diff --git a/hosts/redshift/backups.nix b/hosts/redshift/backups.nix new file mode 100644 index 0000000..d11a08b --- /dev/null +++ b/hosts/redshift/backups.nix @@ -0,0 +1,77 @@ +{ + config, + inputs, + secretsDir, + ... +}: +{ + imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ]; + + sops.secrets.rustic-vps-pass.sopsFile = secretsDir + /rustic.yaml; + sops.secrets.rustic-backups-s3-env.sopsFile = secretsDir + /rustic.yaml; + services.rustic.backups = rec { + vps-backup = { + backup = true; + prune = false; + initialize = false; + pruneOpts = [ "--repack-cacheable-only=false" ]; + environmentFile = config.sops.secrets.rustic-backups-s3-env.path; + timerConfig = { + OnCalendar = "01:00"; + Persistent = true; + }; + settings = + let + label = "vps-containers"; + in + { + repository = { + repository = "opendal:s3"; + password-file = config.sops.secrets.rustic-vps-pass.path; + options = { + root = label; + bucket = "ataraxia-rustic-backups"; + region = "eu-central-003"; + endpoint = "https://s3.eu-central-003.backblazeb2.com"; + }; + }; + repository.options = { + timeout = "5min"; + retry = "10"; + }; + backup = { + host = config.networking.hostName; + label = label; + ignore-devid = true; + group-by = "label"; + skip-identical-parent = true; + snapshots = [ + { + sources = [ + "/var/lib/tailscale" + "/srv/marzban" + ]; + } + ]; + }; + forget = { + filter-labels = [ label ]; + group-by = "label"; + prune = true; + keep-daily = 4; + keep-weekly = 2; + keep-monthly = 1; + }; + }; + }; + vps-prune = vps-backup // { + backup = false; + prune = true; + createWrapper = false; + timerConfig = { + OnCalendar = "Mon, 02:00"; + Persistent = true; + }; + }; + }; +} diff --git a/hosts/redshift/default.nix b/hosts/redshift/default.nix index 2643e24..776ec04 100644 --- a/hosts/redshift/default.nix +++ b/hosts/redshift/default.nix @@ -8,6 +8,7 @@ imports = [ (modulesPath + "/profiles/qemu-guest.nix") + ./backups.nix ./disk-config.nix ./services.nix ]; diff --git a/secrets/rustic.yaml b/secrets/rustic.yaml new file mode 100644 index 0000000..e08b28a --- /dev/null +++ b/secrets/rustic.yaml @@ -0,0 +1,39 @@ +rustic-backups-s3-env: