From 84bdb1e89a3d5f1c51dc4f6ce699fb5c752fbd7b Mon Sep 17 00:00:00 2001
From: Vincent Ambo <mail@tazj.in>
Date: Sun, 2 Feb 2025 13:04:18 +0300
Subject: [PATCH] feat(ops/restic): configure backups to Yandex Cloud

Backups are moving from GleSYS to Yandex Cloud (is this motivated by me not
having to pay for them in that case? Maybe!); this changes the default backup
location to accommodate that.

I also noticed that we previously manually placed the backup key on whitby, so
the new key is going into agenix instead, as well as the secrets for protecting
the repositories.

Change-Id: Ibe5dbfec6784345f020a8b4d92bb01c6ad719a89
Reviewed-on: https://cl.tvl.fyi/c/depot/+/13096
Tested-by: BuildkiteCI
Reviewed-by: sterni <sternenseemann@systemli.org>
---
 ops/modules/restic.nix         |  27 +++++++++++++++------------
 ops/secrets/restic-bugry.age   |  17 +++++++++++++++++
 ops/secrets/restic-nevsky.age  |  17 +++++++++++++++++
 ops/secrets/restic-sanduny.age | Bin 0 -> 913 bytes
 ops/secrets/secrets.nix        |   4 ++++
 ops/secrets/yc-restic.age      | Bin 0 -> 1209 bytes
 6 files changed, 53 insertions(+), 12 deletions(-)
 create mode 100644 ops/secrets/restic-bugry.age
 create mode 100644 ops/secrets/restic-nevsky.age
 create mode 100644 ops/secrets/restic-sanduny.age
 create mode 100644 ops/secrets/yc-restic.age

diff --git a/ops/modules/restic.nix b/ops/modules/restic.nix
index 869539603..06e470bb5 100644
--- a/ops/modules/restic.nix
+++ b/ops/modules/restic.nix
@@ -1,15 +1,13 @@
 # Configure restic backups to S3-compatible storage, in our case
-# GleSYS object storage.
+# Yandex Cloud Storage.
 #
-# Conventions:
-# - restic's cache lives in /var/backup/restic/cache
-# - repository password lives in /var/backup/restic/secret
-# - object storage credentials in /var/backup/restic/glesys-key
-{ config, lib, pkgs, ... }:
+# When adding a new machine, the repository has to be initialised once. Refer to
+# the Restic documentation for details on this process.
+{ config, depot, lib, pkgs, ... }:
 
 let
   cfg = config.services.depot.restic;
-  description = "Restic backups to GleSYS";
+  description = "Restic backups to Yandex Cloud";
   mkStringOption = default: lib.mkOption {
     inherit default;
     type = lib.types.str;
@@ -18,9 +16,9 @@ in
 {
   options.services.depot.restic = {
     enable = lib.mkEnableOption description;
-    bucketEndpoint = mkStringOption "objects.dc-sto1.glesys.net";
-    bucketName = mkStringOption "aged-resonance";
-    bucketCredentials = mkStringOption "/var/backup/restic/glesys-key";
+    bucketEndpoint = mkStringOption "storage.yandexcloud.net";
+    bucketName = mkStringOption "tvl-backups";
+    bucketCredentials = mkStringOption "/run/agenix/yc-restic";
     repository = mkStringOption config.networking.hostName;
     interval = mkStringOption "hourly";
 
@@ -36,15 +34,20 @@ in
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets = {
+      restic-password.file = depot.ops.secrets."restic-${config.networking.hostName}.age";
+      yc-restic.file = depot.ops.secrets."yc-restic.age";
+    };
+
     systemd.services.restic = {
-      description = "Backups to GleSYS";
+      description = "Backups to Yandex Cloud";
 
       script = "${pkgs.restic}/bin/restic backup ${lib.concatStringsSep " " cfg.paths}";
 
       environment = {
         RESTIC_REPOSITORY = "s3:${cfg.bucketEndpoint}/${cfg.bucketName}/${cfg.repository}";
         AWS_SHARED_CREDENTIALS_FILE = cfg.bucketCredentials;
-        RESTIC_PASSWORD_FILE = "/var/backup/restic/secret";
+        RESTIC_PASSWORD_FILE = "/run/agenix/restic-password";
         RESTIC_CACHE_DIR = "/var/backup/restic/cache";
 
