diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 8aba34a..8baf83a 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -34,6 +34,8 @@
 "prometheus-exporters"
 "loki"
 "promtail"
+ "restic"
+ # "immich"
 ]
 ++ [
 ./disko.nix
diff --git a/modules/restic/default.nix b/modules/restic/default.nix
index 4496e61..52da5cf 100644
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@@ -3,43 +3,33 @@ pkgs, lib, ... -}: { - options.backup = { - paths = lib.mkOption { - type = lib.types.listOf lib.types.path; - default = []; +}: let + user = "u382036-sub1"; + host = "u382036.your-storagebox.de"; + port = "23"; +in { + age.secrets = { + HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD = { + file = ../../secrets/hetzner-storage-box-sisko-ssh-password.age; + owner = "root"; }; - }; - config.services.restic = { - backups = { - hetzner = { - paths = config.backup.paths; - passwordFile = config.age.secrets.restic-hetzner-password.path; - extraOptions = [ - # Use the host ssh key, for authorizing new hosts: - # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de install-ssh-key - "sftp.command='ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de -i /etc/ssh/ssh_host_ed25519_key -s sftp'" - ]; - repository = "sftp://u382036-sub1@u382036-sub1.your-storagebox.de:23/"; - initialize = true; - timerConfig.OnCalendar = "daily"; - timerConfig.RandomizedDelaySec = "1h"; - }; + SISKO_RESTIC_PASSWORD = { + file = ../../secrets/sisko-restic-password.age; + owner = "root"; }; }; - config.environment.systemPackages = builtins.map (path: - pkgs.writeShellApplication { - name = "restic-restore-${builtins.replaceStrings ["/"] ["-"] path}"; - runtimeInputs = with pkgs; [restic]; - text = '' - restic -r ${config.services.restic.backups.hetzner.repository} \ - ${lib.concatMapStringsSep ''\'' (option: "-o ${option}") config.services.restic.backups.hetzner.extraOptions} \ - --password-file ${config.services.restic.backups.hetzner.passwordFile} \ - restore latest \ - --path "${path}"\ - --target "$1" - ''; - }) - config.services.restic.backups.hetzner.paths; + services.openssh.knownHosts."${host}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"; + + services.restic.backups.sisko = { + paths = ["/persist"]; + passwordFile = config.age.secrets.SISKO_RESTIC_PASSWORD.path; + extraOptions = [ + 
"sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'"
+ ];
+ repository = "sftp://${user}@${host}:${port}/";
+ initialize = true;
+ timerConfig.OnCalendar = "daily";
+ timerConfig.RandomizedDelaySec = "1h";
+ };
 }
diff --git a/secrets/hetzner-storage-box-sisko-ssh-password.age b/secrets/hetzner-storage-box-sisko-ssh-password.age
new file mode 100644
index 0000000..d2e9b5a
Binary files /dev/null and b/secrets/hetzner-storage-box-sisko-ssh-password.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fb8e4df..b41e70e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -28,6 +28,8 @@ in
 "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard];
 "forgejo-nix-access-tokens.age".publicKeys = [ccr-ssh ccr-gpg picard];
 "garmin-collector-environment.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "hetzner-storage-box-sisko-ssh-password.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "sisko-restic-password.age".publicKeys = [ccr-ssh ccr-gpg sisko];

 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];
diff --git a/secrets/sisko-restic-password.age b/secrets/sisko-restic-password.age
new file mode 100644
index 0000000..c754950
--- /dev/null
+++ b/secrets/sisko-restic-password.age
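Review bot: The new `sftp.command` in `services.restic.backups.sisko.extraOptions` replaces the host-key authentication the removed lines used (`-i /etc/ssh/ssh_host_ed25519_key`) with a password fed through `sshpass -f`, which weakens authentication for an unattended job; if the storage-box sub-account really cannot take a public key, that reason belongs in a comment above the option, otherwise key-based auth should be kept. The backup also defines no retention: with `initialize = true` and a daily timer but no `pruneOpts`, snapshots accumulate without bound, so a line such as `pruneOpts = ["--keep-daily 7" "--keep-weekly 4" "--keep-monthly 6"];` (example values) should sit next to `timerConfig`. The removed comment that explained how the host key was installed on the storage box is not replaced by anything describing how the two new age secrets are provisioned or rotated. The enclosing module function begins before the hunk, so its first parameters are not visible here.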
@@ -0,0 +1,30 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +TKW/pV8ANvSWay5wTsFhV0CDSqn/wZAzNRP0WgRzBJbsrFP2/YYkhRHFtwkMjeXm +qEJPeXYdpgT6+FXq3nfhTaK/AbeebBRWO7dgGfKBosJ6Mc+PMhephrQ+oH6/zbG5 +l5QclAZ4NOfkD3f/nnqog13nKTijHjHcTnEWYZZz8RowaUEkEjo4Xbgw1MUbC8yJ +khyqZOTVFnfKgcSW5rlnsbrZKkmwYYY8mej27I9AFeSLgE0DOF3OWxrNxuPdxICp +h/kfQ2lPw75TWX5vj8WKOOxjAvheIiJDAAdfOoroK1BqKAUmpC6HjpC3cJZhrMmE +Xtob+esC39M8QBO1vUB639/I0AKAMbn3rE617StUr2QyyyNahnOOOPaZplCk/uM8 +Sde8d+VwTuvJXosuxi7Z+lQbeyCg7WmRigRoSiL6+9HcdMtDMDRjtloVq1o+iHXc +5A99Eeq0D/rBVSDmXKkVpcwLfruWL1v061+K7PPnjKa2CjnoEjAZDfqeQI+OBLZP +zqJ1CcQUnujYEpyhy4YV1ZpLZYOt48osEhUvG/eFnfymeDeAVAts725uzboN3uX8 +ETM5k0cW1ElSTL0BltRn8hRs8BSVXtKIucRXERomIwK+45ux8DHFS2NQlEHs2x1g +d4coPbCgMt7nBPYGnAUOYaWyw6dcaCAPNoVVIyUP1ps +-> ssh-rsa QHr3/A +GM2npxcLnNk81fSJUW9tcDnaKcx42cuxaObl8oCB43GIFm7K5L89FHj4Ww9RUJy0 +V41RQ802OBgudJqOI63DcW7mZ905fqLTnKZ75EJJSGgqjY0EcCOc2Oy8kV/BidWP +scmDbd+mQ1INuZBr9GBkD1brESh4vHtByPD6wkFKXlVkVTL49EQt8uBw8/0+uF0B +5a1aRQ09IkVPjluDMy2fc4VpgvkdnuXsMRD8vPk6gGzVlii72htGwYYWtIP9CgpY +trp85RxVGuqUTULFBOGXcc7YjfE1DWkPoeokCL8m7aVzdasZl+cl/Ick6rJueuQI +5ESvYKqRTfZ+oA8MapNtAZ7Nl8CT8VJoRyI6IQvPynRXCBK9D6gEAWc5l6Kv15Fl +73c8Q5I2oIaLOfeMYcZ1bL5Zvspa6Rsb5BtvOuOkacxx7GjMar1G2tUY4W3vFqn9 +yf8/Uc61LU6BYVvFh6DI6TwHp6xp/DrWZYhXCvNfirMn1NSw+8q0EEcIr2sUdkbx +gf2onMjtRP/Mki0oqkMTXnIsCzL/Y7D13GdouVqz0Ttbg/BEa8RnSaJxDIwQ1Wlz +VCC+oK/jTr+0pfP+3iR75WuGC0ce+muEN/L29H6wFk4N2oar/r0BYZZ6BtV9I9kS +8xnIxKvrcJ4O5dYy4f/lMeTRlPp6pz1jjtb6AVcNzHE +-> ssh-ed25519 +vdRnA qQe9nesjyr3dCtSa7xfgsw1RjKx5UGTzg+/XrcDzl0A +912JZmwcsvsg2D8G9LakTfOa70hCkk4DALZP1fKcw2A +--- GzPDMAdvn0Gvp+gqVd/1EKvMPtqPhIjpVYRDAcvhwaU +Ș x +ydOSa)avGჳMX %O=`~$  \ No newline at end of file