diff --git a/machines/gerd.nix b/machines/gerd.nix
index d62607a..a8a7593 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -4,7 +4,8 @@
 ./../shared/applications/server/acme.nix
 ./../shared/applications/server/nginx.nix
- ./../shared/applications/server/postgresql.nix
+ ./../shared/applications/server/postgresql.nix # INCLUDES DATABASE BACKUPS
+ ./../shared/applications/server/restic.nix # EXTERNAL BACKUP
 ./../shared/applications/state/postgresql.nix
 ./../shared/applications/state/ssh.nix
diff --git a/secrets/default.nix b/secrets/default.nix
index 5ee11a2..f081463 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -41,6 +41,10 @@
 # wger
 wger-env.file = ./wger/env.age;
+
+ # restic
+ restic-env.file = ./restic/env.age;
+ restic-pass.file = ./restic/pass.age;
 };
 users.groups.secrets-lldap-bind-user-pass = {};
diff --git a/secrets/restic/env.age b/secrets/restic/env.age
new file mode 100644
index 0000000..ef27682
--- /dev/null
+++ b/secrets/restic/env.age
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 QSDXqg PybnzljzRzswiQPSo1I10lSPRjXHd8rVFSNDH1ZsUig +RzLFaSgJWuDDBS+eTmz0J2aVWjTWV50laojbkyzp4fM +-> X25519 ZCS4baMlt3oGpkHjdeQibFt4oxum00sHV55sW5yW+3I +oT/YlQ4sAYkOC4V6+PfK+CYgDT2l/fOlQJ+sVaBVYV4 +-> ssh-ed25519 n8n9DQ anOLNIDopvdtK7A8BH/bzcz3plEzULJW73BvGS9aSmQ +YPzmwoT/Ltnu5GvicbCs9qqN5CjlsoHClN3seAQdRSo +-> ssh-ed25519 BTp6UA 8H6CnD8TJUP5acPMs/9Yvnc9cu2kx1blrK/oDlts4Fg +O6JIlYDxQB10liQ8tqIqi/Gya3k0v/pcIKbI0VBUyn0 +--- PjFfEkfF3yWY4QolKjwCv6Mj30AcoL4cE0qKlgaUV5o +h8^&Cϐ=&#oY+{j]VEQ [Mbwsྼel0}3ҴC5HK ssh-ed25519 QSDXqg +vE6VbbU5XgX0XkEWh9crm+5mdtURyQAqVffU7EXfFg +UAx9/0QBx+liLIHc2S6Z/JZmtIcBuzxYOlM9YMC4CfI +-> X25519 KcSKOsQyykcTUtcJYhkU+s6b9xzEQp5nxxdC2lmd8xU +oZUIGnUXg5bYCCqeNSHs2cXF4LnxGIYC0HyapGoaF0k +-> ssh-ed25519 n8n9DQ E47ziDXHHPcsQtaHPT17XkgoCcvCQcyFIluEycWfQWw +MHpLKSfAUAuVoCxcrpH87dJKnq0qK0Nvek9QIpdLPpE +-> ssh-ed25519 BTp6UA JlHAZaDZkZoL8jHepRFB6CpfmgNPD/gNeXBMXzQuVmY +XadtJ2aBU5f6mxAb7iCvBRvTr8skt+1OMIqJ2DOr8JI +--- m/WIZdO5VuSKn3rj6f0ZY5+P8dejPOf1N8niALApC08 +}Lv"{%wFk70.b2VC{')owD/` *r +x dD߱&< \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4a5c194..bda44db 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -51,4 +51,8 @@ in # wger "wger/env.age".publicKeys = defaultAccess; + + # restic + "restic/env.age".publicKeys = defaultAccess; + "restic/pass.age".publicKeys = defaultAccess; } diff --git a/shared/applications/server/restic.nix b/shared/applications/server/restic.nix new file mode 100644 index 0000000..2c44cdb --- /dev/null +++ b/shared/applications/server/restic.nix 
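Review bot: In secrets/secrets.nix both `restic/env.age` and `restic/pass.age` are encrypted to `defaultAccess`, so every key in that list can decrypt the B2 credentials and the repository password, which together give read access to every backed-up dataset. `defaultAccess` is defined outside this hunk, so its membership is an assumption here, but the `env.age` header added in this commit carries four recipient stanzas. If only the host running restic and the administrators need these two secrets, a dedicated recipient list would keep another machine's key from opening the backups; at minimum add a comment such as `# restic: repo password + B2 credentials, recipients should be the backup host and admins only`.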
@@ -0,0 +1,30 @@
+{ config, lib, ... }:
+
+{
+ services.restic = {
+ # enable = true;
+
+ backups.main = {
+ repository = "b2:situla-${config.mine.shared.settings.brand_lower}:.";
+
+ passwordFile = config.age.secrets."restic-pass".path;
+ environmentFile = config.age.secrets."restic-env".path;
+
+ # take all `.*/safe/.*` and `.*/backup/.*` zfs volumes
+ paths = let
+ backupPaths = lib.filterAttrs (n: _:
+ (lib.hasInfix "/safe/" n) || (lib.hasInfix "/backup/" n)
+ ) config.mine.zfsMounts;
+ in lib.attrValues backupPaths;
+
+ initialize = true;
+ runCheck = true;
+ pruneOpts = [
+ "--keep-last 7"
+ "--keep-weekly 4"
+ "--keep-monthly 6"
+ "--keep-yearly 2"
+ ];
+ };
+ };
+}
diff --git a/shared/default.nix b/shared/default.nix
index 56ca0b0..d361ef3 100644
--- a/shared/default.nix
+++ b/shared/default.nix
@@ -19,5 +19,6 @@ in {
 # mine.shared.settings.domain = "${config.mine.shared.settings.domain_sld}.${config.mine.shared.settings.domain_tld}";
 mine.shared.settings.domain = "fricloud.dk";
+ mine.shared.settings.brand_lower = "fricloud";
 mine.shared.settings.brand = "Fricloud";
 }
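Review bot: In shared/applications/server/restic.nix, `paths` is computed by filtering `config.mine.zfsMounts` on the `/safe/` and `/backup/` infixes, and nothing in the hunk guards against that filter matching nothing. As far as I recall, the NixOS restic module skips the `restic backup` step when `paths` is empty while still running prune and check, so a renamed dataset or a host without matching mounts would leave the unit succeeding with no new snapshots. An evaluation-time guard would surface this, e.g. `assertions = [{ assertion = config.services.restic.backups.main.paths != []; message = "restic: no /safe/ or /backup/ ZFS mounts selected"; }];`. `lib.hasInfix "/safe/" n` also needs a path component after `safe`, so a dataset mounted exactly at `…/safe` would be left out; whether that matters depends on the `zfsMounts` keys, which are not shown.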