From 6b3755ca066e38688ac83d8a9f21ccec78cf3218 Mon Sep 17 00:00:00 2001
From: foehammer127
Date: Thu, 6 Feb 2025 17:44:13 -0600
Subject: [PATCH] Add restic backups to lebesgue.
---
 machines/lebesgue/config/backups.nix | 40 ++++++++++++++++++++++++++++
 machines/lebesgue/config/secrets.nix | 3 +++
 machines/lebesgue/config/state.nix | 1 +
 machines/lebesgue/secrets/main.yaml | 7 +++--
 4 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 machines/lebesgue/config/backups.nix
diff --git a/machines/lebesgue/config/backups.nix b/machines/lebesgue/config/backups.nix
new file mode 100644
index 0000000..3a16bf9
--- /dev/null
+++ b/machines/lebesgue/config/backups.nix
@@ -0,0 +1,40 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  paths = ["/var/lib/vaultwarden"];
+  exclude = [];
+
+  secrets = config.sops.secrets;
+in {
+  users.groups.restic = {};
+  users.users.restic = {
+    isSystemUser = true;
+    group = "restic";
+  };
+
+  security.wrappers.restic = {
+    source = "${pkgs.restic.out}/bin/restic";
+    owner = "restic";
+    group = "restic";
+    permissions = "u=rwx,g=,o=";
+    capabilities = "cap_dac_read_search=+ep";
+  };
+
+  services.restic.backups = {
+    s3 = {
+      inherit paths exclude;
+      user = "restic";
+
+      repositoryFile = secrets.restic-repository.path;
+      environmentFile = secrets.restic-env.path;
+      passwordFile = secrets.restic-password.path;
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+      ];
+    };
+  };
+}
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix
index 3763276..6e88e6a 100644
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@@ -6,6 +6,9 @@
       admin-password.neededForUsers = true;
       tskey = {};
       vaultwarden-env = {};
+      restic-env = {owner = "restic";};
+      restic-password = {owner = "restic";};
+      restic-repository = {owner = "restic";};
     };
   };
 }
diff --git a/machines/lebesgue/config/state.nix b/machines/lebesgue/config/state.nix
index b2262ab..9cf7c0f 100644
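Review bot: `services.restic.backups.s3` never references the capability wrapper declared just above it, so unless the module is pointed at `/run/wrappers/bin/restic` (for instance through the backup's `package` option) the unit will exec the plain store binary as the unprivileged `restic` user and `cap_dac_read_search=+ep` has no effect; check the generated unit's `ExecStart`, because `/var/lib/vaultwarden` is normally readable only by the vaultwarden user and the first run would fail with permission errors. That capability lets anyone who can exec the wrapper read every file on the host (sops-nix material under `/run/secrets`, `/etc/shadow`), so the owner-only `permissions = "u=rwx,g=,o="` is load-bearing and deserves a comment such as `# read-anything capability: must stay executable by the restic user only`. Separately, if Vaultwarden is on its default SQLite backend, snapshotting a live `db.sqlite3` can capture a torn write; a `backupPrepareCommand` that runs `sqlite3 /var/lib/vaultwarden/db.sqlite3 ".backup /var/lib/vaultwarden/db.sqlite3.bak"` before the snapshot, or a stop/start of the service around the run, would make the backup consistent — confirm which database backend lebesgue uses.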
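Review bot: Setting `owner = "restic"` on `restic-env` hands the unprivileged backup user the object-store credentials, and since this backup is configured to run forget/prune from the host those credentials must be allowed to delete objects, so a compromise of lebesgue (or just of the `restic` account) can erase the very history the backup is meant to protect. Consider pairing this with bucket versioning or object lock, or with an append-only credential for the backup job and a separately held credential for pruning; if that is already the case, a comment on the `restic-env` line stating what the key may do (`# S3 key: put/get/delete on the backup bucket only`) would let the next reader verify it. The enclosing `sops.secrets` attribute set begins before this hunk.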
--- a/machines/lebesgue/config/state.nix
+++ b/machines/lebesgue/config/state.nix
@@ -3,6 +3,7 @@
   environment.persistence."/persist" = {
     directories = [
+      "/var/cache/restic-backups-s3"
       "/var/lib/tailscale"
       "/var/log"
       "/var/lib/nixos"
diff --git a/machines/lebesgue/secrets/main.yaml b/machines/lebesgue/secrets/main.yaml
index 3941403..641f017 100644
--- a/machines/lebesgue/secrets/main.yaml
+++ b/machines/lebesgue/secrets/main.yaml
@@ -1,6 +1,9 @@
 admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str]
 tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str]
 vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj7kp7EdiWBV8cXyHs189ncJ/vG02QCkrv46BH2eBN6kq4eHhefAoklS8kT0v9/7w==,iv:JrWh/0/arWoXOFhtgC+s/eoRDV9tppGXblZR3YOrTZg=,tag:3+wVYTlOodSwkLzApAsLOg==,type:str]
+restic-password: ENC[AES256_GCM,data:Ympe5/hJxOzJp7IeJy5mZy0fMIrnV+3cWJo1uKwbHHDJ0G4TNivMNrHEdff6CjVnAbkVgjkR90z1FJOpExd+KQ==,iv:CRJaA3fTG8B/qBDkwctgma4DaGDjoyk4eX6/SynIcLE=,tag:pJW45ijV+wVTR+4IRnLcsw==,type:str]
+restic-repository: ENC[AES256_GCM,data:KkFaam8iltY9nz89sVxk4u0xZ46Sq+7UsOY/9wieASD5A2FRruou7BiudX9X4hRA2RMTctO8aqYkrg==,iv:mIZ9z7BJV9s+wSiVMnzYAWM1/zsa6C+RCK1UhSiJVxI=,tag:S7tedxcfd/UaQ5hMEYfBVQ==,type:str]
+restic-env: ENC[AES256_GCM,data:KW9ma36zmHJF3xBStpoStDRQqg34wlMJMVSYfbLSnWq26R6e6eGf3+kTVkobhn/bqL6ZYi8ctlyvDS8IOz8VveYogsqxZ7/LK62mA0d9I3xEZMG7eNQ8M1PdeZ9RqAUgFJU=,iv:RxwvZ2vNuwmUc3haK2Ub8vHk9UQhjepLCwsfIcSJg9s=,tag:Tvq2RDh8mJ3jGhmpL1uuCA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -16,8 +19,8 @@ sops:
             L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
             8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-02-03T23:49:44Z"
-    mac: ENC[AES256_GCM,data:gtH6PMQzxRGMpFI2hAka/MpXeLEivczq+L4Vruo1Vdain9f7iIdvATjomYO+NwkWUiDNWXqzU3VBb8NoyfqDeywtbu6GaUhmAUgVEFt0W2ceyqSF8qje+inI8rCjduodzIRG8XFgHoCvR8iQOtYWseyo6oOHFqBGiw1cBr/ciW8=,iv:9SeerJbjF3LTbjnAkvqqg4ceGJQCJScRBg1rG+xJ5dk=,tag:09H9oJU25ApddCgiMGIQFg==,type:str]
+    lastmodified: "2025-02-06T23:41:49Z"
+    mac: ENC[AES256_GCM,data:r8T1Yn5UjKy9zBbFUf9fMVQxy7iyAu1LZINeDQtHuU/tCpn2cqs8FHqhSbtKdFTSPeq3KUe3RTMcbWV17iIoo2CPX+Q9PGQMiN6Wai1CJY5ybr43op7U/WntC3ui/5BGODGbL8EWCc4SHuedqfXTtt8tWIN+qbONzQltP1spVbk=,iv:g9kdAU7bNUdLE+Cr3OhO9IFL2EKKAT2ty05OOoLMOdU=,tag:6JhgR8vqjOBA/VPV9TEK1A==,type:str]
     pgp:
         - created_at: "2025-02-03T18:58:54Z"
           enc: |-