feat: add restic backup to hetzner storage box

2025-10-11 07:10:39 +02:00 · 2024-01-15 01:42:04 +01:00 · 2024-01-15 01:42:04 +01:00 · 25eb9e3766
commit 25eb9e3766
parent a464c99fb8
9 changed files with 23 additions and 78 deletions
--- a/flake.lock
+++ b/flake.lock
@ -53,11 +53,11 @@
        "pre-commit-hooks": "pre-commit-hooks"
      },
      "locked": {
-        "lastModified": 1696078264,
+        "lastModified": 1705278709,
-        "narHash": "sha256-NF5G9CHaVWDD6DY0TP8z0cx30dAL1ciFYcVidVvb+NA=",
+        "narHash": "sha256-CNJSc6tp12UZKAprviztJ509yAblteK4GiWwKewWEPQ=",
        "owner": "oddlama",
        "repo": "agenix-rekey",
-        "rev": "e529da8197f024c0069c4fde6237505e305b8d0a",
+        "rev": "e02a57e08224422934974f19853d4d70ed7eaaaa",
        "type": "github"
      },
      "original": {
@ -981,11 +981,11 @@
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
-        "lastModified": 1704999567,
+        "lastModified": 1705279209,
-        "narHash": "sha256-Whj1PFPomS/f97OD30CRrETTH/dmnUJdjEevDLJG4MM=",
+        "narHash": "sha256-Lfd9gpDcsF5EaBdHNVrSQtXqs1B7wx1lXiW4nKvxrQw=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "4744a2844cd74ca9b122fbaaae5ae97159c0d30e",
+        "rev": "a776d7c47663029588aec52fb7ac941fa8bbd8bd",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -160,7 +160,11 @@
        ;
    }
    // flake-utils.lib.eachDefaultSystem (system: rec {
-      apps.setupHetznerStorageBoxes = import ./nix/setup-hetzner-storage-boxes.nix self;
+      apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-box.nix") {
        inherit pkgs;
        nixosConfigurations = self.nodes;
        decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
      };
      pkgs = import nixpkgs {
        inherit system;
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -223,7 +223,7 @@ in {
      enable = true;
      inherit (box) mainUser;
      inherit (box.users.samba) subUid path;
-      sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.path;
+      sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile;
    };
    user = "root";
--- a/modules/default.nix
+++ b/modules/default.nix
@ -34,7 +34,6 @@
    ./oauth2-proxy.nix
    ./promtail.nix
    ./provided-domains.nix
    ./restic.nix
    ./secrets.nix
    ./telegraf.nix
    ./wireguard-proxy.nix
--- a/modules/restic.nix
+++ b/modules/restic.nix
@ -1,57 +0,0 @@
 {lib, ...}: let
  inherit
    (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    ;
 in {
  options.services.restic.backups = {
    type = types.attrsOf (types.submodule ({config}: {
      options.hetznerStorageBox = {
        enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH.";
        mainUser = mkOption {
          type = types.str;
          description = ''
            The main user. While not technically required for restic, we still use it to
            derive the subuser name and it is required for the automatic setup script
            that creates the users.
          '';
        };
        subUid = mkOption {
          type = types.int;
          description = "The id of the subuser that was allocated on the hetzner server for this backup.";
        };
        path = mkOption {
          type = types.str;
          description = ''
            The remote path to backup into. While not technically required for restic
            (since the subuser is chrooted on the remote), we'll still use it to set
            a sane repository and it is required for the automatic setup script that
            creates the users.
          '';
        };
        sshPrivateKeyFile = {
          type = types.path;
          description = "The path to the ssh private key to use for uploading backups. Don't use a path from the nix store!";
        };
      };
      config = let
        subUser = "${config.hetznerStorageBox.mainUser}-sub${toString config.hetznerStorageBox.subUid}";
        url = "${subUser}@${subUser}.your-storagebox.de";
      in
        mkIf config.hetznerStorageBox.enable {
          repository = "sftp://${url}:23${config.hetznerStorageBox.path}";
          extraOptions = [
            "sftp.command='ssh -s sftp -p 23 -i ${config.hetznerStorageBox.sshPrivateKeyFile} ${url}'"
          ];
        };
    }));
  };
 }
--- a/nix/setup-hetzner-storage-boxes.nix
+++ b/nix/setup-hetzner-storage-boxes.nix
@ -1,12 +0,0 @@
 self: system: let
  pkgs = self.pkgs.${system};
 in {
  type = "app";
  drv = pkgs.writeShellApplication {
    name = "setup-hetzner-storage-boxes";
    text = ''
      set -euo pipefail
    '';
  };
 }
--- a/secrets/generated/sire-samba/restic-encryption-password.age
+++ b/secrets/generated/sire-samba/restic-encryption-password.age
--- a/secrets/generated/sire-samba/restic-ssh-privkey.age
+++ b/secrets/generated/sire-samba/restic-ssh-privkey.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> X25519 0K6SeoPQ4PZEq1wtc/G8b7i1Yt058S9AAmOsq2PcNS8
 +nAjk48dcVmB+Hq176YIfIt3tLGJ6iNpu5JLqmUCtpk
 -> piv-p256 xqSe8Q A9UeuVP5wOGWEIKsNv6W2ph7IyKbeGL+wpIUs7EgJ+YK
 ZPPXzqPBqZrWOS9PTbwDOj/j7jdVx+lLaatWy6A80gs
 -> o&IA4Bk-grease
 BYDzN8CfuLcHoE5qwego27meyCd/JwHoJroG585ZCEKc7gefGZL1xnCI8AvZUoeI
 /Q4CQpOmdFGCFDsTv17qIvt/EsBMU7b48EEgRg
 --- X7tInW7b9ibkZpVVGD4+Y4q7b+ymjQCwpt/lUF/W1BA
 Ý ’;Zÿûòeþ
 Ã\S–~ìT47ºsêg®@¶(®i(Š!\V‡ß6ó_.°{$Æte¡<q_,¼È9[Vô\-¡Þ¿|&D¿";üÄu<&""´³ÎN4ü1Ý¨ƒ#]Q½g¦!hÕÞV‚=îNp%ãµª–ô�§çëið;Ê$•�kÀÅé+(}AL³—°=zª@¼SiLuã¨ý.Æ»ù/�¥øòø¤:OÂ¯µ¯Á0�§KÓä¿—ü˜?ƒ3oz@7Áý!Eðö„^“žã^µï;ÇRx”Î8êORWt?d3G(�S†àJn%*O‰/ú«M/p]ÝV¥¿m*äÑ[ÿ&.ÀÀçûYã[ÄãðÉ][ˆªÃÇÏ£;þbD£kÙ¸v{QºÂ�j…÷¬Dý(½©Ä×,²Xvd¬ÏKàì"GÇ:îSqÂ¨YÑíxÿ1Ò! —%ÎÁ7‰¬ÀÄ¥£©>WFõ&Ó6ý8äZ“…WNÞÌ’³Çõ=>ˆ²Ç2òq¡XÑ6íTo	…��:Êpú‹¬‡™ü÷ðî2GÄuM¨PÞ,UâiÇp”Çß¹v“¿#ÔVN8°ü
--- a/users/myuser/secrets/user.nix.age
+++ b/users/myuser/secrets/user.nix.age