From b17ff565c366ec12445714bb447665b9f2ccb49c Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Sat, 5 Oct 2024 10:53:54 +0200
Subject: [PATCH] defiant: Fix nfs-client, replace borg with restic

---
 hosts/defiant/backup.nix | 82 ++++++++------------------
 hosts/defiant/configuration.nix | 11 +---
 hosts/defiant/filesystems.nix | 29 ++++++++++
 hosts/defiant/services/postgresql.nix | 2 +-
 secrets/defiant/defiant.yaml | 12 ++--
 5 files changed, 63 insertions(+), 73 deletions(-)
 create mode 100644 hosts/defiant/filesystems.nix

diff --git a/hosts/defiant/backup.nix b/hosts/defiant/backup.nix
index 93fdf09..df263d5 100644
--- a/hosts/defiant/backup.nix
+++ b/hosts/defiant/backup.nix
@@ -1,62 +1,30 @@
 { config, pkgs, lib, ... }:
 {
- services.borgbackup.jobs =
- let
- borgJob = name: {
- environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
- environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
- repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
- compression = "auto,zstd";
- };
- in {
- postgresDaily = borgJob "postgres::daily" // {
- paths = "/data/backup/postgresql";
- startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
- extraInitArgs = "--storage-quota 10G";
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
- };
- };
-
- postgresWeekly = borgJob "postgres::weekly" // {
- paths = "/data/backup/postgresql";
- startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
- extraInitArgs = "--storage-quota 10G";
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
- };
- };
-
- gitea = borgJob "gitea::weekly" // {
- paths = "/tank/services/gitea";
- startAt = "Mon *-*-* 05:15:00";
- extraInitArgs = "--storage-quota 20G";
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
- };
- };
-
- minecraft = borgJob "minecraft::weekly" // {
- paths = "/var/lib/minecraft-wack";
- startAt = "weekly";
- extraInitArgs = "--storage-quota 20G";
- encryption.mode = "none";
-
- preHook = ''
- ${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
- '';
-
- postHook = ''
- ${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
- '';
- };
-
+ services.restic.backups = let
+ localJob = name: paths: {
+ inherit paths;
+ repository = "/mnt/feal-syn1/backup/defiant/${name}";
+ passwordFile = config.sops.secrets."restic/${name}".path;
+ initialize = true;
+ pruneOpts = [
+ "--keep-daily 3"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ ];
+ };
+ in {
+ postgres = (localJob "postgres" [ 
"/tank/backup/postgresql" ]) // {
+ timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
 };
- # TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
- sops.secrets."borg/postgres" = { };
- sops.secrets."borg/gitea" = { };
+ gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
+ matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
+ vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
+ };
+
+ # TODO: home-assistant, pihole
+ sops.secrets."restic/postgres" = { };
+ sops.secrets."restic/gitea" = { };
+ sops.secrets."restic/matrix-synapse" = { };
+ sops.secrets."restic/vaultwarden" = { };
 }
diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index 78f473d..246146f 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -5,6 +5,7 @@
 [
 ../../base.nix
 ../../common/metrics-exporters.nix
+ ./filesystems.nix
 ./hardware-configuration.nix
 # Infrastructure
@@ -44,16 +45,6 @@
 sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
 environment.variables = { EDITOR = "vim"; };
- environment.systemPackages = with pkgs; [
- zfs
- ];
-
- boot = {
- zfs.extraPools = [ "tank" ];
- supportedFilesystems = [ "zfs" ];
- kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
- };
- services.prometheus.exporters.zfs.enable = true;
 virtualisation.docker.enable = true;
 virtualisation.oci-containers.backend = "docker";
diff --git a/hosts/defiant/filesystems.nix b/hosts/defiant/filesystems.nix
new file mode 100644
index 0000000..06343bb
--- /dev/null
+++ b/hosts/defiant/filesystems.nix
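Review bot: Every restic repository in `localJob` lives under the NFS mount `/mnt/feal-syn1/backup`, and with `initialize = true` a job that fires while the share is not mounted will quietly create and fill a fresh repository on the local root filesystem beneath the empty mount point, so backups appear to succeed but never reach the NAS; unless the NixOS restic module already orders its units after the mount, each generated `restic-backups-<name>` service should carry `unitConfig.RequiresMountsFor = "/mnt/feal-syn1/backup";` (or a `ConditionPathIsMountPoint`) so a missing mount fails loudly instead. The minecraft job, including its mcrcon save-off/save-on hooks, is dropped without a replacement and is not listed in the new TODO either; if that is intended it deserves a line in the commit message, otherwise a `localJob "minecraft" [ "/var/lib/minecraft-wack" ]` entry with the hooks moved to `backupPrepareCommand`/`backupCleanupCommand` is needed. The `/tank/backup/postgresql` path and the 05:15 timer do agree with the postgresql.nix hunk in this commit, so that coupling is consistent.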
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+{
+ # Boot drives are defined in ./hardware-configuration.nix
+
+ boot = {
+ zfs.extraPools = [ "tank" ];
+ supportedFilesystems = [ "zfs" ];
+ kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+ };
+ services.prometheus.exporters.zfs.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ cifs-utils
+ zfs
+ ];
+
+ fileSystems = {
+ "/mnt/feal-syn1/backup" = {
+ device = "feal-syn1.home.feal.no:/volume2/backup";
+ fsType = "nfs";
+ options = [
+ "defaults"
+ "noatime"
+ "rw"
+ "nfsvers=3"
+ ];
+ };
+ };
+}
diff --git a/hosts/defiant/services/postgresql.nix b/hosts/defiant/services/postgresql.nix
index 0336210..9a0d3f7 100644
--- a/hosts/defiant/services/postgresql.nix
+++ b/hosts/defiant/services/postgresql.nix
@@ -7,7 +7,7 @@
 services.postgresqlBackup = {
 enable = true;
- location = "/data/backup/postgresql/";
+ location = "/tank/backup/postgresql";
 startAt = "*-*-* 03:15:00";
 # Each service is registered in its own configuration file
diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml
index 59936e3..4a0594a 100644
--- a/secrets/defiant/defiant.yaml
+++ b/secrets/defiant/defiant.yaml
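Review bot: The `/mnt/feal-syn1/backup` entry has neither `nofail` nor an automount option, so as a plain hard NFS mount it becomes part of the boot transaction and an unreachable `feal-syn1` will stall boot even though only the timer-driven restic jobs use the share; `options = [ "defaults" "noatime" "rw" "nfsvers=3" "nofail" "x-systemd.automount" "noauto" ];` keeps the host bootable and mounts on first access. `cifs-utils` is added to `environment.systemPackages` but nothing in this file mounts SMB, and as far as I can tell the NixOS module enables NFS client support from `fsType = "nfs"` on its own, so that package looks like a leftover that should be dropped or justified with a comment. With `nfsvers=3` the default security flavour is `sec=sys`, meaning the server trusts the client's uid/gid and the wire is unauthenticated and unencrypted, so confidentiality of what lands on the share rests entirely on restic's repository encryption; a one-line comment at the mount such as `# NFSv3 (sec=sys): no transport auth or encryption; backups rely on restic's own encryption` would make that dependency explicit.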
@@ -11,9 +11,11 @@ vaultwarden:
 admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str]
 microbin:
 secrets: ENC[AES256_GCM,data:B2yOSEXFyge7fgphtKcy8CjaeEiwmHAxgGoiqa4lmQtRtnxy5UuH3dFuCXHvbd3n6YA24zX3ANIQpj6ilT4I96+P+L9TjA==,iv:3mryQf3GdKCqBkLsfyqJk5ZN+/gOEbL/LmEzreINGME=,tag:YD8uvkS23c5B7J9srRrU9w==,type:str]
-borg:
- postgres: ENC[AES256_GCM,data:vwfLF2qkUMl9b/4oYVm+pzfbbw==,iv:+QlTXjowne2d+ufw9YbhgaAIVvYg78LkMS0BqfPwoRI=,tag:JAbR3/DbYp+vRApJteg4zA==,type:str]
- gitea: ENC[AES256_GCM,data:GIZ/wkzEkm6DUZETv8GpXd8k5w==,iv:MLnVtrev+poT+3D5+o5UV8FBQWpvqlYAkcXMF53bKJw=,tag:89zkLJNZw04ZPyqvpspgsw==,type:str]
+restic:
+ gitea: ENC[AES256_GCM,data:3RqbDR8h+htdKoThpp2mptB3QuMmNSaFIw6ORGMxpcs=,iv:ZqG4zlsMPh9PmsCZ/deEON6weY+p5rAUN2dEJGzEfOY=,tag:4jN00VnwOpId+Zp8qF5tmQ==,type:str]
+ matrix-synapse: ENC[AES256_GCM,data:wJMtOS8IH6lY8ni2h5hO0zJN6JbJUpfeSp44iTpEcZM=,iv:45BBv5kPCmbW68k59FuuVf22JTrWtDWNEiovPuCOn/M=,tag:sslqD1foO8FeD7Oll8sGFg==,type:str]
+ postgres: ENC[AES256_GCM,data:FsXVw4nd+7bwaX4UL0/ShuQRDbLJEPlAasMaV4LNP88=,iv:/0GLzTyrJB5+DQcsxFJxuDVQpsj87levnKUd+/T6rAw=,tag:ndE3UJpMW/mLot4Ar8xY1A==,type:str]
+ vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str]
 keycloak:
 postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
 sops:
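Review bot: The `borg.postgres` and `borg.gitea` passphrases are deleted here, but nothing in this commit removes the borg repositories those passphrases unlock on the NAS (the `/volume2/backup/borg/defiant/...` repos from the removed backup.nix); in repokey mode the key sits inside the repository but is protected by exactly this passphrase, so after this change the historic backups can only be unlocked by digging the old value out of git history and decrypting it with the age key. Consider keeping the `borg:` entries until the old repositories have either been verified as superseded by a tested restic restore or been deliberately deleted, or state in the commit message where the passphrases are retained. The new `restic:` entries themselves match the `passwordFile = config.sops.secrets."restic/${name}".path` mapping in backup.nix one-to-one, which is the right shape: one independent passphrase per repository.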
@@ -40,8 +42,8 @@ sops:
 RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
 fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-25T17:49:30Z"
- mac: ENC[AES256_GCM,data:17W0WL9NkwEi/zofBffNtns4kxykfpOV05ukHDpkNjmlrRKxTJtlpRLdSb0JGaAxPm15f2fdjDmKl7gkDm09SRXMRwxyntix2ZjvMPx9pXgoMfiZfc6Cn3GwGco3Eajvpm8tS7DKaWfToC+XYvxjeHhyFhDbI7xMf7LcB2s+OOI=,iv:v5rAcMz5142AKKx7CQLTRBR3tGMWe1LSM0VHaDI5Nbk=,tag:GxoQjPE8ox45Udx/id+Y/g==,type:str]
+ lastmodified: "2024-10-05T08:43:32Z"
+ mac: ENC[AES256_GCM,data:UMaxVqcS9SK/OclUe5k547zScx5BhAJt4f87Sfw2Ctdx6ZJRbju4310TeZUygzge4/OrCywD+9R09FzR65OBvIDxvUIqOblqzrYiHK6xRUSkUtLJEb8gzD7ycsccHaHpLYom0zbSixmMUDSthn2rexQixin9gUGVq+x9I3Z/sPk=,iv:oZAcTHjeFQjxZrNmQmJS3kJiXs1IcDbYJOo44kI3f5Y=,tag:7GINKR+6WMhlDAzeDOyrog==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1