aciceri/nixfleet
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Restic for sisko

Browse source
This commit is contained in:
Andrea Ciceri 2024-07-25 16:43:58 +02:00
parent 865274a2df
commit 71a3654e9a
Signed by: aciceri
SSH key fingerprint: SHA256:/AagBweyV4Hlfg9u092n8hbHwD5fcB6A3qhDiDA65Rg
5 changed files with 59 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
hosts/sisko/default.nix
View file

@ -34,6 +34,8 @@
"prometheus-exporters" "prometheus-exporters"
"loki" "loki"
"promtail" "promtail"
"restic"
# "immich"
] ]
++ [ ++ [
./disko.nix ./disko.nix

60
modules/restic/default.nix
View file

@ -3,43 +3,33 @@
pkgs, pkgs,
lib, lib,
... ...
}: { }: let
options.backup = { user = "u382036-sub1";
paths = lib.mkOption { host = "u382036.your-storagebox.de";
type = lib.types.listOf lib.types.path; port = "23";
default = []; in {
age.secrets = {
HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD = {
file = ../../secrets/hetzner-storage-box-sisko-ssh-password.age;
owner = "root";
}; };
}; SISKO_RESTIC_PASSWORD = {
config.services.restic = { file = ../../secrets/sisko-restic-password.age;
backups = { owner = "root";
hetzner = {
paths = config.backup.paths;
passwordFile = config.age.secrets.restic-hetzner-password.path;
extraOptions = [
# Use the host ssh key, for authorizing new hosts:
# cat /etc/ssh/ssh_host_ed25519_key.pub | ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de install-ssh-key
"sftp.command='ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de -i /etc/ssh/ssh_host_ed25519_key -s sftp'"
];
repository = "sftp://u382036-sub1@u382036-sub1.your-storagebox.de:23/";
initialize = true;
timerConfig.OnCalendar = "daily";
timerConfig.RandomizedDelaySec = "1h";
};
}; };
}; };
config.environment.systemPackages = builtins.map (path: services.openssh.knownHosts."${host}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
pkgs.writeShellApplication {
name = "restic-restore-${builtins.replaceStrings ["/"] ["-"] path}"; services.restic.backups.sisko = {
runtimeInputs = with pkgs; [restic]; paths = ["/persist"];
text = '' passwordFile = config.age.secrets.SISKO_RESTIC_PASSWORD.path;
restic -r ${config.services.restic.backups.hetzner.repository} \ extraOptions = [
${lib.concatMapStringsSep ''\'' (option: "-o ${option}") config.services.restic.backups.hetzner.extraOptions} \ "sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'"
--password-file ${config.services.restic.backups.hetzner.passwordFile} \ ];
restore latest \ repository = "sftp://${user}@${host}:${port}/";
--path "${path}"\ initialize = true;
--target "$1" timerConfig.OnCalendar = "daily";
''; timerConfig.RandomizedDelaySec = "1h";
}) };
config.services.restic.backups.hetzner.paths;
} }

BIN
secrets/hetzner-storage-box-sisko-ssh-password.age Normal file
View file

Binary file not shown.

2
secrets/secrets.nix
View file

@ -28,6 +28,8 @@ in
"forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard]; "forgejo-runners-token.age".publicKeys = [ccr-ssh ccr-gpg picard];
"forgejo-nix-access-tokens.age".publicKeys = [ccr-ssh ccr-gpg picard]; "forgejo-nix-access-tokens.age".publicKeys = [ccr-ssh ccr-gpg picard];
"garmin-collector-environment.age".publicKeys = [ccr-ssh ccr-gpg sisko]; "garmin-collector-environment.age".publicKeys = [ccr-ssh ccr-gpg sisko];
"hetzner-storage-box-sisko-ssh-password.age".publicKeys = [ccr-ssh ccr-gpg sisko];
"sisko-restic-password.age".publicKeys = [ccr-ssh ccr-gpg sisko];
# WireGuard # WireGuard
"picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard]; "picard-wireguard-private-key.age".publicKeys = [ccr-ssh ccr-gpg picard];

