mail: add backups to garage bucket + storagebox

Restic backups to garage S3 bucket metronom-backups

hosts/metronom/backups.nix

@@ -1,13 +1,29 @@
-{ flake, ... }:
+{ config, flake, ... }:
 {
-  age.secrets."restic-repo-droppie" = {
-    file = "${flake.self}/secrets/restic-repo-droppie.age";
-    mode = "400";
-    owner = "root";
-  };
   age.secrets."restic-repo-storagebox" = {
     file = "${flake.self}/secrets/restic-repo-storagebox.age";
     mode = "400";
     owner = "root";
   };
+  age.secrets.restic-repo-garage-metronom = {
+    file = "${flake.self}/secrets/restic-repo-garage-metronom.age";
+    mode = "400";
+    owner = "root";
+  };
+  age.secrets.restic-repo-garage-metronom-env = {
+    file = "${flake.self}/secrets/restic-repo-garage-metronom-env.age";
+    mode = "400";
+    owner = "root";
+  };
+
+  pub-solar-os.backups.repos.storagebox = {
+    passwordFile = config.age.secrets."restic-repo-storagebox".path;
+    repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
+  };
+
+  pub-solar-os.backups.repos.garage = {
+    passwordFile = config.age.secrets."restic-repo-garage-metronom".path;
+    environmentFile = config.age.secrets."restic-repo-garage-metronom-env".path;
+    repository = "s3:https://buckets.pub.solar/metronom-backups";
+  };
 }

hosts/metronom/default.nix

@@ -7,6 +7,6 @@
 
     ./networking.nix
     ./wireguard.nix
-    #./backups.nix
+    ./backups.nix
   ];
 }

modules/mail/default.nix

@@ -67,4 +67,20 @@
   };
   security.acme.acceptTerms = true;
   security.acme.defaults.email = "security@pub.solar";
+
+  pub-solar-os.backups.restic.mail = {
+    paths = [
+      "/var/lib/vmail"
+      "/var/lib/dkim"
+    ];
+    timerConfig = {
+      OnCalendar = "*-*-* 02:00:00 Etc/UTC";
+    };
+    initialize = true;
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 4"
+      "--keep-monthly 3"
+    ];
+  };
 }