         RESTIC_EXCLUDE_FILE =
diff --git a/ops/secrets/restic-bugry.age b/ops/secrets/restic-bugry.age
new file mode 100644
index 000000000..293203311
--- /dev/null
+++ b/ops/secrets/restic-bugry.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 wI5oAA TDjaldqySaCEFAPuoUBVMR342403nhkawwtXbsJJenQ
+eoeL2v5mCLksay/24miqYkWLJLLhrUIny4p1/e3/iTY
+-> ssh-ed25519 dcsaLw /KSRH3XUGU7P+Ckpk86PFl8oRfPP/dlLb6zLUW04iH8
+e2nXDvjkd5lzmXflhd820XmGvo/agSxDtfejxM45nhY
+-> ssh-ed25519 zcCuhA pIxJxTWsOyH6Zqunv427jdy1G7BV7Dpjpp2l+HEe/3s
+rxyoDZTQmsGwNB0nCTXNHhc7VCsb11/ynManfsbf5Ss
+-> ssh-ed25519 1SxhRA K8DkqAk5gPfsjTQiTjLGRNR+63uG9ogacsrH69/afGs
+LAt97AuWaPEYG7IlFiIOll9s02cQ+qhrpr0GVXX+e/o
+-> ssh-ed25519 ch/9tw 6eG9psphjjfW6TRTYxqozX9WLhQgC9u2ngR35rpXiH4
+9dFgdqSDKRXAotKKR19l9gqWlTNxuv9r/IcaMZeO9Oc
+-> ssh-ed25519 CpJBgQ /t2M57kxjKDq/UMoh9UnmQvlETqiwqClt0Lg6quqKRk
+oDblqLXxyJ7gTtZzhbStHep62oZK0iXikJ6fi6EW0gM
+-> ssh-ed25519 aXKGcg DVn6XZGaBHAeL4pGMaolO8cSOIKRIhmuDycV65pfxhs
+M6XVDk1Z9BdCoCvK30NDJsKKnURk/XUcRP4t5pZ7JFk
+--- H3D9jfLkrsDOgWfNhUJHZcVGa9dPqr4EuuBU40iJbJs
+{:jÐ† ‚¿÷pVF´x'`è×5Lz‹#yµìÈìÀ¿|"²öÕòû/>èô"QX¹ÓÅJe‰þW*œ‚¸?ðñ
\ No newline at end of file
diff --git a/ops/secrets/restic-nevsky.age b/ops/secrets/restic-nevsky.age
new file mode 100644
index 000000000..f06347b38
--- /dev/null
+++ b/ops/secrets/restic-nevsky.age
@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 xR+E/Q iVPpAC04Up8hrFvnh2RsAXgfrFv2QNk0kwydlGrVslg
+2McWSNxxnPypGs9HKMNCjpHe+g2kxA86G6Drt2HWOeU
+-> ssh-ed25519 dcsaLw Xuw5V21UrJcIwWEoRyI+h60RaoJUdBAJJPqN12TY93U
+X4Wxo2qdBgtzQ8ct2UySnvXr9x0EzqBzSoHTBq9jQ9A
+-> ssh-ed25519 zcCuhA GPMgbaoLctcsQxVtoIPvXUvpfTZEUA2QnvgTXDUiJRI
+wnzHlJC8F45s/VzBjy9xfvDujtH+9uBmoX5OrzXapBA
+-> ssh-ed25519 1SxhRA 3GuXyDOYy6tur+nThpBLKMCvk/2c44XeR+NrLKj3G1Q
+LoVYepF0BiZ4E29ZMzXgOAyloK+UhX+FqiM9pPgngZ4
