Skip to content

Commit 362dd60

Browse files
redxtechredxtech
committed
feat(backups): enable restic backups
1 parent 3330f5b commit 362dd60

File tree

6 files changed

+227
-109
lines changed

6 files changed

+227
-109
lines changed

hosts/bastion/default.nix

Lines changed: 24 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -50,15 +50,36 @@
5050
enable = true;
5151
subvolumes = { gabe-home = "/home/gabe"; };
5252
};
53+
54+
restic = {
55+
enable = true;
56+
backups = {
57+
config = {
58+
enable = true;
59+
repoFile = config.sops.secrets.restic_repository_config.path;
60+
passFile = config.sops.secrets.restic_password.path;
61+
};
62+
home = {
63+
enable = true;
64+
repoFile = config.sops.secrets.restic_repository_home.path;
65+
passFile = config.sops.secrets.restic_password.path;
66+
};
67+
};
68+
};
5369
};
5470

5571
nixpkgs.config.rocmSupport = true;
5672

5773
virtualisation.docker.storageDriver = "btrfs";
5874

59-
sops.secrets.cachix-agent = {
60-
path = "/etc/cachix-agent.token";
61-
sopsFile = ./secrets.yaml;
75+
sops.secrets = {
76+
cachix-agent = {
77+
path = "/etc/cachix-agent.token";
78+
sopsFile = ./secrets.yaml;
79+
};
80+
restic_password.sopsFile = ./secrets.yaml;
81+
restic_repository_config.sopsFile = ./secrets.yaml;
82+
restic_repository_home.sopsFile = ./secrets.yaml;
6283
};
6384

6485
system.stateVersion = "23.11";