ENC[AES256_GCM,data:XTUTtAmjBiy5mdlwT53Z9IDycs0s069182Emd0M6TSpPScqce3kxoN+hH8vgaOLU0b1jF3d9pkO0PpwfnUr2IkMpTd7ZKHeqHbYzS4gpKFnkQMhDexHLFBrQIfBrTbCGzspl83q5ksU9ENuY+sdkKXBhn99ja2mAFdfOVyNRttVNwKuv5/e8Bh0ySyTkogOgLyttLWo+pqKuvBP96BvSLOiGqfYBMgZU6uncg4YbdmOWPnvnTRPWHwIAyyXOSv56Sw36XfBkCBhZk2fmDRVJyRkuFthkhb6b2LkxhWFofilJupGTaQUHuZ3Efq9+eS5n1zOnudL7Gp7MmaQ4Hz3tQnzML16pJW1UcyT11uvWl8Zz5h+VlwJAfM7VNVaOs2FjEEy5imcUWurhIgRcrKHYc3mKNk5XYuvCI93aX9/LKEyeGQ==,iv:sPwKIYu/RyZQHYmz7aSYFhmx2ZqlH+RHRbdkOHGCa1s=,tag:eD5vRFkwEw4i97UQyRk6Hw==,type:str] +rustic-postgresql-s3-env: ENC[AES256_GCM,data:m0G4G+i3fJo34rUGnQ0HOsA1GlOpLnJXDJltXFM5URUFaK1Jh5pGnOsYAiU2410enKafdf5eneW31j9r2GWmEFOoX89+yLmQxe22YnfLcFfaBdskVeaz/6HY2FK5euwdy70ZPNb05uYaS1QXPABJCS8p2APjx9bcz4MPSGgN6Ed/h7NdEU1FXgEfQZj9cysoVN9Qf3zYP4oqTBFVq11bV1yj0dsBMxHmY92aAdwUJWqjk4w2vi90zYxWNYk5PzNCh7qURtfmfNTHfEy55umbDayWjxZAsNgGOtxUsArUNSIU12GeBx7VCxepbNbDiej9fNnNqYvYnRspscag5w0oHSPa8a/qPY+R/imKqLU15xCG2EfnBm310zPyI9o/lgiU9Ua8z4cfuU5FcKr7ICIr5OdupiWy6aC1KYhkBZVViXEz3A==,iv:Hu9Bbynj5D9k2Rj0NWYZuuHQzcrauGyMmPex+T+VKIg=,tag:IAXAGK//SW890ZBKkUr8gw==,type:str] +rustic-minecraft-s3-env: ENC[AES256_GCM,data:04sIa/w5exYkgUrAiaBuPJ8JaP8pNmAgbbToO54v1jHPCBmcuSLw1ncUi/jqUtJBTvj+8WRYUxe0a0ssPid28N8229yv1IbhDxvoosJj43SEnmbRtgegHLnrtLdd1y6cL6tDj/e2qFgC1LQvnPmkKe9YThyGAc4=,iv:WE1XNQTZGKhw7yN4THL4/gA1CD9oSmJ0TtCtxOcOQbE=,tag:7rHN2i7GGawhHY9ZcjuqIg==,type:str] +rustic-nas-pass: ENC[AES256_GCM,data:uDiQQRxlpBfbwihXDR32aGjP41iZ,iv:qx6FJEllahkP9BPYFFfv9LHnnVTOl6B7Jv9OSfNkPok=,tag:MBUT77ccG/acr/U/X2zrCA==,type:str] +rustic-vps-pass: ENC[AES256_GCM,data:LMdVK6j/TV9JLAxwWUtIfF//nf6r,iv:PjOYcNeLjlRx6uoZo+jr0oA9N60NJNNPloc9fc44raw=,tag:AjOzsfVIhDCb5a5D3yIdUA==,type:str] +rustic-postgresql-pass: ENC[AES256_GCM,data:oUHakvIPSwkNy1lkQ4k14+CWIofO,iv:v3EFeZCkFyeY/ADK8vqYvAD0XDmnQFIq6XGd9B8jvXY=,tag:6+kGWMq+9iVLSf5p/TIp8g==,type:str] +rustic-workstation-pass: ENC[AES256_GCM,data:dVuq75mlHStFO+k97yV0kUUqFtjF,iv:p2ApGtzHO9XUQJnnSyIMs1Cr6ODIt6RnBf2SXNrRbTk=,tag:b8WRap8QUtQrsYXVYdeRUw==,type:str] +rustic-minio-secret-key: ENC[AES256_GCM,data:Jkn0mHcLFWS/euPCYtEF3hXN4Jx8PHZHA3RtZiMshuZdZTv0Y+tHteZB2i27Ka+u,iv:R2FEEhe+EoqFDQYbLJ3hrb+ENVvsP2c++WA0z3QQrxA=,tag:bifjyNyNouUhFGV6SpAg7Q==,type:str] +rclone-s3-sync: