From 1bde04a4be0f21d7da47577e52073b1414ac398f Mon Sep 17 00:00:00 2001 From: Felix Albrigtsen Date: Fri, 8 Mar 2024 01:48:06 +0100 Subject: [PATCH] defiant: initialize borg backup --- hosts/defiant/backup.nix | 62 ++++++++++++++++++++++++++++ hosts/defiant/configuration.nix | 1 + hosts/defiant/services/minecraft.nix | 2 - secrets/defiant/defiant.yaml | 7 +++- 4 files changed, 68 insertions(+), 4 deletions(-) create mode 100644 hosts/defiant/backup.nix diff --git a/hosts/defiant/backup.nix b/hosts/defiant/backup.nix new file mode 100644 index 0000000..93fdf09 --- /dev/null +++ b/hosts/defiant/backup.nix @@ -0,0 +1,62 @@ +{ config, pkgs, lib, ... }: +{ + services.borgbackup.jobs = + let + borgJob = name: { + environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1"; + environment.BORG_REMOTE_PATH = "/usr/local/bin/borg"; + repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}"; + compression = "auto,zstd"; + }; + in { + postgresDaily = borgJob "postgres::daily" // { + paths = "/data/backup/postgresql"; + startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup + extraInitArgs = "--storage-quota 10G"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.sops.secrets."borg/postgres".path}"; + }; + }; + + postgresWeekly = borgJob "postgres::weekly" // { + paths = "/data/backup/postgresql"; + startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup + extraInitArgs = "--storage-quota 10G"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.sops.secrets."borg/postgres".path}"; + }; + }; + + gitea = borgJob "gitea::weekly" // { + paths = "/tank/services/gitea"; + startAt = "Mon *-*-* 05:15:00"; + extraInitArgs = "--storage-quota 20G"; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.sops.secrets."borg/gitea".path}"; + }; + }; + + minecraft = borgJob "minecraft::weekly" // { + paths = "/var/lib/minecraft-wack"; + startAt = "weekly"; + extraInitArgs = "--storage-quota 20G"; + encryption.mode = "none"; + + preHook = '' + ${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all" + ''; + + postHook = '' + ${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all" + ''; + }; + + }; + + # TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden + sops.secrets."borg/postgres" = { }; + sops.secrets."borg/gitea" = { }; +} diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix index d6e318f..df9626c 100644 --- a/hosts/defiant/configuration.nix +++ b/hosts/defiant/configuration.nix @@ -8,6 +8,7 @@ ./hardware-configuration.nix # Infrastructure + ./backup.nix ./libvirt.nix ./services/nginx.nix ./services/pihole.nix diff --git a/hosts/defiant/services/minecraft.nix b/hosts/defiant/services/minecraft.nix index 5c5331d..f525893 100644 --- a/hosts/defiant/services/minecraft.nix +++ b/hosts/defiant/services/minecraft.nix @@ -61,8 +61,6 @@ }; }; - # TODO: Automated backup job (https://git.pvv.ntnu.no/Drift/pvv-nixos-config/src/commit/57d1dfd121fdb23fcef54e0632f6f6278c6bb753/hosts/greddost/services/minecraft/default.nix#L144) - nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "minecraft-server" ]; diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml index cb43604..f9fc325 100644 --- a/secrets/defiant/defiant.yaml +++ b/secrets/defiant/defiant.yaml @@ -7,6 +7,9 @@ vaultwarden: admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str] microbin: secrets: ENC[AES256_GCM,data:B2yOSEXFyge7fgphtKcy8CjaeEiwmHAxgGoiqa4lmQtRtnxy5UuH3dFuCXHvbd3n6YA24zX3ANIQpj6ilT4I96+P+L9TjA==,iv:3mryQf3GdKCqBkLsfyqJk5ZN+/gOEbL/LmEzreINGME=,tag:YD8uvkS23c5B7J9srRrU9w==,type:str] +borg: + postgres: ENC[AES256_GCM,data:vwfLF2qkUMl9b/4oYVm+pzfbbw==,iv:+QlTXjowne2d+ufw9YbhgaAIVvYg78LkMS0BqfPwoRI=,tag:JAbR3/DbYp+vRApJteg4zA==,type:str] + gitea: ENC[AES256_GCM,data:GIZ/wkzEkm6DUZETv8GpXd8k5w==,iv:MLnVtrev+poT+3D5+o5UV8FBQWpvqlYAkcXMF53bKJw=,tag:89zkLJNZw04ZPyqvpspgsw==,type:str] sops: kms: [] gcp_kms: [] @@ -31,8 +34,8 @@ sops: RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-28T16:10:53Z" - mac: ENC[AES256_GCM,data:Yid2Q5JTjWTLeh3qR2K0cX/Fk2p78Asj3x+kCDLtwJoULiZ+7xJKi/h2X4sRYw+vUou7HO3u+b8/MPvEapNjvqLyf4gseuvqdr2m/vR8DqxOdtl0xvrMoE8bTTR6tuCCIGIKEcEA7VviU+aCIm68CLkgq03DkF3g3hyC/VSKo9Y=,iv:66FpFV7mdTv1r+o3p4cK7CigDxGJOW70JZaEJE+fSLA=,tag:gNyPFbRc8VP9vOYdTt2YZg==,type:str] + lastmodified: "2024-03-08T00:37:40Z" + mac: ENC[AES256_GCM,data:2S6Z4ZqffGA5Clz+h4J44s7yhb6lMFdUq9KpE4IJUu2cgJyD1Zsh0i1Z1ZwTiD7MH+F1UUMyVhBYk6Fkm1UY07wmDLodNkKfpKRnU2EGa4+yQudin2QHsId+k3C2iAI1UtGlL5Vi00p5VZfihuntcAbwn63RZriCrKn0ayzTQKw=,iv:bwQECQCQghG0DTeWrg73IlFwmz8Fob2ftLKM3kaKOE4=,tag:8HXjvNnzqmIprsXd5d/SmA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1