feat: borgmatic

2023-08-16 13:49:15 +02:00 · 2023-08-16 13:49:15 +02:00 · 1781b8adca
commit 1781b8adca
parent 98ce595512
4 changed files with 93 additions and 36 deletions
--- a/hosts/ds9/default.nix
+++ b/hosts/ds9/default.nix
@ -28,45 +28,65 @@ in
  ragon.agenix.secrets."ds9OffsiteBackupSSH" = { owner = config.services.syncoid.user; };
  ragon.agenix.secrets."ds9SyncoidHealthCheckUrl" = { owner = config.services.syncoid.user; mode = "444"; };
  ragon.agenix.secrets."gatebridgeHostKeys" = { owner = config.services.syncoid.user; };
-  services.syncoid =
-    let
-      datasets = {
-        backups = "rpool/content/local/backups";
-        data = "rpool/content/safe/data";
-        ds9persist2 = "spool/safe/persist";
-        hassosvm2 = "spool/safe/vms/hassos";
-      };
-    in
+  ragon.agenix.secrets."borgmaticEncryptionKey" = { };
+  # services.syncoid =
+  #   let
+  #     datasets = {
+  #       backups = "rpool/content/local/backups";
+  #       data = "rpool/content/safe/data";
+  #       ds9persist2 = "spool/safe/persist";
+  #       hassosvm2 = "spool/safe/vms/hassos";
+  #     };
+  #   in

-    lib.mkMerge (
-      [{
-        localSourceAllow = [
-          "hold"
-          "send"
-          "snapshot"
-          "destroy"
-          "mount"
-        ];
-        enable = true;
-        interval = "*-*-* 2:15:00";
-        commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
-        sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
-      }] ++
-      (builtins.attrValues
-        (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
-      )
-    );
-  systemd.services."syncoid-ds9persist2" = {
-    # ExecStartPost commands are only run if the ExecStart command succeeded
-    # serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" ''
-    #   ${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})
-    # '';
-    unitConfig.OnFailure = "backupFailure.service";
-  };
+  #   lib.mkMerge (
+  #     [{
+  #       localSourceAllow = [
+  #         "hold"
+  #         "send"
+  #         "snapshot"
+  #         "destroy"
+  #         "mount"
+  #       ];
+  #       enable = true;
+  #       interval = "*-*-* 2:15:00";
+  #       commonArgs = [ "--sshoption" "GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path}" ];
+  #       sshKey = lib.mkForce "${config.age.secrets.ds9OffsiteBackupSSH.path}";
+  #     }] ++
+  #     (builtins.attrValues
+  #       (builtins.mapAttrs (n: v: { commands.${n} = { target = "root@gatebridge:backup/${n}"; source = v; sendOptions = "w"; }; }) (datasets))
+  #     )
+  #   );
+  # systemd.services."syncoid-ds9persist2" = {
+  #   # ExecStartPost commands are only run if the ExecStart command succeeded
+  #   # serviceConfig.ExecStartPost = pkgs.writeShellScript "backupSuccessful" ''
+  #   #   ${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})
+  #   # '';
+  #   unitConfig.OnFailure = "backupFailure.service";
+  # };

-  systemd.services.backupFailure = {
+  # systemd.services.backupFailure = {
+  #   enable = true;
+  #   script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail";
+  # };
+
+  services.borgmatic = {
    enable = true;
-    script = "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail";
+    configurations."ds9-offsite" = {
+      location = {
+        source_directories = [ "/backups" "/data" "/persistent" ];
+        repositories = [ "root@gatebridge:/backup/ds9-offsite" ];
+      };
+      exclude_if_present = [ ".nobackup" ];
+      encryption_passcommand = "cat ${config.age.secrets.borgmaticEncryptionKey.path}";
+      compression = "zstd,10";
+      upload_rate_limit = "4000";
+      ssh_command = "ssh -o GlobalKnownHostsFile=${config.age.secrets.gatebridgeHostKeys.path} -i ${config.age.secrets.ds9OffsiteBackupSSH.path}";
+      before_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/start" ];
+      after_actions = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})" ];
+      on_error = [ "${pkgs.curl}/bin/curl -fss -m 10 --retry 5 -o /dev/null $(cat ${config.age.secrets.ds9SyncoidHealthCheckUrl.path})/fail" ];
+      postgresql_databases = [ "all" ];
+    };
  };

