From e2ba1aacf49a012acf75478c07679c9a778400e1 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Sun, 25 Aug 2024 03:45:53 +0200
Subject: [PATCH 1/5] mail: add backups to garage bucket + storagebox

Restic backups to garage S3 bucket metronom-backups
---
 hosts/metronom/backups.nix | 26 +++++++++---
 hosts/metronom/configuration.nix | 8 ++++
 hosts/metronom/default.nix | 2 +-
 modules/mail/default.nix | 16 +++++++
 secrets/metronom-root-ssh-key.age | Bin 0 -> 2813 bytes
 secrets/restic-repo-garage-metronom-env.age | 44 ++++++++++++++++++++
 secrets/restic-repo-garage-metronom.age | 43 +++++++++++++++++++
 secrets/restic-repo-storagebox-metronom.age | 43 +++++++++++++++++++
 secrets/restic-repo-storagebox.age | Bin 2467 -> 2576 bytes
 secrets/secrets.nix | 7 +++-
 10 files changed, 182 insertions(+), 7 deletions(-)
 create mode 100644 secrets/metronom-root-ssh-key.age
 create mode 100644 secrets/restic-repo-garage-metronom-env.age
 create mode 100644 secrets/restic-repo-garage-metronom.age
 create mode 100644 secrets/restic-repo-storagebox-metronom.age

diff --git a/hosts/metronom/backups.nix b/hosts/metronom/backups.nix
index c5bf79b8..3512b7bb 100644
--- a/hosts/metronom/backups.nix
+++ b/hosts/metronom/backups.nix
@@ -1,13 +1,29 @@
-{ flake, ... }:
+{ config, flake, ... }:
 {
-  age.secrets."restic-repo-droppie" = {
-    file = "${flake.self}/secrets/restic-repo-droppie.age";
+  age.secrets."restic-repo-storagebox-metronom" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox-metronom.age";
     mode = "400";
     owner = "root";
   };
-  age.secrets."restic-repo-storagebox" = {
-    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+  age.secrets.restic-repo-garage-metronom = {
+    file = "${flake.self}/secrets/restic-repo-garage-metronom.age";
     mode = "400";
     owner = "root";
   };
+  age.secrets.restic-repo-garage-metronom-env = {
+    file = "${flake.self}/secrets/restic-repo-garage-metronom-env.age";
+    mode = "400";
+    owner = "root";
+  };
+
+  pub-solar-os.backups.repos.storagebox = {
+    passwordFile = config.age.secrets."restic-repo-storagebox-metronom".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/metronom-backups";
+  };
+
+  pub-solar-os.backups.repos.garage = {
+    passwordFile = config.age.secrets."restic-repo-garage-metronom".path;
+    environmentFile = config.age.secrets."restic-repo-garage-metronom-env".path;
+    repository = "s3:https://buckets.pub.solar/metronom-backups";
+  };
 }
diff --git a/hosts/metronom/configuration.nix b/hosts/metronom/configuration.nix
index a43c8360..72037463 100644
--- a/hosts/metronom/configuration.nix
+++ b/hosts/metronom/configuration.nix
@@ -23,6 +23,14 @@
     pools = [ "root_pool" ];
   };
+  # Declarative SSH private key
+  age.secrets."metronom-root-ssh-key" = {
+    file = "${flake.self}/secrets/metronom-root-ssh-key.age";
+    path = "/root/.ssh/id_ed25519";
+    mode = "400";
+    owner = "root";
+  };
+
   # Declarative SSH private key
   #age.secrets."metronom-root-ssh-key" = {
   #  file = "${flake.self}/secrets/metronom-root-ssh-key.age";
diff --git a/hosts/metronom/default.nix b/hosts/metronom/default.nix
index a1699f15..581b1517 100644
--- a/hosts/metronom/default.nix
+++ b/hosts/metronom/default.nix
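Review bot: Both hosts back up into the same storagebox account: this hunk points metronom at `sftp:u377325@u377325.your-storagebox.de:/metronom-backups`, while the nachtigall modules in the later patches use `/backups` on the identical `u377325` account. The per-host restic password files added here therefore protect only the confidentiality of each repository; presumably the SSH identity of either host can still list, overwrite or delete the other host's repository directory, since the account is not partitioned by directory. If the provider supports per-directory sub-accounts, one account per host would contain a compromised host to its own backups; at minimum the trade-off deserves a comment next to `repository`, e.g. `# NOTE: u377325 is shared with nachtigall; the SSH key grants access to every directory of the account`. Consider also documenting whether the SSH key on the storagebox side is restricted to SFTP only, which is not visible from this file.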
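Review bot: In the configuration.nix hunk, the commented-out `#age.secrets."metronom-root-ssh-key"` block left directly below the new declaration is now a dead duplicate under a second `# Declarative SSH private key` heading and should be deleted rather than kept. The new block itself looks right (`mode = "400"`, `owner = "root"`, materialised at `/root/.ssh/id_ed25519`), but the heading does not say what the key is for; presumably it is the identity restic's sftp backend uses for `pub-solar-os.backups.repos.storagebox`, and a why-comment such as `# SSH identity for the restic sftp repository on the storagebox (see backups.nix)` would make that explicit and tie the two files together. The enclosing attribute set starts and ends outside the hunk.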
@@ -7,6 +7,6 @@
     ./networking.nix
     ./wireguard.nix
-    #./backups.nix
+    ./backups.nix
   ];
 }
diff --git a/modules/mail/default.nix b/modules/mail/default.nix
index 9b288166..ca261123 100644
--- a/modules/mail/default.nix
+++ b/modules/mail/default.nix
@@ -67,4 +67,20 @@
   };
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "security@pub.solar";
+
+  pub-solar-os.backups.restic.mail = {
+    paths = [
+      "/var/vmail"
+      "/var/dkim"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:00:00 Etc/UTC";
+    };
+    initialize = true;
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
 }
diff --git a/secrets/metronom-root-ssh-key.age b/secrets/metronom-root-ssh-key.age new file mode 100644 index 0000000000000000000000000000000000000000..c07ac8df890795c0be86f4763ad2d14e72b62c7d GIT binary patch literal 2813 zcmZXV`|s-n8HWuT&>AGcTQH(u0Tr!>wp-h+a?#$_^|E$dyWR|X+OF%`b?a?y*J(VW z9Jy$~2&e%>4+;wL7Zegj5IGtz2quW2c#FhHKp=t_NJP}HCK!YN!27)Uy|P>!2xc7&Lx{a8i_t;2*RDXw+v4>y8&hpxz|b(y7s& zjr7D$$=MxU>UKi02d&VuhBt7duef<<;ZcCL@L**nFDKd#ErU*i?kI|3s2vuE3)Ijn zN`o@Hn+M&r9MKfI&Wh3kXJd0qhs{#S9RO`y+eb?*nd)nyoJ)~}#)t%t6l82Ag4V#I zkqQHWF?5G0R;F#tq(qyks;n%SmPdO)q$E-hENZcUgLJgE)i^?oISu!1-5mCHd)VNF z+Do)yR>CU}olY9Qb~1}yYlzFUb__tgmpL1Mh{6+9oNS{Orx)wXZ>3&3FNP;sZKRWT@dcD=u0cPH2AC=_NhGqAQwEQijx z9ji_P4G{rVc3N*sH&QvIC(u|YfWbzd;ZuQ2SccMS5#a|0UMlw1n>F^5fTwBN=yohY ziIp-!IFTYVvLl%!!`+yfWl0NwILlWSX>10ZvY^r7hMaa)Z8?a-g*=ml&CbR9kRk4j zMDFP|6*dcu3n5werY1>YP7XNgc!8zda3*l`T8kqaUyj`hF0phNbd>2BoDhh^vKq}T z|F_4>0i(erFv%MgGtjNuv|xzssHX9x5y!b(-6cl$z-POmj+#vX$7^0^60cbl3OG;`r7)J|eMq`?*a#Y>x zdp3>qWIzf_T-D(+Lsm$MCevTuCMcqp z3k~obGEKM?mql7oys5aaz*c3+NU*5P$v`_8R*3_9*1!Nqybh0aO6YaEHe@A<+fGyt z@R9+zub|q*yTQoj*K>2$5hP-rS~M=TnuXas#bL7B(|oWg(hNcvVXhaX)v&ZTvQ+>j zU?G?cy)AFk6}zsZAvQ=B!$b)jXvNRM?WSSva*MYCp~I{BkWo9)oF}%h(w!r*SpmT? znrmw`>@3B}02Gu;q;VzauZosmE0`WAy$oa)Mh8)10y4$rwnF^bz~sh^k~gb?4p{NF z4?A(SRMF6@rEtZMcROl2CC6!@cmH!U|7Gp+9E$c?dDnCba$_mAo>WUeW2FLOdW+@8Uj&uyVT+w2gehGI zyAF`{$KJjc`dU`!3v!MohS=jpx>I3PTy2!rHCwHS3DV*C=kN3RA8HRYr409Ui5Ju? 
zYcSJF8WM?^fRJ0Uq}l}%<84}@QY&N1R30psKv;C}jd^GLdmTgq>zV$Ut~C}&up zYUwlu%X&qaaIjl)m>AJb871q8I-RUfc-|Cc1#H9Cp9H?YgL?oU*g+iktgQpARC#iF?(8FLw;u`y&Oz7Z4_X7~UkjdP!0 z?qXY@zY{&r(?5RrqRW#DPPz2_H$1X&9`3ySrt_{m z`j+>c^2n2?|MQ~DxxZz-{*B)$j$U=>wbsE~?|$wt#0^7mv$^EAPc|q0^vI*8{Qd{Y zvnOYq{FHdvrP2D7!B_wG9HM;keSiG>W8c31^v|ka`uT0&_yuBLvyXZHkJ*nWt-UZ_;?mx5n?9)HF>gd&9yY}dD;BCk?#Z@9 z_5D-seBwL5+eOc)7ytI!iywdRWZ>p6T(r6V%)z@)dSHF<*GHObIwwAR0b{(i`SU%$ z|MZ<icg0=t&Og+D&-(Z_B* z_7jKUFMRazXOBDU;-9?h#cEL9ck2U#*Sz=aJMMn ssh-ed25519 UE5Ceg rpN1FsYIOjsiqPAt3iwd6l3ZEDYNomnzcvgowqS1CAI +A5+KU6SOzcZzTQPkEPp1wN6bq9junwauKDPhM1eKi+8 +-> ssh-ed25519 uYcDNw V/zOsw5KmaQUm1YsnJExXJThypfsxOu/CS+EQ2np7RQ +vMGUU/OPOoWiyR70xsXarqWN/AgegeKgTz5lOPa04CI +-> ssh-rsa f5THog +Z3tZv8bK67z15PAp4RgMEi1Ph4y5IFBIVNHdhENVTt2zS2TnzTBoUSypjaioRlGj +YKYuUl7+sFys6QRHOWTrUM6CFF6KQo/hYR5bsFG01xE9xoG7e4V5x0ts6sFp0Xme +0nl8NBfjbORhKYyCEye6p/9EvPwJ7qpRrQt6TUpnShv9BLrZZpEyw9sy7dXS3Sjp +btXgkOiRmIJqkYLyZ3fZF2uDlOiCVVQn/m0Bii+t0vsp4ZoyvMyc/ho3pN8i2GUV +QvUPAWzps4LTIKUf/0IYpHV4adyEfXD09/L/ShPxXJjLrYpT+4JjJqzIg5Gutbyk +QRBP52GFqyt3V6M2yM9THvdk88hhczsIH37VGLmdPH+vHDG1LIabgf9rJk14+FmM +h7/TE7M4EG9YHG//zLVI4WaVf64G9Oxet4y80BhCF4kpILWRm108mpwwzPL48tR3 +VMkiX0NpP0iOe22vV6u5zzugHQYqMvR6dPtrc4yBNUPgHhOLf6GWDhX12y478o91 +ILUM08J0R0PCJhH+8LARfc7wx1fjoxeJq468sw6znHqcqbIh7WPxarKaiTbTA5bj +06oA4YHzFbV53AbiWNHcrKCNvLaGWOw+2vtXRg8UMmbbGr8icqbLMYl7qY9kS7he +wINMQgMKD79Q+V3AweMqLuIn1AyLpqwVmh9Qon3Wzdk +-> ssh-rsa kFDS0A +ZpHhJzIt2oAC5Z/xJabaunnhXCE5Ijx+Uq/s07uow2tpautkMhmP6SbdgR6zGLFV +QJMgHmDgOqybYLhaP6t8KCygmeT9DjOB47H7mmZ8yvWAitPXTpbJzlFUls6YH3Ei +C4lxsEoCjbH+znVTKFd4220Cb4GGvnMS7tXuAnQ9GFMAn/90LFBzYjbqSvkDyv/n +9Ej1Nya5r0RQg/BcTKvppr0sfdk1wCEE5jDrHAR4zMmofFxuFi7V85IcRdsrU8ij +JawhvCYGfDM6G1Yh6j8V4oaqo3gAqki0CYF5gXED42sfPrxXLV2qtYMRJSua9z0i +Zo3SgDa9WVQslqL0VZoDXn/KyDqUYWYsfsVY0kXrMezlN9+Jm77MFVWMdXNI31eG +EIAWMr0f6nsTuXV58lwXoijSLy9Ap45TPjbVbp7+1JkD2X543DuJD3ONiNq01gey +a7aGLS492IByZx0mw6sb9xpTt8jP6enH+ltqcE6gMsEcxwXfmagVKTxtNrK0izWm 
+g2GdcpGnVqioj42lchUJzNt/PtPqutaraEvo2oq2cw1zxCjY4zxdyNO1RdaFV71b +fFj2JJCm67GFHWdlqbAePTx2SvUoFt3a3N8DMNFKThGQN/1LwOaKEd25ZSTNEuwO +1exQgJfC2kxrfypEmQP/whSrk2kR13NW40bBHvrZgjo +-> piv-p256 vRzPNw Awtb8p5KgsKIBUumqHnVMgux3dRS478DdNpCENgG3frB +wcIPacn7KP7gl0Z5SvtoYK0pnIjWLwUB2UvVQdWJfso +-> piv-p256 zqq/iw AgAk66eJ/xs+PqwTBzazW4HfK8dawj/3jx5opFOaGLSj +xThgJOorp+YXS8DvaULIoszFubEfACcKSy+vwf9KMSA +-> ssh-ed25519 YFSOsg p+/PUojxwOxpfBfaDOfEHMOGS1oVCrl9dskXgo+gOGI +PPYr0WVPDwRiFGo14Mx+Wv+gkZ91S7CKyYslGjCI/lQ +-> ssh-ed25519 iHV63A iXr8vgW9lHnX+rX/E9/NrKNbF+LyRpe0M44P0IxaBHo +/odvSKNzyS8ondJ0Tcuiry09NM4ozFn2qeVMqRgR17w +-> ssh-ed25519 BVsyTA CgGBOj8nDcfP7GBIMnFV89WF1CAoiOFbA/dUOWggmVE +V4CUV5WZbVTPm3AnoW6WfIqIdcMW/Sm/FTljx1awdeo +-> ssh-ed25519 +3V2lQ Jg+gASEMV3bi9eEB86rFfguh6Be/yOO2szI19Mk2BlY +q7vBOf0CFOUfxbpvwD8rpJH3asQqqNqWBJSzwYTBErs +--- KSBDnbS1GMq4I8FXEljleKo/pKvauq9T8vomtInIEOQ +~p +ўhAV>m< 1|Ly ssh-ed25519 UE5Ceg ys38fGOhLJNLg9zx9T3v2VgF2IbOr/Y/rj2+dWkcAlU +QwkMX8WKgcJeGUomDSLjijen2K5UcRnYYwtebrITDqU +-> ssh-ed25519 uYcDNw wF0oWExIUjlP32CQzOvp6MyEvFw33Sm8pHhYn3Sb0zE +RHslJJumyXoCLHLw4sGlSLK++UHmgq97KPkqCu77G3o +-> ssh-rsa f5THog +pFSH+qCW+oM9zn2j+830+bja2rTXFuzATqfMNAq3o38ssW8Nl7+0FpkdMam4iYXu +sw4Pcaj1QPTO8PbhkEvjoOU4f0bUsVuJSIvcour4k8SUOBgEMiW/98AVSTIk6KBX +PvA+4uZn2Is+bB2m9EGCguwLJ9zzzfbur+USMQvwkQexg0YRpSfhJsRbCplLXhE+ +ZU6ut4HjCP0XWwvxgFzKc6sY4X+/PeWFJOd+WkWy5lL6gcMqUz5DXoi1CeG11AR4 +/hQ5KSJBpVsxw/ib3lSkGjA/ktQzwp4hZTI0l/dH9VHOFQflM8/9hPCYT2gsLVpF +7F2N++tMjgqbMI6Jve0gXLixpWFflr7X5UIBFW96k7/Aq2G+WUch/COQA6wTmfqw +OeP1wGd4Ka7YsgGByH5kuL60xDvtHG6+fYlnPXZAB5Fn86Ct6vRmWw9KUvLC7LKU +iBXDccJliY/y4vGFZH74EYlimurEfaBPiT5sxAk0Ke6hoJued3sZ39Qi+wuxMxFH +pleoFR/n1gBq2bu8FqTQaaNXB2Rsy7q4r5Fy1FxRJqDPgHJEmPx1k4rmYPq1VIaP +/ScOstPQgdMNBqVsBGoNYq7vewkzoPl6MkEwh6gP7IjtC1nvYxxwlGh0gESe3RFm +4MRh78EZaY9pmqIRAf/sRzajky26Aw+DkphmWNUjMTA +-> ssh-rsa kFDS0A +XsOTwrszUoHm2k4XSxiLniJZNWYfJOEn7riuDaQSGSW6ZpjMloD8K1FsZ/ZbMoUP 
+S/QD71rnETAhfQc8JAAHANOarxMXmSw3y1tSmlbL2h+TRnSoq74a1nK4Ble3aszu +y7tlUuUn3vEX6BVPRNOWM3bGW3oWNe5m0sMUAc4YSUXryWF4V48c/GbUp3T0OrRS +jm+5DWOPxt4VcLuCqe4Nv1jrjPnb7oui/7grMuottf3JRJJQxv9qZolRwlhkG2RN +4fuUSuOYnFUuHuaF2cfuTpOPaowLbh5H/Y6ETzOp+z9yNSuxRsdNgA63GrTsAorI +2axdnMakUsP7m3Xxu6YsVu8xP+Sso1xzPZoEQKA+2eol0fZpQvRPrZ59bqaf9p5U +VTIKSqIAIxyr/XN/s8S4ygaNKQZW8yBColG7TlggTth5v3XqAZ8RhcFXUg6z5lSr +RErV6Bio9JIZofvNEiJaqrl8uTo8dU4ymVuYZoEiT/mW3noqBrZlKUh6XZFMplmk +5giRTDThA3mirSTTELFCsc08kJMXqgkOzkPk5xm5kgP7VD6t/0SfGxetVWXOlUNd +dbprg8Oko1hdlO+LePY1n50TTFKBl9TeZWhvcLOhUizc0bTowUcXm+04Taf+MDwa +TMxplrtahOdCTz8k38c/HwBeHtfXRevh8A8Y1qnJXJY +-> piv-p256 vRzPNw AqccwzdKUA4RP2LzIfcTlAN9LsoEB/b7tGYyM8bk39Pn +f0srD9t9HaGY8OIAVImqJSrvHZRhxfMXkYwot4LJGeM +-> piv-p256 zqq/iw Aj8544WraFJMX2S6qyzi6CTal6sRnunmzbMO4KUQhJOO +BFiQSdLgrmgPnynqmSLNBqiWkyBme3KavSbi86HHSck +-> ssh-ed25519 YFSOsg Zece1bOI+mVc6079POREAnnzSG7ZytiTRDm+NzbbhVE +alK4ODfwrgRSDGWzcZmIuyZ88axaiMzSNfeGspsgk70 +-> ssh-ed25519 iHV63A LwfUkisQGB3txmxYYLlZSG6ddxVNVC9+UokxPiXEjRc +yRmtdHT9uM0YkS/s80jetMr1baDjGsaRubVKbJVPpCk +-> ssh-ed25519 BVsyTA +8LVssLl+DiF2f3H0KhAhvzEvTjciIAcRM9ZYwrGQh0 +CcQxWwMBdyXXzDv10vUmXBifYLXsHKOFd2/L95RGT5U +-> ssh-ed25519 +3V2lQ RWquIefIO5crVvrUxdatV7OvTv1Jabyq4IF209Ezkw0 +0SM43tcO7m7FQlNJe9QnhC9J9PwHoVxucRtZGpcACUE +--- xx8BodL5hv2CyeZ8m0tGXNzmH2DGaCveUNobqbAQK8U +)\9ct4ʿ~eJ}<[+*x>;m/&I:ϑ3 \ No newline at end of file diff --git a/secrets/restic-repo-storagebox-metronom.age b/secrets/restic-repo-storagebox-metronom.age new file mode 100644 index 00000000..82e418e3 --- /dev/null +++ b/secrets/restic-repo-storagebox-metronom.age 
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 UE5Ceg Ut5S3qcz82qT9y6KnUG6WfgvhZ4Cq3akEnw6qkfOkHA +uwaOk4WQxkj/R8rw31ClUm7nS0nz5OFVyyqNdNjSKY0 +-> ssh-ed25519 uYcDNw kwQz6q16sYba+q2r/lH6Z0kSSXSxVrjGpK/3tPj4CT0 +nTo6jrcpQ9niGGxhuS7mZva6KnrYdjqvobW3yiZsYU4 +-> ssh-rsa f5THog +ugWQuX4fXVBJ/MWuVaM9Wj+kUFIpKV/+2C+Hxe4xg05/HmVWH95/TUE7QnhBKu1/ +Dda8oQL8xMSvThxUh0tY9pJjUMa/1ShfYpIAD6zE311bnPObDAZRBtS6fF5m5Vcj +9KL1ILwj7/Vj5/OMDM4BuEL1cmTmX2ohj/ho7hoWpU3ejohQKxpsH/atXAPevAgz +oajzoiQ2+qX18gW4tTLr9MqGuIQYDhj0f1YsPR5gMQEukwGJcQYaZZe78wRV/iGH +n4xbdRJGAxWyBZqKqeNKmh/VxdoC6wxIpAM3h/tchWA7RB2kn5rJBuk+XOF5pJLj +tOjMpoJClHwIgr8hmIMb5eI5bQdBZi8sIuwgaxe8GAjfy1fXt+XcR30pWW9xh/la +yLSEnz7OtjNPmHObWxMLmYkIX16qKXmdA1IMJib74THqboHOIFI08GVKWs6xCAr7 +9Mk4tFejwqPurFskwmX5Ubls8b5hNIO8Cz72RKwvGHwTFTtOR5Lzp/gRmCTD1qlb +aNYOZnduZ/ApxwG0OnNbC60C8+NB8EwRToiHmXLlnFP6WGlYKlSKy/WjJFjreFIJ +9hdiKCcHE87gsD2dEWHW4Hq4oZq/SwVL2FGCHC5dgohkY//i+aQVeSqAtvOR3tsb +CnKVhf+O6dMVZqNUeONGJ1oEaZwZJzBST9XXv6Yi2rY +-> ssh-rsa kFDS0A +EmZCGuxH9lUz/OuZKjKfkeone7oi+AETEpkUH909lc0LoTbk96Z9Q9IsRSxcrXh2 +CuQ9c8zZ3PgpwHRxLwwvCef4VMW2rgu98FLza3C41tww5ceudK/p/vwCPACUAV5e +T8fUGg2OTUFOvMpFtPejoD1fjrTHWahB4DW4r+ODbQM94fQiHjzq1qPDsFf4WpKF +1azagGfB6uejCewpQ+M+GnUZXDjOTi2IgA1+/dqQz5kGhVA9SnykfSxWGZKjcGPh +10EaBdrO5bqIh+Wf/b6GktFWKKTOipD6VzxiMbppMqr4pfRpFYy+okunl29ky+xk +6LTJHw5+19QB2YZMAbHCivmZpX+rfuCI/4JmUMfdAHrdkL56F/OWPx8j+2gFFkTm +qOUVKkuAKWfJFaUgfFbXtwwuE+JH/RuY1flG+PJjMr1xxnttFs3IYP4CVEH1j3Yg +APzd3PYpkW3fkCNT3PUJHDjVhzS3jvAjIgD2qDwc/AsQyMjJuyICSL8ciSb9PQMY +JeGX+4FjDpqgZeNYD1CIEEraAkoHoEBi2puNrsQY11qgnC/XXAfubz2XDtF4NhZS +Lr29oOuqwl9UglQq1yx0rmPyLvb5fstFvN1JELTuArOX9r7uyV4tEjhr1Emjcmlx +20XOvDtSRQNyG0JypayZcng4sXM8yLZngsUR+9kMZjo +-> piv-p256 vRzPNw AjEZFjCMWC+lzG6Mzn+yk1ylhtIS0rr8+uG3pONi8aUB +0dJi7kX8PFsGGo2nKxJ9DAi1Psz/Z93xusQ6hvgfo88 +-> piv-p256 zqq/iw AmPSSktHHwoEtSPexUIp4gro8kbxyiBi1F4I9PZBJXUN +SllB8/hq5mPkqidZnpSCktBs4IKyDn66Rq4Tn1CHjZ4 +-> ssh-ed25519 YFSOsg dQQ89fQbmnEc8ws1Ph1sBcnF9rLeOJHcT5aXzf3wdBQ 
+7Wve8saqRX4bbskIxPqbN6+danJimre2tNm5Y/nLBkI +-> ssh-ed25519 iHV63A 9Is8lLheIcDBr0A82rW+ercEGb4WOOHYu2ArrNuwWHQ +koc4Tp5KNMWlvqIY2Q5wGo1RV4PLLjbqZDH/te2+9vM +-> ssh-ed25519 BVsyTA SbXK3Qyz2KIN5+SuYQri6oQSVRFTsekvtCRissDF7nQ +EOuZGw1k2Ql6co/WFeEn2TmfGWN1ThCkksa1RD30yTE +-> ssh-ed25519 +3V2lQ HRGVqQxpU9SCs0tD2gSuqKz92HE3paG0JsHru3eliEE +U1z/FTfrf4sb4/gpEjHmpX559JSn7zsaiQUeej8ofpA +--- V+P4YcVeFP56hwKuk4ZLSzE/zCSvYyCTrKKRj48AuMA +%GY5fv]W1t]/M8U=bK[P1iϗ'yPU]6' fmey \ No newline at end of file 
diff --git a/secrets/restic-repo-storagebox.age b/secrets/restic-repo-storagebox.age index 47a89e538f0369f3c30fd40e3772360fb2019aa1..64252211dbeadfacc3e87550d95245b853eccce8 100644 GIT binary patch literal 2576 zcmZXWxy$?r8OH?+A%!3)tYGn?D6;W2lVoxstR$0UCii_zx=gOgeNHafKfq!IMG(|N z#bfQ=!bU8%6~spD6&7T1LG2WL6;|YD`BWbs_&%TS6K2VC(nQ17O?lgVxg9cShJoid zp2qS1oWux*!PJw(VW%W}GRHIJC5GFmIbv+KN?kU7xT+v`k#KjFTdt8)qNq=}?*Nx= z82X!ADd&Bc&{=lT6bd|YN~2;DhyubCFwc}C7#r?YTFy$vl0Es1X-tln3t?J`aL;F& zEfNHrROEMmmV_tkCu7 zS80!H#Hz~^wyOR(7BO(gf z=BeEjHqB>|$tq$!O`QY^%K_ZtOEhhlP<+k8O$ z7%_>{!@I-fT=Wm*P}v3=WP949RlzLcKn;=r@Rft#r<{sZX%j*geBe7K9i%Q#rS9Yh zX{nJ1kqizSZ_IPPgs+gr}S_yTe@qu&c-@5ZKQwP~OaTSQBp_yHTUG8_|kqoPI z=kxIhV)%`)j;T3V*yQBYEo$K_tCfrg%u;8TIfqaDR97Ky2G%(uXu3h5mWy}am!?cd zg*A&WQnC3nl~3JnUN=iNHGfIP7PwKYwq;B`8Y~^goV)vNt3rC??oq{U=YyAHJ`Xl_ zd*cjt+lk1xyfy@-2ihcI!|s5h@`&%VC`2Qrjz8)}ohPC9kS#3f+76c5<<`=XB=ziU zP_;W(wD4&oDC&pE_zdF$ZpXmax)6w-2Q4WORpO*35{);Zoa#iqACIoPYvT_3GLIN^ z3DKFPOZP{dVdi`zY#?^LgMwxbWOsEAdzpSzq@pTKm7urDJ-BjsuF&{6M(CKW@Z3or z$waC{sl)ZQm{$UD&7u@Es|Ddfwj4Z{GlYvL2Q3uUTH2`yLBr!JFI2Uovs#pN(Wrta zX_ZAU81c}2z|c>Hr;v@AoE_HT&MUGlCu>~bFqy?TnM5t@+bX4_>hQlgE_v2E(7?qK z9BT}SK$KC36mPO+QFodzioDbqb0D12pLRW@s7!mH-Mtl5PcuB0sbrH68_fcO>LG@~ z+;mLA^9wJA9$_V#z-+wL5p1Hwmz`RP2@(xSZ+#6mB$9;aru+86{>(#&^$*$M)uQI=1! 
zvVY7l*V$mWfhb3=Z9m8l%ZgA)@Z1|W=vNjmoUvM^&=3a{*c;hCU5(CAUgm%{=hR`P zyH08GVIV@9R!JpX2CwLr+3G{XG0CaXCqWUi#z!!<15VyiSyVZFENMj{1HGJI%u*>y z<n~32ZjrMV5FG zm%;EJsr);~T|Pf|2!=n+=B~e}pN4D5)LSu#c4#$eRmNx!K9xmYGwXp!vsNpLi%lJ4 zY>xo!Fb6xesbs~&*GY&n>|xm?b#{xs$d#jXILGKBlp;(2r)mDn+WQ{LUszOW1(lFT z>+yVU?=pQ}aHU4jg>kM4Q3ZL1yEEhx3f;B9afD`unMu3|!{DY2lX%Qmt4edlZim<* z%0TP|jg~kk`tUwKZ0svtli=mNedBv{8PGV+7`BqS)ahT9tDhbF% z0D_Im7No9(kip!1Icvc=m-3wI8TicB)v^SQhg17@kDXU(`NhRi`l%d*p$slK9UP52 za@0kB(m}5yucsA5qKLY3${00jCeRLGkEgol1qR#&WFj`W!p@T%+xu>30y|z*%PjBw zG#ENRzDi@&UdDLq+XF2~KRU8J5lJ{4JJK=vr#10Sq$dwwy6k zr>*Q$%TwBU5zCZs;a0GxrOY^}H4~>P_5b@1K-5JlXK6PO~n&(fWWmD z6dGHwA(y$ERMYVFG3G50&pIWob9)ahoOZoSX)jQQiY@<;=|WQ8}GZ#GON5twnIOVF4)L96$NS7ytD4Z-4Nef4=kf zZ@yk{KRLf1SwHyEFFsxV>V4_gl>3QK{Ucpo``~r$3t#&2_ul>Nd%yhcAAkPN_3h96 z@ZC47zkT(0U#Y(N@t=L;^Yyp>@cY-^`r7q#%18c8yl1}k-S@x$(~ti3FCY6C5bsrj literal 2467 zcmZA3yX*8=83%AtM2L2ah22jtZuC^Lgd%osL8IuI6Ay8ywNCB-kIyC%Z;|^j$95rk` zq5y4a*Y@ml%`)J{91_7Qghs{t;)E3$u9k8LDyq0r96Pr$7K-}?cNTrH@Q-Y5ET>l;g}u3!=PJ5Gm+yi7J9iGZ1pJfekzeNWmMncXvi5g-JAAE+q&Gk)iYlJlx=BHrBXk9c3XTg&Z7Nf)cts*FR^CMaiY=Su+vzQ^zMEa;Q%hj!bYp}sO+M^CF zCyCwwmAin=X}Fp#F?L*sS{b4o^JZ}a8d(_2Gj_kdq@jIh?TQ>QT!qD91@jmeLo0Fd z1>j3w=h&Q;vm47^Px4(jwocE$It(TGMn%@zf{Yy(Ga53$s_a#qv%**$Ndrn%i+7x?u^dDjW1Jg>NPonbgTK*a0mY^hd% zRU(&7iaDn#=P*C;!8^(GtRY|F-lbQ+2pBJe6{~T95YaJ+{&-Fnpk+Ru2Mah$#&31&#Ng@yF zi6RFura3|-!%z^YmYrf{LxZATYq`R28I`aQpg4I~3**&mIsvN}Nft1+`uw9JQUyjB_?9s%Z`-dYJkJI@a+(bRaGaKfRp*~-c zh?cMM7$P6}I+{>QlH)%pD|P z%dAe@c;=l8{19BI3r^%M0Me_1)4ZTi_ftC|>B`58LwV?G>lIsaqRQumn8MwO)p<6R zkv5pPbuBR-WLpQSxdMeeoKsC?7cp*IlP5>Dxp0Q#r^N!5&*cUyW2cREQd|O)T8)sg zBmy}u&(g>SZhLlX=dfVw15<}2xaP(|g`*nE`6aq5V$%!EyedM5`JT&-%7HWUp1SxQ z$dRm$O@KqIM=6l!(ey};6l&6@hA}!jNMmNQcAsvJ=Ugxcoige_Iqu8lMUP;or^Vd$ z=ck`)_=jewYQ@-AiR%~q}v{YTAkrl z$J;RbOj2X^4Nw_pO*owPX(Fy#u(;2N2O_5{2hVBOEuPIT=TvS4j9y>%=gS!y@Rl~^ zPnr@`TYN|*DTgkagZTZR(ih2J7}qWzfkSR=!EwEA3ISkrJu@}9=3lEKQq@}oktcr& z(cbVpT0MuaG$e|?s+FR9I#N$IBgu1`5C+1-gC2(Zx%Kzp`E<==-j1EW>&v#O 
zhRoUoU|n~prdp?NwMN19?18}ed7rC|n&Yl-yQ^VydB?@XK)kBa?zGv|(}ovKmm{2y zj%7Km>ERGR-~4lwd$-m*b`C&uh{9FBxf0+6$6Ai(F3LpavKA-5K+_D`=rjvxN|mw$Ns zTi@qD^N+(PmQVitwdC_({?|X>{M}Ff_})7oe$M{kPv8FgSHJnG-@9M?!Uu1>`;o7| k|FiDf;p>(0qqqGZy!YDQKK?8Foxi^IXZNjd{PvB11M&(p*Z=?k diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 66221cfe..50a52965 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -36,6 +36,8 @@ in { # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBB5XaH02a6+TchnyQED2VwaltPgeFCbildbE2h6nF5e root@nachtigall "nachtigall-root-ssh-key.age".publicKeys = nachtigallKeys ++ adminKeys; + # ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDeKXqbhNzbXk15h2k8wGBByxMDCC6HE1/fwa4j6ECu root@metronom + "metronom-root-ssh-key.age".publicKeys = metronomKeys ++ adminKeys; "nachtigall-wg-private-key.age".publicKeys = nachtigallKeys ++ adminKeys; "tankstelle-wg-private-key.age".publicKeys = tankstelleKeys ++ adminKeys; @@ -70,8 +72,11 @@ in "searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-garage-metronom.age".publicKeys = metronomKeys ++ adminKeys; + "restic-repo-garage-metronom-env.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys; - "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys; + "restic-repo-storagebox.age".publicKeys = metronomKeys ++ nachtigallKeys ++ adminKeys; + "restic-repo-storagebox-metronom.age".publicKeys = metronomKeys ++ adminKeys; "restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys; From 2e16c77956e9c8182f9c1d9df883a93f186c9d63 Mon Sep 17 00:00:00 2001 
From: teutat3s
Date: Thu, 29 Aug 2024 16:22:58 +0200
Subject: [PATCH 2/5] secrets: rename restic-repo-storagebox{,-nachtigall}

To use a restic repository per host
---
 hosts/nachtigall/backups.nix | 6 +++---
 hosts/tankstelle/backups.nix | 4 ++--
 modules/forgejo/default.nix | 2 +-
 modules/mailman/default.nix | 2 +-
 modules/mastodon/default.nix | 2 +-
 modules/matrix/default.nix | 2 +-
 modules/nextcloud/default.nix | 2 +-
 ...ox.age => restic-repo-storagebox-nachtigall.age} | Bin
 secrets/secrets.nix | 2 +-
 9 files changed, 11 insertions(+), 11 deletions(-)
 rename secrets/{restic-repo-storagebox.age => restic-repo-storagebox-nachtigall.age} (100%)

diff --git a/hosts/nachtigall/backups.nix b/hosts/nachtigall/backups.nix
index 46757bc3..e910d0bc 100644
--- a/hosts/nachtigall/backups.nix
+++ b/hosts/nachtigall/backups.nix
@@ -5,8 +5,8 @@
     mode = "400";
     owner = "root";
   };
-  age.secrets."restic-repo-storagebox" = {
-    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+  age.secrets."restic-repo-storagebox-nachtigall" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox-nachtigall.age";
     mode = "400";
     owner = "root";
   };
@@ -22,7 +22,7 @@
   };
   pub-solar-os.backups.repos.storagebox = {
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
   };
diff --git a/hosts/tankstelle/backups.nix b/hosts/tankstelle/backups.nix
index c5bf79b8..ea42f3bf 100644
--- a/hosts/tankstelle/backups.nix
+++ b/hosts/tankstelle/backups.nix
@@ -5,8 +5,8 @@
     mode = "400";
     owner = "root";
   };
-  age.secrets."restic-repo-storagebox" = {
-    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+  age.secrets."restic-repo-storagebox-tankstelle" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox-tankstelle.age";
     mode = "400";
     owner = "root";
   };
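Review bot: The tankstelle hunk renames its secret to `restic-repo-storagebox-tankstelle` and reads `${flake.self}/secrets/restic-repo-storagebox-tankstelle.age`, but this commit only renames `restic-repo-storagebox.age` to `restic-repo-storagebox-nachtigall.age` and registers no tankstelle entry in `secrets/secrets.nix`, so the referenced file does not exist in the tree. If `hosts/tankstelle/default.nix` imports `backups.nix` (not visible here), evaluating that host will fail on the missing path; either create and register `restic-repo-storagebox-tankstelle.age` in the same commit, or say in the commit message that the tankstelle import stays disabled until the secret exists. Note also that the old `c5bf79b8` index of this file is the same blob metronom's backups.nix started from in patch 1, so tankstelle likely still carries the leftover `restic-repo-droppie` declaration and no `repos.storagebox` definition — worth checking before enabling it. The enclosing attribute set starts and ends outside the hunk.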
diff --git a/modules/forgejo/default.nix b/modules/forgejo/default.nix
index dee6d122..d99abdd2 100644
--- a/modules/forgejo/default.nix
+++ b/modules/forgejo/default.nix
@@ -182,7 +182,7 @@
       OnCalendar = "*-*-* 00:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql
diff --git a/modules/mailman/default.nix b/modules/mailman/default.nix
index 3db13b64..e5e2903b 100644
--- a/modules/mailman/default.nix
+++ b/modules/mailman/default.nix
@@ -91,7 +91,7 @@
       OnCalendar = "*-*-* 02:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     pruneOpts = [
       "--keep-daily 7"
diff --git a/modules/mastodon/default.nix b/modules/mastodon/default.nix
index 85210e07..a26d7dd9 100644
--- a/modules/mastodon/default.nix
+++ b/modules/mastodon/default.nix
@@ -106,7 +106,7 @@
       OnCalendar = "*-*-* 04:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mastodon > /tmp/mastodon-backup.sql
diff --git a/modules/matrix/default.nix b/modules/matrix/default.nix
index 66b071f8..3165911c 100644
--- a/modules/matrix/default.nix
+++ b/modules/matrix/default.nix
@@ -295,7 +295,7 @@ in
       OnCalendar = "*-*-* 05:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d matrix > /tmp/matrix-synapse-backup.sql
diff --git a/modules/nextcloud/default.nix b/modules/nextcloud/default.nix
index 0f81781c..662d1ce7 100644
--- a/modules/nextcloud/default.nix
+++ b/modules/nextcloud/default.nix
@@ -145,7 +145,7 @@
       OnCalendar = "*-*-* 01:00:00 Etc/UTC";
     };
     initialize = true;
-    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    passwordFile = config.age.secrets."restic-repo-storagebox-nachtigall".path;
     repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
     backupPrepareCommand = ''
       ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d nextcloud > /tmp/nextcloud-backup.sql
diff --git a/secrets/restic-repo-storagebox.age b/secrets/restic-repo-storagebox-nachtigall.age
similarity index 100%
rename from secrets/restic-repo-storagebox.age
rename to secrets/restic-repo-storagebox-nachtigall.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 50a52965..0da78920 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -75,7 +75,7 @@ in
   "restic-repo-garage-metronom.age".publicKeys = metronomKeys ++ adminKeys;
   "restic-repo-garage-metronom-env.age".publicKeys = metronomKeys ++ adminKeys;
   "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
-  "restic-repo-storagebox.age".publicKeys = metronomKeys ++ nachtigallKeys ++ adminKeys;
+  "restic-repo-storagebox-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys;
   "restic-repo-storagebox-metronom.age".publicKeys = metronomKeys ++ adminKeys;
   "restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys;
   "restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys;

From 77b642f64676ac00fa48666475a887028a4ce95c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 29 Aug 2024 16:23:57 +0200
Subject: [PATCH 3/5] garage: increase nginx client_body_size to 64m

To make bigger garage uploads work well, avoiding error HTTP 413 Entity Too Large
---
 modules/garage/default.nix | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/garage/default.nix b/modules/garage/default.nix
index f2e538ce..f50d6870 100644
--- a/modules/garage/default.nix
+++ b/modules/garage/default.nix
@@ -69,6 +69,7 @@
       locations."/" = {
         proxyPass = "http://s3_backend";
         extraConfig = ''
+          client_max_body_size 64m;
           proxy_max_temp_file_size 0;
         '';
       };

From 2eb54a331e01fca77c9a23e54eacfda02d5eaa6a Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 29 Aug 2024 16:28:17 +0200
Subject: [PATCH 4/5] backups: add storagebox to programs.ssh.knownHosts

---
 modules/backups/default.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/modules/backups/default.nix b/modules/backups/default.nix
index 04b8324c..26549ab4 100644
--- a/modules/backups/default.nix
+++ b/modules/backups/default.nix
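Review bot: In the garage hunk, `client_max_body_size 64m;` carries no comment saying what the limit is sized against, so the next person tuning the proxy cannot tell whether it is safe to lower or needs to grow. Restic uploads pack files whose default size is 16 MiB and which can be raised with `--pack-size` up to 128 MiB, so the relationship should be recorded in the nginx snippet itself, e.g. `client_max_body_size 64m; # restic pack files default to 16 MiB (--pack-size allows up to 128 MiB); keep this above the largest pack size in use`. Without it, a later `--pack-size` bump on any host would silently reintroduce the HTTP 413 the commit message describes. The `locations."/"` block closes inside the hunk but the enclosing server definition continues outside it.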
@@ -280,5 +280,11 @@ in
     in
     builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames));
+
+    # Used for pub-solar-os.backups.repos.storagebox
+    programs.ssh.knownHosts = {
+      "u377325.your-storagebox.de".publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
+      "[u377325.your-storagebox.de]:23".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+    };
   };
 }

From 09804f5c250463f3f924d249bdd5774c9eab906c Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Thu, 29 Aug 2024 16:29:33 +0200
Subject: [PATCH 5/5] docs: how-to add backups for new hosts

---
 docs/backups.md | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 docs/backups.md

diff --git a/docs/backups.md b/docs/backups.md
new file mode 100644
index 00000000..ccce5f99
--- /dev/null
+++ b/docs/backups.md
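Review bot: The two pinned host keys carry no record of how they were verified; a stale pin silently breaks every sftp backup, and a pin refreshed without verification defeats its purpose, so the comment above `programs.ssh.knownHosts` should say where the fingerprints were checked, e.g. `# Host keys verified against <provider host-key page> and ssh-keyscan output on <YYYY-MM-DD>` (placeholders to be filled in). The two entries are also not interchangeable: the bare `"u377325.your-storagebox.de"` name only matches the default port 22, which is what the port-less `sftp:` repository URLs in the host files use, while the `[host]:23` form covers the `ssh -p23` invocation shown in docs/backups.md — stating that split in the comment prevents someone from "deduplicating" one of them later. The `in`/`builtins.listToAttrs` lines at the top belong to a let-expression that starts outside the hunk.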
@@ -0,0 +1,36 @@
+# Backups
+
+We use [Restic](https://restic.readthedocs.io/en/stable/) to create backups and push them to two repositories.
+Check `./modules/backups.nix` and `./hosts/nachtigall/backups.nix` for working examples.
+
+### Hetzner Storagebox
+
+- Uses SFTP for transfer of backups
+
+Adding a new host SSH public key to the storagebox:
+
+First, [SSH to nachtigall](./administrative-access.md#ssh-access), then become root and add the new SSH public key
+
+```
+sudo -i
+echo '' | ssh -p23 u377325@u377325.your-storagebox.de install-ssh-key
+```
+
+[Link to Hetzner storagebox docs](https://docs.hetzner.com/robot/storage-box/backup-space-ssh-keys).
+
+### Garage S3 buckets
+
+- Uses S3 for transfer of backups
+- One bucket per host, e.g. `nachtigall-backups`, `metronom-backups`
+
+To start transfering backups from a new hosts, this is how to create a new bucket:
+
+First, [SSH to trinkgenossin](./administrative-access.md#ssh-access), then use the `garage` CLI to create a new key and bucket:
+
+```
+export GARAGE_RPC_SECRET=
+
+garage bucket create -backups
+garage key create -backups-key
+garage bucket allow -backups --read --write --key -backups-key
+```