hosts/bastion/secrets.yaml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,9 @@
11
cachix-agent: ENC[AES256_GCM,data:mn2ydo+tqFz6CMTPYc+Ga0wXEZHTQctHPW9PKF/IXqEEFXc4I9u+SrPKMpbQHkwdiJVCOBpfriwNQKYP0QTLA+d4M8X4IgZMQUkrQ+LymiK18CW7VGh/8+3wV0nWRBodIDMpSeBkI/c6MTseG1NvkAOXZg17xTVR7mc5nJoC5UwQeimFDY5Uwqgkosca6MRI4JWgs5ifX9LhKELI6aWmTWZb+dz2O6GMSA==,iv:KyNwuHxtlXknMbPS8Bq5H6GJb8cdEKslxhZeEpfJt3k=,tag:v6HBT3E3E+8bzYx37fpM5g==,type:str]
22
cloudflared_tunnel_creds: ENC[AES256_GCM,data:eaYrIICADVbF4B/yUpss18DqTKEu93GpghKH5bN0f6SWawzv7jr22sRcJjFmBqf0euYZiWMdcl0JK7JOiLWWTzbIl3fXosUDYyl6pM5D7a0shWG7ZQMS9CvcG656sAGKfTiH4RlNp7Efxo1gH2w4vhJMItSyYDYG8QuERhlYwIcUAYAe4w8l/R1FoeoIPu8z2saCrsac91T3J2YW+1j7uvlESt8dpweIUqbzKPWJuw==,iv:MtKakUWwNLv4DYnJEdV5RfZNQJMlS/XteyAXju6kDBM=,tag:41Zn27Wh+Uf5WfLmZ3s1Zw==,type:str]
33
nix-serve-secret: ENC[AES256_GCM,data:E1klB7SxHBCnBW9F9rMvh+T5zRU4/6WeR/lPtrTP8ZS0GkYaC2ay3Hk3Zz+p5ZsLUN1LKbE0Nv/hvinB7GlgvsdYgO6NvwTk0H2Jb/FxlynMVQOxitlImulPJavboxIgJuS6gwPkntbkq7ZJ,iv:qb0HuEkJyE1YKl5bkZQwSFa7b04TE+J8hxhHWXEM/pE=,tag:wifK3ilWvcCJP/vBwoB3bw==,type:str]
4+
restic_password: ENC[AES256_GCM,data:e0pCh66D5URzNnOgzOUAIsQmv8eDVEN5,iv:1j4kvtenKJ4LHKJSNXZnrJ7ZMruWBz6BdR9hd7+EARY=,tag:NRUEZpneom7C8mB+NAFubQ==,type:str]
5+
restic_repository_config: ENC[AES256_GCM,data:KSx1mbnLeU1IUrTs2qZzSn666ivvfWhGoVTkZ0GghSbQONSDCjomu73ZniCwx7HyjSpm9mkWsdt52sA+OwaTttxYx1MbWTfqfZPv902U1AY=,iv:kSGt6vzynORaLEdAsCO4FW7BiroGJX/kAFoRR7KBkzM=,tag:REctRjwQuPY6tQfBqFFnzw==,type:str]
6+
restic_repository_home: ENC[AES256_GCM,data:m19t4kvArGqYmqbc+feHZV7fEiuZa2EjPpSWAhcQ9RpF3kJ2x8RMHnQr462+JqMsxWne/Mp96QaLtSDvC6hHHff08iymAY8JTdDoLPS0,iv:1sv+i4I6uJcDFBwur5T6sY1s3V1ea1hvPwZf91rqDGk=,tag:PcIoacP+skkguBsPpSIkfw==,type:str]
47
sops:
58
kms: []
69
gcp_kms: []
@@ -25,8 +28,8 @@ sops:
2528
Q1FIRFhGc0U0YVJ6YzM0NVpZWUp2ZWcKsQoGmo+WIjgPemJGDMmDvJF/kiSd9QJy
2629
FShaEJnhKGJrbfztGzqvSQ/sPo15NI97C0BtjV2MFWVHe7m/tCFIwg==
2730
-----END AGE ENCRYPTED FILE-----
28-
lastmodified: "2024-09-11T15:36:29Z"
29-
mac: ENC[AES256_GCM,data:rwmPZY+seq0SkZYHUfOEhk45/JUD2/LsA018wrxHQsPk3j67jV4xkhxoNP0gQ6Kv2YdRPT8qWKGIuueSKRNKVDqGGrojdzdO+un2c+0ReOC2vmhNdqbWYtphBFD0KIumBrfrLyER9ewn+1S+Iwp/2gOukNDXL8/cl+jTTi/AEHw=,iv:E0zM2sI7JCeFTtAZWbRZ+gGn94jjP4aT5rOK4UD0Rks=,tag:RdZcTi4lOUHFtlbUGTePKg==,type:str]
31+
lastmodified: "2024-09-27T01:16:12Z"
32+
mac: ENC[AES256_GCM,data:cX8wXw8r0Rn8OtLArcwODjAfdzOtbZHxU1pMiTngDG3wGxOR15dZn0W6ziXva4SFGCuPfGja1a0F7rzGPbRkPrDb6WnNlSbDJqCJQUlnfivhkixjkc1GOZ8IaMdYb+0X8FA/XBQStH5Lr1ZAD4LaZla34+QL9GF9oO5bN67J2Kg=,iv:aGnhewFzMk1Oycs4ExJktNRH7C7sSBc1orryTkiudfk=,tag:PRW+7iEgipzFrFYmXJcfFA==,type:str]
3033
pgp: []
3134
unencrypted_suffix: _unencrypted
3235
version: 3.9.0

hosts/quasar/default.nix

Lines changed: 21 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -54,18 +54,35 @@
5454
monitoring.isHost = true;
5555

5656
backup = {
57+
restic = {
58+
enable = true;
59+
backups = {
60+
config = {
61+
enable = true;
62+
repoFile = config.sops.secrets.restic_repository_config.path;
63+
passFile = config.sops.secrets.restic_password.path;
64+
extraPaths = [ "/config" ];
65+
};
66+
};
67+
};
68+
5769
rsync = {
5870
enable = true;
59-
paths = [ "/config" ];
71+
paths = [ "/config" "/var/lib" ];
6072
destination = "rsync:/backups/${config.networking.hostName}";
6173
};
6274
};
6375

6476
hardware.nvidia-container-toolkit.enable = true;
6577

66-
sops.secrets.cachix-agent = {
67-
path = "/etc/cachix-agent.token";
68-
sopsFile = ./secrets.yaml;
78+
sops.secrets = {
79+
cachix-agent = {
80+
path = "/etc/cachix-agent.token";
81+
sopsFile = ./secrets.yaml;
82+
};
83+
restic_password.sopsFile = ./secrets.yaml;
84+
restic_repository_config.sopsFile = ./secrets.yaml;
85+
restic_repository_home.sopsFile = ./secrets.yaml;
6986
};
7087

