nyancat/flake
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nixos: add restic

Browse source
This commit is contained in:
Guanran Wang 2024-09-22 16:31:23 +08:00
parent 2721eaeecf
commit d784867779
Signed by: nyancat
GPG key ID: 91F97D9ED12639CF
6 changed files with 92 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
.sops.yaml
View file

@ -17,6 +17,12 @@ creation_rules:
- age: - age:
- *guanranwang - *guanranwang
- *tyo0 - *tyo0
- path_regex: ^nixos/profiles/restic/secrets.yaml$
key_groups:
- age:
- *guanranwang
- *dust
- *sin0
- path_regex: ^nixos/profiles/sing-box/secrets.yaml$ - path_regex: ^nixos/profiles/sing-box/secrets.yaml$
key_groups: key_groups:
- age: - age:

3
hosts/dust/default.nix
View file

@ -8,6 +8,7 @@
{ {
imports = imports =
[ [
../../nixos/profiles/restic
../../nixos/profiles/sing-box ../../nixos/profiles/sing-box
../../nixos/profiles/wireless ../../nixos/profiles/wireless
@ -231,4 +232,6 @@
}; };
}; };
}; };
services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ];
} }

2
hosts/vultr/common/default.nix
View file

@ -12,6 +12,8 @@
./disko.nix ./disko.nix
./preservation.nix ./preservation.nix
../../../nixos/profiles/restic
] ]
++ (with inputs; [ ++ (with inputs; [
disko.nixosModules.disko disko.nixosModules.disko

3
infra/vultr.tf
View file

@ -30,3 +30,6 @@ module "vultr" {
script = vultr_startup_script.script.id script = vultr_startup_script.script.id
} }
resource "vultr_object_storage" "storage" {
cluster_id = 4 # sgp1.vultrobjects.com
}

27
nixos/profiles/restic/default.nix Normal file
View file

@ -0,0 +1,27 @@
{ config, ... }:
{
sops.secrets = builtins.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) {
"restic/environment" = { };
"restic/password" = { };
"restic/repository" = { };
};
services.restic.backups.persist = {
environmentFile = config.sops.secrets."restic/environment".path;
passwordFile = config.sops.secrets."restic/password".path;
repositoryFile = config.sops.secrets."restic/repository".path;
paths = [ "/persist" ];
extraBackupArgs = [
"--one-file-system"
"--exclude-caches"
"--no-scan"
"--retry-lock 2h"
];
timerConfig = {
OnCalendar = "daily";
RandomizedDelaySec = "4h";
FixedRandomDelay = true;
Persistent = true;
};
};
}

51
nixos/profiles/restic/secrets.yaml Normal file
View file

@ -0,0 +1,51 @@
restic:
environment: ENC[AES256_GCM,data:7XdLf6C3ojLWxQJtQv+Fkof5GUZDpRhgsdwtMFKGJYwHQKhPfmmghlEWxXMi7HuWHCBxlvEKDU/8L9RnsWPHBG8yiZbuaqQWJna/PH0M69i2ZMHgXqRf433zxUAkCY8ULl2UGH7P,iv:hx9k/6gGTuC353j8JL2qHRgKFHY4/b7nA+ILjxXTbB0=,tag:dTFrmwIJLrcn4Ga6lzZQmQ==,type:str]
password: ENC[AES256_GCM,data:79+ZXif/zXiQ/0xJJxW4v5NOcOnAIFM+QeYNd9HVlBgF,iv:0W02zdfR6aS/E/vnEXdqQd7NF21VY5osdpP8s5muM6c=,tag:k+5ObQGcam67NWkiuE6Eaw==,type:str]
repository: ENC[AES256_GCM,data:jbeQ8oQrcT/q89vvI7tZs3WMsKK78jHEGqbuhf5v4KBz9voVHOVVPSLxXrk=,iv:a01YaOfIYldkFYFpY2KdDW4yzQij1JrdLMMbn/MkW9g=,tag:nZlGzftlnqHGJ+kDLllQXw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bTRYdi84N1VrcXhFZzRQ
ZGVBV3pMUkxxTjZWcTBEVllhZzJCMkhtaGg4CjZYakRGODhLa3Rkb3lDQy9oVjFV
SCtJUGtMcFMybGRIbmhIQUNQQ2I0dGMKLS0tIFAyZURTVFNQZml1d0JGYWZYQS84
bnkrVUZvY3YwTVpUZHlzcTFvR1pNbkUKcVP66FDXJFN8tsprjwx7E+eSCb/qCe+F
7HxC1Aele3vdu3GpJinArWblpXBoc66P6+5UHHop/O6c4p3dEjrCRQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjT2swWFRaZnJyZW5XanNj
VUE1OVNCOGRjRytab0g4MDdXRnVXdHIwSkVVCk1CNXlIVkU5WVRBQlg1cmtIS3dy
MlkvUzkxTGtWOTBMRWs3MmJPV2tGWEEKLS0tIEl4a0N2NUdscnNlWEc2TmNzNGUr
bFNTcHFWU2hlTXBjK0Rha2ZFNTFCcncKyI2b4FGDX3XI0jw9Wj6Skv/VfiFi8Upu
HXCUovZqdWZBCtmNIXQSKjjTYizKAoTFK6YFqA8CKzNcRrq3vBRhcw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsczZ6QVpRQUtqVDhnYjJF
dlRnT1pvWXdGaW9Ta1NZODJTTXU3aktrZUcwCm01V1RnR0RCcmZXYkRGN2U0M3k4
WnhJbXl3UkNKcEtjaGkzellsUW84aGMKLS0tIEQweVdZTDFMZHlFT21LbDgva0x5
NTlFcjArSzhYRzNCMG9EbmR2d1lVaXcKxvQMdsDAVSwStg1cr6sA55bkWIIEdhjj
TObLtnZMdXskrcm7vRU8h8JpacTntSkjtQPYd04pBIItRIunE0DJJA==
-----END AGE ENCRYPTED FILE-----
- recipient: age12un5sgwu73ufgtd3e439fttek5yfem3m9twq9p7wx95kakmz3cyq5gm3et
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYnQ3OFZCcmVPTXZ3djBJ
NTJvd0pobzh5TzNxN0pneExwcExEQzRSbEVnCjVtTTdRSk85YzVhVDFBWmYrdk0x
RHNmUlREOEppWm1OQnR5eENPeFV2UWMKLS0tIGYxZ0RmTGRLaTBCdTkyMXk2MVUr
VFFJTFRQWnFFV0MxbWpSUGNyUy83dHcKbl2wtGFCvh4m0/aKGQneWSV3cKdU7AbT
11piv6jq54GNdq6QtbuX4MlbOsDO18jm29WZ2sbbHANnU70jyybIIA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-22T05:18:57Z"
mac: ENC[AES256_GCM,data:NaA8s3PRyhD9oVQr2DhsjuMVxT97SFwmH7hzRmq9eNXenwAsuJtJLV1MS9O9MW94rQo9aMeA5e//1jodTlkOgznnDoebX1m1cjXD88HMI3+NXu7f509HSlTKMopjst2PpOPGRq3Vt+SPHc9hV363O/rQBXiohCQ1o/YII1PBm1c=,iv:oqIeyit/UeISNrS6M6KZxJnzyk6f07NOa7dPK/VrtyM=,tag:CUEYuuNuvQeFJvat6tOpeQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0