defiant: initialize borg backup

2024-03-08 01:48:06 +01:00 · 2024-03-08 01:48:06 +01:00 · 1bde04a4be
commit 1bde04a4be
parent f37c981182
4 changed files with 68 additions and 4 deletions
--- a/hosts/defiant/backup.nix
+++ b/hosts/defiant/backup.nix
@ -0,0 +1,62 @@
+{ config, pkgs, lib, ... }:
+{
+  services.borgbackup.jobs =
+    let
+      borgJob = name: {
+        environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
+        environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
+        repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
+        compression = "auto,zstd";
+      };
+    in {
+      postgresDaily = borgJob "postgres::daily" // {
+        paths = "/data/backup/postgresql";
+        startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
+        extraInitArgs = "--storage-quota 10G";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+        };
+      };
+
+      postgresWeekly = borgJob "postgres::weekly" // {
+        paths = "/data/backup/postgresql";
+        startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
+        extraInitArgs = "--storage-quota 10G";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+        };
+      };
+
+      gitea = borgJob "gitea::weekly" // {
+        paths = "/tank/services/gitea";
+        startAt = "Mon *-*-* 05:15:00";
+        extraInitArgs = "--storage-quota 20G";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
+        };
+      };
+
+      minecraft = borgJob "minecraft::weekly" // {
+        paths = "/var/lib/minecraft-wack";
+        startAt = "weekly";
+        extraInitArgs = "--storage-quota 20G";
+        encryption.mode = "none";
+
+        preHook = ''
+          ${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
+        '';
+
+        postHook = ''
+          ${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
+        '';
+      };
+
+    };
+
+  # TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
+  sops.secrets."borg/postgres" = { };
+  sops.secrets."borg/gitea" = { };
+}
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@ -8,6 +8,7 @@
      ./hardware-configuration.nix

      # Infrastructure
+      ./backup.nix
      ./libvirt.nix
      ./services/nginx.nix
      ./services/pihole.nix
--- a/hosts/defiant/services/minecraft.nix
+++ b/hosts/defiant/services/minecraft.nix
@ -61,8 +61,6 @@
    };
  };

-  # TODO: Automated backup job (https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/commit/57d1dfd121fdb23fcef54e0632f6f6278c6bb753/hosts/greddost/services/minecraft/default.nix#L144)
-
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "minecraft-server"
  ];
--- a/secrets/defiant/defiant.yaml
+++ b/secrets/defiant/defiant.yaml
@ -7,6 +7,9 @@ vaultwarden:
    admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str]
 microbin:
    secrets: ENC[AES256_GCM,data:B2yOSEXFyge7fgphtKcy8CjaeEiwmHAxgGoiqa4lmQtRtnxy5UuH3dFuCXHvbd3n6YA24zX3ANIQpj6ilT4I96+P+L9TjA==,iv:3mryQf3GdKCqBkLsfyqJk5ZN+/gOEbL/LmEzreINGME=,tag:YD8uvkS23c5B7J9srRrU9w==,type:str]
+borg:
+    postgres: ENC[AES256_GCM,data:vwfLF2qkUMl9b/4oYVm+pzfbbw==,iv:+QlTXjowne2d+ufw9YbhgaAIVvYg78LkMS0BqfPwoRI=,tag:JAbR3/DbYp+vRApJteg4zA==,type:str]
+    gitea: ENC[AES256_GCM,data:GIZ/wkzEkm6DUZETv8GpXd8k5w==,iv:MLnVtrev+poT+3D5+o5UV8FBQWpvqlYAkcXMF53bKJw=,tag:89zkLJNZw04ZPyqvpspgsw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -31,8 +34,8 @@ sops:
            RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
            fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-28T16:10:53Z"
-    mac: ENC[AES256_GCM,data:Yid2Q5JTjWTLeh3qR2K0cX/Fk2p78Asj3x+kCDLtwJoULiZ+7xJKi/h2X4sRYw+vUou7HO3u+b8/MPvEapNjvqLyf4gseuvqdr2m/vR8DqxOdtl0xvrMoE8bTTR6tuCCIGIKEcEA7VviU+aCIm68CLkgq03DkF3g3hyC/VSKo9Y=,iv:66FpFV7mdTv1r+o3p4cK7CigDxGJOW70JZaEJE+fSLA=,tag:gNyPFbRc8VP9vOYdTt2YZg==,type:str]
+    lastmodified: "2024-03-08T00:37:40Z"
+    mac: ENC[AES256_GCM,data:2S6Z4ZqffGA5Clz+h4J44s7yhb6lMFdUq9KpE4IJUu2cgJyD1Zsh0i1Z1ZwTiD7MH+F1UUMyVhBYk6Fkm1UY07wmDLodNkKfpKRnU2EGa4+yQudin2QHsId+k3C2iAI1UtGlL5Vi00p5VZfihuntcAbwn63RZriCrKn0ayzTQKw=,iv:bwQECQCQghG0DTeWrg73IlFwmz8Fob2ftLKM3kaKOE4=,tag:8HXjvNnzqmIprsXd5d/SmA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1