feat: add vaultwarden restic backups

2025-10-10 23:00:39 +02:00 · 2024-01-15 03:28:53 +01:00 · 2024-01-15 03:28:53 +01:00 · b162b20241
commit b162b20241
parent 25eb9e3766
7 changed files with 200 additions and 102 deletions
--- a/flake.lock
+++ b/flake.lock
@ -66,28 +66,6 @@
        "type": "github"
      }
    },
-    "alejandra": {
-      "inputs": {
-        "flakeCompat": "flakeCompat",
-        "nixpkgs": [
-          "wired-notify",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1652974241,
-        "narHash": "sha256-0AolxQtKj3Oek0WSbODDpPVO5Ih8PXHOA3qXEKPB4dQ=",
-        "owner": "kamadorueda",
-        "repo": "alejandra",
-        "rev": "0be1462419fc73270a5dc0f84f8092603890b029",
-        "type": "github"
-      },
-      "original": {
-        "owner": "kamadorueda",
-        "repo": "alejandra",
-        "type": "github"
-      }
-    },
    "base16": {
      "inputs": {
        "fromYaml": "fromYaml"
@ -315,11 +293,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704648272,
-        "narHash": "sha256-zCDhWGl3bVpBKpDZ0p3NuGksZVg69BAChsY5W4KARL4=",
+        "lastModified": 1705240333,
+        "narHash": "sha256-s9h2h44fCi54sSIT9ktd3eDik9JDpQE9DeYuXcA44u4=",
        "owner": "numtide",
        "repo": "devshell",
-        "rev": "f54745fd4aae92443817ddc566ce06572b178b5a",
+        "rev": "ca1ff587c602b934afe830ea3cb26d0fbde4c395",
        "type": "github"
      },
      "original": {
@ -357,11 +335,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704741201,
-        "narHash": "sha256-Y420NeqPWRSpxHpXsxhKILfTxT5exjtTgCgDwSpcEfU=",
+        "lastModified": 1705281959,
+        "narHash": "sha256-9NZiSMAduz4qbFu77Cg9RNFcrjgS9UOjriD+v8FeueY=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "f0a3425a7b173701922e7959d8bfb136ef53aa54",
+        "rev": "2a561be6b5dd049182af1973bb7e28f7a0ac9be2",
        "type": "github"
      },
      "original": {
@ -476,11 +454,11 @@
    "flake-compat_6": {
      "flake": false,
      "locked": {
-        "lastModified": 1673956053,
-        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
        "type": "github"
      },
      "original": {
@ -534,6 +512,24 @@
          "nixpkgs"
        ]
      },
+      "locked": {
+        "lastModified": 1704982712,
+        "narHash": "sha256-2Ptt+9h8dczgle2Oo6z5ni5rt/uLMG47UFTR1ry/wgg=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "07f6395285469419cf9d078f59b5b49993198c00",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_3": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib_2"
+      },
      "locked": {
        "lastModified": 1704152458,
        "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
@ -638,19 +634,21 @@
        "type": "github"
      }
    },
-    "flakeCompat": {
-      "flake": false,
+    "flake-utils_6": {
+      "inputs": {
+        "systems": "systems_9"
+      },
      "locked": {
-        "lastModified": 1648199409,
-        "narHash": "sha256-JwPKdC2PoVBkG6E+eWw3j6BMR6sL3COpYWfif7RVb8Y=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "64a525ee38886ab9028e6f61790de0832aa3ef03",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
+        "owner": "numtide",
+        "repo": "flake-utils",
        "type": "github"
      }
    },
@ -744,11 +742,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1660459072,
-        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "lastModified": 1703887061,
+        "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=",
        "owner": "hercules-ci",
        "repo": "gitignore.nix",
-        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5",
        "type": "github"
      },
      "original": {
