From 06c4c7bc13b3d6d0daa6c2c2cc6735aac032d3e0 Mon Sep 17 00:00:00 2001 From: James Eversole Date: Wed, 14 Aug 2024 22:19:20 -0500 Subject: [PATCH] Setup restic backup service; enable postgresql for general use --- flake.lock | 26 +++++++++++++------------- flake.nix | 2 ++ nix/application/postgresql.nix | 6 ++++++ nix/system/age.nix | 3 +++ nix/system/backups.nix | 28 ++++++++++++++++++++++++++++ secrets.nix | 3 +++ secrets/restic/env.age | 10 ++++++++++ secrets/restic/password.age | 7 +++++++ secrets/restic/repo.age | Bin 0 -> 365 bytes 9 files changed, 72 insertions(+), 13 deletions(-) create mode 100644 nix/application/postgresql.nix create mode 100644 nix/system/backups.nix create mode 100644 secrets/restic/env.age create mode 100644 secrets/restic/password.age create mode 100644 secrets/restic/repo.age diff --git a/flake.lock b/flake.lock index db411fb..bf862e2 100644 --- a/flake.lock +++ b/flake.lock @@ -10,11 +10,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1720546205, - "narHash": "sha256-boCXsjYVxDviyzoEyAk624600f3ZBo/DKtUdvMTpbGY=", + "lastModified": 1723293904, + "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=", "owner": "ryantm", "repo": "agenix", - "rev": "de96bd907d5fbc3b14fc33ad37d1b9a3cb15edc6", + "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41", "type": "github" }, "original": { @@ -63,11 +63,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1720691131, - "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=", + "lastModified": 1723556749, + "narHash": "sha256-+CHVZnTnIYRLYsARInHYoWkujzcRkLY/gXm3s5bE52o=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4", + "rev": "4a92571f9207810b559c9eac203d1f4d79830073", "type": "github" }, "original": { 
@@ -78,14 +78,14 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1719876945, - "narHash": "sha256-Fm2rDDs86sHy0/1jxTOKB1118Q0O3Uc7EC0iXvXKpbI=", + "lastModified": 1722555339, + "narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5daf0514482af3f97abaefc78a6606365c9108e2.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz" } }, "parts": { @@ -93,11 +93,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1719994518, - "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "lastModified": 1722555600, + "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "rev": "8471fe90ad337a8074e957b69ca4d0089218391d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 377bf74..2228d36 100644 --- a/flake.nix +++ b/flake.nix @@ -52,12 +52,14 @@ ./nix/application/containers.nix ./nix/application/miniflux.nix ./nix/application/nginx.nix + ./nix/application/postgresql.nix ./nix/monitoring/nginx.nix ./nix/monitoring/grafana.nix ./nix/monitoring/prometheus.nix ./nix/system/age.nix + ./nix/system/backups.nix ./nix/system/dns.nix ./nix/system/hardware.nix ./nix/system/nix-conf.nix diff --git a/nix/application/postgresql.nix b/nix/application/postgresql.nix new file mode 100644 index 0000000..f5c4fb8 --- /dev/null +++ b/nix/application/postgresql.nix @@ -0,0 +1,6 @@ +{ pkgs, config, ...}: { + services.postgresql = { + enable = true; + settings.port = 5432; + }; +} diff --git a/nix/system/age.nix b/nix/system/age.nix index 9404b5a..73c463b 100644 
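Review bot: Nothing in this commit produces a dump of the newly enabled PostgreSQL instance, and the restic job added in nix/system/backups.nix lists only paths under the user's home directory, so the database contents appear to fall outside the backup. Copying a live data directory would not give a consistent snapshot anyway; consider `services.postgresqlBackup.enable = true;` and adding its `location` to the restic `paths`. Minor points: `settings.port = 5432;` restates the default, and the `pkgs` and `config` arguments are unused in this module.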
--- a/nix/system/age.nix
+++ b/nix/system/age.nix
@@ -20,6 +20,9 @@
 miniflux.file = ../../secrets/miniflux.age;
 bitwarden-env.file = ../../secrets/bitwarden-env.age;
 transmission-env.file = ../../secrets/transmission-env.age;
+ "restic/env".file = ../../secrets/restic/env.age;
+ "restic/password".file = ../../secrets/restic/env.age;
+ "restic/repo".file = ../../secrets/restic/env.age;
 };
 identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
 };
diff --git a/nix/system/backups.nix b/nix/system/backups.nix
new file mode 100644
index 0000000..38b7314
--- /dev/null
+++ b/nix/system/backups.nix
@@ -0,0 +1,28 @@
+{ pkgs, config, ...}: {
+ services.restic.backups = {
+ daily = {
+ initialize = true;
+
+ environmentFile = config.age.secrets."restic/env".path;
+ passwordFile = config.age.secrets."restic/password".path;
+ repository = "s3:https://s3.amazonaws.com/matricxbackups";
+
+ paths = [
+ "${config.users.users.sezycei.home}/srv"
+ "${config.users.users.sezycei.home}/nix"
+ "${config.users.users.sezycei.home}/keys"
+ "${config.users.users.sezycei.home}/dev"
+ ];
+
+ exclude = [
+ "*minecraft/OLD*"
+ ];
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ ];
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index b9af65d..2610cb6 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -15,4 +15,7 @@ in
 "secrets/miniflux.age" = { publicKeys = all; };
 "secrets/bitwarden-env.age" = { publicKeys = all; };
 "secrets/transmission-env.age" = { publicKeys = all; };
+ "secrets/restic/env.age" = { publicKeys = all; };
+ "secrets/restic/repo.age" = { publicKeys = all; };
+ "secrets/restic/password.age" = { publicKeys = all; };
 }
diff --git a/secrets/restic/env.age b/secrets/restic/env.age
new file mode 100644
index 0000000..4f15c75
--- /dev/null
+++ b/secrets/restic/env.age
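Review bot: All three added entries in the age.nix hunk point at `../../secrets/restic/env.age`, so `restic/password` and `restic/repo` decrypt to the env file's contents instead of `password.age` and `repo.age`. Since backups.nix takes `passwordFile` from `config.age.secrets."restic/password".path` and sets `initialize = true`, restic would presumably create the repository with the env file's text as its password. The intended password secret is then never used, and correcting the path later would leave the existing repository unreadable with the configured password. The lines should read `"restic/password".file = ../../secrets/restic/password.age;` and `"restic/repo".file = ../../secrets/restic/repo.age;`. The enclosing secrets attribute set starts outside the hunk.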
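Review bot: In backups.nix, `repository` is hard-coded to the S3 URL even though the commit adds an encrypted `secrets/restic/repo.age` and declares `restic/repo` in age.nix, so that secret is never read and the bucket name is committed in plain text. If the location is meant to stay private, replace the line with `repositoryFile = config.age.secrets."restic/repo".path;`; otherwise drop the unused secret from secrets.nix and age.nix. The job also uploads the home directory's `keys` path, so a one-line comment on what lives there and why it is safe to ship off-host would help the next reader.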
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 dQ70Fw hMZ1BRCxnZFhadsHa+UwDcB+kkVWbTh82EuqNJPZ5zs +ESCOn4IDH8L69yNmE3vl9ORK0vKkIqG6dFTnawc9irg +-> ssh-ed25519 ZIoeGg yluZnRqV6HL0TNvFqZCEIYW4W8f6f9EJ3K7nAz/dazE +XpYM/h/jvO1MrS6v1PicZ4sTqCld84vhvXTI6AimnMU +--- nLun26t45i7mAuT4w6JH3jbdPU8hjzINsHriqRA/T0o +S9nzu836#L[25 ){z(hů'.$ދPOg]= >y)]04ē/IW4`R6a B8[~ʂo mͫ}  ~aЫ@Sʸʈ isc, +^G]|N4-Ѫ)Gbõ:0IgG\" +f +{{Z'V>s4A \ No newline at end of file diff --git a/secrets/restic/password.age b/secrets/restic/password.age new file mode 100644 index 0000000..1293f6f --- /dev/null +++ b/secrets/restic/password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 dQ70Fw SztmSLi86IFvNJY13Pu7qJC8LDXeoEZsbCLl78su6wg +f/uDl6KymRxVngdnhEYOxiL9I0JUZCYI3XThrn57+YQ +-> ssh-ed25519 ZIoeGg wzOmbThAqyO47PQ2wQY0MoNsXcyMkoi4/+wGY15Xfns +UvMwHPWytwvf0hNMiDKdONo1u09pICQ6/7EtECYDWbw +--- IS6+hxeJQ3yIphn7Q0XxZvO2Zn+F1bX7oIgkZSkCQHU + \\ w"Tp;Ge=DfYnxs&F+kj^wg1O)2m;alDo3|1$}>OJJzc@oL_5dBGc+}|xXi^X zFFPP3!y>Gp%q1ly%GtuRDmx=0DatE3ys*qHJe@1Vu-LQIJSx=D&m`N=C#xdIM?Wke zrOG5Jy`&K?S69K`+`=frsU*uiC^VqZBQQ6ztRT>$Al)U* zJ20|5E5biNBP6oiDA}i~IG?LdXT}@t`3w`