From 25eb9e37669c2d133005c7b2d9a7b0a9cdeeebdd Mon Sep 17 00:00:00 2001 From: oddlama Date: Mon, 15 Jan 2024 01:42:04 +0100 Subject: [PATCH] feat: add restic backup to hetzner storage box --- flake.lock | 12 ++-- flake.nix | 6 +- hosts/sire/guests/samba.nix | 2 +- modules/default.nix | 1 - modules/restic.nix | 57 ------------------ nix/setup-hetzner-storage-boxes.nix | 12 ---- .../sire-samba/restic-encryption-password.age | Bin 0 -> 491 bytes .../sire-samba/restic-ssh-privkey.age | 11 ++++ users/myuser/secrets/user.nix.age | Bin 3115 -> 3146 bytes 9 files changed, 23 insertions(+), 78 deletions(-) delete mode 100644 modules/restic.nix delete mode 100644 nix/setup-hetzner-storage-boxes.nix create mode 100644 secrets/generated/sire-samba/restic-encryption-password.age create mode 100644 secrets/generated/sire-samba/restic-ssh-privkey.age diff --git a/flake.lock b/flake.lock index 8b3e6e9..530481c 100644 --- a/flake.lock +++ b/flake.lock @@ -53,11 +53,11 @@ "pre-commit-hooks": "pre-commit-hooks" }, "locked": { - "lastModified": 1696078264, - "narHash": "sha256-NF5G9CHaVWDD6DY0TP8z0cx30dAL1ciFYcVidVvb+NA=", + "lastModified": 1705278709, + "narHash": "sha256-CNJSc6tp12UZKAprviztJ509yAblteK4GiWwKewWEPQ=", "owner": "oddlama", "repo": "agenix-rekey", - "rev": "e529da8197f024c0069c4fde6237505e305b8d0a", + "rev": "e02a57e08224422934974f19853d4d70ed7eaaaa", "type": "github" }, "original": { @@ -981,11 +981,11 @@ "pre-commit-hooks": "pre-commit-hooks_3" }, "locked": { - "lastModified": 1704999567, - "narHash": "sha256-Whj1PFPomS/f97OD30CRrETTH/dmnUJdjEevDLJG4MM=", + "lastModified": 1705279209, + "narHash": "sha256-Lfd9gpDcsF5EaBdHNVrSQtXqs1B7wx1lXiW4nKvxrQw=", "owner": "oddlama", "repo": "nixos-extra-modules", - "rev": "4744a2844cd74ca9b122fbaaae5ae97159c0d30e", + "rev": "a776d7c47663029588aec52fb7ac941fa8bbd8bd", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 96cf412..0ea19ca 100644 --- a/flake.nix +++ b/flake.nix 
@@ -160,7 +160,11 @@ ; } // flake-utils.lib.eachDefaultSystem (system: rec { - apps.setupHetznerStorageBoxes = import ./nix/setup-hetzner-storage-boxes.nix self; + apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-box.nix") { + inherit pkgs; + nixosConfigurations = self.nodes; + decryptIdentity = builtins.head self.secretsConfig.masterIdentities; + }; pkgs = import nixpkgs { inherit system; diff --git a/hosts/sire/guests/samba.nix b/hosts/sire/guests/samba.nix index 1e9c9c7..0c2c601 100644 --- a/hosts/sire/guests/samba.nix +++ b/hosts/sire/guests/samba.nix @@ -223,7 +223,7 @@ in { enable = true; inherit (box) mainUser; inherit (box.users.samba) subUid path; - sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.path; + sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile; }; user = "root"; diff --git a/modules/default.nix b/modules/default.nix index d8c96bb..337663b 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -34,7 +34,6 @@ ./oauth2-proxy.nix ./promtail.nix ./provided-domains.nix - ./restic.nix ./secrets.nix ./telegraf.nix ./wireguard-proxy.nix diff --git a/modules/restic.nix b/modules/restic.nix deleted file mode 100644 index ab1697d..0000000 --- a/modules/restic.nix +++ /dev/null 
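Review bot: `decryptIdentity = builtins.head self.secretsConfig.masterIdentities;` silently commits the setup app to whichever master identity happens to be listed first, and fails with an opaque `list is empty` error if none is configured; the age header of the new `restic-ssh-privkey.age` shows two recipient types (X25519 and piv-p256), so if both are master identities the choice of which one the app will ask for (file key vs. hardware token) is made by list order alone. A one-line comment would make that dependency explicit, e.g. `# The setup app decrypts secrets with the FIRST master identity; keep the one you want to be prompted for at the head of masterIdentities.` If the list can be empty in some checkouts, guard it before `head` so evaluation fails with a readable message. The `eachDefaultSystem` body this attribute lives in continues past the hunk.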
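Review bot: `sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile;` now hands the module the age-encrypted file rather than the decrypted runtime path that `.path` gave before; the local module this commit deletes passed that value straight to `ssh -i`, so correctness now rests on the upstream `nixos-extra-modules` option resolving it back to the decrypted secret on the host, which this diff does not show. A short comment at the assignment would stop the next reader from "fixing" it back to `.path`, e.g. `# Encrypted rekeyFile, not .path: the upstream module derives the runtime key path itself, and the setup app needs the encrypted file to decrypt it with the master identity.` It is also worth confirming, on the host, that the resulting restic `sftp.command` references a non-store path with mode 0400, since the deleted module explicitly warned against a store path here. The enclosing `services.restic.backups` attribute set begins before the hunk.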
@@ -1,57 +0,0 @@ -{lib, ...}: let - inherit - (lib) - mkEnableOption - mkIf - mkOption - types - ; -in { - options.services.restic.backups = { - type = types.attrsOf (types.submodule ({config}: { - options.hetznerStorageBox = { - enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH."; - - mainUser = mkOption { - type = types.str; - description = '' - The main user. While not technically required for restic, we still use it to - derive the subuser name and it is required for the automatic setup script - that creates the users. - ''; - }; - - subUid = mkOption { - type = types.int; - description = "The id of the subuser that was allocated on the hetzner server for this backup."; - }; - - path = mkOption { - type = types.str; - description = '' - The remote path to backup into. While not technically required for restic - (since the subuser is chrooted on the remote), we'll still use it to set - a sane repository and it is required for the automatic setup script that - creates the users. - ''; - }; - - sshPrivateKeyFile = { - type = types.path; - description = "The path to the ssh private key to use for uploading backups. Don't use a path from the nix store!"; - }; - }; - - config = let - subUser = "${config.hetznerStorageBox.mainUser}-sub${toString config.hetznerStorageBox.subUid}"; - url = "${subUser}@${subUser}.your-storagebox.de"; - in - mkIf config.hetznerStorageBox.enable { - repository = "sftp://${url}:23${config.hetznerStorageBox.path}"; - extraOptions = [ - "sftp.command='ssh -s sftp -p 23 -i ${config.hetznerStorageBox.sshPrivateKeyFile} ${url}'" - ]; - }; - })); - }; -} diff --git a/nix/setup-hetzner-storage-boxes.nix b/nix/setup-hetzner-storage-boxes.nix deleted file mode 100644 index c39f4cd..0000000 --- a/nix/setup-hetzner-storage-boxes.nix +++ /dev/null 
@@ -1,12 +0,0 @@ -self: system: let - pkgs = self.pkgs.${system}; -in { - type = "app"; - drv = pkgs.writeShellApplication { - name = "setup-hetzner-storage-boxes"; - text = '' - set -euo pipefail - - ''; - }; -} diff --git a/secrets/generated/sire-samba/restic-encryption-password.age b/secrets/generated/sire-samba/restic-encryption-password.age new file mode 100644 index 0000000000000000000000000000000000000000..8eb5d950f9f4ced1a480f58a72aa19f58eb14b96 GIT binary patch literal 491 zcmWm9yNlCc008itgVPNnh!9W^3ArY1lk^+BBe|rHuW6g)YtlBjB)z;Y?Q6kwE=UIMaFgza~Dv8+Ch*3Fc#bxeGh_wV;zqIb| z-6Fk(V-*g5?@oSS$9gE9BBIGDRJYUvWg@hx5cUCB)4pq4%fr!3slqBWEn;7EWz#on z^u8EoZo~5+k=A%DTC}-zNjbu}lR3O-+ZCZh@c%KOwJ$JhML)hiz!e7|U% zUA*Krf8RWRe8WF|b^XUf1Wvv^d#|;&{+xXNm~38y+fOrj?`zpN<+tz7H1^54vHffJ N#rpi1MO*OGqkrcZsz3k$ literal 0 HcmV?d00001 diff --git a/secrets/generated/sire-samba/restic-ssh-privkey.age b/secrets/generated/sire-samba/restic-ssh-privkey.age new file mode 100644 index 0000000..62705eb --- /dev/null +++ b/secrets/generated/sire-samba/restic-ssh-privkey.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> X25519 0K6SeoPQ4PZEq1wtc/G8b7i1Yt058S9AAmOsq2PcNS8 ++nAjk48dcVmB+Hq176YIfIt3tLGJ6iNpu5JLqmUCtpk +-> piv-p256 xqSe8Q A9UeuVP5wOGWEIKsNv6W2ph7IyKbeGL+wpIUs7EgJ+YK +ZPPXzqPBqZrWOS9PTbwDOj/j7jdVx+lLaatWy6A80gs +-> o&IA4Bk-grease +BYDzN8CfuLcHoE5qwego27meyCd/JwHoJroG585ZCEKc7gefGZL1xnCI8AvZUoeI +/Q4CQpOmdFGCFDsTv17qIvt/EsBMU7b48EEgRg +--- X7tInW7b9ibkZpVVGD4+Y4q7b+ymjQCwpt/lUF/W1BA + ;Ze +\S~T47sg@(i(!\ V 6_.{$teWF&68ZWN̒=>2qX6To :p2GuMP,Uip߹v#VN8 \ No newline at end of file 
diff --git a/users/myuser/secrets/user.nix.age b/users/myuser/secrets/user.nix.age index 3fc0b5f6d1033cb8b0a963e9f3a1fa1b3a6ca013..025279d218a6db21d038848db2d3bce5353fbbc9 100644 GIT binary patch delta 3145 zcmV-P47T&D7|IxsAb(P6Sx8r5RCHlDZ+0|6Fi2)NR4+7HXGn2LD{f47aBgN!P*86} zacXu}NeXvjWl(8zIYD(vY)&{(YHeauGIcO3M_FYsHgi*9F;hZWQFtqOS8_IUcM2^& zAaH4REpRe5HXwL$Q)M_&AVGCbT48iTVnuK=D{e_uWi)9)Zhuy9PDV0qS~yB_MM^7W zM00p-a!@!mQcMb3Ofgw^a5*_)WKvF5Npn+qRYOB^O;%7sD|$CHNHuG9R!n*_Xf!i# zP&5iHJ|JvlUM**GWnpt=ATdW|VRaxtIB8T>R&Qb;ZBAWSAShXAKtVDnLJDU|O?Yxw zGEP}pPcTe)Qh#fBR!?(rN=#H@K`Uo%GHo+w zOJ{CNY(XzgYe`RbZ&x=~Q)db-EiE8%ZFWm|O-N!`QGY^7VrVrmS}!(PG)+`Aa!YV? zY*#s0P&rv=OmBE|XhTs7Yg^NToBS*M0NlJ;K`4WVk9CfJj`Z;5W2BjX|5_aD(e{%S zXSbiWmw4gxK)oMQ(OjjcyQ+m;cN2W2bkel+&vBQ=wACOfk>1aoAtZmq@1kr@Iy|6* z0S>TI^?!>MhpuU9Q5;|aLje{8;Zm`p7=);^7mVRLIdhTq{3tdbeOk=xM{Zo&Lt&2p zTyI2o0Pc{Nc?4KnTaiL8u~MsNYqm{FS-x$h!GGlY@4ay8Fz9CTZ;J&7!WwBFaBMAU zta(Sg+E~U|Y?$>tIXt?pxYmCx8_=L$oqPiE+$vlgLg<5WlfuFd@Dn&he%E29t}2|` zZP&q3Z&zX1Alwnvo6e*^HuCZ&JNU5D^A_8h8rgu*E%`Qs$z18H<9S-@p>;d!zvv6unun?U%t^bd8!yh9m7p?p(Q^ zn*Z0z8UIJQBaEQ2P7%WHcnDR&+O`fIPZ|V{TZmVJ4(bDjiD72 zr1}_!Tk&rzTp8!xA6Jk!Y)3Tewm>(9Ab%Z5k-VI(J5bC&5N2M$0|C^CuwTQx!ck9H zUHKVFXD_S*%{T*g2NJ(HdIpj_`G9)USA;`%=J{NyDHn^@r6fUtZfXjMcD8xvuSrmF zY~LF&Tc+k{4TT#bgc(PV-GeA!oxRR%^B4;4>y^X^$RNW6rz46~B!hw-)T_SLU4Oh> zr3dy)Xi_9MezU;ADo&$(ew~PbN0fR{Q1(dkzzRB~SAHH_$NvWl73831F>qwzHW&Vw zmv&~qgIfh3Xxe{9dX2U=8E>(@6xp! 
zyXVGBH6{QSSynVr6<%<(K|<^2Io^nh!bZP32dPqC2Aj>-1|TY`$MOT@FC~-8;8_MSsRz5NWX59_AwxVTVFGiRz&&6+)sVowkWrm1{PI-{6_k zUllG0%Y-!9tagVmvocMxLzn)<8rzS5pmM6bJ48VxUAYVXw<-i&z1JsxJ1T}id;s;F zl(RvBV?wAP+pRdiWBM??^0arzu@8-+FRf&J99kL;sQ)_>QdJ<$_W*O03_&oH^~=Nw z1fB@1t}@q&z1?*UH-Ge7LMdx3|8VH3Ix=M2p*5w@lVgupe7!RE>i_Y&?)`gJDE~In zs6E$rO<;o_4bKix>eXLwx;hgL6Lc9mi+e4E2ajeog){Z#ccgT*%11uL>7ofv|M zhEcNyc?Pf@*w`s8EYQ{6rT+3iMRQ&RL+W7>1-Pf}cFNyOP7);B^`VijAX@Z0AWr%r z^;&GAPp)jMlxnx&<}=+A9lXX(j_9xfp9pj5`Uat=EjjMOmh#0UDIY{TuYi;#-2S-h zV8}$1x_^zrT2C8JbWCQrVaAgbM(LDwGqW zEbAaND~d`G{jb?!n!FO6jVi^!QEmf|V1ab@lpb-RN|PrW#;wf0LBo%oR=Y=gLxMc) z%71%BTI;bHF|5KBjS{^3BCYG~+jL|b9#XAt;0W}p3UkTB9bq$N?4v_?&qDeOzCS`L zTvdyefVf~)_&C*mwo}GEV5%qT<^>H$0k*H$fmO;ob|_)aHm_b0HHO;R&uNbgjov{# zk*pylfXuq+k_c$>yyN!o8c?{cU=kIm&42!UzcfZ*AtrHFLmHucPW8^wMvs~1*I9g3 z_|2U2@5t^Pmso1aoA=}T_ezm$D30-g#u>3PQqZDP`PUlCX$K;7js7BfnI0a$eP&UUCMG1y)h>BWXb6uu)6>~@rs(Z@GQ`Y?4NfQ_AIiO=_ zsf`UWQYY1nrth#_Q(@_ca-6x#Du%gS?u-sHm3Gs7nHn-I|HTRNP>sM^Z+gSoBZd8%)UyDnmG$)|hm2%Y2awYt(V4ljxvT%TF1gp}yuK zYapGo>0=HlB%@F**~pkNFhoD|lELQlg-F?!SRt4l)EJWSm#x>HXuWjr%zu%?Xi3a4 zbFeim?@b_hPFv<<%z!KOHY(yKdK>Hh;N?AT)mki?pas49q+-W-j}6ef4L7g25xfiSTnr^d96R;Y`c-U?uf*OvrKTlu>Eg%c%EjT19u^@HHedA# z7imc)VRK4Q#VQ~XUu_->_d7^@hNAb)yPZc12mS50taLT6`LXLnj+SaU0CVL5VFD|KoySy@p>M{Pn% zVOTF{V+wRmNJ?TvQ$ubMPg7cScM2^& zAaH4REpRe5HXwL$Q)M_&AVFtCZgNg!VL47Ua&Bf?Qbsm1MSpriXG|+hZc}Yx$QbkL1!JhDX>op$wJ%}x>R%6#Dv0Va#c9O!Q%^KwW-hRr z;2J9GVSjteI!3TrxDpx)m{7J^-pSY#ppvJH^m8qVgN;|8VC*KDcQQcUP(>h7y4)JN zHKIvtduUY~NC(iAA)V{Or=aR811n)gaE&lP2noe*j{c=r;JCKz97SL?fX#g1%=+BN z;p}ZIDSn;|Y5#BU2pN>=)VgRsF26?>FNxxOLw|3Wr=MCbcn)3Kmc~_eZ$+y^%u6s0 z3uI>#v@HKjR@N2%s-ND#LGS;|VNGQF{rDu+$omSu7Z<{!wgPK$V_S~AgL?rPo9v=_?M9{tuEH!jyjFLE|`^4=6+JCl9KCejX&O0C`@eDxnC9^EQW(WL{Sa33x zu{%u*1K1f!UPwhlChyw~fK?y|H1@@3M|0?c$Wga}7ml0RvE}7$5F}T1cRfdn~N*d+s$wPEH&j7$MC-jV)r|1@Qck;j=HHdw7ro-da}B4 zu87T_G!36=giaZv4yeEH&CWuF6My0;Fh3Q)4?pL>CyT4VsR;|ZEB~V3EkMID5LUcO zCy-#y%(bGxh%^4i!<=mh-)1HMWvOGrwq?R7&C&3L()>IxX8J@OOHLW!MRE^YGJ-aB 
zm}KsVZDZdKHY)8h($EM6%BpKX1BV1{nNJw*pqx3q^6BK(jI1Y@%>PeCZhwVB-R|(O z0k}_`sJ~KpI~a-~#pG4h(z>e<_lPT2W_>7JzXmxY=}l&KhUeQ-WTV2%N6CI7MWbdQ z7>F!X{9vBlJ9BsC2OuR?(kmP+t132lR*u)Wp)ZN$?*mj8bI=!(;11t`E652wzx^<&TbNR^({76dP7{40!44sf z{UX>Efgu`D4g$Y&>Bn6@jY?mwI+$e@>=jNqyL7#9#OP$4{2w+p zuiix)1%oZ)3S&-1Sbs=ZTrs;(G&KoH@Od_;RNT<)LKUF$=hr@;)Sy7hg8ZXlmEqAh zU4iQS-Bk7ZgmMj^H+37@?`NRY#Z%PlWyZu$dgQZpy8(}2<_Df5Ss|*ONiV+I!O-;9 zo$7zCk%fxYeeM4so{V?86NCpcjr}F9~JxLHY zICaDIM3;?SP9)vr1i6)`cTFEtQr!|q*YjUti$7rjq^h_nIuw0Mz^X!!F-ztcxu}?Z zJYPnAYTnMOh=0PIevtV7FnuKA;L3e&PSWZDGVKFv$Q#jqmG=F31Pa9i_>jsrKsX;O zQAr!XS1KTz#yuAo=9-M1>oQ!5bb?n~Tf5VX^!ERfR?1j_#qU-B&EEqDt|VH7m2#&W zXrj;g#SQ@j)V7r}W9ShT963gc`0fEt7%RN=0PJYqD}Sf!wVm1o!|W8c@wG^WxGzcA zDreUb%%M|0;tF#NdIOk2(Hm-6acAEx;$cVa-JOFX=*jG1^xY|Zb#rtMizo|5h?=;cU?@co(J_tL_9!5+mX_5ZJODowRwaYnA+)QTy3L+;JktUa^m*Vh+!=ZJe;ya>4Dek3l?D!q<3)i8^z0KB@*&Ul6c z+D0pf&Khs7^f#0;XmIK*6DWdiE<7FrWIV6a4S#GuSVEv1r9cI=x9C{O=iL^o*tagI zOIc+D^xz~LlUo|K$1m*>uHY;x?j$@aUS2ZLyqI|m@tRqRHLa#5ovl+la}{zE+wBD- z%L_je4(2GU@3V)CvjGjh0>NtZm1%U<6+0|6i0sD#1_dLiKw(7*=KxH+Rxa9$&#$^z zDSuS~y6LS{Z#ePC1cmtVY;GFZA`hneC$ zQoRg9)SJl6|FSBp56ES_`9=WapN>jqbpjIfm3xDB_+Z@2k#ly}KqkY>*$X=HU7R}e+$?kO* zb9uA~moE3C$Vr49+L*n0z+~`^>FTXmbS_#DmPQ0Q#6bG@#PLmr)|z^IrCi6>LoA1SmKLLixGC2=?BowS_x${%aPmpiqoZ5Lo0Maz8o@7a zRIc8=&Xgp?bx0G z^L@nB2TOjYvu~fhS*$>x_@4{Ff2!C_jsn&9f&S`u5HNx8yL2Vu^Gn5d9$}~*E=B-t zeL1!9C z%7b6EsB&k>Ok9t11Z-YTM}k-0bzAD@pT zT!ZEBem=>Px#