feat: add backup with rustic for redshift

hosts/redshift/backups.nix

@@ -0,0 +1,77 @@
+{
+  config,
+  inputs,
+  secretsDir,
+  ...
+}:
+{
+  imports = [ inputs.ataraxiasjel-nur.nixosModules.rustic ];
+
+  sops.secrets.rustic-vps-pass.sopsFile = secretsDir + /rustic.yaml;
+  sops.secrets.rustic-backups-s3-env.sopsFile = secretsDir + /rustic.yaml;
+  services.rustic.backups = rec {
+    vps-backup = {
+      backup = true;
+      prune = false;
+      initialize = false;
+      pruneOpts = [ "--repack-cacheable-only=false" ];
+      environmentFile = config.sops.secrets.rustic-backups-s3-env.path;
+      timerConfig = {
+        OnCalendar = "01:00";
+        Persistent = true;
+      };
+      settings =
+        let
+          label = "vps-containers";
+        in
+        {
+          repository = {
+            repository = "opendal:s3";
+            password-file = config.sops.secrets.rustic-vps-pass.path;
+            options = {
+              root = label;
+              bucket = "ataraxia-rustic-backups";
+              region = "eu-central-003";
+              endpoint = "https://s3.eu-central-003.backblazeb2.com";
+            };
+          };
+          repository.options = {
+            timeout = "5min";
+            retry = "10";
+          };
+          backup = {
+            host = config.networking.hostName;
+            label = label;
+            ignore-devid = true;
+            group-by = "label";
+            skip-identical-parent = true;
+            snapshots = [
+              {
+                sources = [
+                  "/var/lib/tailscale"
+                  "/srv/marzban"
+                ];
+              }
+            ];
+          };
+          forget = {
+            filter-labels = [ label ];
+            group-by = "label";
+            prune = true;
+            keep-daily = 4;
+            keep-weekly = 2;
+            keep-monthly = 1;
+          };
+        };
+    };
+    vps-prune = vps-backup // {
+      backup = false;
+      prune = true;
+      createWrapper = false;
+      timerConfig = {
+        OnCalendar = "Mon, 02:00";
+        Persistent = true;
+      };
+    };
+  };
+}

hosts/redshift/default.nix

@@ -8,6 +8,7 @@
   imports = [
     (modulesPath + "/profiles/qemu-guest.nix")
 
+    ./backups.nix
     ./disk-config.nix
     ./services.nix
   ];

secrets/rustic.yaml

@@ -0,0 +1,39 @@
+rustic-backups-s3-env: ENC[AES256_GCM,data:XTUTtAmjBiy5mdlwT53Z9IDycs0s069182Emd0M6TSpPScqce3kxoN+hH8vgaOLU0b1jF3d9pkO0PpwfnUr2IkMpTd7ZKHeqHbYzS4gpKFnkQMhDexHLFBrQIfBrTbCGzspl83q5ksU9ENuY+sdkKXBhn99ja2mAFdfOVyNRttVNwKuv5/e8Bh0ySyTkogOgLyttLWo+pqKuvBP96BvSLOiGqfYBMgZU6uncg4YbdmOWPnvnTRPWHwIAyyXOSv56Sw36XfBkCBhZk2fmDRVJyRkuFthkhb6b2LkxhWFofilJupGTaQUHuZ3Efq9+eS5n1zOnudL7Gp7MmaQ4Hz3tQnzML16pJW1UcyT11uvWl8Zz5h+VlwJAfM7VNVaOs2FjEEy5imcUWurhIgRcrKHYc3mKNk5XYuvCI93aX9/LKEyeGQ==,iv:sPwKIYu/RyZQHYmz7aSYFhmx2ZqlH+RHRbdkOHGCa1s=,tag:eD5vRFkwEw4i97UQyRk6Hw==,type:str]
+rustic-postgresql-s3-env: ENC[AES256_GCM,data:m0G4G+i3fJo34rUGnQ0HOsA1GlOpLnJXDJltXFM5URUFaK1Jh5pGnOsYAiU2410enKafdf5eneW31j9r2GWmEFOoX89+yLmQxe22YnfLcFfaBdskVeaz/6HY2FK5euwdy70ZPNb05uYaS1QXPABJCS8p2APjx9bcz4MPSGgN6Ed/h7NdEU1FXgEfQZj9cysoVN9Qf3zYP4oqTBFVq11bV1yj0dsBMxHmY92aAdwUJWqjk4w2vi90zYxWNYk5PzNCh7qURtfmfNTHfEy55umbDayWjxZAsNgGOtxUsArUNSIU12GeBx7VCxepbNbDiej9fNnNqYvYnRspscag5w0oHSPa8a/qPY+R/imKqLU15xCG2EfnBm310zPyI9o/lgiU9Ua8z4cfuU5FcKr7ICIr5OdupiWy6aC1KYhkBZVViXEz3A==,iv:Hu9Bbynj5D9k2Rj0NWYZuuHQzcrauGyMmPex+T+VKIg=,tag:IAXAGK//SW890ZBKkUr8gw==,type:str]
+rustic-minecraft-s3-env: ENC[AES256_GCM,data:04sIa/w5exYkgUrAiaBuPJ8JaP8pNmAgbbToO54v1jHPCBmcuSLw1ncUi/jqUtJBTvj+8WRYUxe0a0ssPid28N8229yv1IbhDxvoosJj43SEnmbRtgegHLnrtLdd1y6cL6tDj/e2qFgC1LQvnPmkKe9YThyGAc4=,iv:WE1XNQTZGKhw7yN4THL4/gA1CD9oSmJ0TtCtxOcOQbE=,tag:7rHN2i7GGawhHY9ZcjuqIg==,type:str]
+rustic-nas-pass: ENC[AES256_GCM,data:uDiQQRxlpBfbwihXDR32aGjP41iZ,iv:qx6FJEllahkP9BPYFFfv9LHnnVTOl6B7Jv9OSfNkPok=,tag:MBUT77ccG/acr/U/X2zrCA==,type:str]
+rustic-vps-pass: ENC[AES256_GCM,data:LMdVK6j/TV9JLAxwWUtIfF//nf6r,iv:PjOYcNeLjlRx6uoZo+jr0oA9N60NJNNPloc9fc44raw=,tag:AjOzsfVIhDCb5a5D3yIdUA==,type:str]
+rustic-postgresql-pass: ENC[AES256_GCM,data:oUHakvIPSwkNy1lkQ4k14+CWIofO,iv:v3EFeZCkFyeY/ADK8vqYvAD0XDmnQFIq6XGd9B8jvXY=,tag:6+kGWMq+9iVLSf5p/TIp8g==,type:str]
+rustic-workstation-pass: ENC[AES256_GCM,data:dVuq75mlHStFO+k97yV0kUUqFtjF,iv:p2ApGtzHO9XUQJnnSyIMs1Cr6ODIt6RnBf2SXNrRbTk=,tag:b8WRap8QUtQrsYXVYdeRUw==,type:str]
+rustic-minio-secret-key: ENC[AES256_GCM,data:Jkn0mHcLFWS/euPCYtEF3hXN4Jx8PHZHA3RtZiMshuZdZTv0Y+tHteZB2i27Ka+u,iv:R2FEEhe+EoqFDQYbLJ3hrb+ENVvsP2c++WA0z3QQrxA=,tag:bifjyNyNouUhFGV6SpAg7Q==,type:str]
