hosted: add restic backups

Kranzes · Feb 24, 2025 · 45c89ba · 45c89ba
1 parent 4f5aa93
commit 45c89ba
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 0 deletions.
diff --git a/hosted/flake-module.nix b/hosted/flake-module.nix
@@ -4,5 +4,6 @@
   flake.nixosModules = {
     hosted-nginx = lib.modules.importApply ./nginx.nix { inherit inputs; };
     hosted-node-exporter = ./node-exporter.nix;
+    hosted-restic = ./restic.nix;
   };
 } 
diff --git a/hosted/restic.nix b/hosted/restic.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+  age.secrets = {
+    restic-default-env-file.file = ../secrets/${config.networking.hostName}-restic-default-env-file.age;
+    restic-default-repo-password.file = ../secrets/${config.networking.hostName}-restic-default-repo-password.age;
+  };
+
+  services.restic.backups.default = {
+    repository = "s3:https://s3.eu-central-003.backblazeb2.com/kranzes-backups/${config.networking.hostName}";
+    initialize = true;
+    environmentFile = config.age.secrets.restic-default-env-file.path;
+    passwordFile = config.age.secrets.restic-default-repo-password.path;
+  };
+}
diff --git a/hosts/hetzner/hosted/default.nix b/hosts/hetzner/hosted/default.nix
@@ -9,5 +9,6 @@
     ./ntfy.nix
     inputs.self.nixosModules.hosted-nginx
     inputs.self.nixosModules.hosted-node-exporter
+    inputs.self.nixosModules.hosted-restic
   ];
 }
diff --git a/hosts/hetzner/hosted/kanidm.nix b/hosts/hetzner/hosted/kanidm.nix
@@ -103,4 +103,6 @@ in
       owner = "kanidm";
       group = "kanidm";
     });
+
+  services.restic.backups.default.paths = [ config.services.kanidm.serverSettings.online_backup.path ];
 }
diff --git a/hosts/hetzner/hosted/ntfy.nix b/hosts/hetzner/hosted/ntfy.nix
@@ -33,6 +33,8 @@ in
     };
   };
 
+  services.restic.backups.default.paths = [ (dirOf config.services.ntfy-sh.settings.auth-file) ];
+
   services.grafana-to-ntfy = {
     enable = true;
     settings = {

diff --git a/secrets/hetzner-restic-backups.age b/secrets/hetzner-restic-backups.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> piv-p256 gEKqGQ AlnPcxwsYxtvpGAwr6TaryiMNCwQnqjf46AYdkr+izA4
+s0/bMMUUN7KF1AJdntwacEI0yH+pyQFSTR2aLUSq0Ug
+-> piv-p256 kHSiOQ AwoEA2gUz30o6fbqoBZ4lRWtAHox5S9qFqH59KyGxMlN
+eIezvLipiJN6QzCWgJsOHrJEF4rBNBkUg/b6dLGZxnU
+-> ssh-ed25519 bE1RAg bp2FTxVt0M9WzSXCDwPLwBqkkz9uQnHyq2x5u60Z8gs
+sa4WU2CRqO+J40KMTdH4/v2PXKhK7D7wdEGX5DG5QDE
+--- nAypvo3LfGGGjX8ut1NhmD44WIMkcHhSH01QnpFPIWk
+Yw���--���Gw.�O
+L�
+)�3){�2g��6L�X��"��;4�;Sa�FSè�4%Z�<�
diff --git a/secrets/hetzner-restic-default-env-file.age b/secrets/hetzner-restic-default-env-file.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> piv-p256 gEKqGQ AqGa+K1Rlj9ViuSBaQiajpAPfCVkIG/Ul7+68//MrTWQ
+MaEjV75zncm+RmTP3rP4wt1G0wcfwRVoHnTP/pAd9y0
+-> piv-p256 kHSiOQ An9K5EugFeyDN3W7H+kDPmhkz0wuHzavtd6lyMFdac1V
+LQSQ48o7K9A90oegJW6ZlKhFHwJs6h/SqEeKUoJVRhw
+-> ssh-ed25519 bE1RAg rLqB0tZPIW7ADWU++OUkFEe4z+SZ/brv99kZhUcLpnM
+DfmV8GSs8zYTEq8NjP1wnQvNGUdtpg9iQyG7PRdvpLk
+--- xH5Xfj8ZNXqPG+fVol//HTv95l/VC/oTRYcaZuJep2c
+�*+m0�R�*m�1�]���.�+���k�tN�F]H8�hY�t,�-�Nbgl�����_w��ftd1�^c�����u��n�B�����N�ăz~��fy%��4\|�7�G���K��QW��_�$F��ii@�

diff --git a/secrets/hetzner-restic-default-repo-password.age b/secrets/hetzner-restic-default-repo-password.age
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -33,6 +33,8 @@ in
   "hetzner-ntfy-sh-firebase-key.age".publicKeys = allUsers ++ [ systems.hetzner ];
   "hetzner-grafana-to-ntfy-ntfy-pass.age".publicKeys = allUsers ++ [ systems.hetzner ];
   "hetzner-grafana-to-ntfy-pass.age".publicKeys = allUsers ++ [ systems.hetzner ];
+  "hetzner-restic-default-env-file.age".publicKeys = allUsers ++ [ systems.hetzner ];
+  "hetzner-restic-default-repo-password.age".publicKeys = allUsers ++ [ systems.hetzner ];
   # Pan
   "pan-cachix-deploy-agent.age".publicKeys = allUsers ++ [ systems.pan ];
 }