7188
system.stateVersion = "23.11";

hosts/quasar/secrets.yaml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,9 @@ mosquitto_homeassistant_password: ENC[AES256_GCM,data:dVSNJXRA2dP2G/kjmL1VUQatc1
2323
zigbee2mqtt_secrets: ENC[AES256_GCM,data:lAUr5mbPgPGxxI6YfvtLeE5VPALwW+qzIhYtRuA1hiaByN2dUePzlMvXCISmo8Clpcj32UjUH5W0/zD0nZ9dzIa5mVb5vvby3xvH64tQJFeCQUwv3k3CxYJWNaXn8T37GYLsWX/0fmuUkn3eIhnrxFbZSQ5yevj2m5sJMcNM85sJFYKUd3eXkmj+9Ogh8zWKUEa/duu/ipGt59EikZW9uWA=,iv:25jsLwl3ya4ZBqWZzncYiVHfSWqhjKGF4djKo/34kVA=,tag:Hf2Swh85SrObKmmZOO0DxQ==,type:str]
2424
navidrome_env: ENC[AES256_GCM,data:LR9bXWXJOo9cVwMw494raJA56jdk01W2HYR7IRgNp7el4IriqCTLh0rim6+qmXk6mD3nPcAGFgDdqKky+OsTrm2pzHVQJp0yGARy9BWHzhNp0JSFyVKjTCGQ8+/rzQ21w1571q+mn6pd9FEGmmFp2/lPNETSuBDd+N8aL/rr2JYqT7xbBjCjX2c7EAlCr1MWCksNcWohSCKoF/EFPCAdMZDuNJqLIfbrHnZNgrFDhvP4R96+YoZEda3txF+CgiN/6rFNH37GNtofQ2EXDQr19ZerkPJWYxT/zkFSPA33sC+HtTWDvOMChfzh4VzY5DItOl+iyB0ro81I3oa45DKfXN4sfiet3/2SqryhAQ==,iv:N1FcxWIo7O0672A24Dy7kNbXFB3xr3X36bQokphOCjk=,tag:JlwBrfJmaxwds24tX6Sv2w==,type:str]
2525
spotisub: ENC[AES256_GCM,data:GtxeKxcrt9Vk1p58d7iPHEiOtcuHsl4r5FpU+B/tDL8Plmq14ljekk6RCMEdQiAC4QCEWyn4d5psahBUIZ2OlNzVfIp43gcOiKviq4YFmMDZEDg3ZontnYFqhcuCYbaCLkaQz7/KG9HfiMfsX6J1JCw6+Z0+1s+qijMeVpNQi2ENIRI0CXm6iHeUJlTbLJejjnA60LUSePIDcV8GV2545CNzZb4XdqLYZrtORKbIsXV4PEpV2EvU15ZG0UrHP6h+Y//QgC+YeRtsC7LjmFgsodmTmR2Tt8xMfMHaSg5khRuDy63+822Vk0QVdsy3TWVK+AoCBnKRcphAjTV0BqARkqpFiWLfFw6uHh+bnXqJcfxBFpbqg5yZdJkIFFYisKm0,iv:qqP0hOqb+zT9wl7F2SXbgECG80wZMVZaUVQtPnHH/AM=,tag:Gx5KggG5vHxqZDfDP8ZRdw==,type:str]
26+
restic_password: ENC[AES256_GCM,data:/N+RUo9VNVyH0HZpkJycXskDmv4u0NeJ,iv:li0KwqWNCC2fwtaBPyWBMZa5HEC/BkPc6LkWo8JfYk4=,tag:9GmqmimXbhMOTO4BInCL+A==,type:str]
27+
restic_repository_config: ENC[AES256_GCM,data:V/122UxOOZ5cznghgcvKMU2K8BwwT1mJA3oESMnOmSK4DIwu3is0+TpdGQKnjv8f1GzkevFI5srs4TECmeHbCsldkbEQL/Z4t7x+sVL5ew==,iv:IG3QYTogxHi6iGFtzVxmuMT8xDt+n1ImwGkY+seJtMU=,tag:q+OosYsGfw0tXWD3l8rZAA==,type:str]
28+
restic_repository_home: ENC[AES256_GCM,data:ad9ukO9t1dot1jzH0iDlp5Pa3be77dq7LSV0AOZGWH+laSHIj6X5ltVVuyFhXpoErq6pULVSRH7kFvoOfABab6CWg5jYDvPM8fthvfA=,iv:zd74ZYt10pRdi8yv/mwNJYX3+OEJfu7uEFBAg8x85Ic=,tag:4QLvHG7omRMTOngSNZQlVQ==,type:str]
2629