@ -764,11 +762,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704809957,
-        "narHash": "sha256-Z8sBeoeeY2O+BNqh5C+4Z1h1F1wQ2mij7yPZ2GY397M=",
+        "lastModified": 1705269478,
+        "narHash": "sha256-j7Rp8Y3ckBHOlIzqe0g2+/BVce9SU/dVtn4Eb0rMuY4=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "e13aa9e287b3365473e5897e3667ea80a899cdfb",
+        "rev": "846200eb574faa2af808ed02e653c2b8ed51fd71",
        "type": "github"
      },
      "original": {
@ -785,11 +783,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704498488,
-        "narHash": "sha256-yINKdShHrtjdiJhov+q0s3Y3B830ujRoSbHduUNyKag=",
+        "lastModified": 1705104164,
+        "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "51e44a13acea71b36245e8bd8c7db53e0a3e61ee",
+        "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd",
        "type": "github"
      },
      "original": {
@ -856,11 +854,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1704120350,
-        "narHash": "sha256-s5BOPAnVc4e/4WvGDeeF3VSLAWzBUB+YW6fJb3pFbRw=",
+        "lastModified": 1705263072,
+        "narHash": "sha256-DCqqaNWn9G81U+0Myyr36JrOKitcmS34oBWxqiHjabk=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "d5553b1388f2947915c4cec6249b89474046573a",
+        "rev": "088ba565537eaef1041a87be5a44ca0daa4e1908",
        "type": "github"
      },
      "original": {
@ -898,11 +896,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1703466376,
-        "narHash": "sha256-Wy8iF8u5KSzrTxg1hStTBmUjzzKdKyCyMOg8b/eTvVQ=",
+        "lastModified": 1705080892,
+        "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=",
        "owner": "nix-community",
        "repo": "nix-eval-jobs",
-        "rev": "64104a3c55593c903af78af86a4c9d2e5487a2d7",
+        "rev": "69371f7bae49d5d55bcee9fd829585148215bedb",
        "type": "github"
      },
      "original": {
@ -940,11 +938,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704596958,
-        "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=",
+        "lastModified": 1705282324,
+        "narHash": "sha256-LnURMA7yCM5t7et9O2+2YfGQh0FKAfE5GyahNDDzJVM=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62",
+        "rev": "49aaeecf41ae0a0944e2c627cb515bcde428a1d1",
        "type": "github"
      },
      "original": {
@ -981,11 +979,11 @@
        "pre-commit-hooks": "pre-commit-hooks_3"
      },
      "locked": {
-        "lastModified": 1705279209,
-        "narHash": "sha256-Lfd9gpDcsF5EaBdHNVrSQtXqs1B7wx1lXiW4nKvxrQw=",
+        "lastModified": 1705283066,
+        "narHash": "sha256-uYvo7hr28saTQuzZ+t0v2dPAxfcVLs4WirMuFl/ykAA=",
        "owner": "oddlama",
        "repo": "nixos-extra-modules",
-        "rev": "a776d7c47663029588aec52fb7ac941fa8bbd8bd",
+        "rev": "cab2f4b0408cc072a8f9405daa542298b11ea87b",
        "type": "github"
      },
      "original": {
@ -1017,11 +1015,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1704786394,
-        "narHash": "sha256-aJM0ln9fMGWw1+tjyl5JZWZ3ahxAA2gw2ZpZY/hkEMs=",
+        "lastModified": 1705187059,
+        "narHash": "sha256-dSj+iIYqLA+7/5rLXWfUxw9IXRm0w8Mrm39af8klUH0=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "b34a6075e9e298c4124e35c3ccaf2210c1f3a43b",
+        "rev": "ef811636cc847355688804593282078bac7758d4",
        "type": "github"
      },
      "original": {
@ -1053,11 +1051,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1704722960,
-        "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
+        "lastModified": 1705133751,
+        "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
+        "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
        "type": "github"
      },
      "original": {
@ -1082,6 +1080,24 @@
