backups: Switch to hetzner storage box

Tristan Daniël Maat 2024-03-18 05:05:54 +01:00
parent f43f8742d9
commit c161eeb056
Signed by: tlater
GPG key ID: 49670FD774E43268
3 changed files with 63 additions and 29 deletions
configuration


@ -24,6 +24,24 @@
inherit name text;
runtimeInputs = packages;
});
# *NOT* a TOML file, for some reason quotes are interpreted
# *literally
rcloneConfig = pkgs.writeText "rclone.conf" ''
[storagebox]
type = sftp
user = u395933
host = u395933.your-storagebox.de
port = 23
key_file = ${config.sops.secrets."restic/storagebox-ssh-key".path}
shell_type = unix
'';
resticEnv = {
RESTIC_PASSWORD_FILE = config.sops.secrets."restic/storagebox-backups".path;
RESTIC_REPOSITORY = "rclone:storagebox:backups";
RCLONE_CONFIG = rcloneConfig;
};
in {
options = {
services.backups = lib.mkOption {
@ -120,13 +138,11 @@ in {
# Doesn't hurt to finish the ongoing prune
restartIfChanged = false;
environment = {
RESTIC_PASSWORD_FILE = config.sops.secrets."restic/local-backups".path;
RESTIC_REPOSITORY = "/var/lib/backups/";
RESTIC_CACHE_DIR = "%C/restic-prune";
};
environment = resticEnv;
path = with pkgs; [
openssh
rclone
restic
];
@ -145,11 +161,6 @@ in {
CacheDirectory = "restic-prune";
CacheDirectoryMode = "0700";
ReadWritePaths = "/var/lib/backups/";
# Ensure we don't leave behind any files with the
# temporary UID of this service.
ExecStopPost = "+${pkgs.coreutils}/bin/chown -R root:backup /var/lib/backups/";
};
};
}
@ -158,17 +169,24 @@ in {
# Don't want to restart mid-backup
restartIfChanged = false;
environment = {
RESTIC_CACHE_DIR = "%C/backup-${name}";
RESTIC_PASSWORD_FILE = config.sops.secrets."restic/local-backups".path;
# TODO(tlater): If I ever add more than one repo, service
# shutdown/restarting will potentially break if multiple
# backups for the same service overlap. A more clever
# sentinel file with reference counts would probably solve
# this.
RESTIC_REPOSITORY = "/var/lib/backups/";
};
environment =
resticEnv
// {
RESTIC_CACHE_DIR = "%C/backup-${name}";
};
path = with pkgs; [
coreutils
openssh
rclone
restic
];
# TODO(tlater): If I ever add more than one repo, service
# shutdown/restarting will potentially break if multiple
# backups for the same service overlap. A more clever
# sentinel file with reference counts would probably solve
# this.
serviceConfig = {
User = backup.user;
Group = "backup";
@ -183,8 +201,8 @@ in {
ExecStartPre =
map (service: "+${mkShutdownScript service}") backup.pauseServices
++ singleton (writeScript "backup-${name}-repo-init" [pkgs.restic pkgs.coreutils] ''
restic snapshots || (restic init && chmod -R g+rwx "$RESTIC_REPOSITORY"/*)
++ singleton (writeScript "backup-${name}-repo-init" [] ''
restic snapshots || restic init
'')
++ optional (backup.preparation.text != null)
(writeScript "backup-${name}-prepare" backup.preparation.packages backup.preparation.text);
@ -220,10 +238,14 @@ in {
})
config.services.backups;
users.groups.backup = {};
systemd.tmpfiles.rules = [
"d /var/lib/backups/ 0770 root backup"
];
users = {
# This user is only used to own the ssh key, because apparently
# the ssh client checks file permissions and is stuck in 1980.
users.backup = {
group = "backup";
isSystemUser = true;
};
groups.backup = {};
};
};
}
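Review bot: The rclone `[storagebox]` section in the first hunk (`type = sftp` through `shell_type = unix`) sets `key_file` but no `known_hosts_file`, and rclone's sftp backend only validates the server host key when that option is set, so as written the client authenticates to u395933.your-storagebox.de but nothing checks that the far end really is the storage box. Adding `known_hosts_file = ${pkgs.writeText "storagebox-known-hosts" "<HOST KEY LINE PLACEHOLDER>"}` pins the host key (it is public, so a store path is fine), and a comment `# Pin the storage box host key; rclone skips host key verification without this` explains why the line must stay. The `let` binding this config lives in starts before the hunk.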


@ -36,6 +36,16 @@
group = "backup";
mode = "0440";
};
"restic/storagebox-backups" = {
owner = "root";
group = "backup";
mode = "0440";
};
"restic/storagebox-ssh-key" = {
owner = "backup";
group = "backup";
mode = "0040";
};
# Steam
"steam/tlater" = {};
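Review bot: The `restic/storagebox-ssh-key` entry sets mode `0040` with owner `backup`, which leaves the owner itself with no permission bits and grants read access through the `backup` group only; the reason (the owner exists just to satisfy the ssh client's permission check, and the per-service backup users read the key via the group) is explained in the other file but not here, where the mode is actually chosen. A comment above the entry, `# Owner bits are empty on purpose: the key is read through the backup group by the per-service users, see services.backups`, would keep a later reader from "fixing" it to 0400 and breaking the backups. It is also worth stating that the group read bit makes the private key readable by every member of group `backup`, i.e. every backup service user, which appears intended. The `sops.secrets` attribute set this entry belongs to starts before the hunk.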