diff --git a/ops/modules/restic.nix b/ops/modules/restic.nix index 869539603..06e470bb5 100644 --- a/ops/modules/restic.nix +++ b/ops/modules/restic.nix @@ -1,15 +1,13 @@ # Configure restic backups to S3-compatible storage, in our case -# GleSYS object storage. +# Yandex Cloud Storage. # -# Conventions: -# - restic's cache lives in /var/backup/restic/cache -# - repository password lives in /var/backup/restic/secret -# - object storage credentials in /var/backup/restic/glesys-key -{ config, lib, pkgs, ... }: +# When adding a new machine, the repository has to be initialised once. Refer to +# the Restic documentation for details on this process. +{ config, depot, lib, pkgs, ... }: let cfg = config.services.depot.restic; - description = "Restic backups to GleSYS"; + description = "Restic backups to Yandex Cloud"; mkStringOption = default: lib.mkOption { inherit default; type = lib.types.str; @@ -18,9 +16,9 @@ in { options.services.depot.restic = { enable = lib.mkEnableOption description; - bucketEndpoint = mkStringOption "objects.dc-sto1.glesys.net"; - bucketName = mkStringOption "aged-resonance"; - bucketCredentials = mkStringOption "/var/backup/restic/glesys-key"; + bucketEndpoint = mkStringOption "storage.yandexcloud.net"; + bucketName = mkStringOption "tvl-backups"; + bucketCredentials = mkStringOption "/run/agenix/yc-restic"; repository = mkStringOption config.networking.hostName; interval = mkStringOption "hourly"; @@ -36,15 +34,20 @@ in }; config = lib.mkIf cfg.enable { + age.secrets = { + restic-password.file = depot.ops.secrets."restic-${config.networking.hostName}.age"; + yc-restic.file = depot.ops.secrets."yc-restic.age"; + }; + systemd.services.restic = { - description = "Backups to GleSYS"; + description = "Backups to Yandex Cloud"; script = "${pkgs.restic}/bin/restic backup ${lib.concatStringsSep " " cfg.paths}"; environment = { RESTIC_REPOSITORY = "s3:${cfg.bucketEndpoint}/${cfg.bucketName}/${cfg.repository}"; AWS_SHARED_CREDENTIALS_FILE = cfg.bucketCredentials; - RESTIC_PASSWORD_FILE = "/var/backup/restic/secret"; + RESTIC_PASSWORD_FILE = "/run/agenix/restic-password"; RESTIC_CACHE_DIR = "/var/backup/restic/cache"; RESTIC_EXCLUDE_FILE = diff --git a/ops/secrets/restic-bugry.age b/ops/secrets/restic-bugry.age new file mode 100644 index 000000000..293203311 --- /dev/null +++ b/ops/secrets/restic-bugry.