Compare commits

..

No commits in common. "c056d9c35ea32e49ff9365aa879e19df954d4ba1" and "fb8ee1278aa116153e53f0e26470754f5d06e4bc" have entirely different histories.

8 changed files with 16 additions and 110 deletions

View file

@ -1,4 +1,4 @@
{ config, flake, ... }: { flake, ... }:
{ {
age.secrets."restic-repo-droppie" = { age.secrets."restic-repo-droppie" = {
file = "${flake.self}/secrets/restic-repo-droppie.age"; file = "${flake.self}/secrets/restic-repo-droppie.age";
@ -10,25 +10,4 @@
mode = "400"; mode = "400";
owner = "root"; owner = "root";
}; };
age.secrets.restic-repo-garage-nachtigall = {
file = "${flake.self}/secrets/restic-repo-garage-nachtigall.age";
mode = "400";
owner = "root";
};
age.secrets.restic-repo-garage-nachtigall-env = {
file = "${flake.self}/secrets/restic-repo-garage-nachtigall-env.age";
mode = "400";
owner = "root";
};
pub-solar-os.backups.repos.storagebox = {
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
};
pub-solar-os.backups.repos.garage = {
passwordFile = config.age.secrets."restic-repo-garage-nachtigall".path;
environmentFile = config.age.secrets."restic-repo-garage-nachtigall-env".path;
repository = "s3:https://buckets.pub.solar/nachtigall-backups";
};
} }

View file

@ -59,6 +59,11 @@
database-password-file = config.age.secrets.keycloak-database-password.path; database-password-file = config.age.secrets.keycloak-database-password.path;
}; };
pub-solar-os.backups.repos.storagebox = {
passwordFile = config.age.secrets."restic-repo-storagebox".path;
repository = "sftp:u377325@u377325.your-storagebox.de:/backups";
};
systemd.services.postgresql = { systemd.services.postgresql = {
after = [ "var-lib-postgresql.mount" ]; after = [ "var-lib-postgresql.mount" ];
requisite = [ "var-lib-postgresql.mount" ]; requisite = [ "var-lib-postgresql.mount" ];

View file

@ -39,15 +39,6 @@ in
example = "/etc/nixos/restic-password"; example = "/etc/nixos/restic-password";
}; };
environmentFile = mkOption {
type = with types; nullOr str;
default = null;
description = ''
Read repository secrets as environment variables from a file.
'';
example = "/etc/nixos/restic-env";
};
repository = mkOption { repository = mkOption {
type = with types; nullOr str; type = with types; nullOr str;
default = null; default = null;
@ -66,12 +57,11 @@ in
remotebackup = { remotebackup = {
repository = "sftp:backup@host:/backups/home"; repository = "sftp:backup@host:/backups/home";
passwordFile = "/etc/nixos/secrets/restic-password"; passwordFile = "/etc/nixos/secrets/restic-password";
environmentFile = "/etc/nixos/secrets/restic-env";
}; };
}; };
}; };
restic = mkOption { backups = mkOption {
description = '' description = ''
Periodic backups to create with Restic. Periodic backups to create with Restic.
''; '';
@ -184,7 +174,7 @@ in
runCheck = mkOption { runCheck = mkOption {
type = types.bool; type = types.bool;
default = (builtins.length config.pub-solar-os.backups.restic.${name}.checkOpts > 0); default = (builtins.length config.pub-solar-os.backups.backups.${name}.checkOpts > 0);
defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0''; defaultText = literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';
description = "Whether to run the `check` command with the provided `checkOpts` options."; description = "Whether to run the `check` command with the provided `checkOpts` options.";
example = true; example = true;
@ -266,17 +256,17 @@ in
services.restic.backups = services.restic.backups =
let let
repos = config.pub-solar-os.backups.repos; repos = config.pub-solar-os.backups.repos;
restic = config.pub-solar-os.backups.restic; backups = config.pub-solar-os.backups.backups;
repoNames = builtins.attrNames repos; storeNames = builtins.attrNames repos;
backupNames = builtins.attrNames restic; backupNames = builtins.attrNames backups;
createBackups = createBackups =
backupName: backupName:
map (repoName: { map (storeName: {
name = "${backupName}-${repoName}"; name = "${backupName}-${storeName}";
value = repos."${repoName}" // restic."${backupName}"; value = repos."${storeName}" // backups."${backupName}";
}) repoNames; }) storeNames;
in in
builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames)); builtins.listToAttrs (lib.lists.flatten (map createBackups backupNames));