        "type": "github"
      }
    },
+    "nixpkgs-lib_2": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1703961334,
+        "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs-stable": {
      "locked": {
        "lastModified": 1685801374,
@ -1132,16 +1148,16 @@
    },
    "nixpkgs-stable_4": {
      "locked": {
-        "lastModified": 1685801374,
-        "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=",
+        "lastModified": 1704874635,
+        "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c37ca420157f4abc31e26f436c1145f8951ff373",
+        "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "nixos-23.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@ -1156,11 +1172,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704684968,
-        "narHash": "sha256-h+lSV/cfnfE5//dHefL154mgvaEmTz13ehI7eb/Hph0=",
+        "lastModified": 1705080950,
+        "narHash": "sha256-ltAQAwwE6UyUcVh6PIf+RYpuxvMSLgc7Dqwfox6HwPg=",
        "owner": "nix-community",
        "repo": "nixpkgs-wayland",
-        "rev": "17d7827cd61e7e6bdc732c4817ea4da26ab0b47b",
+        "rev": "8621ab0a5a9953c719aa21d3d078532613accdcb",
        "type": "github"
      },
      "original": {
@ -1185,6 +1201,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1681358109,
+        "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "96ba1c52e54e74c3197f4d43026b3f3d92e83ff9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixvim": {
      "inputs": {
        "flake-parts": "flake-parts_2",
@ -1198,11 +1230,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1704812275,
-        "narHash": "sha256-uRe8BdZhuSiupXOxohaVP8LzJtBRG+ETP9PgzR60orI=",
+        "lastModified": 1705268857,
+        "narHash": "sha256-IMaCyPTp5Za0xVUorHRxq39VaUrEDuWA9MbV1z6eHR8=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "b4ddb322889e2daf41333b4dbca2555da2e8bb7e",
+        "rev": "9e04eb3c3c6fcb6ea31e4d3633ea5fd7378906cb",
        "type": "github"
      },
      "original": {
@ -1308,11 +1340,11 @@
        "nixpkgs-stable": "nixpkgs-stable_4"
      },
      "locked": {
-        "lastModified": 1704725188,
-        "narHash": "sha256-qq8NbkhRZF1vVYQFt1s8Mbgo8knj+83+QlL5LBnYGpI=",
+        "lastModified": 1705229514,
+        "narHash": "sha256-itILy0zimR/iyUGq5Dgg0fiW8plRDyxF153LWGsg3Cw=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "ea96f0c05924341c551a797aaba8126334c505d2",
+        "rev": "ffa9a5b90b0acfaa03b1533b83eaf5dead819a05",
        "type": "github"
      },
      "original": {
@ -1373,6 +1405,25 @@
        "type": "github"
      }
    },
+    "rust-overlay_2": {
+      "inputs": {
+        "flake-utils": "flake-utils_6",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1702865809,
+        "narHash": "sha256-K7caQe+KqjqTBFmJawmBjmm25S6bza5CXhAqbXFLyH8=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "b2aafcee4a8842cecfc877ff7dd271f333dc0fa8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
    "spectrum": {
      "flake": false,
      "locked": {
@ -1541,6 +1592,21 @@
        "type": "github"
      }
    },
+    "systems_9": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
    "templates": {
      "locked": {
        "lastModified": 1704737624,
@ -1578,35 +1644,20 @@
        "type": "github"
      }
    },
-    "utils": {
-      "locked": {
-        "lastModified": 1652776076,
-        "narHash": "sha256-gzTw/v1vj4dOVbpBSJX4J0DwUR6LIyXo7/SuuTJp1kM=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "04c1b180862888302ddfb2e3ad9eaa63afc60cf8",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
    "wired-notify": {
      "inputs": {
-        "alejandra": "alejandra",
+        "flake-parts": "flake-parts_3",
