Merge pull request 'feat: backups to hetzner storagebox' (#66) from feat/backups-to-storagebox into main

Reviewed-on: pub-solar/infra#66 Reviewed-by: b12f <b12f@noreply.git.pub.solar>
2023-11-18 22:13:17 +00:00 · 2023-11-18 22:13:17 +00:00 · 8bc731da6e
parent 40ed46b05b a461fc72f6
commit 8bc731da6e
8 changed files with 127 additions and 5 deletions
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@ -109,7 +109,7 @@
    GPG_TTY = "$(tty)";
  };

-  services.restic.backups.forgejo = {
+  services.restic.backups.forgejo-droppie = {
    paths = [
      "/var/lib/forgejo"
      "/tmp/forgejo-backup.sql"
@ -129,4 +129,23 @@
      rm /tmp/forgejo-backup.sql
    '';
  };
+
+  services.restic.backups.forgejo-storagebox = {
+    paths = [
+      "/var/lib/forgejo"
+      "/tmp/forgejo-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 04:20:00 Etc/UTC";
+    };
+    initialize = true;
+    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+    backupPrepareCommand = ''
+      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d gitea > /tmp/forgejo-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/forgejo-backup.sql
+    '';
+  };
 }
--- a/hosts/nachtigall/apps/keycloak.nix
+++ b/hosts/nachtigall/apps/keycloak.nix
@ -47,7 +47,7 @@
    };
  };

-  services.restic.backups.keycloak = {
+  services.restic.backups.keycloak-droppie = {
    paths = [
      "/tmp/keycloak-backup.sql"
    ];
@ -66,4 +66,22 @@
      rm /tmp/keycloak-backup.sql
    '';
  };
+
+  services.restic.backups.keycloak-storagebox = {
+    paths = [
+      "/tmp/keycloak-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 04:10:00 Etc/UTC";
+    };
+    initialize = true;
+    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+    backupPrepareCommand = ''
+      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d keycloak > /tmp/keycloak-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/keycloak-backup.sql
+    '';
+  };
 }
--- a/hosts/nachtigall/apps/mailman.nix
+++ b/hosts/nachtigall/apps/mailman.nix
@ -80,7 +80,7 @@
  #  ])
  #'';

-  services.restic.backups.mailman = {
+  services.restic.backups.mailman-droppie = {
    paths = [
      "/var/lib/mailman"
      "/var/lib/mailman-web/mailman-web.db"
@ -96,4 +96,19 @@
    passwordFile = config.age.secrets."restic-repo-droppie".path;
    repository = "sftp:yule@droppie.b12f.io:/media/internal/pub.solar";
  };
+
+  services.restic.backups.mailman-storagebox = {
+    paths = [
+      "/var/lib/mailman"
+      "/var/lib/mailman-web/mailman-web.db"
+      "/var/lib/mailman-web/settings_local.json"
+      "/var/lib/postfix/conf/aliases.db"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 04:15:00 Etc/UTC";
+    };
+    initialize = true;
+    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+  };
 }
--- a/hosts/nachtigall/apps/mastodon.nix
+++ b/hosts/nachtigall/apps/mastodon.nix
@ -93,7 +93,7 @@
    };
  };

-  services.restic.backups.mastodon = {
+  services.restic.backups.mastodon-droppie = {
    paths = [
      "/tmp/mastodon-backup.sql"
    ];
@ -112,4 +112,22 @@
      rm /tmp/mastodon-backup.sql
    '';
  };
+
+  services.restic.backups.mastodon-storagebox = {
+    paths = [
+      "/tmp/mastodon-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 04:05:00 Etc/UTC";
+    };
+    initialize = true;
+    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+    backupPrepareCommand = ''
+      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mastodon > /tmp/mastodon-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/mastodon-backup.sql
+    '';
+  };
 }
--- a/hosts/nachtigall/apps/nextcloud.nix
+++ b/hosts/nachtigall/apps/nextcloud.nix
@ -127,7 +127,7 @@
    database.createLocally = true;
  };

