From 2fea088019526095aad0a1287656518d90cd1e6c Mon Sep 17 00:00:00 2001
From: xunuwu
Date: Thu, 5 Jun 2025 08:14:16 +0200
Subject: [PATCH] enable backups for rackserv
---
 sys/machines/rackserv/backups.nix | 18 ++++++++++++++++++
 sys/machines/rackserv/default.nix | 1 +
 sys/profiles/secrets/rackserv/default.nix | 4 ++++
 sys/profiles/secrets/rackserv/restic-password | 19 +++++++++++++++++++
 4 files changed, 42 insertions(+)
 create mode 100644 sys/machines/rackserv/backups.nix
 create mode 100644 sys/profiles/secrets/rackserv/restic-password
diff --git a/sys/machines/rackserv/backups.nix b/sys/machines/rackserv/backups.nix
new file mode 100644
index 0000000..84d0b07
--- /dev/null
+++ b/sys/machines/rackserv/backups.nix
@@ -0,0 +1,18 @@
+{config, ...}: {
+ services.restic.backups.rackserv = {
+ initialize = true;
+ inhibitsSleep = true;
+ repository = "rest:http://nixdesk:8000/rackserv";
+ passwordFile = config.sops.secrets.restic-password.path;
+ timerConfig = {
+ OnCalendar = "18:00";
+ Persistent = true;
+ RandomizedDelaySec = "1h";
+ };
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 3"
+ ];
+ };
+}
diff --git a/sys/machines/rackserv/default.nix b/sys/machines/rackserv/default.nix
index 06195f0..5301313 100644
--- a/sys/machines/rackserv/default.nix
+++ b/sys/machines/rackserv/default.nix
@@ -11,6 +11,7 @@
 ./disk-config.nix
 ./fail2ban.nix
 ./wireguard-server.nix
+ ./backups.nix
 ]
 ++ (map (x: systemProfiles + x) [
 /secrets/default.nix
diff --git a/sys/profiles/secrets/rackserv/default.nix b/sys/profiles/secrets/rackserv/default.nix
index 6f36a5a..a45238c 100644
--- a/sys/profiles/secrets/rackserv/default.nix
+++ b/sys/profiles/secrets/rackserv/default.nix
@@ -5,5 +5,9 @@
 sopsFile = ./wireguard-private;
 owner = "systemd-network";
 };
+ restic-password = {
+ format = "binary";
+ sopsFile = ./restic-password;
+ };
 };
 }
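Review bot: In `backups.nix` the repository is `rest:http://nixdesk:8000/rackserv`, plain HTTP with no credentials visible, so nothing in this hunk authenticates the rest-server or protects the requests in transit. restic encrypts repository contents client-side, but unless this link is already confined to a private tunnel (the machine imports `./wireguard-server.nix`, which may be the case), I would use `rest:https://…` and pass rest-server credentials through `environmentFile` rather than the URL. Since `pruneOpts` runs on rackserv, the host holds delete rights over its own repository, so a compromise of rackserv can also erase its backup history; running rest-server with `--append-only` and pruning from the storage side would close that. Separately, neither `paths` nor `dynamicFilesFrom` is set here, so unless another module defines them the job will initialize and prune without backing anything up.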
diff --git a/sys/profiles/secrets/rackserv/restic-password b/sys/profiles/secrets/rackserv/restic-password new file mode 100644 index 0000000..cb8381b --- /dev/null +++ b/sys/profiles/secrets/rackserv/restic-password @@ -0,0 +1,19 @@ +{ + "data": "ENC[AES256_GCM,data:GtEAo16tS2QVw1mpLXOczNmeIrLHL5lTl2tOkv9W1s8mweJs+NNcPvLufahPpzkYjPJ3lzsddsGAik/8pIQOd1M=,iv:PB2JWrO9hESVFQX/ijX7gm5H6ZgnS9p3aYXPFMFF7fw=,tag:hPyuipGMXo0GHw0ehMN5aA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Rm82d0tWdlBpUDQ4NXNO\nQ0VQVEpzSmRDbkg2MTRRMUFERm11WDB6bkhBCmw4a1VnU0dwSGw4SXdURDZPVXRh\nMlBXQTB5MFFTaGZwclhwVTUzQUR5RkEKLS0tIHBlT3h0alY1cGlSSGp1a05NTlA3\nOXBtMDZ0b3hQRitrS0xzTDdjM21mTmcKh6j0rsHkIaNG3M20vPQrKGPivYwIFLh7\nDGecOfJifAbB6N/3tLOlasK63QPqU31pbuOjOiuqN7LlyzoDv5I0gA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zutg3s4nth679a6av9xqw4km0ezmfkxlnusu78demf0rzazqn3pqk9exgj", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrWDZoQWRxSkhNRFpkWUZi\nTW04Tlp1OWdWaTZhcTVLYjdTNjNJTEVrZHlzCndGcVd3SzFhUkFWOFUzaTJhTENH\ncStGdGRnRExQSzhJVklMSmNWbFpQS1EKLS0tIDl0cW1OMXE5QVJHN2dmV0ZJZnM1\nMmhXTFQ3K3BoQjQ2djN5d1pSWHJzczQK6VaOBuuL9MGqDznSR3g5J+T9fpkzTAqq\nxFIwARv4JyQchEBT1HpQuwMKi+xeZLZ/woBdwQF93MIminz1xYNcQw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-06-05T06:17:34Z", + "mac": "ENC[AES256_GCM,data:J0ITSB6sQRd/iIXVGvtuX6hiybcIiOlAgfdi4Wk77e7Ck6XSJ2000ktzp4DEYr6UIUhbV8quOHRYlPZsfbP78rSaIVmsaQR4hlk8Lnffiw9U1CjZjVOsZYNAMryMdpW9mfwfY1lehSAeUEHgrEpbvuuiuzk6WRtwwGtLqeonOjI=,iv:Y3oCNj/qoajF6mOURtHTnPAQRacPIGtBeGMYdoaGKuw=,tag:K+KmAhDMBQC9On91o5Knog==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +}