From d784867779a8480cac37f284db02e6e8b83170f7 Mon Sep 17 00:00:00 2001
From: Guanran Wang
Date: Sun, 22 Sep 2024 16:31:23 +0800
Subject: [PATCH] nixos: add restic

---
 .sops.yaml | 6 ++++
 hosts/dust/default.nix | 3 ++
 hosts/vultr/common/default.nix | 2 ++
 infra/vultr.tf | 3 ++
 nixos/profiles/restic/default.nix | 27 ++++++++++++++++
 nixos/profiles/restic/secrets.yaml | 51 ++++++++++++++++++++++++++++++
 6 files changed, 92 insertions(+)
 create mode 100644 nixos/profiles/restic/default.nix
 create mode 100644 nixos/profiles/restic/secrets.yaml

diff --git a/.sops.yaml b/.sops.yaml
index 53354d8..f9b5666 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -17,6 +17,12 @@ creation_rules:
 - age:
 - *guanranwang
 - *tyo0
+ - path_regex: ^nixos/profiles/restic/secrets.yaml$
+ key_groups:
+ - age:
+ - *guanranwang
+ - *dust
+ - *sin0
 - path_regex: ^nixos/profiles/sing-box/secrets.yaml$
 key_groups:
 - age:
diff --git a/hosts/dust/default.nix b/hosts/dust/default.nix
index 0aa097c..4694752 100644
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@@ -8,6 +8,7 @@
 {
 imports = [
+ ../../nixos/profiles/restic
 ../../nixos/profiles/sing-box
 ../../nixos/profiles/wireless
@@ -231,4 +232,6 @@
 };
 };
 };
+
+ services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ];
 }
diff --git a/hosts/vultr/common/default.nix b/hosts/vultr/common/default.nix
index 76ff2bc..f81d9f6 100644
--- a/hosts/vultr/common/default.nix
+++ b/hosts/vultr/common/default.nix
@@ -12,6 +12,8 @@
 ./disko.nix
 ./preservation.nix
+
+ ../../../nixos/profiles/restic
 ] ++ (with inputs; [
 disko.nixosModules.disko
diff --git a/infra/vultr.tf b/infra/vultr.tf
index b561993..1900787 100644
--- a/infra/vultr.tf
+++ b/infra/vultr.tf
@@ -30,3 +30,6 @@ module "vultr" {
 script = vultr_startup_script.script.id
 }
+resource "vultr_object_storage" "storage" {
+ cluster_id = 4 # sgp1.vultrobjects.com
+}
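Review bot: The new creation rule lists three age recipients (`*guanranwang`, `*dust`, `*sin0`), but hosts/vultr/common/default.nix in this same commit imports the restic profile for every host built from that common module, so any other vultr host (the existing `*tyo0` rule suggests at least one) would fail to decrypt the `restic/*` secrets at activation. The committed secrets.yaml already carries four age recipients, which does not match this three-key rule; the next `sops updatekeys` would drop whichever key is not listed here. If tyo0 also builds from the common module, add it to the rule, `- *tyo0`, and re-run `sops updatekeys nixos/profiles/restic/secrets.yaml` so the rule and the encrypted file agree.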
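Review bot: The `vultr_object_storage` resource is created but nothing in the commit consumes it, so the S3 access and secret key the provider computes for it end up only in Terraform state; that state then holds the same credential that the sops-encrypted restic environment presumably carries, and the state backend needs equivalent protection (encrypted, access-restricted) — worth a comment next to the resource saying where the restic credentials come from. The resource also has no `label`, which makes the bucket hard to attribute in the console; `label = "restic"` would do. `cluster_id = 4` is explained only by the trailing comment; acceptable, but a named variable would survive a future copy-paste better.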
diff --git a/nixos/profiles/restic/default.nix b/nixos/profiles/restic/default.nix
new file mode 100644
index 0000000..e34e82e
--- /dev/null
+++ b/nixos/profiles/restic/default.nix
@@ -0,0 +1,27 @@
+{ config, ... }:
+{
+ sops.secrets = builtins.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) {
+ "restic/environment" = { };
+ "restic/password" = { };
+ "restic/repository" = { };
+ };
+
+ services.restic.backups.persist = {
+ environmentFile = config.sops.secrets."restic/environment".path;
+ passwordFile = config.sops.secrets."restic/password".path;
+ repositoryFile = config.sops.secrets."restic/repository".path;
+ paths = [ "/persist" ];
+ extraBackupArgs = [
+ "--one-file-system"
+ "--exclude-caches"
+ "--no-scan"
+ "--retry-lock 2h"
+ ];
+ timerConfig = {
+ OnCalendar = "daily";
+ RandomizedDelaySec = "4h";
+ FixedRandomDelay = true;
+ Persistent = true;
+ };
+ };
+}
diff --git a/nixos/profiles/restic/secrets.yaml b/nixos/profiles/restic/secrets.yaml
new file mode 100644
index 0000000..f818e74
--- /dev/null
+++ b/nixos/profiles/restic/secrets.yaml
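Review bot: `"--retry-lock 2h"` is a single element of `extraBackupArgs`; if the module hands each element to restic as one shell word, restic sees an option literally named `--retry-lock 2h` instead of `--retry-lock` with value `2h`, and the backup fails at argument parsing. The form that works regardless of how the list is joined is `"--retry-lock=2h"`. The backup also defines no `pruneOpts`, so snapshots in the bucket accumulate without bound; a retention policy such as `pruneOpts = [ "--keep-daily=7" "--keep-weekly=4" "--keep-monthly=6" ];` keeps storage bounded. Unless the repository was initialized out of band, set `initialize = true;` as well, otherwise the first timer run fails against an empty bucket.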
@@ -0,0 +1,51 @@ +restic: + environment: ENC[AES256_GCM,data:7XdLf6C3ojLWxQJtQv+Fkof5GUZDpRhgsdwtMFKGJYwHQKhPfmmghlEWxXMi7HuWHCBxlvEKDU/8L9RnsWPHBG8yiZbuaqQWJna/PH0M69i2ZMHgXqRf433zxUAkCY8ULl2UGH7P,iv:hx9k/6gGTuC353j8JL2qHRgKFHY4/b7nA+ILjxXTbB0=,tag:dTFrmwIJLrcn4Ga6lzZQmQ==,type:str] + password: ENC[AES256_GCM,data:79+ZXif/zXiQ/0xJJxW4v5NOcOnAIFM+QeYNd9HVlBgF,iv:0W02zdfR6aS/E/vnEXdqQd7NF21VY5osdpP8s5muM6c=,tag:k+5ObQGcam67NWkiuE6Eaw==,type:str] + repository: ENC[AES256_GCM,data:jbeQ8oQrcT/q89vvI7tZs3WMsKK78jHEGqbuhf5v4KBz9voVHOVVPSLxXrk=,iv:a01YaOfIYldkFYFpY2KdDW4yzQij1JrdLMMbn/MkW9g=,tag:nZlGzftlnqHGJ+kDLllQXw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bTRYdi84N1VrcXhFZzRQ + ZGVBV3pMUkxxTjZWcTBEVllhZzJCMkhtaGg4CjZYakRGODhLa3Rkb3lDQy9oVjFV + SCtJUGtMcFMybGRIbmhIQUNQQ2I0dGMKLS0tIFAyZURTVFNQZml1d0JGYWZYQS84 + bnkrVUZvY3YwTVpUZHlzcTFvR1pNbkUKcVP66FDXJFN8tsprjwx7E+eSCb/qCe+F + 7HxC1Aele3vdu3GpJinArWblpXBoc66P6+5UHHop/O6c4p3dEjrCRQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjT2swWFRaZnJyZW5XanNj + VUE1OVNCOGRjRytab0g4MDdXRnVXdHIwSkVVCk1CNXlIVkU5WVRBQlg1cmtIS3dy + MlkvUzkxTGtWOTBMRWs3MmJPV2tGWEEKLS0tIEl4a0N2NUdscnNlWEc2TmNzNGUr + bFNTcHFWU2hlTXBjK0Rha2ZFNTFCcncKyI2b4FGDX3XI0jw9Wj6Skv/VfiFi8Upu + HXCUovZqdWZBCtmNIXQSKjjTYizKAoTFK6YFqA8CKzNcRrq3vBRhcw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsczZ6QVpRQUtqVDhnYjJF + dlRnT1pvWXdGaW9Ta1NZODJTTXU3aktrZUcwCm01V1RnR0RCcmZXYkRGN2U0M3k4 + WnhJbXl3UkNKcEtjaGkzellsUW84aGMKLS0tIEQweVdZTDFMZHlFT21LbDgva0x5 + 
NTlFcjArSzhYRzNCMG9EbmR2d1lVaXcKxvQMdsDAVSwStg1cr6sA55bkWIIEdhjj + TObLtnZMdXskrcm7vRU8h8JpacTntSkjtQPYd04pBIItRIunE0DJJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age12un5sgwu73ufgtd3e439fttek5yfem3m9twq9p7wx95kakmz3cyq5gm3et + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYnQ3OFZCcmVPTXZ3djBJ + NTJvd0pobzh5TzNxN0pneExwcExEQzRSbEVnCjVtTTdRSk85YzVhVDFBWmYrdk0x + RHNmUlREOEppWm1OQnR5eENPeFV2UWMKLS0tIGYxZ0RmTGRLaTBCdTkyMXk2MVUr + VFFJTFRQWnFFV0MxbWpSUGNyUy83dHcKbl2wtGFCvh4m0/aKGQneWSV3cKdU7AbT + 11piv6jq54GNdq6QtbuX4MlbOsDO18jm29WZ2sbbHANnU70jyybIIA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-22T05:18:57Z" + mac: ENC[AES256_GCM,data:NaA8s3PRyhD9oVQr2DhsjuMVxT97SFwmH7hzRmq9eNXenwAsuJtJLV1MS9O9MW94rQo9aMeA5e//1jodTlkOgznnDoebX1m1cjXD88HMI3+NXu7f509HSlTKMopjst2PpOPGRq3Vt+SPHc9hV363O/rQBXiohCQ1o/YII1PBm1c=,iv:oqIeyit/UeISNrS6M6KZxJnzyk6f07NOa7dPK/VrtyM=,tag:CUEYuuNuvQeFJvat6tOpeQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0