ghrunner-system-builder: ENC[AES256_GCM,data:oVjU2NXXVQqZlB/Njm0vnrK7odO0ucvv40M1N/z93jvgs4t0+57t0c37pIPMN4JzewFXYOZsIwzdhOIw7KuvgvLQtGPhm4poPGKgV4lCexAXm40QU1M7bncawY40,iv:S0o5WAzI+u8U6OZiBn2BGjV6bZ10zVrRyyEuURSkPpU=,tag:4HbKj9lJn2l8o1xPUEL+2g==,type:str]
2730
hercules-ci-agent-binary-caches: ENC[AES256_GCM,data:b5HRubUUa7WvMD4IQpPexjK4JAJt1vO2hiqAAvdPNpXhUEVuz9UN96kwy1VeLiy/SnJtC6kIQv/GxNzqHsrWl546nGtWbaj+DlJnqPgPBiINoVdUtS5mJFbTZA7N5zk/YfZWYLvvGN9Scb1ZGOt42+hK0csKfPeJPLsD+R/BHNoUYdjA+bHAwQBm240tBl5/ght+PA1r6BYS818TatIHiQ9sQtLp6JiWm2GkSff79ibVLOZ7b/348ycxFQ5CG8mQVoZYvF4RB56LPyjaPUIv1ksgRztnRl7PDsiPNkJgU+KP5Hk/9A0YS+VTsy9rtzdUySiOvB92ttv0xZXEvQhnNgPPWmAPpUgxahqYvtJwmydL5bEyQyf63vVmekC2bvYjLsguB0Vknaem/uHySRHJtolv2mI8hZ52NdmTdIdTu5aIMkiD5Eg=,iv:2NC1TVq84BDb91qRnVSrVJ+pqQ/Q0m98LC405xu4c0o=,tag:83T+IBXUbc7qSnoKHJjZBg==,type:str]
2831
hercules-ci-agent-join-token: ENC[AES256_GCM,data:8nn74KcRQFinwwA2uz3alQwlDKXBgdSXAzVSfffVGCUfO3AzOCGdxzZOmE0EkJ+HjKCk3khg6YPgc44F5aCmIZ4j1t0VhwDQ7BYvLJQmyNU9GdjY+OhKva21yss3kZjYFbfPaeonuq2CXLBLf6p5rmK1w8OQrlntmGL9SucX9ar+oGGRM4mBvlGuMZXKEMgg7xP0OJhWn5a9ktPUKFVfxmyLrsJUkShNJgCiau7i6K9/H9dmMWwwKQD/TvYsktEbhvdXcBcnKDMgQkNSHORjbnDVAmQP+9kbf6tfHiMkAOiHSfjvL+5/ScDRqw==,iv:5u75YVlH96ZvRtfTKpLZTKW8vyrwtdBNg5EkX52Y+10=,tag:0NCOvQeLY8Obp6oKYStjjg==,type:str]
@@ -51,8 +54,8 @@ sops:
5154
QUpPem9vRm1HSTY1YXVtOFowYU5OS1EKm98nwqf4NXJcXbLUeQbR901vNmt2GZ7n
5255
/yMN0X2c6qCTMYTi1b1oFD1mpcy8HasuIKz6/KDSQDFq9ivGWZBBSA==
5356
-----END AGE ENCRYPTED FILE-----
54-
lastmodified: "2024-09-19T03:28:46Z"
55-
mac: ENC[AES256_GCM,data:rLJIu5mZ480Nwuycg2ln/MR8NHSvhlUfQICy2N4CmAbJO4+EpUSF6ykyCmJEpSZ2JVAdfyGg0ZAIJm2xjcfpZnZJy2OARg3lV60Gdyg9QFiIXZkLVkgTpLshjbOtW+2RU94cygBL+6vkBeRyBc5f/EaRUdpVNLmgLPZmaZMlPu4=,iv:3KTwuEccJwQ1EoIVzP1Gc77sY8UA0Ou06FD/4T2wBUk=,tag:n9+3JB9sEDFXMsOMpOr8KA==,type:str]
57+
lastmodified: "2024-09-27T01:16:00Z"
58+
mac: ENC[AES256_GCM,data:ap++TRh/haaPON0jfUNE+OYodUkF3k2hpabiAwu0P7ksU50hETWYJ9dWv6PR6igUgd0qHLZARhxTeuJweM0dckXqj2DIr2WmMu9jGZ+FWiayxhhmYog7UkuBkd0rqOGbnh5mi9XoPsko403FSrZ7BJp/V7Rk7u+Uc0ZdtOnZ5vs=,iv:A2di/aGRtLwY8O1KUc5mWb7KgJGoqc8eNJVrZIzg6ho=,tag:3Mbu0f+djF/WSl8LR5olIw==,type:str]
5659
pgp: []
5760
unencrypted_suffix: _unencrypted
5861
version: 3.9.0

