chaos/nixfiles
1
0
Fork 0
Code Issues 2 Releases Activity

add backups for forgejo

Browse source
This commit is contained in:
chaos 2023-09-30 16:49:52 +01:00
parent 7fb14454fd
commit 31d7ebfad8
No known key found for this signature in database
13 changed files with 118 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
hosts/hetzner-arm/containers/forgejo/default.nix
View file

@ -37,9 +37,11 @@ in {
presets.nixos.containerBase presets.nixos.containerBase
profiles.sshd profiles.sshd
profiles.firewallAllow.ssh profiles.firewallAllow.ssh
./secrets.nix
] ]
++ (with hosts.hetzner-arm.containers.forgejo; [ ++ (with hosts.hetzner-arm.containers.forgejo.profiles; [
profiles.forgejo forgejo
restic
]); ]);
networking.firewall.allowedTCPPorts = [2222]; networking.firewall.allowedTCPPorts = [2222];

7
hosts/hetzner-arm/containers/forgejo/profiles/forgejo.nix
View file

@ -53,13 +53,6 @@
ENABLE = false; ENABLE = false;
}; };
}; };
dump = {
enable = true;
interval = "hourly";
file = "forgejo-dump";
type = "tar.zst";
};
}; };
environment.systemPackages = [ environment.systemPackages = [

39
hosts/hetzner-arm/containers/forgejo/profiles/restic.nix Normal file
View file

@ -0,0 +1,39 @@
{
pkgs,
config,
...
}: let
secrets = config.services.secrets.secrets;
in {
environment.systemPackages = with pkgs; [
restic
(pkgs.writeShellScriptBin "restic-forgejo" ''
env \
RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
$(cat ${secrets.restic_env.path}) \
${pkgs.restic}/bin/restic $@
'')
];
services.restic.backups.forgejo = {
user = "root";
paths = [
"/var/lib/forgejo"
];
# repository is overrided in environmentFile to contain auth
# make sure to keep up to date when changing repository
repository = "rest:https://storage-restic.owo.monster/Forgejo";
passwordFile = "${secrets.restic_password.path}";
environmentFile = "${secrets.restic_env.path}";
pruneOpts = [
"--keep-last 50"
];
timerConfig = {
OnBootSec = "1m";
OnCalendar = "4h";
};
};
}

42
hosts/hetzner-arm/containers/forgejo/secrets.nix Normal file
View file

@ -0,0 +1,42 @@
{pkgs, ...}: {
services.secrets = {
enable = true;
vaultLogin = {
enable = true;
loginUsername = "hetzner-arm-container-forgejo";
};
autoSecrets = {
enable = true;
};
requiredVaultPaths = [
"api-keys/data/storage/restic/Forgejo"
"private-public-keys/data/restic/Forgejo"
];
packages = with pkgs; [
apacheHttpd
];
secrets = {
vault_password = {
manual = true;
};
restic_password = {
fetchScript = ''
simple_get "/private-public-keys/restic/Forgejo" .password > "$secretFile"
'';
};
restic_env = {
fetchScript = ''
RESTIC_USERNAME=$(simple_get "/api-keys/storage/restic/Forgejo" .username)
RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Forgejo" .password)
echo "RESTIC_REPOSITORY=rest:https://$RESTIC_USERNAME:$RESTIC_PASSWORD@storage-restic.owo.monster/Forgejo" > "$secretFile"
'';
};
};
};
}

4
hosts/hetzner-arm/containers/mail/profiles/restic.nix
View file

@ -41,12 +41,12 @@ in {
environmentFile = "${secrets.restic_env.path}"; environmentFile = "${secrets.restic_env.path}";
pruneOpts = [ pruneOpts = [
"--keep-last 5" "--keep-last 100"
]; ];
timerConfig = { timerConfig = {
OnBootSec = "1m"; OnBootSec = "1m";
OnCalendar = "daily"; OnCalendar = "8h";
}; };
inherit backupPrepareCommand; inherit backupPrepareCommand;

8
hosts/hetzner-arm/containers/music/default.nix
View file

@ -51,10 +51,10 @@ in {
./secrets.nix ./secrets.nix
] ]
++ (with hosts.hetzner-arm.containers.music; [ ++ (with hosts.hetzner-arm.containers.music.profiles; [
profiles.mpd mpd
profiles.musicSync musicSync
profiles.soulseek soulseek
]); ]);
networking.firewall.allowedTCPPorts = with ports; [ networking.firewall.allowedTCPPorts = with ports; [

