From 71a3654e9a14db142fdc17f5105c44abe0a27732 Mon Sep 17 00:00:00 2001
From: Andrea Ciceri
Date: Thu, 25 Jul 2024 16:43:58 +0200
Subject: [PATCH] Restic for `sisko`
---
 hosts/sisko/default.nix | 2 +
 modules/restic/default.nix | 60 ++++++++----------
 ...hetzner-storage-box-sisko-ssh-password.age | Bin 0 -> 1653 bytes
 secrets/secrets.nix | 2 +
 secrets/sisko-restic-password.age | 30 +++++++++
 5 files changed, 59 insertions(+), 35 deletions(-)
 create mode 100644 secrets/hetzner-storage-box-sisko-ssh-password.age
 create mode 100644 secrets/sisko-restic-password.age
diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix
index 8aba34a..8baf83a 100644
--- a/hosts/sisko/default.nix
+++ b/hosts/sisko/default.nix
@@ -34,6 +34,8 @@
 "prometheus-exporters"
 "loki"
 "promtail"
+ "restic"
+ # "immich"
 ] ++ [
 ./disko.nix
diff --git a/modules/restic/default.nix b/modules/restic/default.nix
index 4496e61..52da5cf 100644
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@@ -3,43 +3,33 @@
 pkgs,
 lib,
 ...
-}: {
- options.backup = {
- paths = lib.mkOption {
- type = lib.types.listOf lib.types.path;
- default = [];
+}: let
+ user = "u382036-sub1";
+ host = "u382036.your-storagebox.de";
+ port = "23";
+in {
+ age.secrets = {
+ HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD = {
+ file = ../../secrets/hetzner-storage-box-sisko-ssh-password.age;
+ owner = "root";
 };
- };
- config.services.restic = {
- backups = {
- hetzner = {
- paths = config.backup.paths;
- passwordFile = config.age.secrets.restic-hetzner-password.path;
- extraOptions = [
- # Use the host ssh key, for authorizing new hosts:
- # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de install-ssh-key
- "sftp.command='ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de -i /etc/ssh/ssh_host_ed25519_key -s sftp'"
- ];
- repository = "sftp://u382036-sub1@u382036-sub1.your-storagebox.de:23/";
- initialize = true;
- timerConfig.OnCalendar = "daily";
- timerConfig.RandomizedDelaySec = "1h";
- };
+ SISKO_RESTIC_PASSWORD = {
+ file = ../../secrets/sisko-restic-password.age;
+ owner = "root";
 };
 };
- config.environment.systemPackages = builtins.map (path:
- pkgs.writeShellApplication {
- name = "restic-restore-${builtins.replaceStrings ["/"] ["-"] path}";
- runtimeInputs = with pkgs; [restic];
- text = ''
- restic -r ${config.services.restic.backups.hetzner.repository} \
