_×š¨
--- a/secrets/restic/pass.age
+++ b/secrets/restic/pass.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg +vE6VbbU5XgX0XkEWh9crm+5mdtURyQAqVffU7EXfFg
+UAx9/0QBx+liLIHc2S6Z/JZmtIcBuzxYOlM9YMC4CfI
+-> X25519 KcSKOsQyykcTUtcJYhkU+s6b9xzEQp5nxxdC2lmd8xU
+oZUIGnUXg5bYCCqeNSHs2cXF4LnxGIYC0HyapGoaF0k
+-> ssh-ed25519 n8n9DQ E47ziDXHHPcsQtaHPT17XkgoCcvCQcyFIluEycWfQWw
+MHpLKSfAUAuVoCxcrpH87dJKnq0qK0Nvek9QIpdLPpE
+-> ssh-ed25519 BTp6UA JlHAZaDZkZoL8jHepRFB6CpfmgNPD/gNeXBMXzQuVmY
+XadtJ2aBU5f6mxAb7iCvBRvTr8skt+1OMIqJ2DOr8JI
+--- m/WIZdO5VuSKn3rj6f0ZY5+P8dejPOf1N8niALApC08
+}L<>vÆ"Ë{ã÷%¤ð²ñwáÏÌÑFk7ó¯0™Ð.‚ŒËÀÁ“b2VCêí{…ò‰åîêœ')ˆowóD/þÅ`ö¨*ìñr	Ã
+xî…ÌdD’ß±À&¥<ß
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -51,4 +51,8 @@ in

  # wger
  "wger/env.age".publicKeys = defaultAccess;
+
+  # restic
+  "restic/env.age".publicKeys = defaultAccess;
+  "restic/pass.age".publicKeys = defaultAccess;
 }
--- a/shared/applications/server/restic.nix
+++ b/shared/applications/server/restic.nix
@ -0,0 +1,30 @@
+{ config, lib, ... }:
+
+{
+  services.restic = {
+    # enable = true;
+    
+    backups.main  = {
+      repository = "b2:situla-${config.mine.shared.settings.brand_lower}:.";
+
+      passwordFile = config.age.secrets."restic-pass".path;
+      environmentFile = config.age.secrets."restic-env".path;
+
+      # take all `.*/safe/.*` and `.*/backup/.*` zfs volumes
+      paths = let
+        backupPaths = lib.filterAttrs (n: _:
+          (lib.hasInfix "/safe/" n) || (lib.hasInfix "/backup/" n)
+        ) config.mine.zfsMounts;
+      in lib.attrValues backupPaths;
+
+      initialize = true;
+      runCheck = true;
+      pruneOpts = [
+        "--keep-last 7"
+        "--keep-weekly 4"
+        "--keep-monthly 6"
+        "--keep-yearly 2"
+      ];
+    };
+  };
+}
--- a/shared/default.nix
+++ b/shared/default.nix
@ -19,5 +19,6 @@ in {
  # mine.shared.settings.domain = "${config.mine.shared.settings.domain_sld}.${config.mine.shared.settings.domain_tld}";
  mine.shared.settings.domain = "fricloud.dk";

+  mine.shared.settings.brand_lower = "fricloud";
  mine.shared.settings.brand = "Fricloud";
 }