lorenzo/servers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add restic backups to lebesgue.

Browse source
This commit is contained in:
Lorenzo Good 2025-02-06 17:44:13 -06:00
parent 3917e40b53
commit 6b3755ca06
Signed by: lorenzo
GPG key ID: 7FCD64BD81180ED0
4 changed files with 49 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

40
machines/lebesgue/config/backups.nix Normal file
View file

@ -0,0 +1,40 @@
{
pkgs,
config,
...
}: let
paths = ["/var/lib/vaultwarden"];
exclude = [];
secrets = config.sops.secrets;
in {
users.groups.restic = {};
users.users.restic = {
isSystemUser = true;
group = "restic";
};
security.wrappers.restic = {
source = "${pkgs.restic.out}/bin/restic";
owner = "restic";
group = "restic";
permissions = "u=rwx,g=,o=";
capabilities = "cap_dac_read_search=+ep";
};
services.restic.backups = {
s3 = {
inherit paths exclude;
user = "restic";
repositoryFile = secrets.restic-repository.path;
environmentFile = secrets.restic-env.path;
passwordFile = secrets.restic-password.path;
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
];
};
};
}

3
machines/lebesgue/config/secrets.nix
View file

@ -6,6 +6,9 @@
admin-password.neededForUsers = true; admin-password.neededForUsers = true;
tskey = {}; tskey = {};
vaultwarden-env = {}; vaultwarden-env = {};
restic-env = {owner = "restic";};
restic-password = {owner = "restic";};
restic-repository = {owner = "restic";};
}; };
}; };
} }

1
machines/lebesgue/config/state.nix
View file

@ -3,6 +3,7 @@
environment.persistence."/persist" = { environment.persistence."/persist" = {
directories = [ directories = [
"/var/cache/restic-backups-s3"
"/var/lib/tailscale" "/var/lib/tailscale"
"/var/log" "/var/log"
"/var/lib/nixos" "/var/lib/nixos"

7
machines/lebesgue/secrets/main.yaml
View file

@ -1,6 +1,9 @@
admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str] admin-password: ENC[AES256_GCM,data:Uc5c1Z9yiU+zwXn5c8S7w3jpw3TNzvsznbNJ7Ay9SV+F8itPTjIwFzp+KHwZaWRFdv6joAwj5ZVgqmhghSG1JA56qJW4PVs+Mw==,iv:Aj+YoV9mDB+nIwiT80sd2EhMGerDq9HC+Hypq/5+6hc=,tag:616ws4u6hyuwEmwMPvUucA==,type:str]
tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str] tskey: ENC[AES256_GCM,data:iJdTZHoakbQQ6e1qZDEyVnB3mtJdGKQd1gVV03VTUeiulqeeK20MDZvZ32XveNwJ32D//BKGV/gaOdYOEE4=,iv:1vdI8UMz0KwsyLJ3t5elIkXc/xHITmV5T4+IWdqYdyE=,tag:V+b6Z9+f5LqqAJP46kDEww==,type:str]
vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj7kp7EdiWBV8cXyHs189ncJ/vG02QCkrv46BH2eBN6kq4eHhefAoklS8kT0v9/7w==,iv:JrWh/0/arWoXOFhtgC+s/eoRDV9tppGXblZR3YOrTZg=,tag:3+wVYTlOodSwkLzApAsLOg==,type:str] vaultwarden-env: ENC[AES256_GCM,data:A1iRHxFxgI5P8DtsXQa1KvEKKnF+qZY7LVuJba00CLj7kp7EdiWBV8cXyHs189ncJ/vG02QCkrv46BH2eBN6kq4eHhefAoklS8kT0v9/7w==,iv:JrWh/0/arWoXOFhtgC+s/eoRDV9tppGXblZR3YOrTZg=,tag:3+wVYTlOodSwkLzApAsLOg==,type:str]
restic-password: ENC[AES256_GCM,data:Ympe5/hJxOzJp7IeJy5mZy0fMIrnV+3cWJo1uKwbHHDJ0G4TNivMNrHEdff6CjVnAbkVgjkR90z1FJOpExd+KQ==,iv:CRJaA3fTG8B/qBDkwctgma4DaGDjoyk4eX6/SynIcLE=,tag:pJW45ijV+wVTR+4IRnLcsw==,type:str]
restic-repository: ENC[AES256_GCM,data:KkFaam8iltY9nz89sVxk4u0xZ46Sq+7UsOY/9wieASD5A2FRruou7BiudX9X4hRA2RMTctO8aqYkrg==,iv:mIZ9z7BJV9s+wSiVMnzYAWM1/zsa6C+RCK1UhSiJVxI=,tag:S7tedxcfd/UaQ5hMEYfBVQ==,type:str]
restic-env: ENC[AES256_GCM,data:KW9ma36zmHJF3xBStpoStDRQqg34wlMJMVSYfbLSnWq26R6e6eGf3+kTVkobhn/bqL6ZYi8ctlyvDS8IOz8VveYogsqxZ7/LK62mA0d9I3xEZMG7eNQ8M1PdeZ9RqAUgFJU=,iv:RxwvZ2vNuwmUc3haK2Ub8vHk9UQhjepLCwsfIcSJg9s=,tag:Tvq2RDh8mJ3jGhmpL1uuCA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -16,8 +19,8 @@ sops:
L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7 L2VhMXV4WityYUFDZytxVTJHOXZGVVkKgbKR56dsru6U7I4KpnxfxQsswFwJsTM7
8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw== 8dzAaFl30mdRwFIH9kzdY3XxyYsJ0Yr0x3xwJ8mI4rjgpI8S9ihJFw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-03T23:49:44Z" lastmodified: "2025-02-06T23:41:49Z"
mac: ENC[AES256_GCM,data:gtH6PMQzxRGMpFI2hAka/MpXeLEivczq+L4Vruo1Vdain9f7iIdvATjomYO+NwkWUiDNWXqzU3VBb8NoyfqDeywtbu6GaUhmAUgVEFt0W2ceyqSF8qje+inI8rCjduodzIRG8XFgHoCvR8iQOtYWseyo6oOHFqBGiw1cBr/ciW8=,iv:9SeerJbjF3LTbjnAkvqqg4ceGJQCJScRBg1rG+xJ5dk=,tag:09H9oJU25ApddCgiMGIQFg==,type:str] mac: ENC[AES256_GCM,data:r8T1Yn5UjKy9zBbFUf9fMVQxy7iyAu1LZINeDQtHuU/tCpn2cqs8FHqhSbtKdFTSPeq3KUe3RTMcbWV17iIoo2CPX+Q9PGQMiN6Wai1CJY5ybr43op7U/WntC3ui/5BGODGbL8EWCc4SHuedqfXTtt8tWIN+qbONzQltP1spVbk=,iv:g9kdAU7bNUdLE+Cr3OhO9IFL2EKKAT2ty05OOoLMOdU=,tag:6JhgR8vqjOBA/VPV9TEK1A==,type:str]
pgp: pgp:
- created_at: "2025-02-03T18:58:54Z" - created_at: "2025-02-03T18:58:54Z"
enc: |- enc: |-