1
hosts/hetzner-arm/containers/storage/data/ports.nix
View file

@ -9,6 +9,7 @@
rclone_serve_restic_quassel = 4213; rclone_serve_restic_quassel = 4213;
rclone_serve_restic_piped = 4214; rclone_serve_restic_piped = 4214;
rclone_serve_restic_mail = 4215; rclone_serve_restic_mail = 4215;
rclone_serve_restic_forgejo = 4216;
rclone_serve_http_music = 4220; rclone_serve_http_music = 4220;
rclone_serve_http_public = 4221; rclone_serve_http_public = 4221;

1
hosts/hetzner-arm/containers/storage/default.nix
View file

@ -97,6 +97,7 @@ in {
"/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}"; "/Quassel/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_quassel}";
"/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}"; "/Piped/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_piped}";
"/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}"; "/Mail/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_mail}";
"/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.rclone_serve_restic_forgejo}";
}; };
extraConfig = '' extraConfig = ''
client_max_body_size ${clientMaxBodySize}; client_max_body_size ${clientMaxBodySize};

10
hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
View file

@ -136,6 +136,16 @@ in {
"--baseurl=/Mail/" "--baseurl=/Mail/"
]; ];
} }
{
id = "restic-forgejo";
remote = "StorageBox:Backups/Restic/Forgejo";
type = "restic";
extraArgs = [
"--addr=0.0.0.0:${toString ports.rclone_serve_restic_forgejo}"
"--htpasswd=${secrets.restic_forgejo_htpasswd.path}"
"--baseurl=/Forgejo/"
];
}
]; ];
}; };
} }

2
hosts/hetzner-arm/containers/storage/rclone_config.template
View file

@ -20,7 +20,7 @@ sha1sum_command = sha1 -r
# after deploy or redeploying with different alias if storagebox breaks # after deploy or redeploying with different alias if storagebox breaks
[StorageBox-Remote] [StorageBox-Remote]
type = alias type = alias
remote = StorageBox-Remote-SFTP: remote = StorageBox-Remote-WebDAV:
[StorageBox-Hasher] [StorageBox-Hasher]
type = hasher type = hasher

11
hosts/hetzner-arm/containers/storage/secrets.nix
View file

@ -30,6 +30,7 @@
"api-keys/data/storage/restic/Quassel" "api-keys/data/storage/restic/Quassel"
"api-keys/data/storage/restic/Piped" "api-keys/data/storage/restic/Piped"
"api-keys/data/storage/restic/Mail" "api-keys/data/storage/restic/Mail"
"api-keys/data/storage/restic/Forgejo"
"api-keys/data/storage/webdav/main" "api-keys/data/storage/webdav/main"
"api-keys/data/storage/webdav/media" "api-keys/data/storage/webdav/media"
@ -137,6 +138,16 @@
''; '';
}; };
restic_forgejo_htpasswd = {
user = "storage";
group = "storage";
fetchScript = ''
username=$(simple_get "/api-keys/storage/restic/Forgejo" .username)
password=$(simple_get "/api-keys/storage/restic/Forgejo" .password)
htpasswd -bc "$secretFile" "$username" "$password" 2>/dev/null
'';
};
webdav_main_htpasswd = { webdav_main_htpasswd = {
user = "storage"; user = "storage";
group = "storage"; group = "storage";

4
hosts/vault/profiles/restic.nix
View file

@ -7,10 +7,10 @@
in { in {
services.restic.backups.vault = { services.restic.backups.vault = {
user = "root"; user = "root";
paths = ["/var/lib/vault" "/var/lib/acme"]; paths = ["/var/lib/vault"];
timerConfig = { timerConfig = {
OnBootSec = "1m"; OnBootSec = "1m";
OnCalendar = "daily"; OnCalendar = "6h";
}; };
# env contains fixed repository with auth # env contains fixed repository with auth
repository = "rest:https://storage-restic.owo.monster/Vault"; repository = "rest:https://storage-restic.owo.monster/Vault";

2
outputs.nix
View file

@ -140,7 +140,7 @@ in
# All machines/containers with secrets.nix # All machines/containers with secrets.nix
machines = rec { machines = rec {
"hetzner-arm" = { "hetzner-arm" = {
containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi"]; containers = ["storage" "music" "quassel" "social" "mail" "piped-db" "piped-fi" "forgejo"];
sshAddress = "hetzner-arm.servers.genderfucked.monster"; sshAddress = "hetzner-arm.servers.genderfucked.monster";
}; };
"vault" = { "vault" = {