ENC[AES256_GCM,data:oBDntYhuThzmImRgpBSsgqDwXs4+wJxAOZKH3vlKfH+9CXYNI1ks92t8Ywr/wltikvXiVbKuztY7Iuqe4Mkl0K9onYYcmrMDqyuLXRV/WPXNaAwyOyFUS17dxcqoyG51T0zzb1l4LH+GTrLw7m7RD7y7XFU/uidAUuBnQHAQpu8xRI/5PLcSaae+KfmoJGpZBX4BawXMHzRKKo462Muw/1FbBQpC0ERvTd34oSke32+Ni3MNdg/nOVyczYIQ+TPNhtgiSNXFJFPaXWMrIh29jhyJv7M2k4nYzNzb3A2miGCxWRDNy7bxZTDeVLgJUZT3KJNyb8BGLhu2v54WSbm01I1pP+//xYSZI0JER4fCZpdGodr2TV6u7YOyVxa1pZ7C7O9T/dd2O9NbgQY1Azc9MhiIXZnT58j72SNvhDNtCloM50R0LYmagCj2alP3Z4W7L+BdtaU58hWFCM2P8EIYbPkz8wK4/i1XARvZU9i+cRWZCoKi+yi0cV2yKOYlFEW0RmO9G3rC6a31YITwfpHhQw9IFuZXwdwZdf4OIuw12BIXfeUQJWqIl4QRSnOSzCggSZngwhoq/r46Oh2Jn9xXuVO6Hlod8pGyxKovO9bGQl3ioIU/KAhKp88k/BDS7YM4HhAEPNjvsSZgRGf21G7Z4ypi6a2grMTGgIKbOA3KEe2CKrSEVq7JRF5m1uAPJ2zrgbBrSwI0qkhGfn+SERMVtyzkIvTQkEQJ/g==,iv:jWhHLIccl1Pgr55xEMd2ED8FS3pvRjnuugMJ0sHnuW4=,tag:upgyBz2AA2zhidFIkcVrpw==,type:str] +sops: + shamir_threshold: 1 + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1n0prg9vynuwc56gn0xfe5qde8wqcd4uzg5ghhhetu2024ckvjyvqxf49el + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeWJOVEFXTXJrcGYyWWlp + TkxrTmpNanR5QmVaYUlKV1JXYnh0L0ViRmdvCmtTR3hUUExkejBkcVNuYUpqRjdZ + dlQ4SkRyL2txM2FSK201SU9adUQ2NUEKLS0tIDN0eDRLZGZWMnFUQWFjZnpjWk9J + VjBGTVZpYm1kOWw0aGlNaURvb2Q0aVUKPZ2BkHEWV1qsOcEIvF6iiLV0ZSJ7kGT3 + B7LZx44DUIFuwEXzmnzKf6BkdFNpCqSqWODxTYHm3UcHU2qshux+0g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1d4mqql020mpne9r3vtt4l9ywfzfq7zpa3mad33syxln2kldkjsxqgju90f + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMMzFGQ3pzbTNoR25pOTRx + QUk3TzgzeUhCNzg2ODg2SENZbkJpTDREK2dzCnZQdkxMQ1RhaFdCZDlZellYd25K + RTBCNDJWUFoyZTJ3dWtqYlJFSU5uc0UKLS0tIENKYmlKUjB2ZjFmZzZpQ3V4dDQ0 + eklFdUdEOWlnWndpai94QnFUU1F3NmMKVOQtq31dODV1rK7hZMfw295OkQeXq81u + VBQVVcYaup6IynBuQYE9eNL5euMwsV/pCv9N+PC3J6WdhdK336ZCDQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-08T15:01:54Z" + mac: ENC[AES256_GCM,data:euc66CxC9LHiJYKiMaEWunIZCHd2ZGl1YcFIJWmv2/x1pMRSnQ85yCL5Fpu8crjaayDYGJJVmMBVeU8trmaoqzYE1pWtUSIQo2QligJ1k8T5erdakSwv6keHrxczS1gEkS1Ygl6xieZUY5mcwY1Wyz7ZMeAeiIpIaraSf8Uydu8=,iv:OMGVEmOHnJbFzVpfCtvt3jrw6vP5dCib/HfcKpbSZ7k=,tag:wTtzNCE6BB3S7x2wWNYq1A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1