- ${lib.concatMapStringsSep ''\'' (option: "-o ${option}") config.services.restic.backups.hetzner.extraOptions} \
- --password-file ${config.services.restic.backups.hetzner.passwordFile} \
- restore latest \
- --path "${path}"\
- --target "$1"
- '';
- })
- config.services.restic.backups.hetzner.paths;
+ services.openssh.knownHosts."${host}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+
+ services.restic.backups.sisko = {
+ paths = ["/persist"];
+ passwordFile = config.age.secrets.SISKO_RESTIC_PASSWORD.path;
+ extraOptions = [
"sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'" + ]; + repository = "sftp://${user}@${host}:${port}/"; + initialize = true; + timerConfig.OnCalendar = "daily"; + timerConfig.RandomizedDelaySec = "1h"; + }; } diff --git a/secrets/hetzner-storage-box-sisko-ssh-password.age b/secrets/hetzner-storage-box-sisko-ssh-password.age new file mode 100644 index 0000000000000000000000000000000000000000..d2e9b5acf5f88f348d9ca9895dfbe1ef5e530b04 GIT binary patch literal 1653 zcmYk5Im`440flXBfAy$4|e^bNMmN(HDr03T6i$ZQs@j z6Yvgk<4yl6#O!9!BZ6rYnX`(#i%0pSN%Tx5IEuqXb3ptQWry;WBMy%qcsxQZ>SkUK z`gWz+AfT4FPB2cXI}q6krsgIE!3%1Cdpn%Ido}4Q6vrv7VInjkbbvpH$k>Y$zQqnj zKBvzPsa4H2y}6>H4!qkC@JfehA>^ijl;&xcb&^s?o|3R`4l2;5d*C5to#2&NDbaeW zOV$)QnfA~|^orq+&g+mnW%cyAF;9l9`0lwdi-JGN7FKA0H9ety7a}>5V`Z$h$Ay9| zxudUC?(J$0!U|?bmPd8v$^7X|14J1wI+YE~#|_lrfsnlsPU90<@OIHoUokmlJQA~3 zh==K1_86Qc@M8Re6w35c-#o4T}TR&ug|D* zO_gK8M{(agv9QnTs<(s{wMJGR1iU!jmajmC@xm!tgVl0Eipoj0p0DUKeCg#A7J=}h zPV>HD_FgEy3 z^Gz$_m%rHR#>^&y?mg52X!l)TEf|W6B zqDZTbZ}m}uw9OjXs-~aic&R``I|-M?Ja*q(M)x>tXJ9yUEy7l@+}1v!JW$)VE4C{B z-(%xB-60w%a)?Mz@V-!V^xhb+lhCQ+D#%vyY!ag3{mS#iNdo(NF#bT_2y4`zujaw& z4PNo94#YPcnmcDYERMVRe38}=V;s!g+ooL$Ro|YX|1w`NzZ7~3p<`a%`K0fl*@#E* zz<@xD@)1EEB8{2NJ1Q_aho6k@g7XExjn_dD_ywm_6CYZuYxryQ4o#fhV(+!yyRr)C z6&&rRsdQH6xpa~`=Tfb@)ldqdK=%8I*P#&9!mBxu*vFnA20>Zf+ej`J9k`MZP-%{+ zta=g}qAff~0}}5T213vtu@;C#7tz70zp8mRB9?cchI~U(e(lP#irvYxgj2v6) z8`xy0BbLeiz9^O)yr|sNRyN-rD(TWrw)jmrsHi#j~G-G^2t zDY0)x%PmuyA>hic1e<;Q@ZIr=`5q#NOZio{1K zt@d&~&4Rj6oDf59h|Nu@+hMW81owIt+K1btmc>h%G#UXquRE70AOtBf>rhEfhrbMV z+2VoaCr>jUnreIUjf$c}9w<~Elc8flE zC3TCGPU>AVm3jH9$^Utrr3i+>)E96|&5r(J>#LkZfmv1bQe_%tGSX=W-lKW8HfA$^ zWVx&comXiD0RHMyx#=H<2W50&zqD5)>7fheDI1u%6gX8T&IQZA&Ib7S`1n#$Hwe;6 zM1wlFUS-sM(P9KQV_JA#-TKL5HS84#v60ZgKlGoYzx(bl-}~Wje(;C+pMU?+cRx9Q nJ#*`y)8GFL{PC~4fB)^TuRneL<@f*iE&0vIzkd7m7vg^a{xc;i literal 0 HcmV?d00001 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fb8e4df..b41e70e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -28,6 +28,8 @@ in