+rclone-s3-sync: ENC[AES256_GCM,data:oBDntYhuThzmImRgpBSsgqDwXs4+wJxAOZKH3vlKfH+9CXYNI1ks92t8Ywr/wltikvXiVbKuztY7Iuqe4Mkl0K9onYYcmrMDqyuLXRV/WPXNaAwyOyFUS17dxcqoyG51T0zzb1l4LH+GTrLw7m7RD7y7XFU/uidAUuBnQHAQpu8xRI/5PLcSaae+KfmoJGpZBX4BawXMHzRKKo462Muw/1FbBQpC0ERvTd34oSke32+Ni3MNdg/nOVyczYIQ+TPNhtgiSNXFJFPaXWMrIh29jhyJv7M2k4nYzNzb3A2miGCxWRDNy7bxZTDeVLgJUZT3KJNyb8BGLhu2v54WSbm01I1pP+//xYSZI0JER4fCZpdGodr2TV6u7YOyVxa1pZ7C7O9T/dd2O9NbgQY1Azc9MhiIXZnT58j72SNvhDNtCloM50R0LYmagCj2alP3Z4W7L+BdtaU58hWFCM2P8EIYbPkz8wK4/i1XARvZU9i+cRWZCoKi+yi0cV2yKOYlFEW0RmO9G3rC6a31YITwfpHhQw9IFuZXwdwZdf4OIuw12BIXfeUQJWqIl4QRSnOSzCggSZngwhoq/r46Oh2Jn9xXuVO6Hlod8pGyxKovO9bGQl3ioIU/KAhKp88k/BDS7YM4HhAEPNjvsSZgRGf21G7Z4ypi6a2grMTGgIKbOA3KEe2CKrSEVq7JRF5m1uAPJ2zrgbBrSwI0qkhGfn+SERMVtyzkIvTQkEQJ/g==,iv:jWhHLIccl1Pgr55xEMd2ED8FS3pvRjnuugMJ0sHnuW4=,tag:upgyBz2AA2zhidFIkcVrpw==,type:str]
+sops:
+    shamir_threshold: 1
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1n0prg9vynuwc56gn0xfe5qde8wqcd4uzg5ghhhetu2024ckvjyvqxf49el
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxeWJOVEFXTXJrcGYyWWlp
+            TkxrTmpNanR5QmVaYUlKV1JXYnh0L0ViRmdvCmtTR3hUUExkejBkcVNuYUpqRjdZ
+            dlQ4SkRyL2txM2FSK201SU9adUQ2NUEKLS0tIDN0eDRLZGZWMnFUQWFjZnpjWk9J
+            VjBGTVZpYm1kOWw0aGlNaURvb2Q0aVUKPZ2BkHEWV1qsOcEIvF6iiLV0ZSJ7kGT3
+            B7LZx44DUIFuwEXzmnzKf6BkdFNpCqSqWODxTYHm3UcHU2qshux+0g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d4mqql020mpne9r3vtt4l9ywfzfq7zpa3mad33syxln2kldkjsxqgju90f
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMMzFGQ3pzbTNoR25pOTRx
+            QUk3TzgzeUhCNzg2ODg2SENZbkJpTDREK2dzCnZQdkxMQ1RhaFdCZDlZellYd25K
+            RTBCNDJWUFoyZTJ3dWtqYlJFSU5uc0UKLS0tIENKYmlKUjB2ZjFmZzZpQ3V4dDQ0
+            eklFdUdEOWlnWndpai94QnFUU1F3NmMKVOQtq31dODV1rK7hZMfw295OkQeXq81u
+            VBQVVcYaup6IynBuQYE9eNL5euMwsV/pCv9N+PC3J6WdhdK336ZCDQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-08T15:01:54Z"
+    mac: ENC[AES256_GCM,data:euc66CxC9LHiJYKiMaEWunIZCHd2ZGl1YcFIJWmv2/x1pMRSnQ85yCL5Fpu8crjaayDYGJJVmMBVeU8trmaoqzYE1pWtUSIQo2QligJ1k8T5erdakSwv6keHrxczS1gEkS1Ygl6xieZUY5mcwY1Wyz7ZMeAeiIpIaraSf8Uydu8=,iv:OMGVEmOHnJbFzVpfCtvt3jrw6vP5dCib/HfcKpbSZ7k=,tag:wTtzNCE6BB3S7x2wWNYq1A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1