30
secrets/sisko-restic-password.age Normal file
View file

@ -0,0 +1,30 @@
age-encryption.org/v1
-> ssh-rsa /AagBw
TKW/pV8ANvSWay5wTsFhV0CDSqn/wZAzNRP0WgRzBJbsrFP2/YYkhRHFtwkMjeXm
qEJPeXYdpgT6+FXq3nfhTaK/AbeebBRWO7dgGfKBosJ6Mc+PMhephrQ+oH6/zbG5
l5QclAZ4NOfkD3f/nnqog13nKTijHjHcTnEWYZZz8RowaUEkEjo4Xbgw1MUbC8yJ
khyqZOTVFnfKgcSW5rlnsbrZKkmwYYY8mej27I9AFeSLgE0DOF3OWxrNxuPdxICp
h/kfQ2lPw75TWX5vj8WKOOxjAvheIiJDAAdfOoroK1BqKAUmpC6HjpC3cJZhrMmE
Xtob+esC39M8QBO1vUB639/I0AKAMbn3rE617StUr2QyyyNahnOOOPaZplCk/uM8
Sde8d+VwTuvJXosuxi7Z+lQbeyCg7WmRigRoSiL6+9HcdMtDMDRjtloVq1o+iHXc
5A99Eeq0D/rBVSDmXKkVpcwLfruWL1v061+K7PPnjKa2CjnoEjAZDfqeQI+OBLZP
zqJ1CcQUnujYEpyhy4YV1ZpLZYOt48osEhUvG/eFnfymeDeAVAts725uzboN3uX8
ETM5k0cW1ElSTL0BltRn8hRs8BSVXtKIucRXERomIwK+45ux8DHFS2NQlEHs2x1g
d4coPbCgMt7nBPYGnAUOYaWyw6dcaCAPNoVVIyUP1ps
-> ssh-rsa QHr3/A
GM2npxcLnNk81fSJUW9tcDnaKcx42cuxaObl8oCB43GIFm7K5L89FHj4Ww9RUJy0
V41RQ802OBgudJqOI63DcW7mZ905fqLTnKZ75EJJSGgqjY0EcCOc2Oy8kV/BidWP
scmDbd+mQ1INuZBr9GBkD1brESh4vHtByPD6wkFKXlVkVTL49EQt8uBw8/0+uF0B
5a1aRQ09IkVPjluDMy2fc4VpgvkdnuXsMRD8vPk6gGzVlii72htGwYYWtIP9CgpY
trp85RxVGuqUTULFBOGXcc7YjfE1DWkPoeokCL8m7aVzdasZl+cl/Ick6rJueuQI
5ESvYKqRTfZ+oA8MapNtAZ7Nl8CT8VJoRyI6IQvPynRXCBK9D6gEAWc5l6Kv15Fl
73c8Q5I2oIaLOfeMYcZ1bL5Zvspa6Rsb5BtvOuOkacxx7GjMar1G2tUY4W3vFqn9
yf8/Uc61LU6BYVvFh6DI6TwHp6xp/DrWZYhXCvNfirMn1NSw+8q0EEcIr2sUdkbx
gf2onMjtRP/Mki0oqkMTXnIsCzL/Y7D13GdouVqz0Ttbg/BEa8RnSaJxDIwQ1Wlz
VCC+oK/jTr+0pfP+3iR75WuGC0ce+muEN/L29H6wFk4N2oar/r0BYZZ6BtV9I9kS
8xnIxKvrcJ4O5dYy4f/lMeTRlPp6pz1jjtb6AVcNzHE
-> ssh-ed25519 +vdRnA qQe9nesjyr3dCtSa7xfgsw1RjKx5UGTzg+/XrcDzl0A
912JZmwcsvsg2D8G9LakTfOa70hCkk4DALZP1fKcw2A
--- GzPDMAdvn0Gvp+gqVd/1EKvMPtqPhIjpVYRDAcvhwaU
Ș xó•²
O<>SaÐ)avŠëâGœÎ÷ჳMXü %OÍ=¶Ü`~$ ªÁù