-  services.restic.backups.nextcloud = {
+  services.restic.backups.nextcloud-droppie = {
    paths = [
      "/var/lib/nextcloud/data"
      "/tmp/nextcloud-backup.sql"
@ -147,4 +147,23 @@
      rm /tmp/nextcloud-backup.sql
    '';
  };
+
+  services.restic.backups.nextcloud-storagebox = {
+    paths = [
+      "/var/lib/nextcloud/data"
+      "/tmp/nextcloud-backup.sql"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 04:00:00 Etc/UTC";
+    };
+    initialize = true;
+    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+    backupPrepareCommand = ''
+      ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d nextcloud > /tmp/nextcloud-backup.sql
+    '';
+    backupCleanupCommand = ''
+      rm /tmp/nextcloud-backup.sql
+    '';
+  };
 }
--- a/hosts/nachtigall/backups.nix
+++ b/hosts/nachtigall/backups.nix
@ -4,4 +4,9 @@
    mode = "400";
    owner = "root";
  };
+  age.secrets."restic-repo-storagebox" = {
+    file = "${flake.self}/secrets/restic-repo-storagebox.age";
+    mode = "400";
+    owner = "root";
+  };
 }
--- a/secrets/restic-repo-storagebox.age
+++ b/secrets/restic-repo-storagebox.age
@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg G30n55ZAQdPKSHqDyAv42h2RyX67tW/Giq47A189CnY
+XgXVZolY+DjIpfQYpkWcpbmo9ikbAexAV6amuwcK4f4
+-> ssh-ed25519 uYcDNw y+amMdymUI72L6mfmruyiOfYS0p+mmTxxfGB7DKMdGs
+oO3/sPGgppRWnVGsL9/3NpPJEQqr8p1h3hyJ9+7gLXM
+-> ssh-rsa kFDS0A
+B2kcpfc+92kPSds7zaFW+KrwU+oEUn8kdLCy/swjaNlV2NETzXJNAx/xSDlylRTm
+5TZcLCs106B1JxVr9Ir61WTyTb1PppLJVh0BRrDDfE+m5678M+KW2RrXrPm1IrHt
+0al0gSt0qG07RvETzjKwWOm3NdzKNvVbeiLrBxXIPow3zBzE/pCgK/RARVmsLflb
+MBU88tYAoHw8N5Ba+5Lnh/V80K+DEtPGFTROyKDgaXZtVfLNU331m3dbEG1FRi/n
+JQBBY80m2yylP24YFxJwCVkresIutjJ3OOk8nth5lgbgqHRW/Z+n6FZIs7L6SV8f
+D6qNDB1qcqLk7qMZNDEhjntwcxhHQ80bXnOMdU+p+7/fc2VGw+VgkKpjj3u+xkh4
+x0rJAS3edE6ysaIwRAZgGhobHxXBjnWHJp0dRz2+eeVfeomrT4BwT4zPDqkM2EvM
+x4wsUh1qBhiJn3lkuyTKD7fXAk91tS+8iFF5Bp/cue8QIIJoXD6hs6AXRcR9OdZQ
+vQuGqB9AxRYAUFqxhXGFUEvpvOh6/Mt4daO1fqGkkSeQK88TdKgVgvemf0cAX4sQ
+OWgFaK8bLqls7MX7rp57vlhEqhBY29bdMKRUG4hGxnUxH/JmVI3oJ3PoYz93ayb8
+P0w8L/wlGRfJdSSqSFuZrAFhQ41xjbq2z09kQQr6FVw
+-> ssh-ed25519 YFSOsg NjG+pG/FEkrqIx4YhPlS3gGE7LgKBJTUOOE+kW0OBCo
+J0h7GHWTC/S23F/QGBj54fr2YUMCOnolRKWSS9zrjzk
+-> ssh-ed25519 iHV63A LOzrqEfJ5jFMLtV8QAbVbj9ikDE/lhBzqwjXWqJcb3w
+bgk0mxpif2wtDaS94OJ/uPVZBJZoIh2Eq5M8xRW/a/s
+-> ssh-ed25519 BVsyTA JGE9eWZ1la2zSayjcGGRcPYXBTxsfvOxphDLndhYMHo
+Xor0OLMsXTU4MmkyvoYoU2tHGwDla/GbbW6AI+Fptuc
+-> 6>G-grease ^'eq
+vOuziQ8uC81Tflh6vzXJJIqrCgh3UEZhs2tBkB9QwPww+Q
+--- BpmRwNLuZ7Za7VA6xb4UWzjaSha6vpZcki868ZBpORo
+w÷Q€ër¾lo\nàßãOíÃíì6ÑælË…,l±ª™Ì>”œÜšÝ÷,Ø/¾œØ<C593><0B>ñß73|Rw@V—`ß¥÷
0o¥˜“ÓLù‡¤qåÎŠ)E›<45>ïc7¶öG[÷Gí
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -51,6 +51,7 @@ in {
  "searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys;

  "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys;
+  "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys;

  "drone-db-secrets.age".publicKeys = flora6Keys ++ baseKeys;
  "drone-secrets.age".publicKeys = flora6Keys ++ baseKeys;