add backups for forgejo
parent
7fb14454fd
commit
31d7ebfad8
|
@ -37,9 +37,11 @@ in {
|
|||
presets.nixos.containerBase
|
||||
profiles.sshd
|
||||
profiles.firewallAllow.ssh
|
||||
./secrets.nix
|
||||
]
|
||||
++ (with hosts.hetzner-arm.containers.forgejo; [
|
||||
profiles.forgejo
|
||||
++ (with hosts.hetzner-arm.containers.forgejo.profiles; [
|
||||
forgejo
|
||||
restic
|
||||
]);
|
||||
|
||||
networking.firewall.allowedTCPPorts = [2222];
|
||||
|
|
|
@ -53,13 +53,6 @@
|
|||
ENABLE = false;
|
||||
};
|
||||
};
|
||||
|
||||
dump = {
|
||||
enable = true;
|
||||
interval = "hourly";
|
||||
file = "forgejo-dump";
|
||||
type = "tar.zst";
|
||||
};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
|
|
39
hosts/hetzner-arm/containers/forgejo/profiles/restic.nix
Normal file
|
@ -0,0 +1,39 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
...
|
||||
}: let
|
||||
secrets = config.services.secrets.secrets;
|
||||
in {
|
||||
environment.systemPackages = with pkgs; [
|
||||
restic
|
||||
(pkgs.writeShellScriptBin "restic-forgejo" ''
|
||||
env \
|
||||
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
|
||||
$(cat ${secrets.restic_env.path}) \
|
||||
${pkgs.restic}/bin/restic $@
|
||||
'')
|
||||
];
|
||||
|
||||
services.restic.backups.forgejo = {
|
||||
user = "root";
|
||||
paths = [
|
||||
"/var/lib/forgejo"
|
||||
];
|
||||
|
||||
# repository is overrided in environmentFile to contain auth
|
||||
# make sure to keep up to date when changing repository
|
||||
repository = "rest:https://storage-restic.owo.monster/Forgejo";
|
||||
passwordFile = "${secrets.restic_password.path}";
|
||||
environmentFile = "${secrets.restic_env.path}";
|
||||
|
||||
pruneOpts = [
|
||||
"--keep-last 50"
|
||||
];
|
||||
|
||||
timerConfig = {
|
||||
OnBootSec = "1m";
|
||||
OnCalendar = "4h";
|
||||
};
|
||||
};
|
||||
}
|
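Review bot: `OnCalendar = "4h";` in the timerConfig block at the end of this file is a timespan rather than a systemd calendar expression, so unless `systemd-analyze calendar 4h` accepts it on this host the timer fails to parse and the backup silently never runs; `OnCalendar = "*-*-* 0/4:00:00";` (or `OnUnitActiveSec = "4h";`) says what was intended, and the `"8h"` and `"6h"` values in the two later timerConfig hunks have the same problem. In the `restic-forgejo` wrapper, `$(cat ${secrets.restic_env.path})` places the credential-bearing RESTIC_REPOSITORY URL into the argument list of `env`, where it is briefly visible through /proc/<pid>/cmdline and in any process accounting or audit log, and the unquoted `$@` re-splits the caller's arguments; sourcing the file instead keeps the secret off the command line: `set -a; . ${secrets.restic_env.path}; set +a`, `export RESTIC_PASSWORD_FILE=${secrets.restic_password.path}`, `exec ${pkgs.restic}/bin/restic "$@"`. With the forgejo `dump` job removed in this same commit, this backup is a live copy of /var/lib/forgejo with no `backupPrepareCommand`, so if the database or in-flight repository writes live under that path the snapshot may be inconsistent; a prepare step like the one the other backup in this commit inherits would be worth considering.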
42
hosts/hetzner-arm/containers/forgejo/secrets.nix
Normal file
|
@ -0,0 +1,42 @@
|
|||
{pkgs, ...}: {
|
||||
services.secrets = {
|
||||
enable = true;
|
||||
|
||||
vaultLogin = {
|
||||
enable = true;
|
||||
loginUsername = "hetzner-arm-container-forgejo";
|
||||
};
|
||||
|
||||
autoSecrets = {
|
||||
enable = true;
|
||||
};
|
||||
|
||||
requiredVaultPaths = [
|
||||
"api-keys/data/storage/restic/Forgejo"
|
||||
"private-public-keys/data/restic/Forgejo"
|
||||
];
|
||||
|
||||
packages = with pkgs; [
|
||||
apacheHttpd
|
||||
];
|
||||
|
||||
secrets = {
|
||||
vault_password = {
|
||||
manual = true;
|
||||
};
|
||||
|
||||
restic_password = {
|
||||
fetchScript = ''
|
||||
simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
|
||||
'';
|
||||
};
|
||||
restic_env = {
|
||||
fetchScript = ''
|
||||
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Forgejo" .username)
|
||||
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Forgejo" .password)
|
||||
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Forgejo" > "$secretFile"
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
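Review bot: The `restic_env` fetchScript builds the REST URL from the raw username and password, so any credential containing `@`, `/`, `:`, `#` or `%` produces a malformed RESTIC_REPOSITORY that restic will fail to parse; percent-encode both values before interpolating them (for example `RESTIC_PASSWORD=$(printf '%s' "$RESTIC_PASSWORD" | jq -sRr @uri)` if jq is available to the fetch script), or keep the URL credential-free and pass them through restic's `RESTIC_REST_USERNAME`/`RESTIC_REST_PASSWORD` variables if the packaged restic release supports them. `packages = with pkgs; [apacheHttpd]` looks carried over from the storage container's secrets.nix: neither fetchScript in this file calls `htpasswd`, so unless `simple_get` needs it the entry can be dropped to keep Apache out of this container's closure.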
|
@ -41,12 +41,12 @@ in {
|
|||
environmentFile = "${secrets.restic_env.path}";
|
||||
|
||||
pruneOpts = [
|
||||
"--keep-last 5"
|
||||
"--keep-last 100"
|
||||
];
|
||||
|
||||
timerConfig = {
|
||||
OnBootSec = "1m";
|
||||
OnCalendar = "daily";
|
||||
OnCalendar = "8h";
|
||||
};
|
||||
|
||||
inherit backupPrepareCommand;
|
||||
|
|
|
@ -51,10 +51,10 @@ in {
|
|||
|
||||
./secrets.nix
|
||||
]
|
||||
++ (with hosts.hetzner-arm.containers.music; [
|
||||
profiles.mpd
|
||||
profiles.musicSync
|
||||
profiles.soulseek
|
||||
++ (with hosts.hetzner-arm.containers.music.profiles; [
|
||||
mpd
|
||||
musicSync
|
||||
soulseek
|
||||
]);
|
||||
|
||||
networking.firewall.allowedTCPPorts = with ports; [
|
||||
|
|
|
@ -9,6 +9,7 @@
|
|||
rclone_serve_restic_quassel = 4213;
|
||||
rclone_serve_restic_piped = 4214;
|
||||
rclone_serve_restic_mail = 4215;
|
||||
rclone_serve_restic_forgejo = 4216;
|
||||
|
||||
rclone_serve_http_music = 4220;
|
||||
rclone_serve_http_public = 4221;
|
||||
|
|
|
@ -97,6 +97,7 @@ in {
|
|||
"/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
|
||||
"/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
|
||||
"/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
|
||||
"/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_forgejo}";
|
||||
};
|
||||
extraConfig = ''
|
||||
client_max_body_size ${clientMaxBodySize};
|
||||
|
|
|
@ -136,6 +136,16 @@ in {
|
|||
"--baseurl=/Mail/"
|
||||
];
|
||||
}
|
||||
{
|
||||
id = "restic-forgejo";
|
||||
remote = "StorageBox:Backups/Restic/Forgejo";
|
||||
type = "restic";
|
||||
extraArgs = [
|
||||
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_forgejo}"
|
||||
"--htpasswd=${secrets.restic_forgejo_htpasswd.path}"
|
||||
"--baseurl=/Forgejo/"
|
||||
];
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
||||
|
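Review bot: The new `restic-forgejo` serve entry gives the forgejo container a credential that can both write and delete in `StorageBox:Backups/Restic/Forgejo`, so a compromise of that container can also destroy its own backup history. rclone's `serve restic` has an `--append-only` flag that would block deletes at the server side; the client-side `pruneOpts` in the forgejo restic profile would then fail, so pruning would have to move to the storage side under a separate credential, but that is the trade-off worth weighing for a repository whose only client is the system being backed up.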
|
|
@ -20,7 +20,7 @@ sha1sum_command = sha1 -r
|
|||
# after deploy or redeploying with different alias if storagebox breaks
|
||||
[StorageBox-Remote]
|
||||
type = alias
|
||||
remote = StorageBox-Remote-SFTP:
|
||||
remote = StorageBox-Remote-WebDAV:
|
||||
|
||||
[StorageBox-Hasher]
|
||||
type = hasher
|
||||
|
|
|
@ -30,6 +30,7 @@
|
|||
"api-keys/data/storage/restic/Quassel"
|
||||
"api-keys/data/storage/restic/Piped"
|
||||
"api-keys/data/storage/restic/Mail"
|
||||
"api-keys/data/storage/restic/Forgejo"
|
||||
|
||||
"api-keys/data/storage/webdav/main"
|
||||
"api-keys/data/storage/webdav/media"
|
||||
|
@ -137,6 +138,16 @@
|
|||
'';
|
||||
};
|
||||
|
||||
restic_forgejo_htpasswd = {
|
||||
user = "storage";
|
||||
group = "storage";
|
||||
fetchScript = ''
|
||||
username=$(simple_get "/api-keys/storage/restic/Forgejo" .username)
|
||||
password=$(simple_get "/api-keys/storage/restic/Forgejo" .password)
|
||||
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
|
||||
'';
|
||||
};
|
||||
|
||||
webdav_main_htpasswd = {
|
||||
user = "storage";
|
||||
group = "storage";
|
||||
|
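Review bot: `htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null` in the new `restic_forgejo_htpasswd` fetchScript hands the password over as a command-line argument (the `-b` form htpasswd's own manual discourages, since it is briefly visible in the process list) and then discards stderr, so a failed run leaves an empty or missing htpasswd file with no diagnostic; `printf '%s' "$password" | htpasswd -i -c "$secretFile" "$username"` reads the password from stdin, and dropping the `2>/dev/null` lets the failure surface. The neighbouring htpasswd secrets may use the same `-b` pattern (their fetchScripts are outside this hunk), so the change is best applied to all of them together.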
|
|
@ -7,10 +7,10 @@
|
|||
in {
|
||||
services.restic.backups.vault = {
|
||||
user = "root";
|
||||
paths = ["/var/lib/vault" "/var/lib/acme"];
|
||||
paths = ["/var/lib/vault"];
|
||||
timerConfig = {
|
||||
OnBootSec = "1m";
|
||||
OnCalendar = "daily";
|
||||
OnCalendar = "6h";
|
||||
};
|
||||
# env contains fixed repository with auth
|
||||
repository = "rest:https://storage-restic.owo.monster/Vault";
|
||||
|
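Review bot: Dropping `"/var/lib/acme"` from `paths` means the ACME account key and issued certificates are no longer part of the vault backup, and nothing in the hunk or the commit message says why. If that is intentional (they can be re-issued), a one-line comment such as `# acme state is re-issuable and intentionally not backed up` next to `paths` would save the next reader from treating it as a regression.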
|
|
@ -140,7 +140,7 @@ in
|
|||
# All machines/containers with secrets.nix
|
||||
machines = rec {
|
||||
"hetzner-arm" = {
|
||||
containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi"];
|
||||
containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi" "forgejo"];
|
||||
sshAddress = "hetzner-arm.servers.genderfucked.monster";
|
||||
};
|
||||
"vault" = {
|
||||
|
|