Diffstat (limited to '')
| -rw-r--r-- | docs/backups.org | 18 | ||||
| -rw-r--r-- | nix/machines/vm-synology/backups.nix | 43 | ||||
| -rw-r--r-- | nix/users/fcuny/shell.nix | 1 | ||||
| -rw-r--r-- | secrets/restic_gcs_credentials.age | bin | 2688 -> 2661 bytes |
4 files changed, 49 insertions, 13 deletions
diff --git a/docs/backups.org b/docs/backups.org
index 605ba55..f9906f1 100644
--- a/docs/backups.org
+++ b/docs/backups.org
@@ -1,13 +1,15 @@ * General -Backups are managed with =restic= and are stored directly to a Google Cloud Storage Bucket. +Backups are managed with =restic= and are stored locally and also on a Google Cloud Storage Bucket. These are two different backups, they are executed at different time, and there should be no assumptions that they are identical. -Access to the bucket is managed via service account. +There's a single password for all the repositories, it's managed with =agenix=, and the file is under secrets (=restic_password.age=). +** Remote backup +Access to the bucket is managed via service account. Each machine has its own repository. -Each machine has its own repository. +The service account key is stored in JSON and also encrypted with =agenix=. -There's a single password for all the repositories, it's managed with =agenix=, and the file is under secrets (=restic_password.age=). The service account key is stored in JSON and also encrypted with =agenix=. +| bucket | [[https://console.cloud.google.com/storage/browser/fcuny-infra-backups;tab=objects?forceOnBucketsSortingFiltering=true&hl=en&inv=1&invt=Ab2J4Q&project=fcuny-infra&prefix=&forceOnObjectsSortingFiltering=false][fcuny-infra-backups]] | +| project | fcuny-infra | +| service account | [[https://console.cloud.google.com/iam-admin/serviceaccounts/details/118261378048653759345?inv=1&invt=Ab2J-w&project=fcuny-infra&supportedpurview=project][restic]] | -|-----------------+----------------------| -| bucket | [[https://console.cloud.google.com/storage/browser/fcuny-backup/vm-synology/data/c1?pageState=(%22StorageObjectListTable%22:(%22f%22:%22%255B%255D%22))&inv=1&invt=Ab1hkA&project=fcuny-backups-464518&supportedpurview=project][fcuny-backup]] | -| project | fcuny-backups-464518 | -| service account | [[https://console.cloud.google.com/iam-admin/serviceaccounts?inv=1&invt=Ab1hkA&project=fcuny-backups-464518&supportedpurview=project][restic]] | +* Managing backups +The path to the repository and the 
password file are exported as environment variables, to make it easier to interact with the backups.
diff --git a/nix/machines/vm-synology/backups.nix b/nix/machines/vm-synology/backups.nix
index 69dcb6e..cf3c65b 100644
--- a/nix/machines/vm-synology/backups.nix
+++ b/nix/machines/vm-synology/backups.nix
@@ -1,22 +1,45 @@ { - pkgs, config, + pkgs, ... }: let environmentFile = toString ( pkgs.writeText "restic-gcs-env" '' - GOOGLE_PROJECT_ID=fcuny-backups-464518 + GOOGLE_PROJECT_ID=fcuny-infra GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path} '' ); in { - # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix - services.restic.backups.git = { + services.restic.backups.local = { + passwordFile = config.age.secrets.restic_password.path; + repository = "/srv/data/backups/"; + initialize = true; + paths = [ "/var/lib/gitolite" ]; + exclude = [ + "/var/lib/gitolite/.bash_history" + "/var/lib/gitolite/.ssh" + "/var/lib/gitolite/.viminfo" + ]; + extraBackupArgs = [ + "--exclude-caches" + "--compression=max" + ]; + timerConfig = { + OnCalendar = "daily"; + }; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 4" + "--keep-monthly 3" + ]; + }; + + services.restic.backups.gcs = { passwordFile = config.age.secrets.restic_password.path; environmentFile = environmentFile; - repository = "gs:fcuny-backup:/vm-synology"; + repository = "gs:fcuny-infra-backups:/vm-synology/"; initialize = true; paths = [ "/var/lib/gitolite" ]; exclude = [
@@ -37,4 +60,14 @@ in "--keep-monthly 3" ]; }; + + environment = { + sessionVariables = { + RESTIC_REPOSITORY = "/srv/data/backups"; + RESTIC_PASSWORD_FILE = config.age.secrets.restic_password.path; + }; + systemPackages = with pkgs; [ + restic + ]; + }; }
diff --git a/nix/users/fcuny/shell.nix b/nix/users/fcuny/shell.nix
index d54e7e0..994570b 100644
--- a/nix/users/fcuny/shell.nix
+++ b/nix/users/fcuny/shell.nix
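Review bot: The new `services.restic.backups.local` block repeats every setting of the `gcs` block except `repository` and `environmentFile` (`passwordFile`, `initialize`, `paths`, `exclude`, and apparently `extraBackupArgs` and `pruneOpts`, whose gcs values sit in the unchanged region between the two hunks), so an exclusion or retention change made to one backup will silently not reach the other; hoisting the shared attrset into the `let` and merging with `//` keeps both repositories in step, as sketched below, assuming the unseen gcs values really match the local ones. If the gcs `timerConfig`, which lies outside the hunk, is also `OnCalendar = "daily"`, both jobs fire at the same instant, contrary to the doc's statement that the two backups run at different times; a `RandomizedDelaySec` entry in `timerConfig` or distinct calendar expressions would separate them. `environment.sessionVariables` now advertises `RESTIC_PASSWORD_FILE` to every login session on the host, which is fine only while the agenix secret's owner/mode (declared outside this hunk) keeps that file readable by root alone — a comment such as `# password file is root-only; interactive restic use needs sudo` would make that dependency explicit. Since `GOOGLE_PROJECT_ID` moves to `fcuny-infra` and the credential blob is replaced, the key for the previous project presumably remains valid until revoked on the provider side; worth tracking as a follow-up.
```nix
let
  # … unchanged: environmentFile …
  # Settings common to both repositories; only repository, environmentFile and timer differ.
  common = {
    passwordFile = config.age.secrets.restic_password.path;
    initialize = true;
    paths = [ "/var/lib/gitolite" ];
    exclude = [
      "/var/lib/gitolite/.bash_history"
      "/var/lib/gitolite/.ssh"
      "/var/lib/gitolite/.viminfo"
    ];
    extraBackupArgs = [
      "--exclude-caches"
      "--compression=max"
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
in
{
  services.restic.backups.local = common // {
    repository = "/srv/data/backups/";
    timerConfig = {
      OnCalendar = "daily";
    };
  };

  services.restic.backups.gcs = common // {
    environmentFile = environmentFile;
    repository = "gs:fcuny-infra-backups:/vm-synology/";
    # … unchanged: timerConfig, then the environment block …
```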
@@ -19,6 +19,7 @@ in jless # jless - a better cat jq # jq - a better json procs # procs - a better ps + restic # to manage backups ripgrep # ripgrep - a better grep shellcheck # shell script linter tree # tree - a better ls
diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age
Binary files differ
index 7debd57..8ee6981 100644
--- a/secrets/restic_gcs_credentials.age
+++ b/secrets/restic_gcs_credentials.age |
