add backups for owncast

2023-10-27 17:44:32 +01:00 · 2023-10-27 17:44:32 +01:00 · ac2d940df5
parent 4e5bec5588
commit ac2d940df5
10 changed files with 104 additions and 5 deletions
--- a/hosts/hetzner-arm/containers/owncast/default.nix
+++ b/hosts/hetzner-arm/containers/owncast/default.nix
@ -7,14 +7,14 @@
  config,
  ...
 }: let
-  containerName = "stream";
+  containerName = "owncast";

  containerAddresses = import "${hostPath}/data/containerAddresses.nix";

  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.${containerName};
 in {
-  containers.stream = {
+  containers.owncast = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
@ -33,9 +33,11 @@ in {
      imports = with tree;
        [
          presets.nixos.containerBase
+          ./secrets.nix
        ]
-        ++ (with hosts.hetzner-arm.containers.stream.profiles; [
+        ++ (with hosts.hetzner-arm.containers.owncast.profiles; [
          owncast
+          restic
        ]);

      networking.firewall.allowedTCPPorts = [
--- a/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix
+++ b/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix
--- a/hosts/hetzner-arm/containers/owncast/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/owncast/profiles/restic.nix
@ -0,0 +1,39 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  secrets = config.services.secrets.secrets;
+in {
+  environment.systemPackages = with pkgs; [
+    restic
+    (pkgs.writeShellScriptBin "restic-owncast" ''
+      env \
+        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
+        $(cat ${secrets.restic_env.path}) \
+      ${pkgs.restic}/bin/restic $@
+    '')
+  ];
+
+  services.restic.backups.owncast = {
+    user = "root";
+    paths = [
+      "/var/lib/owncast"
+    ];
+
+    # repository is overrided in environmentFile to contain auth
+    # make sure to keep up to date when changing repository
+    repository = "rest:https://storage-restic.owo.monster/Owncast";
+    passwordFile = "${secrets.restic_password.path}";
+    environmentFile = "${secrets.restic_env.path}";
+
+    pruneOpts = [
+      "--keep-last 5"
+    ];
+
+    timerConfig = {
+      OnBootSec = "10m";
+      OnCalendar = "8h";
+    };
+  };
+}
--- a/hosts/hetzner-arm/containers/owncast/secrets.nix
+++ b/hosts/hetzner-arm/containers/owncast/secrets.nix
@ -0,0 +1,37 @@
+{pkgs, ...}: {
+  services.secrets = {
+    enable = true;
+
+    vaultLogin = {
+      enable = true;
+      loginUsername = "hetzner-arm-container-owncast";
+    };
+
+    autoSecrets = {
+      enable = true;
+    };
+
+    requiredVaultPaths = [
+      "api-keys/data/storage/restic/Owncast"
+      "private-public-keys/data/restic/Owncast"
+    ];
+
+    secrets = {
+      vault_password = {
+        manual = true;
+      };
+
+      restic_password = {
+        fetchScript = ''
+          simple_get "/private-public-keys/restic/Owncast" .password > "$secretFile"
+        '';
+      };
+      restic_env = {
+        fetchScript = ''
+          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Owncast" .restic)
+          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Owncast" > "$secretFile"
+        '';
+      };
+    };
+  };
+}
--- a/hosts/hetzner-arm/containers/storage/data/ports.nix
+++ b/hosts/hetzner-arm/containers/storage/data/ports.nix
@ -17,6 +17,7 @@ in {
  restic_mail = restic + 5;
  restic_forgejo = restic + 6;
  restic_caldav = restic + 7;
+  restic_owncast = restic + 8;

  http_music = http + 0;
  http_public = http + 1;
--- a/hosts/hetzner-arm/containers/storage/default.nix
+++ b/hosts/hetzner-arm/containers/storage/default.nix
@ -98,6 +98,7 @@ in {
      "/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}";
      "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}";
      "/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}";
+      "/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}";
    };
    extraConfig = ''
      client_max_body_size ${clientMaxBodySize};
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
+++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
@ -187,6 +187,16 @@ in {
          "--baseurl=/Forgejo/"
        ];
      }
+      {
+        id = "restic-owncast";
+        remote = "StorageBox:Backups/Restic/Owncast";
+        type = "restic";
+        extraArgs = [
+          "--addr=0.0.0.0:${toString ports.restic_owncast}"
+          "--htpasswd=${secrets.restic_owncast_htpasswd.path}"
+          "--baseurl=/Owncast/"
+        ];
+      }
    ];
  };
 }
--- a/hosts/hetzner-arm/containers/storage/secrets.nix
+++ b/hosts/hetzner-arm/containers/storage/secrets.nix
@ -31,6 +31,7 @@
      "api-keys/data/storage/restic/Mail"
      "api-keys/data/storage/restic/Forgejo"
      "api-keys/data/storage/restic/CalDAV"
+      "api-keys/data/storage/restic/Owncast"

      "api-keys/data/storage/webdav/Main"
      "api-keys/data/storage/webdav/Media"
@ -160,6 +161,14 @@
        '';
      };

+      restic_owncast_htpasswd = {
+        user = "storage";
+        group = "storage";
+        fetchScript = ''
+          simple_get_htpasswd "/api-keys/storage/restic/Owncast" "$secretFile"
+        '';
+      };
+
      webdav_main_htpasswd = {
        user = "storage";
        group = "storage";
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@ -9,6 +9,6 @@
    postgresql = "10.0.1.7";
    piped-fi = "10.0.1.8";
    caldav = "10.0.1.9";
-    stream = "10.0.1.10";
+    owncast = "10.0.1.10";
  };
 }
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -29,7 +29,7 @@ in {
      "mail"
      "forgejo"
      "caldav"
-      "stream"
+      "owncast"
    ] (name: ./containers + "/${name}"))
    ++ (with hosts.hetzner-arm.profiles; [
      staticSites