add backups for owncast

2023-10-27 17:44:32 +01:00 · 2023-10-27 17:44:32 +01:00 · ac2d940df5
parent 4e5bec5588
commit ac2d940df5
10 changed files with 104 additions and 5 deletions
--- a/hosts/hetzner-arm/containers/owncast/default.nix
+++ b/hosts/hetzner-arm/containers/owncast/default.nix
@ -7,14 +7,14 @@
  config,
  ...
 }: let
-  containerName = "stream";
+  containerName = "owncast";
  containerAddresses = import "${hostPath}/data/containerAddresses.nix";
  hostIP = containerAddresses.host;
  containerIP = containerAddresses.containers.${containerName};
 in {
-  containers.stream = {
+  containers.owncast = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostIP;
@ -33,9 +33,11 @@ in {
      imports = with tree;
        [
          presets.nixos.containerBase
          ./secrets.nix
        ]
-        ++ (with hosts.hetzner-arm.containers.stream.profiles; [
+        ++ (with hosts.hetzner-arm.containers.owncast.profiles; [
          owncast
          restic
        ]);
      networking.firewall.allowedTCPPorts = [
--- a/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix
+++ b/hosts/hetzner-arm/containers/owncast/profiles/owncast.nix
--- a/hosts/hetzner-arm/containers/owncast/profiles/restic.nix
+++ b/hosts/hetzner-arm/containers/owncast/profiles/restic.nix
@ -0,0 +1,39 @@
 {
  pkgs,
  config,
  ...
 }: let
  secrets = config.services.secrets.secrets;
 in {
  environment.systemPackages = with pkgs; [
    restic
    (pkgs.writeShellScriptBin "restic-owncast" ''
      env \
        RESTIC_PASSWORD_FILE=${secrets.restic_password.path} \
        $(cat ${secrets.restic_env.path}) \
      ${pkgs.restic}/bin/restic $@
    '')
  ];
  services.restic.backups.owncast = {
    user = "root";
    paths = [
      "/var/lib/owncast"
    ];
    # repository is overrided in environmentFile to contain auth
    # make sure to keep up to date when changing repository
    repository = "rest:https://storage-restic.owo.monster/Owncast";
    passwordFile = "${secrets.restic_password.path}";
    environmentFile = "${secrets.restic_env.path}";
    pruneOpts = [
      "--keep-last 5"
    ];
    timerConfig = {
      OnBootSec = "10m";
      OnCalendar = "8h";
    };
  };
 }
--- a/hosts/hetzner-arm/containers/owncast/secrets.nix
+++ b/hosts/hetzner-arm/containers/owncast/secrets.nix
@ -0,0 +1,37 @@
 {pkgs, ...}: {
  services.secrets = {
    enable = true;
    vaultLogin = {
      enable = true;
      loginUsername = "hetzner-arm-container-owncast";
    };
    autoSecrets = {
      enable = true;
    };
    requiredVaultPaths = [
      "api-keys/data/storage/restic/Owncast"
      "private-public-keys/data/restic/Owncast"
    ];
    secrets = {
      vault_password = {
        manual = true;
      };
      restic_password = {
        fetchScript = ''
          simple_get "/private-public-keys/restic/Owncast" .password > "$secretFile"
        '';
      };
      restic_env = {
        fetchScript = ''
          RESTIC_PASSWORD=$(simple_get "/api-keys/storage/restic/Owncast" .restic)
          echo "RESTIC_REPOSITORY=rest:https://restic:$RESTIC_PASSWORD@storage-restic.owo.monster/Owncast" > "$secretFile"
        '';
      };
    };
  };
 }
--- a/hosts/hetzner-arm/containers/storage/data/ports.nix
+++ b/hosts/hetzner-arm/containers/storage/data/ports.nix
@ -17,6 +17,7 @@ in {
  restic_mail = restic + 5;
  restic_forgejo = restic + 6;
  restic_caldav = restic + 7;
  restic_owncast = restic + 8;
  http_music = http + 0;
  http_public = http + 1;
--- a/hosts/hetzner-arm/containers/storage/default.nix
+++ b/hosts/hetzner-arm/containers/storage/default.nix
@ -98,6 +98,7 @@ in {
      "/Mail/".proxyPass = "http://${containerIP}:${toString ports.restic_mail}";
      "/Forgejo/".proxyPass = "http://${containerIP}:${toString ports.restic_forgejo}";
      "/CalDAV/".proxyPass = "http://${containerIP}:${toString ports.restic_caldav}";
      "/Owncast/".proxyPass = "http://${containerIP}:${toString ports.restic_owncast}";
    };
    extraConfig = ''
      client_max_body_size ${clientMaxBodySize};
--- a/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
+++ b/hosts/hetzner-arm/containers/storage/profiles/rcloneServe.nix
@ -187,6 +187,16 @@ in {
          "--baseurl=/Forgejo/"
        ];
      }
      {
        id = "restic-owncast";
        remote = "StorageBox:Backups/Restic/Owncast";
        type = "restic";
        extraArgs = [
          "--addr=0.0.0.0:${toString ports.restic_owncast}"
          "--htpasswd=${secrets.restic_owncast_htpasswd.path}"
          "--baseurl=/Owncast/"
        ];
      }
    ];
  };
 }
--- a/hosts/hetzner-arm/containers/storage/secrets.nix
+++ b/hosts/hetzner-arm/containers/storage/secrets.nix
@ -31,6 +31,7 @@
      "api-keys/data/storage/restic/Mail"
      "api-keys/data/storage/restic/Forgejo"
      "api-keys/data/storage/restic/CalDAV"
      "api-keys/data/storage/restic/Owncast"
      "api-keys/data/storage/webdav/Main"
      "api-keys/data/storage/webdav/Media"
@ -160,6 +161,14 @@
        '';
      };
      restic_owncast_htpasswd = {
        user = "storage";
        group = "storage";
        fetchScript = ''
          simple_get_htpasswd "/api-keys/storage/restic/Owncast" "$secretFile"
        '';
      };
      webdav_main_htpasswd = {
        user = "storage";
        group = "storage";
--- a/hosts/hetzner-arm/data/containerAddresses.nix
+++ b/hosts/hetzner-arm/data/containerAddresses.nix
@ -9,6 +9,6 @@
    postgresql = "10.0.1.7";
    piped-fi = "10.0.1.8";
    caldav = "10.0.1.9";
-    stream = "10.0.1.10";
+    owncast = "10.0.1.10";
  };
 }
--- a/hosts/hetzner-arm/hetzner-arm.nix
+++ b/hosts/hetzner-arm/hetzner-arm.nix
@ -29,7 +29,7 @@ in {
      "mail"
      "forgejo"
      "caldav"
-      "stream"
+      "owncast"
    ] (name: ./containers + "/${name}"))
    ++ (with hosts.hetzner-arm.profiles; [
      staticSites