feat(ops/restic): configure backups to Yandex Cloud

Backups are moving from GleSYS to Yandex Cloud (is this motivated by me not
having to pay for them in that case? Maybe!); this changes the default backup
location to accommodate that.

I also noticed that we previously manually placed the backup key on whitby, so
the new key is going into agenix instead, as well as the secrets for protecting
the repositories.

Change-Id: Ibe5dbfec6784345f020a8b4d92bb01c6ad719a89
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13096
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
This commit is contained in:
Vincent Ambo 2025-02-02 13:04:18 +03:00 committed by tazjin
parent 7851917ebf
commit 84bdb1e89a
6 changed files with 53 additions and 12 deletions

View file

@ -1,15 +1,13 @@
# Configure restic backups to S3-compatible storage, in our case
# GleSYS object storage.
# Yandex Cloud Storage.
#
# Conventions:
# - restic's cache lives in /var/backup/restic/cache
# - repository password lives in /var/backup/restic/secret
# - object storage credentials in /var/backup/restic/glesys-key
{ config, lib, pkgs, ... }:
# When adding a new machine, the repository has to be initialised once. Refer to
# the Restic documentation for details on this process.
{ config, depot, lib, pkgs, ... }:
let
cfg = config.services.depot.restic;
description = "Restic backups to GleSYS";
description = "Restic backups to Yandex Cloud";
mkStringOption = default: lib.mkOption {
inherit default;
type = lib.types.str;
@ -18,9 +16,9 @@ in
{
options.services.depot.restic = {
enable = lib.mkEnableOption description;
bucketEndpoint = mkStringOption "objects.dc-sto1.glesys.net";
bucketName = mkStringOption "aged-resonance";
bucketCredentials = mkStringOption "/var/backup/restic/glesys-key";
bucketEndpoint = mkStringOption "storage.yandexcloud.net";
bucketName = mkStringOption "tvl-backups";
bucketCredentials = mkStringOption "/run/agenix/yc-restic";
repository = mkStringOption config.networking.hostName;
interval = mkStringOption "hourly";
@ -36,15 +34,20 @@ in
};
config = lib.mkIf cfg.enable {
age.secrets = {
restic-password.file = depot.ops.secrets."restic-${config.networking.hostName}.age";
yc-restic.file = depot.ops.secrets."yc-restic.age";
};
systemd.services.restic = {
description = "Backups to GleSYS";
description = "Backups to Yandex Cloud";
script = "${pkgs.restic}/bin/restic backup ${lib.concatStringsSep " " cfg.paths}";
environment = {
RESTIC_REPOSITORY = "s3:${cfg.bucketEndpoint}/${cfg.bucketName}/${cfg.repository}";
AWS_SHARED_CREDENTIALS_FILE = cfg.bucketCredentials;
RESTIC_PASSWORD_FILE = "/var/backup/restic/secret";
RESTIC_PASSWORD_FILE = "/run/agenix/restic-password";
RESTIC_CACHE_DIR = "/var/backup/restic/cache";
RESTIC_EXCLUDE_FILE =

View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 wI5oAA TDjaldqySaCEFAPuoUBVMR342403nhkawwtXbsJJenQ
eoeL2v5mCLksay/24miqYkWLJLLhrUIny4p1/e3/iTY
-> ssh-ed25519 dcsaLw /KSRH3XUGU7P+Ckpk86PFl8oRfPP/dlLb6zLUW04iH8
e2nXDvjkd5lzmXflhd820XmGvo/agSxDtfejxM45nhY
-> ssh-ed25519 zcCuhA pIxJxTWsOyH6Zqunv427jdy1G7BV7Dpjpp2l+HEe/3s
rxyoDZTQmsGwNB0nCTXNHhc7VCsb11/ynManfsbf5Ss
-> ssh-ed25519 1SxhRA K8DkqAk5gPfsjTQiTjLGRNR+63uG9ogacsrH69/afGs
LAt97AuWaPEYG7IlFiIOll9s02cQ+qhrpr0GVXX+e/o
-> ssh-ed25519 ch/9tw 6eG9psphjjfW6TRTYxqozX9WLhQgC9u2ngR35rpXiH4
9dFgdqSDKRXAotKKR19l9gqWlTNxuv9r/IcaMZeO9Oc
-> ssh-ed25519 CpJBgQ /t2M57kxjKDq/UMoh9UnmQvlETqiwqClt0Lg6quqKRk
oDblqLXxyJ7gTtZzhbStHep62oZK0iXikJ6fi6EW0gM
-> ssh-ed25519 aXKGcg DVn6XZGaBHAeL4pGMaolO8cSOIKRIhmuDycV65pfxhs
M6XVDk1Z9BdCoCvK30NDJsKKnURk/XUcRP4t5pZ7JFk
--- H3D9jfLkrsDOgWfNhUJHZcVGa9dPqr4EuuBU40iJbJs
{:jІ ¿÷pVF´x'`è×5Lz# yµìÈìÀ¿|"²öÕòû/>èô"QX¹ ÓÅJe<4A>þ W*œ‚¸?ðñ