 "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard];
 "forgejo-nix-access-tokens.age".publicKeys = [ccr-ssh ccr-gpg picard];
 "garmin-collector-environment.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "hetzner-storage-box-sisko-ssh-password.age".publicKeys = [ccr-ssh ccr-gpg sisko];
+ "sisko-restic-password.age".publicKeys = [ccr-ssh ccr-gpg sisko];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];
diff --git a/secrets/sisko-restic-password.age b/secrets/sisko-restic-password.age
new file mode 100644
index 0000000..c754950
--- /dev/null
+++ b/secrets/sisko-restic-password.age
@@ -0,0 +1,30 @@
+age-encryption.org/v1
+-> ssh-rsa /AagBw
+TKW/pV8ANvSWay5wTsFhV0CDSqn/wZAzNRP0WgRzBJbsrFP2/YYkhRHFtwkMjeXm
+qEJPeXYdpgT6+FXq3nfhTaK/AbeebBRWO7dgGfKBosJ6Mc+PMhephrQ+oH6/zbG5
+l5QclAZ4NOfkD3f/nnqog13nKTijHjHcTnEWYZZz8RowaUEkEjo4Xbgw1MUbC8yJ
+khyqZOTVFnfKgcSW5rlnsbrZKkmwYYY8mej27I9AFeSLgE0DOF3OWxrNxuPdxICp
+h/kfQ2lPw75TWX5vj8WKOOxjAvheIiJDAAdfOoroK1BqKAUmpC6HjpC3cJZhrMmE
+Xtob+esC39M8QBO1vUB639/I0AKAMbn3rE617StUr2QyyyNahnOOOPaZplCk/uM8
+Sde8d+VwTuvJXosuxi7Z+lQbeyCg7WmRigRoSiL6+9HcdMtDMDRjtloVq1o+iHXc
+5A99Eeq0D/rBVSDmXKkVpcwLfruWL1v061+K7PPnjKa2CjnoEjAZDfqeQI+OBLZP
+zqJ1CcQUnujYEpyhy4YV1ZpLZYOt48osEhUvG/eFnfymeDeAVAts725uzboN3uX8
+ETM5k0cW1ElSTL0BltRn8hRs8BSVXtKIucRXERomIwK+45ux8DHFS2NQlEHs2x1g
+d4coPbCgMt7nBPYGnAUOYaWyw6dcaCAPNoVVIyUP1ps
+-> ssh-rsa QHr3/A
+GM2npxcLnNk81fSJUW9tcDnaKcx42cuxaObl8oCB43GIFm7K5L89FHj4Ww9RUJy0
+V41RQ802OBgudJqOI63DcW7mZ905fqLTnKZ75EJJSGgqjY0EcCOc2Oy8kV/BidWP
+scmDbd+mQ1INuZBr9GBkD1brESh4vHtByPD6wkFKXlVkVTL49EQt8uBw8/0+uF0B
+5a1aRQ09IkVPjluDMy2fc4VpgvkdnuXsMRD8vPk6gGzVlii72htGwYYWtIP9CgpY
+trp85RxVGuqUTULFBOGXcc7YjfE1DWkPoeokCL8m7aVzdasZl+cl/Ick6rJueuQI
+5ESvYKqRTfZ+oA8MapNtAZ7Nl8CT8VJoRyI6IQvPynRXCBK9D6gEAWc5l6Kv15Fl
+73c8Q5I2oIaLOfeMYcZ1bL5Zvspa6Rsb5BtvOuOkacxx7GjMar1G2tUY4W3vFqn9
+yf8/Uc61LU6BYVvFh6DI6TwHp6xp/DrWZYhXCvNfirMn1NSw+8q0EEcIr2sUdkbx
+gf2onMjtRP/Mki0oqkMTXnIsCzL/Y7D13GdouVqz0Ttbg/BEa8RnSaJxDIwQ1Wlz
+VCC+oK/jTr+0pfP+3iR75WuGC0ce+muEN/L29H6wFk4N2oar/r0BYZZ6BtV9I9kS
+8xnIxKvrcJ4O5dYy4f/lMeTRlPp6pz1jjtb6AVcNzHE
+-> ssh-ed25519 +vdRnA qQe9nesjyr3dCtSa7xfgsw1RjKx5UGTzg+/XrcDzl0A
+912JZmwcsvsg2D8G9LakTfOa70hCkk4DALZP1fKcw2A
+--- GzPDMAdvn0Gvp+gqVd/1EKvMPtqPhIjpVYRDAcvhwaU
+Ș x
+ydOSa)avGჳMX %O=`~$
\ No newline at end of file