View file

@ -58,7 +58,7 @@
}; };
}; };
pub-solar-os.backups.restic.keycloak = { pub-solar-os.backups.backups.keycloak = {
paths = [ "/tmp/keycloak-backup.sql" ]; paths = [ "/tmp/keycloak-backup.sql" ];
timerConfig = { timerConfig = {
OnCalendar = "*-*-* 03:00:00 Etc/UTC"; OnCalendar = "*-*-* 03:00:00 Etc/UTC";

View file

@ -232,27 +232,4 @@ in
}; };
}; };
}; };
pub-solar-os.backups.restic.mediawiki = {
paths = [
"/var/lib/mediawiki/images"
"/var/lib/mediawiki/uploads"
"/tmp/mediawiki-backup.sql"
];
timerConfig = {
OnCalendar = "*-*-* 00:30:00 Etc/UTC";
};
initialize = true;
backupPrepareCommand = ''
${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump -d mediawiki > /tmp/mediawiki-backup.sql
'';
backupCleanupCommand = ''
rm /tmp/mediawiki-backup.sql
'';
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 4"
"--keep-monthly 3"
];
};
} }

View file

@ -1,43 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 iDKjwg yk6WgkJbk16Yqc/aWojwDePfNZN3XgaiacpZqufw1hc
qx3x0zCUB6l7qPS9R9xGO41s6ESGsNd/ixglY4gYDtY
-> ssh-ed25519 uYcDNw nDZXlykiDEZIA+Srg6imZFRLAzhykR3PDVrfWb693Sg
MBJrrXbtLzBozetgfZaE52o1ixsrPK6Ojdp8sXhI3dc
-> ssh-rsa f5THog
WngnjCboeUafoR5NOg/+NFeW/ILxonIrcl7iUQLXoObcFWtmgzEebcogo3kqnkdk
cj7NnqQ/sFiHdPCBr+VyiWcP4BJHJeWF/w+Ht9SYP5+WlHUkC2IPxlcMzJFyy2ro
9PDq8FaPX5ZqarOfBW+U1pQsegxG9wkfoSzoF8NVL0jU5mwubPc+1s0ycbjMcGzP
CSCpWY0OqqRbCXj8gVBNOOoELVhgbNCO0oRWh6Iafqjrx/rO4MNAdZmUF9DiTZML
8QQjBFR7G8/+4ehGHn/9PF/0yVVsnPaJTEo3juS/By+NVcCihwP3b0SgQkjtp73+
2QZL4XImwR0bBLDla86IjvZWH7GkLzR8iAw75FZ/FGIxZ/XgwRcUqtcI8m105KAD
iX1v7ai0LUYko4RPSqdDItEdGjK31Dl4bCdaLakO+aZdtc+60c7hx8uEoTp7JY9W
Qmyv4rt5bVUUAeH0IyR72vTDpTtXSkbp0vypk6Zq+yhYjbe0wmakAPCF4WbIV9gQ
YIoSyicQ3NYxfrQGcQvmct2dNXXZcCr8BW704/J5w7ngw44FiZDUIC2y562sHD84
9rFO0obVGERJa55+MnZB4UYMqU3eWs+mkxHgWotx5yEtO0wMpTP9IFk92scJeV8h
bdr6fq1p6gtFlSNlA7P8A0go1SWs+qIoO/PEPyznoss
-> ssh-rsa kFDS0A
RM1VIV11yDWaG7KDnXbVt+Qo9kIC5kPO1JwpROuxbTH8tDGbu7bC2mJ6qsZo1R5x