secrets/restic-repo-garage-metronom-env.age

@@ -0,0 +1,44 @@
+age-encryption.org/v1
+-> ssh-ed25519 UE5Ceg rpN1FsYIOjsiqPAt3iwd6l3ZEDYNomnzcvgowqS1CAI
+A5+KU6SOzcZzTQPkEPp1wN6bq9junwauKDPhM1eKi+8
+-> ssh-ed25519 uYcDNw V/zOsw5KmaQUm1YsnJExXJThypfsxOu/CS+EQ2np7RQ
+vMGUU/OPOoWiyR70xsXarqWN/AgegeKgTz5lOPa04CI
+-> ssh-rsa f5THog
+Z3tZv8bK67z15PAp4RgMEi1Ph4y5IFBIVNHdhENVTt2zS2TnzTBoUSypjaioRlGj
+YKYuUl7+sFys6QRHOWTrUM6CFF6KQo/hYR5bsFG01xE9xoG7e4V5x0ts6sFp0Xme
+0nl8NBfjbORhKYyCEye6p/9EvPwJ7qpRrQt6TUpnShv9BLrZZpEyw9sy7dXS3Sjp
+btXgkOiRmIJqkYLyZ3fZF2uDlOiCVVQn/m0Bii+t0vsp4ZoyvMyc/ho3pN8i2GUV
+QvUPAWzps4LTIKUf/0IYpHV4adyEfXD09/L/ShPxXJjLrYpT+4JjJqzIg5Gutbyk
+QRBP52GFqyt3V6M2yM9THvdk88hhczsIH37VGLmdPH+vHDG1LIabgf9rJk14+FmM
+h7/TE7M4EG9YHG//zLVI4WaVf64G9Oxet4y80BhCF4kpILWRm108mpwwzPL48tR3
+VMkiX0NpP0iOe22vV6u5zzugHQYqMvR6dPtrc4yBNUPgHhOLf6GWDhX12y478o91
+ILUM08J0R0PCJhH+8LARfc7wx1fjoxeJq468sw6znHqcqbIh7WPxarKaiTbTA5bj
+06oA4YHzFbV53AbiWNHcrKCNvLaGWOw+2vtXRg8UMmbbGr8icqbLMYl7qY9kS7he
+wINMQgMKD79Q+V3AweMqLuIn1AyLpqwVmh9Qon3Wzdk
+-> ssh-rsa kFDS0A
+ZpHhJzIt2oAC5Z/xJabaunnhXCE5Ijx+Uq/s07uow2tpautkMhmP6SbdgR6zGLFV
+QJMgHmDgOqybYLhaP6t8KCygmeT9DjOB47H7mmZ8yvWAitPXTpbJzlFUls6YH3Ei
+C4lxsEoCjbH+znVTKFd4220Cb4GGvnMS7tXuAnQ9GFMAn/90LFBzYjbqSvkDyv/n
+9Ej1Nya5r0RQg/BcTKvppr0sfdk1wCEE5jDrHAR4zMmofFxuFi7V85IcRdsrU8ij
+JawhvCYGfDM6G1Yh6j8V4oaqo3gAqki0CYF5gXED42sfPrxXLV2qtYMRJSua9z0i
+Zo3SgDa9WVQslqL0VZoDXn/KyDqUYWYsfsVY0kXrMezlN9+Jm77MFVWMdXNI31eG
+EIAWMr0f6nsTuXV58lwXoijSLy9Ap45TPjbVbp7+1JkD2X543DuJD3ONiNq01gey
+a7aGLS492IByZx0mw6sb9xpTt8jP6enH+ltqcE6gMsEcxwXfmagVKTxtNrK0izWm
+g2GdcpGnVqioj42lchUJzNt/PtPqutaraEvo2oq2cw1zxCjY4zxdyNO1RdaFV71b
+fFj2JJCm67GFHWdlqbAePTx2SvUoFt3a3N8DMNFKThGQN/1LwOaKEd25ZSTNEuwO
+1exQgJfC2kxrfypEmQP/whSrk2kR13NW40bBHvrZgjo
+-> piv-p256 vRzPNw Awtb8p5KgsKIBUumqHnVMgux3dRS478DdNpCENgG3frB
+wcIPacn7KP7gl0Z5SvtoYK0pnIjWLwUB2UvVQdWJfso
+-> piv-p256 zqq/iw AgAk66eJ/xs+PqwTBzazW4HfK8dawj/3jx5opFOaGLSj
+xThgJOorp+YXS8DvaULIoszFubEfACcKSy+vwf9KMSA
+-> ssh-ed25519 YFSOsg p+/PUojxwOxpfBfaDOfEHMOGS1oVCrl9dskXgo+gOGI
+PPYr0WVPDwRiFGo14Mx+Wv+gkZ91S7CKyYslGjCI/lQ
+-> ssh-ed25519 iHV63A iXr8vgW9lHnX+rX/E9/NrKNbF+LyRpe0M44P0IxaBHo
+/odvSKNzyS8ondJ0Tcuiry09NM4ozFn2qeVMqRgR17w
+-> ssh-ed25519 BVsyTA CgGBOj8nDcfP7GBIMnFV89WF1CAoiOFbA/dUOWggmVE
+V4CUV5WZbVTPm3AnoW6WfIqIdcMW/Sm/FTljx1awdeo
+-> ssh-ed25519 +3V2lQ Jg+gASEMV3bi9eEB86rFfguh6Be/yOO2szI19Mk2BlY
+q7vBOf0CFOUfxbpvwD8rpJH3asQqqNqWBJSzwYTBErs
+--- KSBDnbS1GMq4I8FXEljleKo/pKvauq9T8vomtInIEOQ
+–€³~pë
+âÑžh¤AVÖ>Üm
< 1|þùLyÈ<iïÒ<C3AF>‹·O!EËÄ[©ºt“›5?b
ùûKá\L@
ÿ­„ú<ÔÖ·5Dõš÷Èws6êá„&Ó2߬ò¯0¿F‰G0¢„&¡
®õe<C3B5>ü™«<0F>q“ºƒM	QÓt¶Ôk¥˜w-Ñ]‰6öÂ<C3B6>L­W:縰Ţ»