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 wI5oAA TDjaldqySaCEFAPuoUBVMR342403nhkawwtXbsJJenQ +eoeL2v5mCLksay/24miqYkWLJLLhrUIny4p1/e3/iTY +-> ssh-ed25519 dcsaLw /KSRH3XUGU7P+Ckpk86PFl8oRfPP/dlLb6zLUW04iH8 +e2nXDvjkd5lzmXflhd820XmGvo/agSxDtfejxM45nhY +-> ssh-ed25519 zcCuhA pIxJxTWsOyH6Zqunv427jdy1G7BV7Dpjpp2l+HEe/3s +rxyoDZTQmsGwNB0nCTXNHhc7VCsb11/ynManfsbf5Ss +-> ssh-ed25519 1SxhRA K8DkqAk5gPfsjTQiTjLGRNR+63uG9ogacsrH69/afGs +LAt97AuWaPEYG7IlFiIOll9s02cQ+qhrpr0GVXX+e/o +-> ssh-ed25519 ch/9tw 6eG9psphjjfW6TRTYxqozX9WLhQgC9u2ngR35rpXiH4 +9dFgdqSDKRXAotKKR19l9gqWlTNxuv9r/IcaMZeO9Oc +-> ssh-ed25519 CpJBgQ /t2M57kxjKDq/UMoh9UnmQvlETqiwqClt0Lg6quqKRk +oDblqLXxyJ7gTtZzhbStHep62oZK0iXikJ6fi6EW0gM +-> ssh-ed25519 aXKGcg DVn6XZGaBHAeL4pGMaolO8cSOIKRIhmuDycV65pfxhs +M6XVDk1Z9BdCoCvK30NDJsKKnURk/XUcRP4t5pZ7JFk +--- H3D9jfLkrsDOgWfNhUJHZcVGa9dPqr4EuuBU40iJbJs +{:jІpVFx'`5Lz# y|"/>"QX Je W*? \ No newline at end of file diff --git a/ops/secrets/restic-nevsky.age b/ops/secrets/restic-nevsky.age new file mode 100644 index 000000000..f06347b38 --- /dev/null +++ b/ops/secrets/restic-nevsky.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 xR+E/Q iVPpAC04Up8hrFvnh2RsAXgfrFv2QNk0kwydlGrVslg +2McWSNxxnPypGs9HKMNCjpHe+g2kxA86G6Drt2HWOeU +-> ssh-ed25519 dcsaLw Xuw5V21UrJcIwWEoRyI+h60RaoJUdBAJJPqN12TY93U +X4Wxo2qdBgtzQ8ct2UySnvXr9x0EzqBzSoHTBq9jQ9A +-> ssh-ed25519 zcCuhA GPMgbaoLctcsQxVtoIPvXUvpfTZEUA2QnvgTXDUiJRI +wnzHlJC8F45s/VzBjy9xfvDujtH+9uBmoX5OrzXapBA +-> ssh-ed25519 1SxhRA 3GuXyDOYy6tur+nThpBLKMCvk/2c44XeR+NrLKj3G1Q +LoVYepF0BiZ4E29ZMzXgOAyloK+UhX+FqiM9pPgngZ4 +-> ssh-ed25519 ch/9tw ihNjsBfasDmfW3Kcg8vQ1tpym9HKIL/qEzwpO7ye0Cg +brnJzK7V4OV5jLfCFYqNue1oLSpJ88rRNN19KDcMdeM +-> ssh-ed25519 CpJBgQ SvLMx+bG59LPZNI4EctDnFutMXoh4Otk2yFd17dXVQ4 ++LO4a5ARK1mpYaenS1P13ajhpNtxndFvin2Po1h0cwM +-> ssh-ed25519 aXKGcg VdaJIfDpeet7fzesJ3FGwZhQiAKNzEJMVUXNtbwm8UU +rMqLrCdx55rzkuqJ3/9SrY6BKdSgHCLgAx8E0rrYVfY +--- jNvJTcOvsKU6YkgEDBiOI27GBEzNlEg4JymqeKYa/fA +ؽV(idTL\'HGgD^vܽ11c`}V=zK & \ No newline at end of file diff --git a/ops/secrets/restic-sanduny.age b/ops/secrets/restic-sanduny.age new file mode 100644 index 000000000..578871ff1 Binary files /dev/null and b/ops/secrets/restic-sanduny.age differ diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix index cae95ce5e..f1b3c0555 100644 --- a/ops/secrets/secrets.nix +++ b/ops/secrets/secrets.nix @@ -53,6 +53,9 @@ in "nix-cache-pub.age" = for [ whitby nevsky ]; "owothia.age" = for [ whitby nevsky ]; "panettone.age" = for [ whitby nevsky ]; + "restic-bugry.age" = for [ bugry ]; + "restic-nevsky.age" = for [ nevsky ]; + "restic-sanduny.age" = for [ sanduny ]; "smtprelay.age" = for [ whitby nevsky ]; "teleirc.age" = for [ whitby nevsky ]; "tf-buildkite.age" = for [ /* humans only */ ]; @@ -61,4 +64,5 @@ in "tvl-alerts-bot-telegram-token.age" = for [ whitby nevsky ]; "wg-bugry.age" = for [ bugry ]; "wg-nevsky.age" = for [ nevsky ]; + "yc-restic.age" = for [ nevsky sanduny bugry ]; } diff --git a/ops/secrets/yc-restic.age b/ops/secrets/yc-restic.age new file mode 100644 index 000000000..7ba554f3a Binary files /dev/null and b/ops/secrets/yc-restic.age differ