hosts/voyager/secrets.yaml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,7 @@
11
cachix-agent: ENC[AES256_GCM,data:vebDSWhmVP+ue3dU38KndJSQEn3GXBL9wEQTe6+G9A/EgTEUhyT5yUOH6I0BlDQGoAk6632aK+RL/J9FdaPfULib72RU3scxnh2D7JSx7QDx6YzBdVTvemT2gDvSTHkDgenulNwb+ge3voLPoakl3fRZ+3ozxUyd1+O9oEcuQU9zYrNTeDlFUk7hwNyxc2TsvjA2dgpd2LOrqauedq01R0xjt/aTsRKFbw==,iv:X6ILCsWKXF2zTisHfRynbF02LNmqbQ5dnZla+vfYgeU=,tag:R1nfhjh//UIlcMlft9/A4w==,type:str]
2+
restic_password: ENC[AES256_GCM,data:WtAeygIwPsAThCwAKsnOvwH3GjGWZVeG,iv:9eRps9y3IHyVypWsndNl2PPAGqbhAnIWxnJPLAfEwX4=,tag:IZ8KE0MPTSaK6znAUyHNrQ==,type:str]
3+
restic_repository_config: ENC[AES256_GCM,data:YpsTlypDM0pO9E58uKUE/TM5P6mVM2cHZPjKQt55mzgTLutQl+WBHTO+PBnNd86aceBZcutP9111KIs9dD9A6khK4m5J5VCh9XtpjfL5DOA=,iv:3hzH7/2wnq0/yKbgscRByUffHbP+gxG5pdnjiVEH/Uo=,tag:bYgHgRGvGsqM5ePGR9R3Qw==,type:str]
4+
restic_repository_home: ENC[AES256_GCM,data:yGjVcg+db1eT+Q+u4bI09ZxEvZI2/AoTCK3e051YszlVHIchB1zuR3BtwmKr3s8f7eftyFUmtSGsvWe23nDFxhRR9LFTit9T2QeE6qJi,iv:383UVvwhESXl8ma/dT5g+KPdtKvjyyUJ3WGNiJB1qGQ=,tag:dV2tfktGUcecraLUd8TpOw==,type:str]
25
sops:
36
kms: []
47
gcp_kms: []
@@ -23,8 +26,8 @@ sops:
2326
UisyTHNZZXBScFUwY3VLYU1od21DTXMK0k+HjlXJVByf6Pbzy24clWE0l29ALZXQ
2427
4T5dM6fHdqR/09ds7p6RY0mowm0aUnakdOKRJEgwXBNL0UOu0mm8kQ==
2528
-----END AGE ENCRYPTED FILE-----
26-
lastmodified: "2024-07-20T23:24:34Z"
27-
mac: ENC[AES256_GCM,data:cjOZvJqVB1gKcMCpsIPtTFE/kxk+Rj+vO4RRECVdthf9ASAQLq3aEOd0LdhgNVc1jvrRqASj5Adhas8rbU10oXxii/MFK1xVZfYtjx/bQ4CaPiWhEIUL1upxiGLTNZVcyzVoyuGyfbfB3qMNuI+JA40xGly1EsaZVKJ9TbzVkDg=,iv:4Ak7h3Pn4M/hU7BA6W7iv9eusWHw0R/7Lm44FPtSUOI=,tag:2TjyrVlNyroawudHFI9kvg==,type:str]
29+
lastmodified: "2024-09-27T01:15:44Z"
30+
mac: ENC[AES256_GCM,data:FEDjsH867zbc3i7xgrnA9St/4BOjSv/VuACPk0Q9ZaeyDdcdzEaRJoFk9SD55LG7FXngX5/gcYt1XtRfq4l5fNy8hW81+RpTLdPr2XToA6yXpUBtR54zt5RQzX4RqKMoK1QdTSivNI1chdQ01g5niX+gnrFfr8HxTGzXeeGKP5A=,iv:yDA1rm1ECTmmk9bGTiYktSDmiFo91HJ3Nl1EI/YfEqk=,tag:9VhQlIzfuZIXI7GOTKrxrA==,type:str]
2831
pgp: []
2932
unencrypted_suffix: _unencrypted
3033
version: 3.9.0

0 commit comments

Comments
 (0)