diff --git a/hosts/gitea/default.nix b/hosts/gitea/default.nix index 5c7f45f1..94218f53 100644 --- a/hosts/gitea/default.nix +++ b/hosts/gitea/default.nix @@ -16,6 +16,16 @@ }; services = { + backup = { + paths = [ "/var/lib/gitea/" ]; + exclude = [ + "/var/lib/gitea/data/indexers/" + "/var/lib/gitea/data/repo-archive" + "/var/lib/gitea/data/queues" + "/var/lib/gitea/data/tmp/" + ]; + }; + gitea = { enable = true; appName = "Gitea: with a cup of Kolle Mate"; @@ -131,21 +141,6 @@ package = pkgs.postgresql_15; upgrade.stopServices = [ "gitea" ]; }; - - restic.backups = rec { - server8 = { - paths = [ "/var/lib/gitea/" ]; - extraBackupArgs = [ - "--exclude-file=${pkgs.writeText "restic-exclude-file" '' - /var/lib/gitea/data/indexers/ - /var/lib/gitea/data/repo-archive - /var/lib/gitea/data/queues - /var/lib/gitea/data/tmp/ - ''}" - ]; - }; - offsite = server8; - }; }; sops = { diff --git a/hosts/hydra/default.nix b/hosts/hydra/default.nix index dc9fae0e..45677bed 100644 --- a/hosts/hydra/default.nix +++ b/hosts/hydra/default.nix @@ -269,8 +269,8 @@ in owner = config.users.users.hydra-queue-runner.name; inherit (config.users.users.hydra-queue-runner) group; }; - "restic/hydra/password".owner = "root"; - "restic/hydra/repository".owner = "root"; + "restic/password".owner = "root"; + "restic/repository/server8".owner = "root"; "ssh-keys/hydra/private" = { owner = "hydra"; mode = "400"; diff --git a/hosts/hydra/secrets.yaml b/hosts/hydra/secrets.yaml index eda0098f..1b2781bf 100644 --- a/hosts/hydra/secrets.yaml +++ b/hosts/hydra/secrets.yaml 
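Review bot: The new `services.backup.exclude` list in hosts/gitea/default.nix has no comment saying why these four directories can be left out of a restore. The old inline exclude file had none either, so the reasoning is recorded nowhere in the diff. A one-line comment above `exclude = [` would help, for example `# caches and transient state that Gitea rebuilds; not needed for restore`, with the wording confirmed by whoever chose the list. It is worth confirming in particular that losing `data/queues` on restore is acceptable.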
@@ -17,9 +17,9 @@ ssh-keys: private: ENC[AES256_GCM,data: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,iv:DMD11AUuWPHutmZOVBeL1megyvQxbJ9Tw5ApH3RWrCw=,tag:yyWpFuJua79+QCMIOOCpwQ==,type:str] public: ENC[AES256_GCM,data:sphILo6Xz3eCsIC0Y8fr4+CllH2nK42aijMDp5Psc5vhnxCuBxL+Zh4yT3NkPjAHMYZyAxp35uOGOjpOUNS+ii14C86WVTpWtiX3d52/1W5MK9SUGIBQrw8oGoqJeg==,iv:SlinQ+S0QEI6pMzUm8oJqJmlW11ULne2e73974RHiYw=,tag:QkFP9D3MsXM6OSPDqnKKOw==,type:str] restic: - hydra: - password: ENC[AES256_GCM,data:TVQ12PZpREWiOosAd6bLF6ksOcrIJyxn6SUyYTEimT0=,iv:76iy8wX89CxeRJLjH+xN38HuU2if9UmslFQSskQQGPc=,tag:Ov1Kk2jGwqberFPNldW3Sg==,type:str] - repository: ENC[AES256_GCM,data:enrY2E+ckmqh4ZPx87/JPZVdumAq4LltVyyOMJu8VfFTobE/KbvZZ8APJofMRdGFy74DVUDfbTearHBLjryZG/s8JSBEkFA+qN4FoeUTYRjriNaWzGLQFI3QVnlETNeQ,iv:61RIcOEnYzcwVcw9+Tzq1uyqPEGm3MDOzaYfPaBQm4k=,tag:xImYRWaeWytMhvVNQkJYaA==,type:str] + password: ENC[AES256_GCM,data:O5p3Nk6XN2NN2+H3toKh1P0txDAsskPA8+/7zYqahQw=,iv:fbT5m+wiR5LBffzECm3TV3WjstGJibeT41UFm4EjHk0=,tag:Zm0U2zum27YDA4jZl0E96Q==,type:str] + repository: + server8: ENC[AES256_GCM,data:j9gYfkG8h1zm0xZf9Z2rvQgzUI1Ul6Cq7CbY1dXGVUNLRr9z6vTObjA2Oq7OgOdakzypf3gdwptdC+L8CwZI+/axCckbHoN/U0S9M5LcVq7UtNk2DVujfllzbkAcvL8F,iv:asI3IoiVjenusVNHi4Y53E017nJ24cWZZfQm1ldeYr8=,tag:YwXyvuZfUOTqQhJcY9xbmA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -44,8 +44,8 @@ sops: WkRmWkpEYVMrZ0tKQVgrRk5YU0grTFEK3cX9v11MK9LIw4w51hr2zyLP3biGxkdf dl77D0IS9m2u0HipmzUs95m+z5j47hiX4Qo1Uza/sshwDBYyia4upg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-15T21:34:01Z" - mac: ENC[AES256_GCM,data:/Nf2F9WAt9FwdU+kfwomjCtu41r5LMezzQL/7AmOTDRw4geqL/AmlDo0UacJjAy9sa7pPl267lsv3CWCocVaCDCyemzjhW6/IbmGpx/2KlkX27pVIxd7S7Ai8lsqHQzhWcFaI3ASgFuisbZhl60CPeG/7p3lVXi2tOFUCT5sfvc=,iv:WZjQqU4EjN3IHlGTvy3VMWkF+DbGmUqyFpPovS7RZYo=,tag:afSJ5E/QkuL/KkHq9Fx1ag==,type:str] + lastmodified: "2023-05-17T23:47:04Z" + mac: ENC[AES256_GCM,data:ABWZEgD/3+2TeKPxLyXf3L1o05BvHNNtIZhgJ+GTyVnZ5YHXpBihk7fkMv9K21kNbXAQ8JAV4eXF+WRczY0bet22Ng3oAolNGxNNqlU6Z0Ijy7PmOsbJ2Lgjn+p2p6zVJt+hSLTHttp33m2mgg+8jLuVJuLlxmuuCOEB/GCvXv4=,iv:nxnzG2SBFRCc+tb34LW/AW8Ci+WIXoN4ZdqUq8D72Gs=,tag:VE2QaRkMcLIDjGLqa1NuLQ==,type:str] pgp: - created_at: "2022-12-26T19:10:03Z" enc: | diff --git a/hosts/mastodon/default.nix b/hosts/mastodon/default.nix index e8c3d008..a48183b8 100644 --- a/hosts/mastodon/default.nix +++ b/hosts/mastodon/default.nix @@ -10,6 +10,8 @@ networking.hostName = "mastodon"; services = { + backup.paths = [ "/var/lib/mastodon/" ]; + # Sidekiq monitoring collectd.plugins = { redis = @@ -148,8 +150,6 @@ package = pkgs.postgresql_15; upgrade.stopServices = [ "mastodon-sidekiq" "mastodon-streaming" "mastodon-web" ]; }; - - restic.backups."remote-server8".paths = [ "/var/lib/mastodon/" ]; }; sops = { @@ -160,8 +160,8 @@ "mastodon/secret-key".owner = "mastodon"; "mastodon/vapid-private-key".owner = "mastodon"; "mastodon/vapid-public-key".owner = "mastodon"; - "restic/mastodon/password".owner = "root"; - "restic/mastodon/repository".owner = "root"; + "restic/password".owner = "root"; + "restic/repository/server8".owner = "root"; }; }; diff --git a/hosts/mastodon/secrets.yaml b/hosts/mastodon/secrets.yaml index de506b46..d9edf3c5 100644 --- a/hosts/mastodon/secrets.yaml +++ b/hosts/mastodon/secrets.yaml 
@@ -5,9 +5,9 @@ mastodon: vapid-private-key: ENC[AES256_GCM,data:ztmjieUomc9hdcwfV63Mv50/41yOXAhyO+gRT6gYH20SkRcVa6CXAA1snJI=,iv:ut7QDR3NfvCKzgWtFpSpqtYnZ4PsffFn6gTki6JPXXo=,tag:y6df9UkwOB/GIs+KyfqtrA==,type:str] vapid-public-key: ENC[AES256_GCM,data:To3y0FkdfZNGpeVOMeyCyuuXMjHRkQjchQZrvhihGHtqZ4hhrTL8IWhKxznNZZgIf4GqlwKxujfLVNaO3JH/1losBWIg9H6n8w2tiCvBimmmLy5/kMxgoA==,iv:OR6+ncumdmOc59thNKICykpEjntucGr6FY6B1dl/koQ=,tag:Mk/Qc9VuU9R7MG6q74OJpg==,type:str] restic: - mastodon: - password: ENC[AES256_GCM,data:vPOCjFC/lT6xrQgeebDH2JPs7CfmfXBae2FUOl+C36w=,iv:T6WCFtXDKyQGDIOLq9YEteUOu1IZTeDaOaPI3gFc4Sw=,tag:eYPA8oe/OAMSxio09jX/iw==,type:str] - repository: ENC[AES256_GCM,data:+3lgxWCY66L7EqoVljQeJ6kbYg++GRFeX6S9TPF2+55ISk1aV7N7+EGFnvpA4tnm1cWP9/PHhtUsNnnr/ZojrONoRb4dxtRR40PrFa2Qjx7i3gC/aI5OofD+s8YVwDDHgrGj2tZv,iv:Y/R4I7VJnb6LRG39VcMMn+fvvV25fbomaSGsbil6E10=,tag:KE9w0163i1l9+HrN4+UMAQ==,type:str] + password: ENC[AES256_GCM,data:chAXIgrx5xoy3+s2m9Kb2BjQhnAqMp2AcNNi1hTFB70=,iv:ZzfQqv6iAp3gh/jxqMI69uN7jpu+88hw/O6yYCZ+Z58=,tag:mQCL26Y/KjH9Eu279v6rxQ==,type:str] + repository: + server8: ENC[AES256_GCM,data:7HapKqLgOpgmCKVnZSf/8+wi+8ipCQM6AGtR25oObnJQnbu721j+8O0H45Xv6PZGib7k6guRnGO0vNO4iNmbfOO9UfjjAooUO+aV3o6ljXaLNvRXFELid9zmUQaXskS4Wqkt3l4b,iv:skAytH30A8w5+9bk1nikaYwcmm+XAUqipMIHhgMCXuM=,tag:AdaHjBrse6EQUdmQE3F0bA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -32,8 +32,8 @@ sops: OU1FcHVDb2xIenVIdm5kNUdjYy9GTDQKRmjJIq4yiWN4mLU/+rJfdsZZT2m41DD9 0xlVibN8UkR/uLfs1CxdYSTewFKXtJzDYcQR1vUyb3oLUxP7fghPAw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-16T21:29:49Z" - mac: ENC[AES256_GCM,data:A/9PI3G6VlZfSjK8b62dwgmvCkhK0Dkh7vFtNTCky8R/uayYlHjYJph7NHrUhhFl3ATodXq4+QCAYIhwPRZwnqV7pqDVUJzrrJGjr7WKKkRmappmfQ8f51P/P3RGfiakTh6ZKWTT97tTFNpyvC6vcRyge9d5OZaEB1w9niwcpas=,iv:wMHWTSAT1m5l6KC6ImRgkouflMhfVQYgY6qj7gEqeEo=,tag:oqkYef9GribP7JTHWytC4A==,type:str] + lastmodified: "2023-05-17T23:25:47Z" + mac: ENC[AES256_GCM,data:inLu1QDMX3nDUcXsaVqBQ6psmJdYUEn3KU/KQm/giboM2c9lAAulNHDyz8a8ZAXEKbLmgRUX4fRYggrpIK8Kmvu86btB+OkBiUcHYS4r32Ms30us2H76krTxbiDanQxI0w1d+1Ta6B3VNLEa60xeICB9Yzmm9JuX+LILWghfJC8=,iv:l8yHD3/s/kOoC91e9Ubv1P110zorC0m8C4eK/sLRwZ0=,tag:Gwk/ZtMJGUqdGZX+M6UAwQ==,type:str] pgp: - created_at: "2022-12-26T19:10:06Z" enc: | diff --git a/hosts/matemat/default.nix b/hosts/matemat/default.nix index c031abd1..9ef4324e 100644 --- a/hosts/matemat/default.nix +++ b/hosts/matemat/default.nix @@ -63,8 +63,8 @@ defaultSopsFile = ./secrets.yaml; secrets = { "nginx/basic-auth".owner = "nginx"; - "restic/matemat/password".owner = "root"; - "restic/matemat/repository".owner = "root"; + "restic/password".owner = "root"; + "restic/repository/server8".owner = "root"; }; }; diff --git a/hosts/matemat/secrets.yaml b/hosts/matemat/secrets.yaml index 8b9bcc17..4c8dae55 100644 --- a/hosts/matemat/secrets.yaml +++ b/hosts/matemat/secrets.yaml 
@@ -1,9 +1,9 @@ nginx: basic-auth: ENC[AES256_GCM,data:VIjP7lqSmGxKswz1XDLxKp4=,iv:meyfO0gUjfqS5bRjnBMzR34UL0uLInvodv+8DS5IRnI=,tag:GHIKdh14N1JGWbRedr9T7w==,type:str] restic: - matemat: - password: ENC[AES256_GCM,data:HTmFqGVJXx/jJsJa5wAQgVChxCxowcIPAtIIlcGrBZo=,iv:GQiU5QHJnltFDZIvCbNjxQ8G0q2Dx96iHMtVED0+WlU=,tag:A/DqiVDzdTkAsMQ91WlDvw==,type:str] - repository: ENC[AES256_GCM,data:T9vOnodT1tpu1S0Kg89/Pgm/vD3vjxj7oi0Ecn5xWfNhZNOZNrk7VAYSQMWYSPLECdVNVirAGSNpHFDViPppeT38uVkA1ErU9QVMuHnBnTKKFxF5sVzjlRLIWw9T2Yca5bKVlw==,iv:z/VGOwMAj8nY6Y2qGXWD/LL4ndh6p4obLmB4QgzoRhw=,tag:yAhL9dHecf8DtrRn5E4HnQ==,type:str] + password: ENC[AES256_GCM,data:ERBTYAMLZjBuQ7kbMRhsiUZAENBC/Yb/Ly9NV9mpBl4=,iv:V5zGRTioYEAFXUuPAtmyAG3vRDnB1zEivIMGdPww9uE=,tag:PrkyForMSeNzSz89n/CaVg==,type:str] + repository: + server8: ENC[AES256_GCM,data:Fw9XkRpUWfR8TCClB2rtNpkAqQ5QMaMRdM/KvP2s9sobGZ961fNQ4OwMWRBLINLZ4ZtwRNrZAK6PBUyyvtzYeEYxiYYNx0/H8wh/FFL+KgRV7cKxZYWdiY4vxhcIMZ+YN9kutA==,iv:RjwuYh5L8VEovX53HGvQmTl9jNiEEJFmOsmj3xbmj4s=,tag:VHWeCwIoxDRCTf9y/3rwcQ==,type:str] sops: kms: [] gcp_kms: [] @@ -28,8 +28,8 @@ sops: QnpEYmxzdXVoM2lQaWJTRk5jUnY5ZTgKIiOCV2WB+R5LAgj6nyS/9dcqmN6FWIaN SlQTSOzYFop776o7A9r109XtKi00ay4wMssZapTuyGaDkTrdgltE6Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-15T21:24:22Z" - mac: ENC[AES256_GCM,data:V0HKPqkonpbJtxpUtCkz2pPIYWjtE5BhRgwbb/uGFTIlkA+VX75xhTWmKZBxHgcIhNvFI2uxnQgq7AOuegN3klAOq82qlWMHR2bIwj25ugc90gOJoZt8QnDTM/aH8G0xgO2KKEtQ8l31YMQjr8RWzGF9WbAxY5t5a/ULrxPESvY=,iv:0/qShbUIcdKrFnIx0CoUQzVAaueRoM38yGEYvUh79HQ=,tag:Iu/vRr2G93PU27W6k+0yDg==,type:str] + lastmodified: "2023-05-17T23:26:58Z" + mac: ENC[AES256_GCM,data:zHBrs3NYqKeJ1CSivf+thYIrnnxGUHN8QapKSegbi4TAs8n5f5t4VXGUUDCfSfsORV6EvoF1a2RKio1WKjdsQuZZDpKohXAZhWRHjSV9nqwcT91dOvy1dbMv20nqVJxuvLH0pTx7Kij7Npt9K8vOiVpZY5zP8+YO/NKZNm/jgpw=,iv:f/hwsIbJeyJKXDjSd+P6M4UT31N6vkH9U2BM28M1tLk=,tag:2EpQLyWGjzf4+DtVs6+2pA==,type:str] pgp: - created_at: "2022-12-26T22:15:56Z" enc: | 
diff --git a/hosts/mediawiki/default.nix b/hosts/mediawiki/default.nix index ec7ab863..37ec6069 100644 --- a/hosts/mediawiki/default.nix +++ b/hosts/mediawiki/default.nix @@ -14,6 +14,8 @@ in }; services = { + backup.paths = [ "/var/lib/mediawiki/uploads/" ]; + logrotate.checkConfig = false; mediawiki = { @@ -201,8 +203,6 @@ in package = pkgs.postgresql_15; upgrade.stopServices = [ "httpd" "phpfpm-mediawiki" ]; }; - - restic.backups."remote-server8".paths = [ "/var/lib/mediawiki/uploads/" ]; }; sops = { @@ -216,8 +216,8 @@ in path = "/var/lib/mediawiki/secret.key"; }; "mediawiki/upgradeKey".owner = config.systemd.services.mediawiki-init.serviceConfig.User; - "restic/mediawiki/password".owner = "root"; - "restic/mediawiki/repository".owner = "root"; + "restic/password".owner = "root"; + "restic/repository/server8".owner = "root"; }; }; diff --git a/hosts/mediawiki/secrets.yaml b/hosts/mediawiki/secrets.yaml index 027456ef..36e7f1c6 100644 --- a/hosts/mediawiki/secrets.yaml +++ b/hosts/mediawiki/secrets.yaml 
@@ -4,9 +4,9 @@ mediawiki: upgradeKey: ENC[AES256_GCM,data:d6nSrNN3bD9smLH4VaJBuA==,iv:XFivelGD25QQmZ44raSvGB89oBtxu9rKRxuHQ04+53w=,tag:eNHkNnfOF6JOQENope65tg==,type:str] ldapprovider: ENC[AES256_GCM,data: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,iv:q49SA9/vfnoIysVGE68LMf8dZ3/Cj7aEH0vCH/MAvJM=,tag:LJINBjCtMrAveBKY6mqz5Q==,type:str] restic: - mediawiki: - password: ENC[AES256_GCM,data:5jnUE4UQ1JY65tR8W+8E5IUal3xFLb2ApZb5zm/XgFE=,iv:NMWpSXlPmlQrLD+dKUkWFGj+90laZJ4J7d4a9bcMjwo=,tag:iGXCUOwaaBWAMUez00GTeA==,type:str] - repository: ENC[AES256_GCM,data:3YCwwUNsi9xdabnF++NfKMxfuSKMRXqaSQX/2EOjEBzQ0gKlzZtx6fCX1YJzfZGThmL79kNkqoJL4tuR6ou5pqC/xYf3BmbfK5OuDOpMWdvFpbhzwCf1752lo5v5RSRWpXthjZpPjU4=,iv:iRDs2NuFLkMf/2vCT43A5gY0U3hsmkcTCLXR0QZZczI=,tag:yBAn5RSY5gpUfTEpMFaS7Q==,type:str] + password: ENC[AES256_GCM,data:FwzTzJysad41gnMooiqPqiwveTfikSkA9+G5kYjdj78=,iv:EiEPWQBT5hRefkqTRhKOdtx+HK+634A1goCX7GSeOKw=,tag:MSlshF1SRsnSTANEcv40JA==,type:str] + repository: + server8: ENC[AES256_GCM,data:K4jQx/t5mquEGQ+K+XlGkoKLPMDNcAn+EphiNArLfvFspji+tcPapC/jjmA0QCw6MK9v2FZZHL3y81XY+oxOn+6uW7XlbRpeEE06uxDNaEIlYwFDsmetopOUJWPFPmDMwTyL1JjjVRY=,iv:W5zt9nJXQqHsMWU3nhZyoiIktT3klsV98ego+u7hj+g=,tag:GPiZDU0xWN3CT2W8oID9zA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -31,8 +31,8 @@ sops: dGFiNnQ2YjlYbE10VVY0TS9JSGoxVE0KIGxsQZ3NW8obnIud3H6s+zVNkiFf2TYD 8ddmsulRCZAtw3qRuNikMKAbNsE+foO0fLb5Cem9doOcXpcYIwp1vA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-16T20:47:10Z" - mac: ENC[AES256_GCM,data:B+KDkXpag2Q/WahJDfcCXh75A4tmlvr7Mt7rq1XvnPhAIqQjoXbZOnKs0/99mY8WZuO4qbBUfxKDk1rs+rbQv5yQgSsrK1ISMQ9qqIQBMwm9WcX+F+7l93PRm6sPNQgWXq6XG7ekHOeu4KTzm61nWxv3ugdXHokRKEnduAVOXOk=,iv:5WrtZKr8/neSqleG3/Xk0Mp/eNmlM9i4KNooiVs8jQs=,tag:MAB6/dwuc4pVD+htFYRQOg==,type:str] + lastmodified: "2023-05-17T23:56:00Z" + mac: ENC[AES256_GCM,data:0xUlHyfWpeVmGbC/j363RByhk0KUEP8V5w7YHmpMvBwezAmmnuAxpt+MpcmUCgmkfTdCsBUsVZGNqMO5He0vmP0LADrTscOw8ozCv9BqBXU29NvktbBxmx+cSkqXkkGJDB+lB2pLpbw8iUU2a/tk/w7UyB/iJPI50uIdr6fF5Tk=,iv:xitRxbzvv0rLyophVMtm5Sxv2pVUy7qP7uhWyiyiaHg=,tag:ryL0gpFJR3mWFeR2z7SrMQ==,type:str] pgp: - created_at: "2022-12-26T19:10:07Z" enc: | diff --git a/modules/backup.nix b/modules/backup.nix index 613e2e98..686207c4 100644 --- a/modules/backup.nix +++ b/modules/backup.nix @@ -1,6 +1,27 @@ -{ config, lib, ... }: +{ config, lib, pkgs, ... }: +let + cfg = config.services.backup; +in { + options.services.backup = { + enable = lib.mkEnableOption "backup" // { + default = config.services.postgresql.enable; + }; + + paths = lib.mkOption { + type = with lib.types; listOf str; + default = []; + description = "Extra paths to include in backup."; + }; + + exclude = lib.mkOption { + type = with lib.types; listOf str; + default = []; + description = "Extra paths to exclude in backup."; + }; + }; + config = { services = { postgresqlBackup = { 
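Review bot: The `enable` default in `options.services.backup` follows `config.services.postgresql.enable` alone, so a host that sets `services.backup.paths` but runs no PostgreSQL gets no restic job and no evaluation error. Whether every host that uses `paths` also enables PostgreSQL is not visible in this diff. Deriving the default from both inputs, `default = config.services.postgresql.enable || cfg.paths != [];`, keeps a declared path from being silently left out of the backup. The `exclude` description could also say that the entries are restic exclude patterns written to an `--exclude-file`, not only plain paths.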
@@ -15,9 +36,13 @@ restic.backups = let commonOpts = { + extraBackupArgs = [ + "--exclude-file=${pkgs.writeText "restic-exclude-file" (lib.concatMapStrings (x: x + "\n") cfg.exclude)}" + ]; initialize = true; passwordFile = config.sops.secrets."restic/password".path; - paths = [ "/var/backup/postgresql/" ]; + paths = cfg.paths + ++ lib.optionals config.services.postgresql.enable [ "/var/backup/postgresql/" ]; pruneOpts = [ "--group-by host" "--keep-daily 7" @@ -30,17 +55,17 @@ }; }; in - { - server8 = lib.mkIf config.services.postgresql.enable (commonOpts // { + lib.mkIf cfg.enable { + server8 = commonOpts // { repositoryFile = config.sops.secrets."restic/repository/server8".path; - }); - offsite = lib.mkIf config.services.postgresql.enable (commonOpts // { + }; + offsite = commonOpts // { repository = "sftp://offsite/${config.networking.hostName}"; - }); + }; }; }; - sops.secrets = { + sops.secrets = lib.mkIf cfg.enable { "restic/offsite/private" = { mode = "400"; owner = "root"; @@ -61,7 +86,7 @@ }; }; - system.activationScripts.linkResticSSHConfigIntoVirtioFS = '' + system.activationScripts.linkResticSSHConfigIntoVirtioFS = lib.mkIf cfg.enable '' echo "Linking restic ssh config..." mkdir -m700 -p /home/root/.ssh/ ln -fs {,/home}/root/.ssh/id_offsite-backup
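Review bot: In `commonOpts`, `paths` can now evaluate to `[]` when `services.backup.enable` is set by hand on a host with no PostgreSQL and no `services.backup.paths`, which yields a backup job with nothing to back up. An entry in `assertions` such as `assertion = !cfg.enable || cfg.paths != [] || config.services.postgresql.enable;` would turn that into an evaluation error. On style, the exclude list goes through `extraBackupArgs` and a hand-built `pkgs.writeText` file. If the pinned nixpkgs already offers `services.restic.backups.<name>.exclude`, then `exclude = cfg.exclude;` expresses the same thing directly; the pin is not visible here, so this needs checking. The `let` block starts before this hunk and continues after it.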
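Review bot: `sops.secrets` in modules/backup.nix is now guarded by `lib.mkIf cfg.enable`, but the host files touched by this commit (hydra, mastodon, matemat and mediawiki `default.nix`) still declare `"restic/password"` and `"restic/repository/server8"` unconditionally. On a host where backup ends up disabled, those two secrets would still be decrypted onto disk. Declaring them once inside this guarded attrset, with `"restic/password".owner = "root";` and `"restic/repository/server8".owner = "root";`, ties the secret material to the feature that reads it and removes the four per-host copies. The attrset continues past the end of the hunk, so it may already hold entries not shown here.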