+-> ssh-ed25519 ch/9tw ihNjsBfasDmfW3Kcg8vQ1tpym9HKIL/qEzwpO7ye0Cg
+brnJzK7V4OV5jLfCFYqNue1oLSpJ88rRNN19KDcMdeM
+-> ssh-ed25519 CpJBgQ SvLMx+bG59LPZNI4EctDnFutMXoh4Otk2yFd17dXVQ4
++LO4a5ARK1mpYaenS1P13ajhpNtxndFvin2Po1h0cwM
+-> ssh-ed25519 aXKGcg VdaJIfDpeet7fzesJ3FGwZhQiAKNzEJMVUXNtbwm8UU
+rMqLrCdx55rzkuqJ3/9SrY6BKdSgHCLgAx8E0rrYVfY
+--- jNvJTcOvsKU6YkgEDBiOI27GBEzNlEg4JymqeKYa/fA
+ˆØ½±V(idóT”L\‚©¯ä°'£çHŽßGgD‘÷^‰vÜ½í1×1c»ñ`®}ž†šêV¢™¦=zàK&ˆ´èÅ
\ No newline at end of file
diff --git a/ops/secrets/restic-sanduny.age b/ops/secrets/restic-sanduny.age
new file mode 100644
index 0000000000000000000000000000000000000000..578871ff117fe22caa2aa6ed6ec63f7ba14d07db
GIT binary patch
literal 913
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4iYO?_4OGZ?DbI+^
zv<S~G%`}UODkv>0@^TBS$S^B*4f4+|sBlU$HSzH>aJER#FyX2!@h?mF%1;c)a4I(o
z4+-{hH8(UViZu3dPcACUEe|g&3Ug0RDReP3wm`QnCAm1!r(B`9%27WtJHRbFF+0yA
zw>Ue^**!8iFxM$0Dy=xA$jjL&J<vb7EZ8T)z<|rKC_l_UFgM4{rK~W~!Z9y7qR>Ai
z)6X+4Ehr)<ve3NJNIxhe)7>nfC?DOns$}QV3`d0`=k$UcWB(8rFaOL`M^F7Q$6S-_
zpb+=Kg22S&Y{McK6VJ-349B39Y!fb%!b<bNqN0$hFc)pZO6}Z&G&64_uf!7L$co4e
z#|S59SAWwgvs738QUi3`41+5&f*ci!67$maeFBV)!@W}jOtX`dy~_hVqw>8gDl1LW
z&4PTKLkzORLJiDJGt;@sGfK^}Q{AJA3yr*-JuA{Z(z5c6Lk;{h-6FCr4LyoegDcGa
z(u*sjaxp?OIYZyFq+G!~$T!g=Gt4C;JTtA*(>>hZ#MdjtFe522%gxo;Tieml+uSqL
zJut_h(v{1#FeN42wJ;;V+ae|0&&8x5SKlbPGBdX{B`nM}L)*(!yV&2w#oOQ1FB#o$
z&IMjh>46HS;V!xURc@s&M!xCprh&!&As%L7QDKz^#vxhxsVRXuMeau4$;OUOF6CS~
z+EpQ$#RW;GMUjR^;kii_+AbNMmQJO?&Jq6U9)_OUrBx;&VOf^tdD-Z;B}RC=C#Nfz
z6?>T!MwI3TxVlz`B&VjkWMozpnpWutn3)#&MdU@6xjL8RMiuIp86|TWW*Qci`xGZT
znOB)+B}E#VX6A;O`iE8~Sr(KhhgSNSmAIQ&hWlAM<|T9K>gp<(hnl)ulqRLPxd!Eg
z=4P6t23w>U8b_6dWheVr7Uwz}hWI9%21SGfy7_W3G}||(Im@uTG23&h!gI;)RQWsC
zZ)`p+7hS$1Uhl=>nAIDNwqK4{6O@}*I3YjzYuan6={Fx8TNUNIEUJ4=)SZRZP2%%U
JuYD)51^}auGD`pe

