Commit e327c95
Changed files (12)
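--- a/hosts/chaser-pardofelis/restic.nix
+++ b/hosts/chaser-pardofelis/restic.nix
@@ -1,48 +0,0 @@
-{
- config,
- lib,
- ...
-}: {
- services.restic.backups."${config.modules.currentHost}-backup" = {
- initialize = true;
- passwordFile = config.sops.secrets.restic-backup-password.path;
- rcloneConfigFile = config.sops.templates."rclone-restic-backup.conf".path;
- repository = "rclone:Backup:/Backups/${config.modules.currentHost}-backup/";
- paths =
- (lib.mapAttrsToList (n: v: "/var/lib/authelia-${n}") config.services.authelia.instances)
- ++ [
- config.services.artalk.workdir
- "/var/lib/fail2ban"
- config.services.freshrss.dataDir
- "/var/lib/goatcounter"
- "/var/lib/gotosocial"
- config.services.grafana.dataDir
- "/var/lib/${config.services.victoriametrics.stateDir}"
- ];
- exclude = [
- "tmp"
- ".git"
- "cache"
- ".cache"
- "*_cache"
- ];
- timerConfig = {
- OnCalendar = "04:00";
- RandomizedDelaySec = "1h";
- };
- pruneOpts = [
- "--keep-daily 3"
- "--keep-weekly 3"
- "--keep-monthly 3"
- "--keep-yearly 3"
- ];
- };
-
- sops.templates."rclone-restic-backup.conf".content = ''
- [Backup]
- type = onedrive
- drive_id = 52CE3DAB18B4C557
- drive_type = personal
- token = ${config.sops.placeholder.rclone-restic-backup-token}
- '';
-}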
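--- a/modules/hosts/chaser-pardofelis/default.nix
+++ b/modules/hosts/chaser-pardofelis/default.nix
@@ -29,6 +29,7 @@
 "goatcounter"
 "gotosocial"
 "podman"
+ "restic"
 "vaultwarden"
 ]
 )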
modules/services/artalk/default.nix
@@ -94,6 +94,11 @@
reverse_proxy ${localAddress}
'');
+ services.restic.backups."${config.networking.hostName}-backup".paths =
+ lib.mkIf
+ (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+ [config.services.artalk.workdir];
+
vaultix.secrets = lib.mkMerge (builtins.map (s: {
"artalk-${s}" = {
file = lib.path.append ./. "${s}.age";
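Review bot: The `builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups` guard on the added `paths` definition looks self-satisfying. The `lib.mkIf` sits below the attribute name, so this definition itself contributes the host-named key to the `attrsOf` merge and the condition is likely always true. On a host that imports this module without `services/restic`, that would leave a backup job with only `paths` set, which should either fail evaluation or obscure the fact that no repository and password are configured. Gating on something the restic module sets explicitly, for example a dedicated list option that `services/restic` declares and copies into `paths`, would avoid the self-reference. The same pattern is added in the freshrss, fail2ban and goatcounter hunks, and the enclosing module body starts and ends outside this hunk.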
modules/services/freshrss/default.nix
@@ -1,4 +1,4 @@
-{
+{lib, ...}: {
flake.modules.nixos."services/freshrss" = {config, ...}: {
services.freshrss = {
enable = true;
@@ -12,6 +12,11 @@
database.type = "sqlite";
};
+ services.restic.backups."${config.networking.hostName}-backup".paths =
+ lib.mkIf
+ (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+ [config.services.freshrss.dataDir];
+
vaultix.secrets.freshrss-admin-password = {
file = ./admin-password.age;
owner = "root";
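--- a/modules/services/restic/backup.nix
+++ b/modules/services/restic/backup.nix
@@ -0,0 +1,40 @@
+{
+ flake.modules.nixos."services/restic" = {config, ...}: {
+ services.restic.backups."${config.networking.hostName}-backup" = {
+ initialize = true;
+ passwordFile = config.vaultix.secrets.restic-backup-password.path;
+ rcloneConfigFile = config.vaultix.templates."restic-backup-rclone.conf".path;
+ repository = "rclone:Backup:/Backups/${config.networking.hostName}-backup/";
+ paths = [
+ ];
+ exclude = [
+ "tmp"
+ ".git"
+ "cache"
+ ".cache"
+ "*_cache"
+ ];
+ timerConfig = {
+ OnCalendar = "04:00";
+ RandomizedDelaySec = "1h";
+ };
+ pruneOpts = [
+ "--keep-daily 3"
+ "--keep-weekly 3"
+ "--keep-monthly 3"
+ "--keep-yearly 3"
+ ];
+ };
+
+ vaultix.templates."restic-backup-rclone.conf".content = ''
+ [Backup]
+ type = onedrive
+ drive_id = 52CE3DAB18B4C557
+ drive_type = personal
+ token = ${config.vaultix.placeholder.restic-backup-rclone-token}
+ '';
+
+ vaultix.secrets.restic-backup-password.file = ./password.age;
+ vaultix.secrets.restic-backup-rclone-token.file = ./rclone-token.age;
+ };
+}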
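Review bot: The `paths` list now starts empty and depends on each service module to add its own directory, but only artalk, freshrss, fail2ban and goatcounter visibly do so on this page. The deleted hosts/chaser-pardofelis/restic.nix also covered the authelia instance directories, `/var/lib/gotosocial`, the grafana data dir and the victoriametrics state dir; unless those are re-added in a file not shown here, they drop out of the backup set with no evaluation-time signal. Authelia state in particular is authentication data, so confirm it is still captured before relying on this job for recovery. A comment on the empty list such as `# filled in by modules/services/*: every stateful service must add its data dir here` would make the contract explicit.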
modules/services/restic/password.age
Binary file
modules/services/restic/rclone-token.age
Binary file
modules/services/fail2ban.nix
@@ -1,5 +1,5 @@
-{
- flake.modules.nixos."services/fail2ban" = _: {
+{lib, ...}: {
+ flake.modules.nixos."services/fail2ban" = {config, ...}: {
services.fail2ban = {
enable = true;
maxretry = 3;
@@ -12,5 +12,10 @@
};
networking.firewall.enable = true;
+
+ services.restic.backups."${config.networking.hostName}-backup".paths =
+ lib.mkIf
+ (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+ ["/var/lib/fail2ban"];
};
}
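--- a/modules/services/goatcounter.nix
+++ b/modules/services/goatcounter.nix
@@ -16,5 +16,10 @@
 encode zstd gzip
 reverse_proxy ${localAddress}
 '');
+
+ services.restic.backups."${config.networking.hostName}-backup".paths =
+ lib.mkIf
+ (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+ ["/var/lib/goatcounter"];
 };
 }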
secrets/cache/pardofelis/12c95a2987d42ac3394061ab7463c311c16b8afb49bc9895d40d9f101ebf9a4c
Binary file
secrets/cache/pardofelis/3852ac196fda405c1c69e0591acf40e4eb7cfccb96fed10ac8c6d2e2c9190fcd
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw 4uRgu50ASXO45+l0iR3GRyIQgknJo9B7oIZ1xdXfCy0
+UlE1wC/rsiT5t6pRuJUyE9Qwhymk/dwn4kJ7u0gszZc
+-> 2`$1/_>+-grease v(P)
+uGfiBSTzLpbG
+--- 6HCKVrQql/JjvtMoYHQIU8TkD3Y3RotL+Ex9KOdQI+Q
+#�P�T���>��馘����;���{�
1}`���Jl/,8������*�$����s�el4����
\ No newline at end of file