View file

@ -0,0 +1,17 @@
age-encryption.org/v1
-> ssh-ed25519 xR+E/Q iVPpAC04Up8hrFvnh2RsAXgfrFv2QNk0kwydlGrVslg
2McWSNxxnPypGs9HKMNCjpHe+g2kxA86G6Drt2HWOeU
-> ssh-ed25519 dcsaLw Xuw5V21UrJcIwWEoRyI+h60RaoJUdBAJJPqN12TY93U
X4Wxo2qdBgtzQ8ct2UySnvXr9x0EzqBzSoHTBq9jQ9A
-> ssh-ed25519 zcCuhA GPMgbaoLctcsQxVtoIPvXUvpfTZEUA2QnvgTXDUiJRI
wnzHlJC8F45s/VzBjy9xfvDujtH+9uBmoX5OrzXapBA
-> ssh-ed25519 1SxhRA 3GuXyDOYy6tur+nThpBLKMCvk/2c44XeR+NrLKj3G1Q
LoVYepF0BiZ4E29ZMzXgOAyloK+UhX+FqiM9pPgngZ4
-> ssh-ed25519 ch/9tw ihNjsBfasDmfW3Kcg8vQ1tpym9HKIL/qEzwpO7ye0Cg
brnJzK7V4OV5jLfCFYqNue1oLSpJ88rRNN19KDcMdeM
-> ssh-ed25519 CpJBgQ SvLMx+bG59LPZNI4EctDnFutMXoh4Otk2yFd17dXVQ4
+LO4a5ARK1mpYaenS1P13ajhpNtxndFvin2Po1h0cwM
-> ssh-ed25519 aXKGcg VdaJIfDpeet7fzesJ3FGwZhQiAKNzEJMVUXNtbwm8UU
rMqLrCdx55rzkuqJ3/9SrY6BKdSgHCLgAx8E0rrYVfY
--- jNvJTcOvsKU6YkgEDBiOI27GBEzNlEg4JymqeKYa/fA
ˆØ½±V(idóT”L\‚©¯ä°'£çHŽßGgD‘÷^‰vܽí1×1c»ñ`®}ž†šêV¢™¦=zàK &ˆ´èÅ

Binary file not shown.

View file

@ -53,6 +53,9 @@ in
"nix-cache-pub.age" = for [ whitby nevsky ];
"owothia.age" = for [ whitby nevsky ];
"panettone.age" = for [ whitby nevsky ];
"restic-bugry.age" = for [ bugry ];
"restic-nevsky.age" = for [ nevsky ];
"restic-sanduny.age" = for [ sanduny ];
"smtprelay.age" = for [ whitby nevsky ];
"teleirc.age" = for [ whitby nevsky ];
"tf-buildkite.age" = for [ /* humans only */ ];
@ -61,4 +64,5 @@ in
"tvl-alerts-bot-telegram-token.age" = for [ whitby nevsky ];
"wg-bugry.age" = for [ bugry ];
"wg-nevsky.age" = for [ nevsky ];
"yc-restic.age" = for [ nevsky sanduny bugry ];
}

BIN
ops/secrets/yc-restic.age Normal file

Binary file not shown.