literal 0
HcmV?d00001

diff --git a/ops/secrets/secrets.nix b/ops/secrets/secrets.nix
index cae95ce5e..f1b3c0555 100644
--- a/ops/secrets/secrets.nix
+++ b/ops/secrets/secrets.nix
@@ -53,6 +53,9 @@ in
   "nix-cache-pub.age" = for [ whitby nevsky ];
   "owothia.age" = for [ whitby nevsky ];
   "panettone.age" = for [ whitby nevsky ];
+  "restic-bugry.age" = for [ bugry ];
+  "restic-nevsky.age" = for [ nevsky ];
+  "restic-sanduny.age" = for [ sanduny ];
   "smtprelay.age" = for [ whitby nevsky ];
   "teleirc.age" = for [ whitby nevsky ];
   "tf-buildkite.age" = for [ /* humans only */ ];
@@ -61,4 +64,5 @@ in
   "tvl-alerts-bot-telegram-token.age" = for [ whitby nevsky ];
   "wg-bugry.age" = for [ bugry ];
   "wg-nevsky.age" = for [ nevsky ];
+  "yc-restic.age" = for [ nevsky sanduny bugry ];
 }
diff --git a/ops/secrets/yc-restic.age b/ops/secrets/yc-restic.age
new file mode 100644
index 0000000000000000000000000000000000000000..7ba554f3a2694ee0995ba7dd246ad750e4ccaac6
GIT binary patch
literal 1209
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTy2-0@d4^*ghtH|;;
z_jD_8^Yym$)=n&|G%q$Z*LRJ~4Azbc_RKCxD$veK49xK}%IC813oEfmtnza8GV-x3
z$}IH?uFN+J$_<W)a&!*yHTTF$@rtTUbTUiRPe-@SDWaexH&7uY%hx^CJ4nBz($hP#
zAWXk3ry|2MFgH2SGSbN;EkDpFB|9QmJIJ*x!j&u7*x4+*!r!AXFF3H&IMFBDJgPF+
z(X%WdEWo0`FvQfc+{HE2u&Bg1(-+;ga!=EIM@NOM!sK-0oRU(f;&eZ^z<`1>SC^zn
z=X8_s3YVNr{R+<#^E{{2$dddpw{k9h|H_<1!=&UeM;9lTFoOywFTa4yOy_`#{J=cV
z{NzjvqdfhJGBdLXpK^5DQj&`keaaQek^(*RqRNBa@>7hHEOVng()`QHokI*<OZ=lM
zoDEZ*Q@uQrqrA+@a?80Yom@hS1C8`EiwYgH65UG7@&YV#D@;-oT`D8fTzoPs!*cwR
z^&JZXeKA6^D%rU-!%?B!EF&kaB&}4xtgt-O$l1U=uQD<%J;*R6)iOQQv)C}*Jh{-R
z#3;kXz=SK@&od;@%&5Z8r`SKuyrR;jD%deN)7ZlzE7CjA)iB%9+(0|eAS>6?#RT1N
zhQSpXL5>O@<u2i#?kS#`8Nqq_&gtofC1s9Yl}`S_zDZ$8rm4Ys#y(CV?jgQ@mA+hA
zk>%cgeuk-0-Y({T-We{*`hID~<pq`ng_TuanI?%jVJ3#*-bHzpVae#WC1>bcmXs?L
z8JHH8n+7Ghns{iN8%Cy^1%~IFL|LRHyPJ4A8zvc)Sp=6FIi;9qx<_)kdb(7Z>0A0{
zco;^R1%w*scvV^^<~T;08AOH#S!PES6&0ozrFcY{l{uo@=3L<Alpd&HTJGgo98{U?
zpOKduVrHJLUmETeW$NMPZ62AHnw?!@;u%~J>{Maq9AdzgX6RF(uWeBkW>n;5;p`d^
z6zE&wlUb4BlAl=Ml9XH;=~o&W=pI~L6`GH3TVjN_dvdyhezs##vPpPOaZ+hoaj9Eq
znMqc9cwmmVzQ2=mj!#&nMPNx$Zbo2Ql7|IXWn@`JW>#foiBXnmK#+g7g@2HxU$JX}
zrF%t|Ns@brv6p{Ngr~lHu7@L+uCA_vTcw|KVM$V8n74_Eet2P2g=b{2TbPBTNls*N
zvA%gon3H#8N_nAgx`6?g(WcZCwp}x}_RVvU>NnZ-y=|H1{_Qi`CrDi^_%~DYu)Oee
zyTrMY`Yn6?B>AVc^6!1EWcyf8jY&~)qanl5rvA=2-qZyr8_KR_B#1rYo1*pW_EW|?
zGM4qmX9c%py|-6=bz{bjEw63LFSpxlPx}7FZ$nx`=#ozd?QTu!o!D7qFYU6QrE&51
Vz8#Fc?gHDwKPYg0-s{3G0RTwXm?{7O

literal 0
HcmV?d00001