From 45c89ba6187774f6ecc0746678f6e61fa2eac9bd Mon Sep 17 00:00:00 2001
From: Ilan Joselevich
Date: Mon, 24 Feb 2025 17:26:27 +0700
Subject: [PATCH] hosted: add restic backups
---
 hosted/flake-module.nix | 1 +
 hosted/restic.nix | 15 +++++++++++++++
 hosts/hetzner/hosted/default.nix | 1 +
 hosts/hetzner/hosted/kanidm.nix | 2 ++
 hosts/hetzner/hosted/ntfy.nix | 2 ++
 secrets/hetzner-restic-backups.age | 11 +++++++++++
 secrets/hetzner-restic-default-env-file.age | 9 +++++++++
 secrets/hetzner-restic-default-repo-password.age | Bin 0 -> 557 bytes
 secrets/secrets.nix | 2 ++
 9 files changed, 43 insertions(+)
 create mode 100644 hosted/restic.nix
 create mode 100644 secrets/hetzner-restic-backups.age
 create mode 100644 secrets/hetzner-restic-default-env-file.age
 create mode 100644 secrets/hetzner-restic-default-repo-password.age
diff --git a/hosted/flake-module.nix b/hosted/flake-module.nix
index fb8125f..3f93217 100644
--- a/hosted/flake-module.nix
+++ b/hosted/flake-module.nix
@@ -4,5 +4,6 @@
 flake.nixosModules = {
 hosted-nginx = lib.modules.importApply ./nginx.nix { inherit inputs; };
 hosted-node-exporter = ./node-exporter.nix;
+ hosted-restic = ./restic.nix;
 };
 }
diff --git a/hosted/restic.nix b/hosted/restic.nix
new file mode 100644
index 0000000..42ac2cb
--- /dev/null
+++ b/hosted/restic.nix
@@ -0,0 +1,15 @@
+{ config, ... }:
+
+{
+ age.secrets = {
+ restic-default-env-file.file = ../secrets/${config.networking.hostName}-restic-default-env-file.age;
+ restic-default-repo-password.file = ../secrets/${config.networking.hostName}-restic-default-repo-password.age;
+ };
+
+ services.restic.backups.default = {
+ repository = "s3:https://s3.eu-central-003.backblazeb2.com/kranzes-backups/${config.networking.hostName}";
+ initialize = true;
+ environmentFile = config.age.secrets.restic-default-env-file.path;
+ passwordFile = config.age.secrets.restic-default-repo-password.path;
+ };
+}
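Review bot: The `services.restic.backups.default` block in hosted/restic.nix hands the host both the bucket credentials (`environmentFile`) and the repository password, so anything the storage key is permitted to do to the bucket, a compromise of the host can do to the backups as well. The key's capabilities are not visible in this patch; if it can delete objects, consider a key without delete capability, or bucket-side object lock or lifecycle rules, so existing snapshots survive a host compromise. The block also sets no `pruneOpts`, so no retention policy is applied from this module. Since pruning needs delete rights, a short comment above the block stating where retention is enforced would make the trade-off explicit.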
diff --git a/hosts/hetzner/hosted/default.nix b/hosts/hetzner/hosted/default.nix index 9f60288..cfb5698 100644 --- a/hosts/hetzner/hosted/default.nix +++ b/hosts/hetzner/hosted/default.nix @@ -9,5 +9,6 @@ ./ntfy.nix inputs.self.nixosModules.hosted-nginx inputs.self.nixosModules.hosted-node-exporter + inputs.self.nixosModules.hosted-restic ]; } diff --git a/hosts/hetzner/hosted/kanidm.nix b/hosts/hetzner/hosted/kanidm.nix index 8e1cecc..66a8cf9 100644 --- a/hosts/hetzner/hosted/kanidm.nix +++ b/hosts/hetzner/hosted/kanidm.nix @@ -103,4 +103,6 @@ in owner = "kanidm"; group = "kanidm"; }); + + services.restic.backups.default.paths = [ config.services.kanidm.serverSettings.online_backup.path ]; } diff --git a/hosts/hetzner/hosted/ntfy.nix b/hosts/hetzner/hosted/ntfy.nix index c2fd518..c14290b 100644 --- a/hosts/hetzner/hosted/ntfy.nix +++ b/hosts/hetzner/hosted/ntfy.nix @@ -33,6 +33,8 @@ in }; }; + services.restic.backups.default.paths = [ (dirOf config.services.ntfy-sh.settings.auth-file) ]; + services.grafana-to-ntfy = { enable = true; settings = { diff --git a/secrets/hetzner-restic-backups.age b/secrets/hetzner-restic-backups.age new file mode 100644 index 0000000..59e2b8a --- /dev/null +++ b/secrets/hetzner-restic-backups.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ AlnPcxwsYxtvpGAwr6TaryiMNCwQnqjf46AYdkr+izA4 +s0/bMMUUN7KF1AJdntwacEI0yH+pyQFSTR2aLUSq0Ug +-> piv-p256 kHSiOQ AwoEA2gUz30o6fbqoBZ4lRWtAHox5S9qFqH59KyGxMlN +eIezvLipiJN6QzCWgJsOHrJEF4rBNBkUg/b6dLGZxnU +-> ssh-ed25519 bE1RAg bp2FTxVt0M9WzSXCDwPLwBqkkz9uQnHyq2x5u60Z8gs +sa4WU2CRqO+J40KMTdH4/v2PXKhK7D7wdEGX5DG5QDE +--- nAypvo3LfGGGjX8ut1NhmD44WIMkcHhSH01QnpFPIWk +Yw--G w.O +L +)3){2g6LX";4;SaFSè4%Z< \ No newline at end of file diff --git a/secrets/hetzner-restic-default-env-file.age b/secrets/hetzner-restic-default-env-file.age new file mode 100644 index 0000000..703e07b --- /dev/null +++ b/secrets/hetzner-restic-default-env-file.age 
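Review bot: The added `services.restic.backups.default.paths = [ config.services.kanidm.serverSettings.online_backup.path ];` in kanidm.nix only captures data if kanidm actually writes online backups to that directory, and nothing in this hunk shows `online_backup.versions` or `online_backup.schedule` being set (the rest of the file is outside the hunk). As far as I recall, the NixOS module defaults `versions` to 0, which disables the dumps, so please confirm it is non-zero and that the restic timer fires after the kanidm schedule rather than before it. These dumps hold the full identity database, so a comment such as `# kanidm online backups contain credential material; confidentiality relies on the restic repo password` would help the next reader.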
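Review bot: `(dirOf config.services.ntfy-sh.settings.auth-file)` in ntfy.nix backs up the whole directory around the auth database rather than the file itself, and presumably does so while ntfy is running. If the auth file is a live SQLite database (its format is not shown in this hunk), a file-level copy can catch it mid-write. Setting `backupPrepareCommand` to write a consistent copy first, and pointing `paths` at that copy, would avoid restoring a corrupt user database. A comment noting that anything else later placed in that directory will also be included would be useful too.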
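Review bot: `secrets/hetzner-restic-backups.age` is added here but none of the visible hunks reference it. hosted/restic.nix only loads the `-restic-default-env-file.age` and `-restic-default-repo-password.age` secrets, and the diffstat shows just two new lines in secrets/secrets.nix (that hunk is outside my view). If this file is a leftover from an earlier naming, drop it from the commit. An encrypted file without a recipients entry cannot be rekeyed together with the others and tends to be forgotten when recipient keys are rotated.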
@@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> piv-p256 gEKqGQ AqGa+K1Rlj9ViuSBaQiajpAPfCVkIG/Ul7+68//MrTWQ +MaEjV75zncm+RmTP3rP4wt1G0wcfwRVoHnTP/pAd9y0 +-> piv-p256 kHSiOQ An9K5EugFeyDN3W7H+kDPmhkz0wuHzavtd6lyMFdac1V +LQSQ48o7K9A90oegJW6ZlKhFHwJs6h/SqEeKUoJVRhw +-> ssh-ed25519 bE1RAg rLqB0tZPIW7ADWU++OUkFEe4z+SZ/brv99kZhUcLpnM +DfmV8GSs8zYTEq8NjP1wnQvNGUdtpg9iQyG7PRdvpLk +--- xH5Xfj8ZNXqPG+fVol//HTv95l/VC/oTRYcaZuJep2c +*+m0R*m1 ].+ ktNF]H8hYt,-Nbgl_wftd1^cunBNăz~fy%4\|7GKQW_$Fii@ \ No newline at end of file diff --git a/secrets/hetzner-restic-default-repo-password.age b/secrets/hetzner-restic-default-repo-password.age new file mode 100644 index 0000000000000000000000000000000000000000..8c3b48e10e5a4507ef619be899de504e21a0ee5d GIT binary patch literal 557 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14$Sl(>Ffuh$NO$!vbPrT;tn!E`@y-qn zHO-GSsPHOCEeXONr^1>&GRiSO)@hL9m$|8BrE5WQUW8#}cxI|US9y7MvX^m%i(6$;|B+naB- zkJeh33CYDu>T#cvfALyYfq&7~V5LPtArG3x=D!YOSYXO6Wq8hXr5mg3Nw!%G=?cN; m9G@=`ypZ7Vd)aJ-pVFEgcMIl;&%fa<*R|OEPS|QG^XmYh