        "nixpkgs": [
          "nixpkgs"
        ],
-        "utils": "utils"
+        "rust-overlay": "rust-overlay_2"
      },
      "locked": {
-        "lastModified": 1699064982,
-        "narHash": "sha256-BAKfy2O0Df1JdNWn2rPsrjbIyOdGjJZeGxXZkvMZzvU=",
+        "lastModified": 1705141537,
+        "narHash": "sha256-CjcrCvhrtiQIozs7Ns6yWpcw5eOozjZ3XK1PU2pO/Y0=",
        "owner": "Toqozz",
        "repo": "wired-notify",
-        "rev": "9f2e1420e122030953734f795eaf8cf000002abd",
+        "rev": "f0bca119f7914142e3bef1e019511f8ea7681fd4",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -160,7 +160,7 @@
        ;
    }
    // flake-utils.lib.eachDefaultSystem (system: rec {
-      apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-box.nix") {
+      apps.setupHetznerStorageBoxes = import (nixos-extra-modules + "/apps/setup-hetzner-storage-boxes.nix") {
        inherit pkgs;
        nixosConfigurations = self.nodes;
        decryptIdentity = builtins.head self.secretsConfig.masterIdentities;
--- a/hosts/sire/guests/samba.nix
+++ b/hosts/sire/guests/samba.nix
@ -223,7 +223,7 @@ in {
      enable = true;
      inherit (box) mainUser;
      inherit (box.users.samba) subUid path;
-      sshPrivateKeyFile = config.age.secrets.restic-ssh-privkey.rekeyFile;
+      sshAgeSecret = "restic-ssh-privkey";
    };

    user = "root";
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@ -51,6 +51,10 @@ in {
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
+    # WARN: Careful! The backup script does not remove files in the backup location
+    # if they were removed in the original location! Therefore, we use a directory
+    # that is not persisted and thus clean on every reboot.
+    backupDir = "/var/cache/vaultwarden-backup";
    config = {
      dataFolder = lib.mkForce "/var/lib/vaultwarden";
      extendedLogging = true;
@ -80,4 +84,37 @@ in {
    StateDirectory = lib.mkForce "vaultwarden";
    RestartSec = "600"; # Retry every 10 minutes
  };
+
+  # Backups
+  # ========================================================================
+
+  age.secrets.restic-encryption-password.generator.script = "alnum";
+  age.secrets.restic-ssh-privkey.generator.script = "ssh-ed25519";
+
+  services.restic.backups.main = {
+    hetznerStorageBox = let
+      box = config.repo.secrets.global.hetzner.storageboxes.dusk;
+    in {
+      enable = true;
+      inherit (box) mainUser;
+      inherit (box.users.vaultwarden) subUid path;
+      sshAgeSecret = "restic-ssh-privkey";
+    };
+
+    user = "root";
+    timerConfig = {
+      OnCalendar = "06:15";
+      RandomizedDelaySec = "3h";
+      Persistent = true;
+    };
+    initialize = true;
+    passwordFile = config.age.secrets.restic-encryption-password.path;
+    paths = [config.services.vaultwarden.backupDir];
+    pruneOpts = [
+      "--keep-daily 14"
+      "--keep-weekly 7"
+      "--keep-monthly 12"
+      "--keep-yearly 75"
+    ];
+  };
 }
--- a/secrets/generated/ward-vaultwarden/restic-encryption-password.age
+++ b/secrets/generated/ward-vaultwarden/restic-encryption-password.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> X25519 cyCP17wFsTKBZv0uAeHIXk3xiMUCzwDQ5O4ObRpmcQg
+uaLCoFo4qjgr2hocVFsbAUEf0OK8hZCVYjSlXOA1mCQ
+-> piv-p256 xqSe8Q AvJBo83Vngkv1Y0czPaAj0DoHRmhPF2Yq1AhQB+Ztvq8
+leN6QRaenTmq+1sUF64cx7I6EGfuWjW5kO9gS4D1htE
+-> k,-grease
+8bQYuOSk3TkNV7ViXmhag/8+lZch6Q
+--- pWjIBQehKUCNox8IGv0TM1schPlj0q40nthpCqnWz2I
+æÆ“sZˆ]ëz´6l
wC…¡AïjTê§�¶4UOÕÙ»#
+Öîïd)1æyk�Ò<4† >ù<ážlKŽPz’Óêþî®®fÏ
--- a/secrets/generated/ward-vaultwarden/restic-ssh-privkey.age
+++ b/secrets/generated/ward-vaultwarden/restic-ssh-privkey.age
--- a/secrets/global.nix.age
+++ b/secrets/global.nix.age