diff --git a/hosted/flake-module.nix b/hosted/flake-module.nix
index fb8125f..3f93217 100644
--- a/hosted/flake-module.nix
+++ b/hosted/flake-module.nix
@@ -4,5 +4,6 @@
 flake.nixosModules = {
 hosted-nginx = lib.modules.importApply ./nginx.nix { inherit inputs; };
 hosted-node-exporter = ./node-exporter.nix;
+ hosted-restic = ./restic.nix;
 };
 }
diff --git a/hosted/restic.nix b/hosted/restic.nix
new file mode 100644
index 0000000..42ac2cb
--- /dev/null
+++ b/hosted/restic.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+ age.secrets = {
+ restic-default-env-file.file = ../secrets/${config.networking.hostName}-restic-default-env-file.age;
+ restic-default-repo-password.file = ../secrets/${config.networking.hostName}-restic-default-repo-password.age;
+ };
+
+ services.restic.backups.default = {
+ repository = "s3:https://s3.eu-central-003.backblazeb2.com/kranzes-backups/${config.networking.hostName}";
+ initialize = true;
+ environmentFile = config.age.secrets.restic-default-env-file.path;
+ passwordFile = config.age.secrets.restic-default-repo-password.path;
+ };
+}
diff --git a/hosts/hetzner/hosted/default.nix b/hosts/hetzner/hosted/default.nix
index 9f60288..cfb5698 100644
--- a/hosts/hetzner/hosted/default.nix
+++ b/hosts/hetzner/hosted/default.nix
@@ -9,5 +9,6 @@
 ./ntfy.nix
 inputs.self.nixosModules.hosted-nginx
 inputs.self.nixosModules.hosted-node-exporter
+ inputs.self.nixosModules.hosted-restic
 ];
 }
diff --git a/hosts/hetzner/hosted/kanidm.nix b/hosts/hetzner/hosted/kanidm.nix
index 8e1cecc..66a8cf9 100644
--- a/hosts/hetzner/hosted/kanidm.nix
+++ b/hosts/hetzner/hosted/kanidm.nix
@@ -103,4 +103,6 @@ in
 owner = "kanidm";
 group = "kanidm";
 });
+
+ services.restic.backups.default.paths = [ config.services.kanidm.serverSettings.online_backup.path ];
 }
diff --git a/hosts/hetzner/hosted/ntfy.nix b/hosts/hetzner/hosted/ntfy.nix
index c2fd518..c14290b 100644
--- a/hosts/hetzner/hosted/ntfy.nix
+++ b/hosts/hetzner/hosted/ntfy.nix
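Review bot: In hosted/restic.nix the `services.restic.backups.default` block sets no retention, so snapshots in the bucket accumulate without bound; consider adding `pruneOpts = [ "--keep-daily 7" "--keep-weekly 4" ];` (values illustrative) or a lifecycle rule on the bucket. The credentials in `environmentFile` live on the host being backed up, so whether a compromised host could also delete its own backups depends on the scope of that application key, which is not visible in this commit. A key limited to this bucket and the `${config.networking.hostName}` prefix is worth confirming, and a key without delete rights rules out host-side pruning, so the two choices have to be made together. A short comment above `repository` recording the expected key scope would keep that decision next to the config.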
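Review bot: The added `services.restic.backups.default.paths` line at the end of hosts/hetzner/hosted/kanidm.nix sends Kanidm's online backup directory off-site, and nothing in the hunk ties the restic run to the point at which that backup has finished writing. Those files hold the identity database, credential material included, so the restic repository password and the bucket credentials now protect the same data as the Kanidm server itself. I would add a comment such as `# restic must run after kanidm's online_backup schedule; these files contain credential hashes` and check that the restic timer falls after the configured schedule. The enclosing attribute set starts outside the hunk.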
@@ -33,6 +33,8 @@ in }; }; + services.restic.backups.default.paths = [ (dirOf config.services.ntfy-sh.settings.auth-file) ]; + services.grafana-to-ntfy = { enable = true; settings = { diff --git a/secrets/hetzner-restic-backups.age b/secrets/hetzner-restic-backups.age new file mode 100644 index 0000000..59e2b8a --- /dev/null +++ b/secrets/hetzner-restic-backups.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ AlnPcxwsYxtvpGAwr6TaryiMNCwQnqjf46AYdkr+izA4 +s0/bMMUUN7KF1AJdntwacEI0yH+pyQFSTR2aLUSq0Ug +-> piv-p256 kHSiOQ AwoEA2gUz30o6fbqoBZ4lRWtAHox5S9qFqH59KyGxMlN +eIezvLipiJN6QzCWgJsOHrJEF4rBNBkUg/b6dLGZxnU +-> ssh-ed25519 bE1RAg bp2FTxVt0M9WzSXCDwPLwBqkkz9uQnHyq2x5u60Z8gs +sa4WU2CRqO+J40KMTdH4/v2PXKhK7D7wdEGX5DG5QDE +--- nAypvo3LfGGGjX8ut1NhmD44WIMkcHhSH01QnpFPIWk +Yw--G w.O +L +)3){2g6LX";4;SaFSè4%Z< \ No newline at end of file diff --git a/secrets/hetzner-restic-default-env-file.age b/secrets/hetzner-restic-default-env-file.age new file mode 100644 index 0000000..703e07b --- /dev/null +++ b/secrets/hetzner-restic-default-env-file.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ AqGa+K1Rlj9ViuSBaQiajpAPfCVkIG/Ul7+68//MrTWQ +MaEjV75zncm+RmTP3rP4wt1G0wcfwRVoHnTP/pAd9y0 +-> piv-p256 kHSiOQ An9K5EugFeyDN3W7H+kDPmhkz0wuHzavtd6lyMFdac1V +LQSQ48o7K9A90oegJW6ZlKhFHwJs6h/SqEeKUoJVRhw +-> ssh-ed25519 bE1RAg rLqB0tZPIW7ADWU++OUkFEe4z+SZ/brv99kZhUcLpnM +DfmV8GSs8zYTEq8NjP1wnQvNGUdtpg9iQyG7PRdvpLk +--- xH5Xfj8ZNXqPG+fVol//HTv95l/VC/oTRYcaZuJep2c +*+m0R*m1 ].+ ktNF]H8hYt,-Nbgl_wftd1^cunBNăz~fy%4\|7GKQW_$Fii@ \ No newline at end of file diff --git a/secrets/hetzner-restic-default-repo-password.age b/secrets/hetzner-restic-default-repo-password.age new file mode 100644 index 0000000..8c3b48e Binary files /dev/null and b/secrets/hetzner-restic-default-repo-password.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 35c5693..e0b5af2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
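Review bot: In hosts/hetzner/hosted/ntfy.nix, `dirOf config.services.ntfy-sh.settings.auth-file` backs up the whole directory that holds the auth database rather than the file, so anything else written there is uploaded as well, and the database is copied while the service may still be writing to it. If only the user database is wanted, list it directly with `paths = [ config.services.ntfy-sh.settings.auth-file ];` and consider a `backupPrepareCommand` that takes a consistent copy first. If the directory is used on purpose, for instance to pick up the database's sidecar files, a comment such as `# whole state dir on purpose: includes the auth db and its journal files` would make that clear. The surrounding attribute set begins and ends outside the hunk.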
@@ -33,6 +33,8 @@ in
 "hetzner-ntfy-sh-firebase-key.age".publicKeys = allUsers ++ [ systems.hetzner ];
 "hetzner-grafana-to-ntfy-ntfy-pass.age".publicKeys = allUsers ++ [ systems.hetzner ];
 "hetzner-grafana-to-ntfy-pass.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-restic-default-env-file.age".publicKeys = allUsers ++ [ systems.hetzner ];
+ "hetzner-restic-default-repo-password.age".publicKeys = allUsers ++ [ systems.hetzner ];
 # Pan
 "pan-cachix-deploy-agent.age".publicKeys = allUsers ++ [ systems.pan ];
 }
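Review bot: This secrets/secrets.nix hunk registers `hetzner-restic-default-env-file.age` and `hetzner-restic-default-repo-password.age`, but the same commit also adds `secrets/hetzner-restic-backups.age`, which has no entry here and is not referenced from hosted/restic.nix. As far as the visible lines show, that file is an orphan: without a `publicKeys` entry it will not be rekeyed along with the others, yet its header carries the same three recipient stanzas, so the ciphertext stays in history tied to keys that may later be rotated. If it is a leftover from an earlier name, drop it from the commit and rotate whatever it contained if that value was ever live; otherwise add `"hetzner-restic-backups.age".publicKeys = allUsers ++ [ systems.hetzner ];`. The bindings for `allUsers` and `systems` are outside the hunk.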