Use options for restic backups

Sandro - 2023-05-18 01:55:16 +02:00
parent 5fd87acd57
commit 2547cfe54b
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
10 changed files with 76 additions and 56 deletions


@ -16,6 +16,16 @@
};
services = {
backup = {
paths = [ "/var/lib/gitea/" ];
exclude = [
"/var/lib/gitea/data/indexers/"
"/var/lib/gitea/data/repo-archive"
"/var/lib/gitea/data/queues"
"/var/lib/gitea/data/tmp/"
];
};
gitea = {
enable = true;
appName = "Gitea: with a cup of Kolle Mate";
@ -131,21 +141,6 @@
package = pkgs.postgresql_15;
upgrade.stopServices = [ "gitea" ];
};
restic.backups = rec {
server8 = {
paths = [ "/var/lib/gitea/" ];
extraBackupArgs = [
"--exclude-file=${pkgs.writeText "restic-exclude-file" ''
/var/lib/gitea/data/indexers/
/var/lib/gitea/data/repo-archive
/var/lib/gitea/data/queues
/var/lib/gitea/data/tmp/
''}"
];
};
offsite = server8;
};
};
sops = {


@ -269,8 +269,8 @@ in
owner = config.users.users.hydra-queue-runner.name;
inherit (config.users.users.hydra-queue-runner) group;
};
"restic/hydra/password".owner = "root";
"restic/hydra/repository".owner = "root";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
"ssh-keys/hydra/private" = {
owner = "hydra";
mode = "400";


@ -17,9 +17,9 @@ ssh-keys:
private: ENC[AES256_GCM,data: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,iv:DMD11AUuWPHutmZOVBeL1megyvQxbJ9Tw5ApH3RWrCw=,tag:yyWpFuJua79+QCMIOOCpwQ==,type:str]
public: ENC[AES256_GCM,data:sphILo6Xz3eCsIC0Y8fr4+CllH2nK42aijMDp5Psc5vhnxCuBxL+Zh4yT3NkPjAHMYZyAxp35uOGOjpOUNS+ii14C86WVTpWtiX3d52/1W5MK9SUGIBQrw8oGoqJeg==,iv:SlinQ+S0QEI6pMzUm8oJqJmlW11ULne2e73974RHiYw=,tag:QkFP9D3MsXM6OSPDqnKKOw==,type:str]
restic:
hydra:
password: ENC[AES256_GCM,data:TVQ12PZpREWiOosAd6bLF6ksOcrIJyxn6SUyYTEimT0=,iv:76iy8wX89CxeRJLjH+xN38HuU2if9UmslFQSskQQGPc=,tag:Ov1Kk2jGwqberFPNldW3Sg==,type:str]
repository: ENC[AES256_GCM,data:enrY2E+ckmqh4ZPx87/JPZVdumAq4LltVyyOMJu8VfFTobE/KbvZZ8APJofMRdGFy74DVUDfbTearHBLjryZG/s8JSBEkFA+qN4FoeUTYRjriNaWzGLQFI3QVnlETNeQ,iv:61RIcOEnYzcwVcw9+Tzq1uyqPEGm3MDOzaYfPaBQm4k=,tag:xImYRWaeWytMhvVNQkJYaA==,type:str]
password: ENC[AES256_GCM,data:O5p3Nk6XN2NN2+H3toKh1P0txDAsskPA8+/7zYqahQw=,iv:fbT5m+wiR5LBffzECm3TV3WjstGJibeT41UFm4EjHk0=,tag:Zm0U2zum27YDA4jZl0E96Q==,type:str]
repository:
server8: ENC[AES256_GCM,data:j9gYfkG8h1zm0xZf9Z2rvQgzUI1Ul6Cq7CbY1dXGVUNLRr9z6vTObjA2Oq7OgOdakzypf3gdwptdC+L8CwZI+/axCckbHoN/U0S9M5LcVq7UtNk2DVujfllzbkAcvL8F,iv:asI3IoiVjenusVNHi4Y53E017nJ24cWZZfQm1ldeYr8=,tag:YwXyvuZfUOTqQhJcY9xbmA==,type:str]
sops:
kms: []
gcp_kms: []
@ -44,8 +44,8 @@ sops:
WkRmWkpEYVMrZ0tKQVgrRk5YU0grTFEK3cX9v11MK9LIw4w51hr2zyLP3biGxkdf
dl77D0IS9m2u0HipmzUs95m+z5j47hiX4Qo1Uza/sshwDBYyia4upg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-15T21:34:01Z"
mac: ENC[AES256_GCM,data:/Nf2F9WAt9FwdU+kfwomjCtu41r5LMezzQL/7AmOTDRw4geqL/AmlDo0UacJjAy9sa7pPl267lsv3CWCocVaCDCyemzjhW6/IbmGpx/2KlkX27pVIxd7S7Ai8lsqHQzhWcFaI3ASgFuisbZhl60CPeG/7p3lVXi2tOFUCT5sfvc=,iv:WZjQqU4EjN3IHlGTvy3VMWkF+DbGmUqyFpPovS7RZYo=,tag:afSJ5E/QkuL/KkHq9Fx1ag==,type:str]
lastmodified: "2023-05-17T23:47:04Z"
mac: ENC[AES256_GCM,data:ABWZEgD/3+2TeKPxLyXf3L1o05BvHNNtIZhgJ+GTyVnZ5YHXpBihk7fkMv9K21kNbXAQ8JAV4eXF+WRczY0bet22Ng3oAolNGxNNqlU6Z0Ijy7PmOsbJ2Lgjn+p2p6zVJt+hSLTHttp33m2mgg+8jLuVJuLlxmuuCOEB/GCvXv4=,iv:nxnzG2SBFRCc+tb34LW/AW8Ci+WIXoN4ZdqUq8D72Gs=,tag:VE2QaRkMcLIDjGLqa1NuLQ==,type:str]
pgp:
- created_at: "2022-12-26T19:10:03Z"
enc: |


@ -10,6 +10,8 @@
networking.hostName = "mastodon";
services = {
backup.paths = [ "/var/lib/mastodon/" ];
# Sidekiq monitoring
collectd.plugins = {
redis =
@ -148,8 +150,6 @@
package = pkgs.postgresql_15;
upgrade.stopServices = [ "mastodon-sidekiq" "mastodon-streaming" "mastodon-web" ];
};
restic.backups."remote-server8".paths = [ "/var/lib/mastodon/" ];
};
sops = {
@ -160,8 +160,8 @@
"mastodon/secret-key".owner = "mastodon";
"mastodon/vapid-private-key".owner = "mastodon";
"mastodon/vapid-public-key".owner = "mastodon";
"restic/mastodon/password".owner = "root";
"restic/mastodon/repository".owner = "root";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};
};


@ -5,9 +5,9 @@ mastodon:
vapid-private-key: ENC[AES256_GCM,data:ztmjieUomc9hdcwfV63Mv50/41yOXAhyO+gRT6gYH20SkRcVa6CXAA1snJI=,iv:ut7QDR3NfvCKzgWtFpSpqtYnZ4PsffFn6gTki6JPXXo=,tag:y6df9UkwOB/GIs+KyfqtrA==,type:str]
vapid-public-key: ENC[AES256_GCM,data:To3y0FkdfZNGpeVOMeyCyuuXMjHRkQjchQZrvhihGHtqZ4hhrTL8IWhKxznNZZgIf4GqlwKxujfLVNaO3JH/1losBWIg9H6n8w2tiCvBimmmLy5/kMxgoA==,iv:OR6+ncumdmOc59thNKICykpEjntucGr6FY6B1dl/koQ=,tag:Mk/Qc9VuU9R7MG6q74OJpg==,type:str]
restic:
mastodon:
password: ENC[AES256_GCM,data:vPOCjFC/lT6xrQgeebDH2JPs7CfmfXBae2FUOl+C36w=,iv:T6WCFtXDKyQGDIOLq9YEteUOu1IZTeDaOaPI3gFc4Sw=,tag:eYPA8oe/OAMSxio09jX/iw==,type:str]
repository: ENC[AES256_GCM,data:+3lgxWCY66L7EqoVljQeJ6kbYg++GRFeX6S9TPF2+55ISk1aV7N7+EGFnvpA4tnm1cWP9/PHhtUsNnnr/ZojrONoRb4dxtRR40PrFa2Qjx7i3gC/aI5OofD+s8YVwDDHgrGj2tZv,iv:Y/R4I7VJnb6LRG39VcMMn+fvvV25fbomaSGsbil6E10=,tag:KE9w0163i1l9+HrN4+UMAQ==,type:str]
password: ENC[AES256_GCM,data:chAXIgrx5xoy3+s2m9Kb2BjQhnAqMp2AcNNi1hTFB70=,iv:ZzfQqv6iAp3gh/jxqMI69uN7jpu+88hw/O6yYCZ+Z58=,tag:mQCL26Y/KjH9Eu279v6rxQ==,type:str]
repository:
server8: ENC[AES256_GCM,data:7HapKqLgOpgmCKVnZSf/8+wi+8ipCQM6AGtR25oObnJQnbu721j+8O0H45Xv6PZGib7k6guRnGO0vNO4iNmbfOO9UfjjAooUO+aV3o6ljXaLNvRXFELid9zmUQaXskS4Wqkt3l4b,iv:skAytH30A8w5+9bk1nikaYwcmm+XAUqipMIHhgMCXuM=,tag:AdaHjBrse6EQUdmQE3F0bA==,type:str]
sops:
kms: []
gcp_kms: []
@ -32,8 +32,8 @@ sops:
OU1FcHVDb2xIenVIdm5kNUdjYy9GTDQKRmjJIq4yiWN4mLU/+rJfdsZZT2m41DD9
0xlVibN8UkR/uLfs1CxdYSTewFKXtJzDYcQR1vUyb3oLUxP7fghPAw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-16T21:29:49Z"
mac: ENC[AES256_GCM,data:A/9PI3G6VlZfSjK8b62dwgmvCkhK0Dkh7vFtNTCky8R/uayYlHjYJph7NHrUhhFl3ATodXq4+QCAYIhwPRZwnqV7pqDVUJzrrJGjr7WKKkRmappmfQ8f51P/P3RGfiakTh6ZKWTT97tTFNpyvC6vcRyge9d5OZaEB1w9niwcpas=,iv:wMHWTSAT1m5l6KC6ImRgkouflMhfVQYgY6qj7gEqeEo=,tag:oqkYef9GribP7JTHWytC4A==,type:str]
lastmodified: "2023-05-17T23:25:47Z"
mac: ENC[AES256_GCM,data:inLu1QDMX3nDUcXsaVqBQ6psmJdYUEn3KU/KQm/giboM2c9lAAulNHDyz8a8ZAXEKbLmgRUX4fRYggrpIK8Kmvu86btB+OkBiUcHYS4r32Ms30us2H76krTxbiDanQxI0w1d+1Ta6B3VNLEa60xeICB9Yzmm9JuX+LILWghfJC8=,iv:l8yHD3/s/kOoC91e9Ubv1P110zorC0m8C4eK/sLRwZ0=,tag:Gwk/ZtMJGUqdGZX+M6UAwQ==,type:str]
pgp:
- created_at: "2022-12-26T19:10:06Z"
enc: |


@ -63,8 +63,8 @@
defaultSopsFile = ./secrets.yaml;
secrets = {
"nginx/basic-auth".owner = "nginx";
"restic/matemat/password".owner = "root";
"restic/matemat/repository".owner = "root";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};
};


@ -1,9 +1,9 @@
nginx:
basic-auth: ENC[AES256_GCM,data:VIjP7lqSmGxKswz1XDLxKp4=,iv:meyfO0gUjfqS5bRjnBMzR34UL0uLInvodv+8DS5IRnI=,tag:GHIKdh14N1JGWbRedr9T7w==,type:str]
restic:
matemat:
password: ENC[AES256_GCM,data:HTmFqGVJXx/jJsJa5wAQgVChxCxowcIPAtIIlcGrBZo=,iv:GQiU5QHJnltFDZIvCbNjxQ8G0q2Dx96iHMtVED0+WlU=,tag:A/DqiVDzdTkAsMQ91WlDvw==,type:str]
repository: ENC[AES256_GCM,data:T9vOnodT1tpu1S0Kg89/Pgm/vD3vjxj7oi0Ecn5xWfNhZNOZNrk7VAYSQMWYSPLECdVNVirAGSNpHFDViPppeT38uVkA1ErU9QVMuHnBnTKKFxF5sVzjlRLIWw9T2Yca5bKVlw==,iv:z/VGOwMAj8nY6Y2qGXWD/LL4ndh6p4obLmB4QgzoRhw=,tag:yAhL9dHecf8DtrRn5E4HnQ==,type:str]
password: ENC[AES256_GCM,data:ERBTYAMLZjBuQ7kbMRhsiUZAENBC/Yb/Ly9NV9mpBl4=,iv:V5zGRTioYEAFXUuPAtmyAG3vRDnB1zEivIMGdPww9uE=,tag:PrkyForMSeNzSz89n/CaVg==,type:str]
repository:
server8: ENC[AES256_GCM,data:Fw9XkRpUWfR8TCClB2rtNpkAqQ5QMaMRdM/KvP2s9sobGZ961fNQ4OwMWRBLINLZ4ZtwRNrZAK6PBUyyvtzYeEYxiYYNx0/H8wh/FFL+KgRV7cKxZYWdiY4vxhcIMZ+YN9kutA==,iv:RjwuYh5L8VEovX53HGvQmTl9jNiEEJFmOsmj3xbmj4s=,tag:VHWeCwIoxDRCTf9y/3rwcQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +28,8 @@ sops:
QnpEYmxzdXVoM2lQaWJTRk5jUnY5ZTgKIiOCV2WB+R5LAgj6nyS/9dcqmN6FWIaN
SlQTSOzYFop776o7A9r109XtKi00ay4wMssZapTuyGaDkTrdgltE6Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-15T21:24:22Z"
mac: ENC[AES256_GCM,data:V0HKPqkonpbJtxpUtCkz2pPIYWjtE5BhRgwbb/uGFTIlkA+VX75xhTWmKZBxHgcIhNvFI2uxnQgq7AOuegN3klAOq82qlWMHR2bIwj25ugc90gOJoZt8QnDTM/aH8G0xgO2KKEtQ8l31YMQjr8RWzGF9WbAxY5t5a/ULrxPESvY=,iv:0/qShbUIcdKrFnIx0CoUQzVAaueRoM38yGEYvUh79HQ=,tag:Iu/vRr2G93PU27W6k+0yDg==,type:str]
lastmodified: "2023-05-17T23:26:58Z"
mac: ENC[AES256_GCM,data:zHBrs3NYqKeJ1CSivf+thYIrnnxGUHN8QapKSegbi4TAs8n5f5t4VXGUUDCfSfsORV6EvoF1a2RKio1WKjdsQuZZDpKohXAZhWRHjSV9nqwcT91dOvy1dbMv20nqVJxuvLH0pTx7Kij7Npt9K8vOiVpZY5zP8+YO/NKZNm/jgpw=,iv:f/hwsIbJeyJKXDjSd+P6M4UT31N6vkH9U2BM28M1tLk=,tag:2EpQLyWGjzf4+DtVs6+2pA==,type:str]
pgp:
- created_at: "2022-12-26T22:15:56Z"
enc: |


@ -14,6 +14,8 @@ in
};
services = {
backup.paths = [ "/var/lib/mediawiki/uploads/" ];
logrotate.checkConfig = false;
mediawiki = {
@ -201,8 +203,6 @@ in
package = pkgs.postgresql_15;
upgrade.stopServices = [ "httpd" "phpfpm-mediawiki" ];
};
restic.backups."remote-server8".paths = [ "/var/lib/mediawiki/uploads/" ];
};
sops = {
@ -216,8 +216,8 @@ in
path = "/var/lib/mediawiki/secret.key";
};
"mediawiki/upgradeKey".owner = config.systemd.services.mediawiki-init.serviceConfig.User;
"restic/mediawiki/password".owner = "root";
"restic/mediawiki/repository".owner = "root";
"restic/password".owner = "root";
"restic/repository/server8".owner = "root";
};
};


@ -4,9 +4,9 @@ mediawiki:
upgradeKey: ENC[AES256_GCM,data:d6nSrNN3bD9smLH4VaJBuA==,iv:XFivelGD25QQmZ44raSvGB89oBtxu9rKRxuHQ04+53w=,tag:eNHkNnfOF6JOQENope65tg==,type:str]
ldapprovider: ENC[AES256_GCM,data:Q1npwIIQCl21FzFQD/AYdFP+BO654z61lufCq1Fr5Xc4QxNOJ3J4DPlMwX3nxFai+rY5aZK6FBm0BwT2wUMWkq/Yzdinn7I6nAIgLWNi1Gw8z1KZGfegkoywct34eo68LDP5qdELaCMxnYG2OnqQbDSAaanuhL5EAzg/QoUP8CbTC8VYe9JhQKPfxpwdkVT/d8bpTE4VwJMUdubUfrwmaJzBHkFv4nqdpTBcZbevI4n2VBTA//knZw0BCrMQWtaIBJeS7ocDlg5NTak6Jy/smV0jWj4we5AMQNIOkTDcMOn5dDnbKwJgWnUmaCk60xPQd/WZd/8IZxkCcsLdYsEQrIfvlg4ui6FowGuuVxKuFvA3bC4o4IWA5BOGl6H0Bz3xZHIrvWt5Ov4PERhjMz3PsNJc0XA3opiHJtA1Q0gTQnRluwCpwPwQqDP1QCtcYyaGWWsrGphevmM41cFWmhJmcXSSRvMSeybd3LOfpLB1Mx62gljuiGlcb8E850Sc459I7Byth66c9S9vd3Ft0NO2/ulxvfzuBOIo7KV3DUmWS4vFDCxnI3Y13xamy82nefnyp8MvYAPaNAcRgl2M18zvgXnaaJbgp2uyV7IkHCgAxyDdRXaNOpDHIsKhtds2PYUuZIwCdmb1oliux7r4AskvkwXbrTHR66wANa0S6jVzlNu18q2Z2I5eyxL3cW8yhv0qr8f6bokBj3cLjeWGTZaELbsxRpPyiY7RkDA80+yklJ5y9CyrMkg9jwUQqg==,iv:q49SA9/vfnoIysVGE68LMf8dZ3/Cj7aEH0vCH/MAvJM=,tag:LJINBjCtMrAveBKY6mqz5Q==,type:str]
restic:
mediawiki:
password: ENC[AES256_GCM,data:5jnUE4UQ1JY65tR8W+8E5IUal3xFLb2ApZb5zm/XgFE=,iv:NMWpSXlPmlQrLD+dKUkWFGj+90laZJ4J7d4a9bcMjwo=,tag:iGXCUOwaaBWAMUez00GTeA==,type:str]
repository: ENC[AES256_GCM,data:3YCwwUNsi9xdabnF++NfKMxfuSKMRXqaSQX/2EOjEBzQ0gKlzZtx6fCX1YJzfZGThmL79kNkqoJL4tuR6ou5pqC/xYf3BmbfK5OuDOpMWdvFpbhzwCf1752lo5v5RSRWpXthjZpPjU4=,iv:iRDs2NuFLkMf/2vCT43A5gY0U3hsmkcTCLXR0QZZczI=,tag:yBAn5RSY5gpUfTEpMFaS7Q==,type:str]
password: ENC[AES256_GCM,data:FwzTzJysad41gnMooiqPqiwveTfikSkA9+G5kYjdj78=,iv:EiEPWQBT5hRefkqTRhKOdtx+HK+634A1goCX7GSeOKw=,tag:MSlshF1SRsnSTANEcv40JA==,type:str]
repository:
server8: ENC[AES256_GCM,data:K4jQx/t5mquEGQ+K+XlGkoKLPMDNcAn+EphiNArLfvFspji+tcPapC/jjmA0QCw6MK9v2FZZHL3y81XY+oxOn+6uW7XlbRpeEE06uxDNaEIlYwFDsmetopOUJWPFPmDMwTyL1JjjVRY=,iv:W5zt9nJXQqHsMWU3nhZyoiIktT3klsV98ego+u7hj+g=,tag:GPiZDU0xWN3CT2W8oID9zA==,type:str]
sops:
kms: []
gcp_kms: []
@ -31,8 +31,8 @@ sops:
dGFiNnQ2YjlYbE10VVY0TS9JSGoxVE0KIGxsQZ3NW8obnIud3H6s+zVNkiFf2TYD
8ddmsulRCZAtw3qRuNikMKAbNsE+foO0fLb5Cem9doOcXpcYIwp1vA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-16T20:47:10Z"
mac: ENC[AES256_GCM,data:B+KDkXpag2Q/WahJDfcCXh75A4tmlvr7Mt7rq1XvnPhAIqQjoXbZOnKs0/99mY8WZuO4qbBUfxKDk1rs+rbQv5yQgSsrK1ISMQ9qqIQBMwm9WcX+F+7l93PRm6sPNQgWXq6XG7ekHOeu4KTzm61nWxv3ugdXHokRKEnduAVOXOk=,iv:5WrtZKr8/neSqleG3/Xk0Mp/eNmlM9i4KNooiVs8jQs=,tag:MAB6/dwuc4pVD+htFYRQOg==,type:str]
lastmodified: "2023-05-17T23:56:00Z"
mac: ENC[AES256_GCM,data:0xUlHyfWpeVmGbC/j363RByhk0KUEP8V5w7YHmpMvBwezAmmnuAxpt+MpcmUCgmkfTdCsBUsVZGNqMO5He0vmP0LADrTscOw8ozCv9BqBXU29NvktbBxmx+cSkqXkkGJDB+lB2pLpbw8iUU2a/tk/w7UyB/iJPI50uIdr6fF5Tk=,iv:xitRxbzvv0rLyophVMtm5Sxv2pVUy7qP7uhWyiyiaHg=,tag:ryL0gpFJR3mWFeR2z7SrMQ==,type:str]
pgp:
- created_at: "2022-12-26T19:10:07Z"
enc: |


@ -1,6 +1,27 @@
{ config, lib, ... }:
{ config, lib, pkgs, ... }:
let
cfg = config.services.backup;
in
{
options.services.backup = {
enable = lib.mkEnableOption "backup" // {
default = config.services.postgresql.enable;
};
paths = lib.mkOption {
type = with lib.types; listOf str;
default = [];
description = "Extra paths to include in backup.";
};
exclude = lib.mkOption {
type = with lib.types; listOf str;
default = [];
description = "Extra paths to exclude in backup.";
};
};
config = {
services = {
postgresqlBackup = {
@ -15,9 +36,13 @@
restic.backups =
let
commonOpts = {
extraBackupArgs = [
"--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}"
];
initialize = true;
passwordFile = config.sops.secrets."restic/password".path;
paths = [ "/var/backup/postgresql/" ];
paths = cfg.paths
++ lib.optionals config.services.postgresql.enable [ "/var/backup/postgresql/" ];
pruneOpts = [
"--group-by host"
"--keep-daily 7"
@ -30,17 +55,17 @@
};
};
in
{
server8 = lib.mkIf config.services.postgresql.enable (commonOpts // {
lib.mkIf cfg.enable {
server8 = commonOpts // {
repositoryFile = config.sops.secrets."restic/repository/server8".path;
});
offsite = lib.mkIf config.services.postgresql.enable (commonOpts // {
};
offsite = commonOpts // {
repository = "sftp://offsite/${config.networking.hostName}";
});
};
};
};
sops.secrets = {
sops.secrets = lib.mkIf cfg.enable {
"restic/offsite/private" = {
mode = "400";
owner = "root";
@ -61,7 +86,7 @@
};
};
system.activationScripts.linkResticSSHConfigIntoVirtioFS = ''
system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf cfg.enable ''
echo "Linking restic ssh config..."
mkdir -m700 -p /home/root/.ssh/
ln -fs {,/home}/root/.ssh/id_offsite-backup
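Review bot: In the first hunk `services.backup.enable` defaults to `config.services.postgresql.enable`, so a host that sets `services.backup.paths` without running PostgreSQL gets no restic jobs and no evaluation error; the paths are dropped silently because the third hunk wraps both repositories in `lib.mkIf cfg.enable`. A missing backup of this kind is usually noticed only at restore time, so I would make the mismatch fail the build with `assertions = [{ assertion = cfg.enable || cfg.paths == [ ]; message = "services.backup.paths is set but services.backup.enable is false"; }];` inside `config`, or widen the default to `config.services.postgresql.enable || cfg.paths != [ ]`. The `enable` option should also carry a description saying that it follows PostgreSQL by default. The `config` block starts and ends outside the visible hunks, so whether such a check already exists elsewhere in the file cannot be confirmed from here.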