authorFranck Cuny <franck@fcuny.net>2025-06-30 12:58:03 -0700
committerFranck Cuny <franck@fcuny.net>2025-06-30 12:58:03 -0700
commit35e7f35d0e4809d752a5dc02c1ec3521fc452ffb (patch)
treeeccfe53fd096f3dcd9e25c2807d0bc6c444bbf78 /nix
parentadd configuration for vm-synology (diff)
downloadinfra-35e7f35d0e4809d752a5dc02c1ec3521fc452ffb.tar.gz
backup the VM to Google Cloud Storage
For now we only back up git repositories.
Diffstat (limited to '')
-rw-r--r--nix/lib/mkSystem.nix1
-rw-r--r--nix/machines/vm-synology/backups.nix40
-rw-r--r--nix/machines/vm-synology/default.nix14
-rw-r--r--nix/machines/vm-synology/git.nix36
4 files changed, 54 insertions, 37 deletions
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index 2bd36bd..c069a3f 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -36,6 +36,7 @@ systemFunc rec {
{ nixpkgs.overlays = overlays; }
inputs.disko.nixosModules.disko
+ inputs.agenix.nixosModules.default
machineConfig
userOSConfig
diff --git a/nix/machines/vm-synology/backups.nix b/nix/machines/vm-synology/backups.nix
new file mode 100644
index 0000000..69dcb6e
--- /dev/null
+++ b/nix/machines/vm-synology/backups.nix
@@ -0,0 +1,40 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+let
+ environmentFile = toString (
+ pkgs.writeText "restic-gcs-env" ''
+ GOOGLE_PROJECT_ID=fcuny-backups-464518
+ GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path}
+ ''
+ );
+in
+{
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
+ services.restic.backups.git = {
+ passwordFile = config.age.secrets.restic_password.path;
+ environmentFile = environmentFile;
+ repository = "gs:fcuny-backup:/vm-synology";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [
+ "--exclude-caches"
+ "--compression=max"
+ ];
+ timerConfig = {
+ OnCalendar = "daily";
+ };
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ ];
+ };
+}
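Review bot: `timerConfig` sets only `OnCalendar`, which as far as I recall replaces the module default that also carries `Persistent = true`, so a run missed while the VM is powered off would not be caught up; adding `Persistent = true;` restores that. The `pkgs.writeText` environment file lands in the world-readable Nix store, which is fine as written because it holds only the project id and the path to the agenix-decrypted key. A comment such as `# store path is world-readable: only non-secret values and paths to secrets belong here` would keep a later edit from putting a secret there. Because `pruneOpts` is set, the service account presumably needs delete rights on the bucket, so bucket-side object versioning or soft delete is worth considering so that a compromised host cannot remove backup history on its own.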
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
index 8ced4e1..dd004f6 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -1,8 +1,20 @@
{ pkgs, ... }:
{
+ age = {
+ secrets = {
+ restic_gcs_credentials = {
+ file = ../../../secrets/restic_gcs_credentials.age;
+ };
+ restic_password = {
+ file = ../../../secrets/restic_password.age;
+ };
+ };
+ };
+
imports = [
- ./hardware.nix
+ ./backups.nix
./git.nix
+ ./hardware.nix
];
# Use the systemd-boot EFI boot loader.
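Review bot: The two `age.secrets` entries declare only `file`, so they rely on the agenix defaults for owner and mode, whereas the commented-out configuration this commit removes from git.nix spelled out `owner`, `group` and `mode`. The defaults (root-owned, readable by the owner only, as far as I know) fit a restic job that runs as root, but the dependency is worth stating, for example `# decrypted with agenix defaults (root-only); restic runs as root`. That way a later change to the backup job's user would not silently break the read, or tempt someone to loosen the mode. The enclosing attribute set continues outside this hunk, and the recipient list for the new `.age` files is not visible in this path-limited diff.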
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
index 6ca6ec7..27eebc7 100644
--- a/nix/machines/vm-synology/git.nix
+++ b/nix/machines/vm-synology/git.nix
@@ -1,6 +1,5 @@
{ pkgs, ... }:
{
-
services.gitolite = {
enable = true;
adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
@@ -23,39 +22,4 @@
defaultBranch = main
''}"
];
-
- # # TODO also rsync the backups to the nas
- # # TODO need the ssh key for the nas for rsync ?
- # age.secrets.restic = {
- # file = ../../../secrets/restic-backups.age;
- # owner = "root";
- # group = "root";
- # path = "/etc/restic/secret";
- # mode = "600";
- # };
-
- # # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
- # services.restic.backups.git = {
- # passwordFile = "/etc/restic/secret";
- # repository = "/srv/backups/git";
- # initialize = true;
- # paths = [ "/var/lib/gitolite" ];
- # exclude = [
- # "/var/lib/gitolite/.bash_history"
- # "/var/lib/gitolite/.ssh"
- # "/var/lib/gitolite/.viminfo"
- # ];
- # extraBackupArgs = [
- # "--exclude-caches"
- # "--compression=max"
- # ];
- # timerConfig = {
- # OnCalendar = "daily";
- # };
- # pruneOpts = [
- # "--keep-daily 7"
- # "--keep-weekly 4"
- # "--keep-monthly 3"
- # ];
- # };
}