Commit e327c95

HPCesia <me@hpcesia.com>
2025-10-05 13:35:20
refactor: migrate restic
1 parent da73e80
hosts/chaser-pardofelis/restic.nix
@@ -1,48 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: {
-  services.restic.backups."${config.modules.currentHost}-backup" = {
-    initialize = true;
-    passwordFile = config.sops.secrets.restic-backup-password.path;
-    rcloneConfigFile = config.sops.templates."rclone-restic-backup.conf".path;
-    repository = "rclone:Backup:/Backups/${config.modules.currentHost}-backup/";
-    paths =
-      (lib.mapAttrsToList (n: v: "/var/lib/authelia-${n}") config.services.authelia.instances)
-      ++ [
-        config.services.artalk.workdir
-        "/var/lib/fail2ban"
-        config.services.freshrss.dataDir
-        "/var/lib/goatcounter"
-        "/var/lib/gotosocial"
-        config.services.grafana.dataDir
-        "/var/lib/${config.services.victoriametrics.stateDir}"
-      ];
-    exclude = [
-      "tmp"
-      ".git"
-      "cache"
-      ".cache"
-      "*_cache"
-    ];
-    timerConfig = {
-      OnCalendar = "04:00";
-      RandomizedDelaySec = "1h";
-    };
-    pruneOpts = [
-      "--keep-daily 3"
-      "--keep-weekly 3"
-      "--keep-monthly 3"
-      "--keep-yearly 3"
-    ];
-  };
-
-  sops.templates."rclone-restic-backup.conf".content = ''
-    [Backup]
-    type = onedrive
-    drive_id = 52CE3DAB18B4C557
-    drive_type = personal
-    token = ${config.sops.placeholder.rclone-restic-backup-token}
-  '';
-}
modules/hosts/chaser-pardofelis/default.nix
@@ -29,6 +29,7 @@
           "goatcounter"
           "gotosocial"
           "podman"
+          "restic"
           "vaultwarden"
         ]
       )
modules/services/artalk/default.nix
@@ -94,6 +94,11 @@
         reverse_proxy ${localAddress}
       '');
 
+    services.restic.backups."${config.networking.hostName}-backup".paths =
+      lib.mkIf
+      (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+      [config.services.artalk.workdir];
+
     vaultix.secrets = lib.mkMerge (builtins.map (s: {
         "artalk-${s}" = {
           file = lib.path.append ./. "${s}.age";
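Review bot: The `builtins.hasAttr` guard on the added `services.restic.backups."${config.networking.hostName}-backup".paths` looks like it can never be false: this definition itself creates that attribute name (the `mkIf` wraps only `paths`, not the attribute), so a host that imports artalk but not `services/restic` still ends up with a `<host>-backup` entry that has paths but no `repository` or `passwordFile`, which I would expect the nixpkgs restic module's assertions to reject at evaluation time — please confirm on a host without "restic" in its module list. Reading the option's own attribute names from a definition-level `mkIf` would recurse, so the condition has to come from elsewhere, e.g. a boolean option set only by the restic module, applied to the whole definition: `services.restic.backups = lib.mkIf config.modules.backup.enable { "${config.networking.hostName}-backup".paths = [ config.services.artalk.workdir ]; };` (with `modules.backup.enable` being whatever flag you declare for it). The enclosing `flake.modules.nixos."services/artalk"` module starts before and ends after this hunk.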
modules/services/freshrss/default.nix
@@ -1,4 +1,4 @@
-{
+{lib, ...}: {
   flake.modules.nixos."services/freshrss" = {config, ...}: {
     services.freshrss = {
       enable = true;
@@ -12,6 +12,11 @@
       database.type = "sqlite";
     };
 
+    services.restic.backups."${config.networking.hostName}-backup".paths =
+      lib.mkIf
+      (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+      [config.services.freshrss.dataDir];
+
     vaultix.secrets.freshrss-admin-password = {
       file = ./admin-password.age;
       owner = "root";
modules/services/gotosocial/default.nix
@@ -52,6 +52,11 @@
         reverse_proxy ${localAddress}
       '');
 
+    services.restic.backups."${config.networking.hostName}-backup".paths =
+      lib.mkIf
+      (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+      ["/var/lib/gotosocial"];
+
     vaultix.secrets.gotosocial-s3-endpoint.file = ./s3-endpoint.age;
     vaultix.secrets.gotosocial-s3-access-key.file = ./s3-access-key.age;
     vaultix.secrets.gotosocial-s3-secret-key.file = ./s3-secret-key.age;
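Review bot: Adding `/var/lib/gotosocial` covers the instance's local state, but the `gotosocial-s3-*` secrets right below suggest media is kept in S3, so user uploads and cached remote media would not be in this restic set and the bucket needs its own backup or versioning — if that split is intended, a one-line comment here would save the next reader the question, e.g. `# local DB/state only; media lives in S3 (see gotosocial-s3-* secrets) and is not covered by restic`. I cannot see the storage settings in this hunk, so please confirm which backend is actually configured. Note also that the `builtins.hasAttr` condition is satisfied by this very definition (it creates the `<host>-backup` attribute unconditionally), so the `mkIf` does not make the contribution depend on the restic module being imported.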
modules/services/restic/backup.nix
@@ -0,0 +1,40 @@
+{
+  flake.modules.nixos."services/restic" = {config, ...}: {
+    services.restic.backups."${config.networking.hostName}-backup" = {
+      initialize = true;
+      passwordFile = config.vaultix.secrets.restic-backup-password.path;
+      rcloneConfigFile = config.vaultix.templates."restic-backup-rclone.conf".path;
+      repository = "rclone:Backup:/Backups/${config.networking.hostName}-backup/";
+      paths = [
+      ];
+      exclude = [
+        "tmp"
+        ".git"
+        "cache"
+        ".cache"
+        "*_cache"
+      ];
+      timerConfig = {
+        OnCalendar = "04:00";
+        RandomizedDelaySec = "1h";
+      };
+      pruneOpts = [
+        "--keep-daily 3"
+        "--keep-weekly 3"
+        "--keep-monthly 3"
+        "--keep-yearly 3"
+      ];
+    };
+
+    vaultix.templates."restic-backup-rclone.conf".content = ''
+      [Backup]
+      type = onedrive
+      drive_id = 52CE3DAB18B4C557
+      drive_type = personal
+      token = ${config.vaultix.placeholder.restic-backup-rclone-token}
+    '';
+
+    vaultix.secrets.restic-backup-password.file = ./password.age;
+    vaultix.secrets.restic-backup-rclone-token.file = ./rclone-token.age;
+  };
+}
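Review bot: The new module starts with `paths = [ ];` and relies on service modules to contribute entries, but nothing in this commit re-adds the authelia instance directories, `config.services.grafana.dataDir` or the victoriametrics `stateDir` that the deleted `hosts/chaser-pardofelis/restic.nix` backed up, so unless those are contributed elsewhere the backup set silently shrinks with this migration. An empty `paths` is also accepted quietly — with `initialize = true` the timer will create the repository and take nightly snapshots of nothing — so a comment on that line would help, e.g. `# intentionally empty: service modules append to services.restic.backups."<host>-backup".paths`. Separately, rclone normally rewrites its config file to persist refreshed OAuth tokens; with the config rendered from a vaultix template I would want confirmation that the OneDrive token keeps working across token rotation, otherwise backups will start failing with auth errors some time after deployment. Keep in mind the same token restic uses for `forget`/`prune` can delete every snapshot, and rclone's OneDrive backend offers no append-only mode, so a compromised host can wipe its own backups — a second copy under a different credential is the usual mitigation if that matters here.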
modules/services/restic/password.age
Binary file
modules/services/restic/rclone-token.age
Binary file
modules/services/fail2ban.nix
@@ -1,5 +1,5 @@
-{
-  flake.modules.nixos."services/fail2ban" = _: {
+{lib, ...}: {
+  flake.modules.nixos."services/fail2ban" = {config, ...}: {
     services.fail2ban = {
       enable = true;
       maxretry = 3;
@@ -12,5 +12,10 @@
     };
 
     networking.firewall.enable = true;
+
+    services.restic.backups."${config.networking.hostName}-backup".paths =
+      lib.mkIf
+      (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+      ["/var/lib/fail2ban"];
   };
 }
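Review bot: The `builtins.hasAttr` condition on the added `services.restic.backups."${config.networking.hostName}-backup".paths` is satisfied by this definition itself (the attribute name is created unconditionally; only `paths` is wrapped in `mkIf`), so it does not express "only when the restic module is imported". Since `services/fail2ban` looks like a module every host would import, this is presumably where a host without "restic" in its list first gets a `<host>-backup` entry with no `repository` or `passwordFile`, which I would expect the nixpkgs restic assertions to reject — worth checking on such a host. Putting the condition on the whole definition and driving it from an option only the restic module sets avoids both the always-true check and the recursion that reading `config.services.restic.backups` from a definition-level `mkIf` would cause: `services.restic.backups = lib.mkIf config.modules.backup.enable { "${config.networking.hostName}-backup".paths = [ "/var/lib/fail2ban" ]; };` (with `modules.backup.enable` being whatever flag you declare for it).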
modules/services/goatcounter.nix
@@ -16,5 +16,10 @@
         encode zstd gzip
         reverse_proxy ${localAddress}
       '');
+
+    services.restic.backups."${config.networking.hostName}-backup".paths =
+      lib.mkIf
+      (builtins.hasAttr "${config.networking.hostName}-backup" config.services.restic.backups)
+      ["/var/lib/goatcounter"];
   };
 }
secrets/cache/pardofelis/12c95a2987d42ac3394061ab7463c311c16b8afb49bc9895d40d9f101ebf9a4c
Binary file
secrets/cache/pardofelis/3852ac196fda405c1c69e0591acf40e4eb7cfccb96fed10ac8c6d2e2c9190fcd
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw 4uRgu50ASXO45+l0iR3GRyIQgknJo9B7oIZ1xdXfCy0
+UlE1wC/rsiT5t6pRuJUyE9Qwhymk/dwn4kJ7u0gszZc
+-> 2`$1/_>+-grease v(P)
+uGfiBSTzLpbG
+--- 6HCKVrQql/JjvtMoYHQIU8TkD3Y3RotL+Ex9KOdQI+Q
+#�P�T���>��馘����;���{�
1}`���Jl/,8������*�$����s�el4����
\ No newline at end of file