  programs.mosh.enable = true;
--- a/secrets/borgmaticEncryptionKey.age
+++ b/secrets/borgmaticEncryptionKey.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 IbXxfw k4uXEfppfN96XQ7MhpaDZ3FcvBZT5OJn6LND/xwLiHY
+2vxRylbF5H1oYUbzjMPEUG15mX60oJJuGcB9xynLF2o
+-> ssh-ed25519 ugHWWw weUpwSEi8txtdKt+rZRSgjH/PL+v3yKES233cT6Oy3A
+qVHvFQyE/5eRiqBPRw2OotCiS0+oQOEH+dfSpFgVPOU
+-> ssh-ed25519 UU9RSA OYrony2IUeUPIFTeMFHtBcFEAOg6ut87EsreW+zV/jY
+gtG2J1FAhLJjiC8nvkYC1cUCgdXcCl0hTBed/G8vH6E
+-> ssh-ed25519 RJI3BA R6WsUbhSVM8DL4oHftdcR7cZLQxsol3vhBXX0G7Qsjg
+/sUmjdPVsJn0KS2kVbo95+JTyi8DItgHmGlbX1hP/3M
+-> ssh-ed25519 XnvJKw viG+VfIRbA9WM9cQ8u9Hva0xo99EOQQrtt2N1LNOUBw
+QuKRRugApdK/jkpD3BB9X2ZtxHdUIInfir+9tYYBf3A
+-> ssh-ed25519 7NL5Ng oyFD59r3iTxlbU0iCPFUye8skSGIEloc+9reWwMar14
+WHuSFIDVtGOu/es5dINTqEp3v9ctX5dSkrVXyZynLn4
+-> Uw7#-grease wOL`6 ^! kqdZb=" *0)=!b|r
+2ZZ7UvRHfh9OOP9OAWYiXjZFTAzYXf/gRjPDx0g
+--- YO75SInSUIoHwLH4SMtHwNRYzTXPr8AMEqNRCTT4Gho
+cÇø ÊÅ¹92ŒÃŒRÆ}%‚enS9›ŒYûo3Úopàü!Íº	ÿ3—PÊz¨ÛðŽHX‡l9`/ Gm²ÃËT8f™ü¢RÍ±3kÕ~.<{ñ‰óbR}&$¢"›%ö^ÐàSÖ"RÝíV_ÑÈŠ-Ñu´æÀW‰ð(°IþþÛˆ;è~ttT•8Î¯†ÍqhB£Ý<Óâ©ÈÕ¿
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -12,6 +12,7 @@ in
  "ragonPasswd.age".publicKeys = pubkeys.ragon.computers;
  "tailscaleKey.age".publicKeys = pubkeys.ragon.computers;
  "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
+  "borgmaticEncryptionKey.age".publicKeys = pubkeys.ragon.host "ds9";
  "photoprismEnv.age".publicKeys = pubkeys.ragon.host "ds9";
  "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
  "ds9SyncoidHealthCheckUrl.age".publicKeys = pubkeys.ragon.host "ds9";
@ -24,6 +25,7 @@ in
  "gitlabDBFile.age".publicKeys = pubkeys.ragon.host "picard";
  "gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard";
  "prometheusBlackboxConfig.yaml.age".publicKeys = pubkeys.ragon.host "beliskner";
+  "vpnConfig.age".publicKeys = pubkeys.ragon.host "beliskner";
  "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard";
  "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard";
  "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard";
--- a/secrets/vpnConfig.age
+++ b/secrets/vpnConfig.age
@ -0,0 +1,18 @@
+age-encryption.org/v1
+-> ssh-ed25519 ILWjJw JFlwQs4oiPmf/VRrOHLmf6ZUP3cZNWNb9Fw2CQyA610
+gC4CU+S0njS0Buebc2kBF3yMXO0TRL136rzrpNASHG0
+-> ssh-ed25519 ugHWWw LbFC1YPVN1z7QRWzp8BYCHnQtkdYPMnxY904lSiDrHU
+B3gmZl7/fM2Gz88sbMY6m8r+XAtAINQ1CyysvlsiaWA
+-> ssh-ed25519 UU9RSA AEq8ss3f+8eCgQ9qzNbCf1ibgGNREtQEDitwgGktMio
+lCbDc7t7ZurZ0RU5Sd1yc3LS+5yvv5z3jhT18KzBZxE
+-> ssh-ed25519 RJI3BA Pk7DdEs02hc7FIyFDyuhNW5vLJszul5D0q/59Yb8Bi0
+VgR8z/D7dNDqEd2zhMio8SKg1n6YsCyidgLryOMoXzc
+-> ssh-ed25519 XnvJKw Fl630kayN8b8h9+tAZT1xpDm0+lu3neU8c/mTRlC2X4
+fABfYTPCWIRCdVPhSemxIzWLGlgHWklo50hacVR7GnE
+-> ssh-ed25519 7NL5Ng RIKEkshpLlOuXoazpNRtmw4olpYTS/r3YhO68YeYvUo
+3itvS7ivVE860SgJJ+Ea8ne9buzlib2WvXJx0WuVsPk
+-> n<z-grease
+WstvdfGV30XTRkPteDFLUJqlHl20JfQg99SlT2jBC6SHCvm1+iozof5FolKCB831
+FJZG
+--- axy07eb2MqmnSazV2BcwEZ6vkBiaEZiqi0RE2p52rvk
+%ªÒbè,’hN<68>À%•R‹ö6áÿk•±Ö&îê_0‰Vwö