ewtmDVwv+Gogs2drjQeQgdZH3qN0cMt34micbW2lvBW4NmvAGKEQ+dkkUgIWIhy9
dNuFBCHAGqfw7FDqvX1Mm3e50CsbIVqpurBXe882seMjm/nSVzGgjOOQVaQKmNSg
04s0gsLzN1f98kQtKuNPlG8Fun9y1bKLzWpBT2iriQInkhcWSwYqg1M0yM7U01j3
Kcxn4LJmgB9qNkloEKNpHCze5fgIGyOf+MsG4VN90CvwpNxy/EHrEyncXDxSxiCt
A81PVHCZfC7fQTR+hF2s1xGcW9mmtRpPPSEUrGY84cW2k8m4E5A9J7MJZ7FOKe6C
OY3LoU5KCV292ujHqYs1c7JSJRqVq4IMCupsNL6afzB/Fe+cV6GX7bXh1ZUl9HT7
B6j1QH2xA9OGz+6VDrB+B6cdnxp02zRZpuS19uPTJqpIg4Sgc4vvw7YFQfz8AfUD
/SafkBpVKznEHl1/gO7bOMa1nTkNBicUp6d2Z/zNtJ75NJPb3qYc4aVsaEuyMPts
ieMR/iieeiDOMPhedtibfCWZ+0YrtyIrkkUsPK5yG76VbJgMjSRyEP+bXTedih/b
bTkE78BoV5DmNxGEAva2BJpMKtn3Or8dCgSudoSlI14
-> piv-p256 vRzPNw Al8mhhyZ/0YFf7OSKeGm3LZhowpCdcITOhtjmky7Ygnq
CxFNUst8+6e6Cra/j7Pa2lZs3lHGLCOWRInb1VZTr2M
-> piv-p256 zqq/iw A+r/W9OhuPjuGXRuhp1vW45k/QzCFO6VLfp1W6l7RJVU
GxunFSBPJnzd5t5Ar42vr06tyJkJvZhljlGkHVZOFOQ
-> ssh-ed25519 YFSOsg e7udSQwtwKETHB0Re59fb1DdiBBPLDbV/JHmUUI4GSU
054wi1iKJm8lnWDjONCk+h2vea0setKqdCpXHuJaecI
-> ssh-ed25519 iHV63A S2sle86zYVPjtCozODRjqtTs6a5GksTpJHkmO/WYzHU
7h5kS8Hc3BiyhiWerEa9xPX6o+D/bxoJLK1fXFq1jWc
-> ssh-ed25519 BVsyTA 7meQJdKDB4JLKsYmBPgDBUnWhil1fKnoijm+uzHDemY
1bxklkYv5KYab9fXjMtz/w5QTUYMlZFTQG/khBftlWo
-> ssh-ed25519 +3V2lQ n1bF6+o/16zx7dEt/Um1gL30mARiuPaE6z3N+qjFZx4
7ZjmhkuJDYXLcMoUEA0wosWcWZ1T1oR45kVhFyQwN1E
--- TbpcaLv/1jF23nynpaw1XjSKsO2t9hAxovPQHKhXAoQ
P‰^¢f«E~¢÷ß6ÿO[Ö-cf]øÄ9eÓ6Ñû4Eÿl2=sÿßW‡…O¿QFCzcõbÖTšÎÉÿ;[a

View file

@ -54,8 +54,6 @@ in
"restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys; "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-garage-nachtigall.age".publicKeys = nachtigallKeys ++ adminKeys;
"restic-repo-garage-nachtigall-env.age".publicKeys = nachtigallKeys ++ adminKeys;
"drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys; "drone-db-secrets.age".publicKeys = flora6Keys ++ adminKeys;
"drone-secrets.age".publicKeys = flora6Keys ++ adminKeys; "drone-secrets.age".publicKeys = flora6Keys ++ adminKeys;