From 31d7ebfad8f2216aefdb156eca40c7e9f8156288 Mon Sep 17 00:00:00 2001
From: chaos
Date: Sat, 30 Sep 2023 16:49:52 +0100
Subject: [PATCH] add backups for forgejo
---
.../containers/forgejo/default.nix | 6 ++-
.../containers/forgejo/profiles/forgejo.nix | 7 ----
.../containers/forgejo/profiles/restic.nix | 39 +++++++++++++++++
.../containers/forgejo/secrets.nix | 42 +++++++++++++++++++
.../containers/mail/profiles/restic.nix | 4 +-
.../hetzner-arm/containers/music/default.nix | 8 ++--
.../containers/storage/data/ports.nix | 1 +
.../containers/storage/default.nix | 1 +
.../storage/profiles/rcloneServe.nix | 10 +++++
.../containers/storage/rclone_config.template | 2 +-
.../containers/storage/secrets.nix | 11 +++++
hosts/vault/profiles/restic.nix | 4 +-
outputs.nix | 2 +-
13 files changed, 118 insertions(+), 19 deletions(-)
create mode 100644 hosts/hetzner-arm/containers/forgejo/profiles/restic.nix
create mode 100644 hosts/hetzner-arm/containers/forgejo/secrets.nix
diff --git a/hosts/hetzner-arm/containers/forgejo/default.nix b/hosts/hetzner-arm/containers/forgejo/default.nix
index 3ee3e67..7a4ead9 100644
--- a/hosts/hetzner-arm/containers/forgejo/default.nix
+++ b/hosts/hetzner-arm/containers/forgejo/default.nix
@@ -37,9 +37,11 @@ in { presets.nixos.containerBase profiles.sshd profiles.firewallAllow.ssh + ./secrets.nix ] - ++ (with hosts.hetzner-arm.containers.forgejo; [ - profiles.forgejo + ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [ + forgejo + restic ]); networking.firewall.allowedTCPPorts = [2222];
diff --git a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
index fa68989..52ab6d6 100644
--- a/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
@@ -53,13 +53,6 @@ ENABLE = false; }; }; - - dump = { - enable = true; - interval = "hourly"; - file = "forgejo-dump"; - type = "tar.zst"; - }; }; environment.systemPackages = [
diff --git a/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix b/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix
new file mode 100644
index 0000000..1cba92c
--- /dev/null
+++ b/hosts/hetzner-arm/containers/forgejo/profiles/restic.nix
@@ -0,0 +1,39 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ secrets = config.services.secrets.secrets;
+in {
+ environment.systemPackages = with pkgs; [
+ restic
+ (pkgs.writeShellScriptBin "restic-forgejo" ''
+ env \
+ RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+ $(cat ${secrets.restic_env.path}) \
+ ${pkgs.restic}/bin/restic $@
+ '')
+ ];
+
+ services.restic.backups.forgejo = {
+ user = "root";
+ paths = [
+ "/var/lib/forgejo"
+ ];
+
+ # repository is overrided in environmentFile to contain auth
+ # make sure to keep up to date when changing repository
+ repository = "rest:https://storage-restic.owo.monster/Forgejo";
+ passwordFile = "${secrets.restic_password.path}";
+ environmentFile = "${secrets.restic_env.path}";
+
+ pruneOpts = [
+ "--keep-last 50"
+ ];
+
+ timerConfig = {
+ OnBootSec = "1m";
+ OnCalendar = "4h";
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/forgejo/secrets.nix b/hosts/hetzner-arm/containers/forgejo/secrets.nix
new file mode 100644
index 0000000..06d5033
--- /dev/null
+++ b/hosts/hetzner-arm/containers/forgejo/secrets.nix
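Review bot: `OnCalendar = "4h"` in the new timerConfig is, as far as I know, not a valid systemd calendar expression (`4h` is a timespan, the form `OnUnitActiveSec` takes), so the forgejo timer would fail to parse and never fire; `systemd-analyze calendar 4h` will confirm, and an every-four-hours schedule is `OnCalendar = "*-*-* 00/4:00:00"`. The same `8h` and `6h` values are introduced in hosts/hetzner-arm/containers/mail/profiles/restic.nix and hosts/vault/profiles/restic.nix. With forgejo's `dump` removed in profiles/forgejo.nix, the backup now snapshots /var/lib/forgejo while the service is running; if the database or repositories live there, a `backupPrepareCommand` producing a consistent dump (the mail profile already inherits one) would avoid a torn snapshot. In the `restic-forgejo` wrapper, `$(cat …)` word-splits the env file and places the credential-bearing RESTIC_REPOSITORY into `env`'s argv, where other local processes can read it from /proc while it runs; `set -a; . ${secrets.restic_env.path}; set +a` followed by `exec ${pkgs.restic}/bin/restic "$@"` keeps it in the environment only and also fixes the unquoted `$@`.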
@@ -0,0 +1,42 @@
+{pkgs, ...}: {
+ services.secrets = {
+ enable = true;
+
+ vaultLogin = {
+ enable = true;
+ loginUsername = "hetzner-arm-container-forgejo";
+ };
+
+ autoSecrets = {
+ enable = true;
+ };
+
+ requiredVaultPaths = [
+ "api-keys/data/storage/restic/Forgejo"
+ "private-public-keys/data/restic/Forgejo"
+ ];
+
+ packages = with pkgs; [
+ apacheHttpd
+ ];
+
+ secrets = {
+ vault_password = {
+ manual = true;
+ };
+
+ restic_password = {
+ fetchScript = ''
+ simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
+ '';
+ };
+ restic_env = {
+ fetchScript = ''
+ RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Forgejo" .username)
+ RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Forgejo" .password)
+ echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Forgejo" > "$secretFile"
+ '';
+ };
+ };
+ };
+}
diff --git a/hosts/hetzner-arm/containers/mail/profiles/restic.nix b/hosts/hetzner-arm/containers/mail/profiles/restic.nix
index b5512d1..131aed4 100644
--- a/hosts/hetzner-arm/containers/mail/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/mail/profiles/restic.nix
@@ -41,12 +41,12 @@ in { environmentFile = "${secrets.restic_env.path}"; pruneOpts = [ - "--keep-last 5" + "--keep-last 100" ]; timerConfig = { OnBootSec = "1m"; - OnCalendar = "daily"; + OnCalendar = "8h"; }; inherit backupPrepareCommand;
diff --git a/hosts/hetzner-arm/containers/music/default.nix b/hosts/hetzner-arm/containers/music/default.nix
index fa15178..0e646ba 100644
--- a/hosts/hetzner-arm/containers/music/default.nix
+++ b/hosts/hetzner-arm/containers/music/default.nix
@@ -51,10 +51,10 @@ in { ./secrets.nix ] - ++ (with hosts.hetzner-arm.containers.music; [ - profiles.mpd - profiles.musicSync - profiles.soulseek + ++ (with hosts.hetzner-arm.containers.music.profiles; [ + mpd + musicSync + soulseek ]); networking.firewall.allowedTCPPorts = with ports; [
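Review bot: The `restic_env` fetchScript splices the username and password unescaped into the URL, so a credential containing `@`, `:`, `/`, `#` or `%` yields a repository string restic cannot parse, and nothing checks that `simple_get` returned anything before the file is written (unless it aborts the script itself, which I cannot see from here). Writing `echo "RESTIC_REST_USERNAME=$RESTIC_USERNAME" > "$secretFile"` and `echo "RESTIC_REST_PASSWORD=$RESTIC_PASSWORD" >> "$secretFile"` instead — supported by current restic releases, worth checking against the pinned version — keeps the credential out of the URL entirely and lets `repository` in profiles/restic.nix stay the single source of truth, removing the "keep up to date" caveat that file carries now. A guard such as `[ -n "$RESTIC_USERNAME" ] && [ -n "$RESTIC_PASSWORD" ] || exit 1` before the `echo` turns a failed fetch into a visible error rather than an authentication failure at the next backup.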
diff --git a/hosts/hetzner-arm/containers/storage/data/ports.nix b/hosts/hetzner-arm/containers/storage/data/ports.nix
index febd1fb..30bab1d 100644
--- a/hosts/hetzner-arm/containers/storage/data/ports.nix
+++ b/hosts/hetzner-arm/containers/storage/data/ports.nix
@@ -9,6 +9,7 @@ rclone_serve_restic_quassel = 4213; rclone_serve_restic_piped = 4214; rclone_serve_restic_mail = 4215; + rclone_serve_restic_forgejo = 4216; rclone_serve_http_music = 4220; rclone_serve_http_public = 4221;
diff --git a/hosts/hetzner-arm/containers/storage/default.nix b/hosts/hetzner-arm/containers/storage/default.nix
index ca1a57e..761bf16 100644
--- a/hosts/hetzner-arm/containers/storage/default.nix
+++ b/hosts/hetzner-arm/containers/storage/default.nix
@@ -97,6 +97,7 @@ in { "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}"; "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}"; + "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_forgejo}"; }; extraConfig = '' client_max_body_size ${clientMaxBodySize};
diff --git a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
index 7bff24b..43c953c 100644
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
+++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
@@ -136,6 +136,16 @@ in {
 "--baseurl=/Mail/"
 ];
 }
+ {
+ id = "restic-forgejo";
+ remote = "StorageBox:Backups/Restic/Forgejo";
+ type = "restic";
+ extraArgs = [
+ "--addr=0.0.0.0:${toString ports.rclone_serve_restic_forgejo}"
+ "--htpasswd=${secrets.restic_forgejo_htpasswd.path}"
+ "--baseurl=/Forgejo/"
+ ];
+ }
 ];
 };
 }
diff --git a/hosts/hetzner-arm/containers/storage/rclone_config.template b/hosts/hetzner-arm/containers/storage/rclone_config.template
index 952d75d..8efe071 100644
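Review bot: The new `restic-forgejo` serve entry hands the forgejo container a credential that can both write and delete under `StorageBox:Backups/Restic/Forgejo`, and the container itself runs `forget --prune` through its pruneOpts, so a compromise of that container can also erase its own backup history. `rclone serve restic` supports `--append-only`, which refuses deletions from clients; paired with pruning driven from the storage side (or a second credential used only for pruning) it would let the backups survive the client being taken over. The existing entries follow the same pattern, so this may be better handled as a follow-up across all of them than fixed in this commit.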
--- a/hosts/hetzner-arm/containers/storage/rclone_config.template
+++ b/hosts/hetzner-arm/containers/storage/rclone_config.template
@@ -20,7 +20,7 @@ sha1sum_command = sha1 -r # after deploy or redeploying with different alias if storagebox breaks [StorageBox-Remote] type = alias -remote = StorageBox-Remote-SFTP: +remote = StorageBox-Remote-WebDAV: [StorageBox-Hasher] type = hasher
diff --git a/hosts/hetzner-arm/containers/storage/secrets.nix b/hosts/hetzner-arm/containers/storage/secrets.nix
index 072c441..4675e92 100644
--- a/hosts/hetzner-arm/containers/storage/secrets.nix
+++ b/hosts/hetzner-arm/containers/storage/secrets.nix
@@ -30,6 +30,7 @@ "api-keys/data/storage/restic/Quassel" "api-keys/data/storage/restic/Piped" "api-keys/data/storage/restic/Mail" + "api-keys/data/storage/restic/Forgejo" "api-keys/data/storage/webdav/main" "api-keys/data/storage/webdav/media"
@@ -137,6 +138,16 @@ ''; }; + restic_forgejo_htpasswd = { + user = "storage"; + group = "storage"; + fetchScript = '' + username=$(simple_get "/api-keys/storage/restic/Forgejo" .username) + password=$(simple_get "/api-keys/storage/restic/Forgejo" .password) + htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null + ''; + }; + webdav_main_htpasswd = { user = "storage"; group = "storage";
diff --git a/hosts/vault/profiles/restic.nix b/hosts/vault/profiles/restic.nix
index 7bf4f44..916774e 100644
--- a/hosts/vault/profiles/restic.nix
+++ b/hosts/vault/profiles/restic.nix
@@ -7,10 +7,10 @@ in { services.restic.backups.vault = { user = "root"; - paths = ["/var/lib/vault" "/var/lib/acme"]; + paths = ["/var/lib/vault"]; timerConfig = { OnBootSec = "1m"; - OnCalendar = "daily"; + OnCalendar = "6h"; }; # env contains fixed repository with auth repository = "rest:https://storage-restic.owo.monster/Vault";
diff --git a/outputs.nix b/outputs.nix
index d78d0d7..850ebc8 100644
--- a/outputs.nix
+++ b/outputs.nix
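Review bot: In `restic_forgejo_htpasswd`, `htpasswd -bc … "$password"` passes the secret as a command-line argument, so other local processes can read it from the process list while the hash is computed (unless proc is mounted with hidepid), and `2>/dev/null` discards the only signal that the command failed — an empty `$password` from a failed `simple_get` would presumably still produce an entry. `htpasswd -i` reads the password from stdin instead and `-B` selects bcrypt over the default apr1-MD5, which rclone's htpasswd support accepts; e.g. `[ -n "$username" ] && [ -n "$password" ] || exit 1` followed by `printf '%s' "$password" | htpasswd -iBc "$secretFile" "$username"`. The existing webdav_* entries use the same `-b` pattern, so this is more a repository-wide follow-up than a blocker for this commit.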
@@ -140,7 +140,7 @@ in
 # All machines/containers with secrets.nix
 machines = rec {
 "hetzner-arm" = {
- containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi"];
+ containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi" "forgejo"];
 sshAddress = "hetzner-arm.servers.genderfucked.monster";
 };
 "vault" = {