ªÎUkíËŒ8%QEF€ÉËŽBâ‚‚Ngc|¡@þ"d<ÁÅíÒ§›Š4\Ù¥ÓV\1xw•ÿ

secrets/restic-repo-garage-metronom.age

@@ -0,0 +1,43 @@
+age-encryption.org/v1
+-> ssh-ed25519 UE5Ceg ys38fGOhLJNLg9zx9T3v2VgF2IbOr/Y/rj2+dWkcAlU
+QwkMX8WKgcJeGUomDSLjijen2K5UcRnYYwtebrITDqU
+-> ssh-ed25519 uYcDNw wF0oWExIUjlP32CQzOvp6MyEvFw33Sm8pHhYn3Sb0zE
+RHslJJumyXoCLHLw4sGlSLK++UHmgq97KPkqCu77G3o
+-> ssh-rsa f5THog
+pFSH+qCW+oM9zn2j+830+bja2rTXFuzATqfMNAq3o38ssW8Nl7+0FpkdMam4iYXu
+sw4Pcaj1QPTO8PbhkEvjoOU4f0bUsVuJSIvcour4k8SUOBgEMiW/98AVSTIk6KBX
+PvA+4uZn2Is+bB2m9EGCguwLJ9zzzfbur+USMQvwkQexg0YRpSfhJsRbCplLXhE+
+ZU6ut4HjCP0XWwvxgFzKc6sY4X+/PeWFJOd+WkWy5lL6gcMqUz5DXoi1CeG11AR4
+/hQ5KSJBpVsxw/ib3lSkGjA/ktQzwp4hZTI0l/dH9VHOFQflM8/9hPCYT2gsLVpF
+7F2N++tMjgqbMI6Jve0gXLixpWFflr7X5UIBFW96k7/Aq2G+WUch/COQA6wTmfqw
+OeP1wGd4Ka7YsgGByH5kuL60xDvtHG6+fYlnPXZAB5Fn86Ct6vRmWw9KUvLC7LKU
+iBXDccJliY/y4vGFZH74EYlimurEfaBPiT5sxAk0Ke6hoJued3sZ39Qi+wuxMxFH
+pleoFR/n1gBq2bu8FqTQaaNXB2Rsy7q4r5Fy1FxRJqDPgHJEmPx1k4rmYPq1VIaP
+/ScOstPQgdMNBqVsBGoNYq7vewkzoPl6MkEwh6gP7IjtC1nvYxxwlGh0gESe3RFm
+4MRh78EZaY9pmqIRAf/sRzajky26Aw+DkphmWNUjMTA
+-> ssh-rsa kFDS0A
+XsOTwrszUoHm2k4XSxiLniJZNWYfJOEn7riuDaQSGSW6ZpjMloD8K1FsZ/ZbMoUP
+S/QD71rnETAhfQc8JAAHANOarxMXmSw3y1tSmlbL2h+TRnSoq74a1nK4Ble3aszu
+y7tlUuUn3vEX6BVPRNOWM3bGW3oWNe5m0sMUAc4YSUXryWF4V48c/GbUp3T0OrRS
+jm+5DWOPxt4VcLuCqe4Nv1jrjPnb7oui/7grMuottf3JRJJQxv9qZolRwlhkG2RN
+4fuUSuOYnFUuHuaF2cfuTpOPaowLbh5H/Y6ETzOp+z9yNSuxRsdNgA63GrTsAorI
+2axdnMakUsP7m3Xxu6YsVu8xP+Sso1xzPZoEQKA+2eol0fZpQvRPrZ59bqaf9p5U
+VTIKSqIAIxyr/XN/s8S4ygaNKQZW8yBColG7TlggTth5v3XqAZ8RhcFXUg6z5lSr
+RErV6Bio9JIZofvNEiJaqrl8uTo8dU4ymVuYZoEiT/mW3noqBrZlKUh6XZFMplmk
+5giRTDThA3mirSTTELFCsc08kJMXqgkOzkPk5xm5kgP7VD6t/0SfGxetVWXOlUNd
+dbprg8Oko1hdlO+LePY1n50TTFKBl9TeZWhvcLOhUizc0bTowUcXm+04Taf+MDwa
+TMxplrtahOdCTz8k38c/HwBeHtfXRevh8A8Y1qnJXJY
+-> piv-p256 vRzPNw AqccwzdKUA4RP2LzIfcTlAN9LsoEB/b7tGYyM8bk39Pn
+f0srD9t9HaGY8OIAVImqJSrvHZRhxfMXkYwot4LJGeM
+-> piv-p256 zqq/iw Aj8544WraFJMX2S6qyzi6CTal6sRnunmzbMO4KUQhJOO
+BFiQSdLgrmgPnynqmSLNBqiWkyBme3KavSbi86HHSck
+-> ssh-ed25519 YFSOsg Zece1bOI+mVc6079POREAnnzSG7ZytiTRDm+NzbbhVE
+alK4ODfwrgRSDGWzcZmIuyZ88axaiMzSNfeGspsgk70
+-> ssh-ed25519 iHV63A LwfUkisQGB3txmxYYLlZSG6ddxVNVC9+UokxPiXEjRc
+yRmtdHT9uM0YkS/s80jetMr1baDjGsaRubVKbJVPpCk
+-> ssh-ed25519 BVsyTA +8LVssLl+DiF2f3H0KhAhvzEvTjciIAcRM9ZYwrGQh0
+CcQxWwMBdyXXzDv10vUmXBifYLXsHKOFd2/L95RGT5U
+-> ssh-ed25519 +3V2lQ RWquIefIO5crVvrUxdatV7OvTv1Jabyq4IF209Ezkw0
+0SM43tcO7m7FQlNJe9QnhC9J9PwHoVxucRtZGpcACUE
+--- xx8BodL5hv2CyeZ8m0tGXNzmH2DGaCveUNobqbAQK8U
+)ŠÐÑ\³“9°c½ùt4Ê¿Á~ÁÆëºùeJ¥}<Ó¼Š§Å[‘¸Ø+*x’£>;m/ «&I»–÷Ò:Ï‘óÛ3

secrets/secrets.nix

@@ -70,8 +70,10 @@ in
 
   "searx-environment.age".publicKeys = nachtigallKeys ++ adminKeys;
 
+  "restic-repo-garage-metronom.age".publicKeys = metronomKeys ++ adminKeys;
+  "restic-repo-garage-metronom-env.age".publicKeys = metronomKeys ++ adminKeys;
   "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
-  "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "restic-repo-storagebox.age".publicKeys = metronomKeys ++ nachtigallKeys ++ adminKeys;
   "restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys;
   "restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys;