From 52f5a2c9c123159282bebcff5455cecee21025ee Mon Sep 17 00:00:00 2001
From: Nathan McCarty
Date: Fri, 10 Jun 2022 19:30:15 -0400
Subject: [PATCH] Setup borg on oracles
---
 machines/levitation.nix | 1 +
 machines/oracles.nix | 61 +++++++++++++++++++++++++++++++++++++++++
 secrets/borg.yaml | 5 ++--
 3 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/machines/levitation.nix b/machines/levitation.nix
index 7983af9..b9ee972 100644
--- a/machines/levitation.nix
+++ b/machines/levitation.nix
@@ -98,6 +98,7 @@
 "/home/nathan/.local/share/Steam"
 "/home/nathan/Downloads"
 "/home/nathan/Music"
+ "/var/lib/docker"
 ];
 repo = "de1955@de1955.rsync.net:computers/levitation";
 encryption = {
diff --git a/machines/oracles.nix b/machines/oracles.nix
index 9ee20ac..3696588 100644
--- a/machines/oracles.nix
+++ b/machines/oracles.nix
@@ -45,5 +45,66 @@
 # Install java
 environment.systemPackages = with pkgs; [
 jdk
+ borgbackup
 ];
+
+ # Setup sops
+ sops.secrets."borg-sshKey" = {
+ format = "yaml";
+ sopsFile = ../secrets/borg.yaml;
+ };
+ sops.secrets."borg-oraclesPassword" = {
+ format = "yaml";
+ sopsFile = ../secrets/borg.yaml;
+ };
+ # Setup the job
+ services.borgbackup.jobs = {
+ files = {
+ paths = [
+ "/home"
+ "/var"
+ "/etc"
+ ];
+ exclude = [
+ "*/.cache"
+ "*/.tmp"
+ "/home/nathan/minecraft/server/backup"
+ "/var/lib/postgresql"
+ "/var/lib/redis"
+ "/var/lib/docker"
+ ];
+ repo = "de1955@de1955.rsync.net:computers/oracles";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg-levitationPassword".path}";
+ };
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
+ compression = "auto,zstd";
+ startAt = "hourly";
+ prune.keep = {
+ within = "7d"; # Keep all archives for the past week
+ daily = 1; # Keep 1 snapshot a day for 2 weeks
+ weekly = 4; # Keep 1 snapshot a week for 4 weeks
+ monthly = -1; # Keep unlimited monthly backups
+ };
+ };
+ postgres = {
+ dumpCommand = "su postgres -c pg_dumpall";
+ repo = "de1955@de1955.rsync.net:databases/oracles/postgres";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg-levitationPassword".path}";
+ };
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
+ compression = "auto,zstd";
+ startAt = "hourly";
+ prune.keep = {
+ within = "7d"; # Keep all archives for the past week
+ daily = 1; # Keep 1 snapshot a day for 2 weeks
+ weekly = 4; # Keep 1 snapshot a week for 4 weeks
+ monthly = -1; # Keep unlimited monthly backups
+ };
+ };
+ };
+
 }
diff --git a/secrets/borg.yaml b/secrets/borg.yaml
index 50cc9f9..5b94827 100644
--- a/secrets/borg.yaml
+++ b/secrets/borg.yaml
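Review bot: Both new jobs read the repository passphrase from `borg-levitationPassword` (the `passCommand` lines under `files` and under `postgres`), while the only secrets this hunk declares for the host are `borg-sshKey` and `borg-oraclesPassword`. Unless `sops.secrets."borg-levitationPassword"` is declared somewhere outside this hunk, the attribute lookup fails at evaluation; if it is declared, the oracles repositories end up keyed with levitation's passphrase and the newly added `borg-oraclesPassword` is never used, so a compromise of either host exposes the passphrase protecting both hosts' repositories. The likely intent is `passCommand = "cat ${config.sops.secrets."borg-oraclesPassword".path}";` in both jobs. Separately, the comment on `daily = 1;` says "for 2 weeks", but that value keeps a single daily archive, so either the number or the comment should change.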
@@ -1,5 +1,6 @@
 borg-sshKey: ENC[AES256_GCM,data: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,iv:gHr+vtcY99MgSy9IiMmxy3mlOjcOJ4oN5NS3doNAXwo=,tag:AOaE2qHv5NalE7J/NVXQjw==,type:str]
 borg-levitationPassword: ENC[AES256_GCM,data:nAtAlhmv6NAE88f81BeroMnMd/lr7ZnUTmLlAMtn4/ML8TuiZjijCJ4LiUSg5FLeWmDEALUN5g/T,iv:2qoF4mw/sbitLmticTsKndcYdV2B+6YjXjKHJr591nk=,tag:ENPk7gm3tmVOSgzfrn7Vag==,type:str]
+borg-oraclesPassword: ENC[AES256_GCM,data:TRWn/vj3SpSrRc0HcNI9If7e5Q93hO/+eLKoTQULHTBZqZKdnN0Lq6xhUQQf0s7LhS9D2Q==,iv:/vdqnlR6DowmPNpNP8Q3n2cL/gv91heS0NLFth9Wpl0=,tag:peIs7WpNO56DiTkva71fDw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -60,8 +61,8 @@ sops:
 WmhzcngwekJ1UzJQNzBwNU9Kb3FLNzQKgWC/Pruek+lfMtyj8M1s88l46emKVqV/
 nO3VxonQywOz1QaNEBODNTwly48MzNREwV1bUZy4DBAeraG4O3fRFg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-06-10T22:53:54Z"
- mac: ENC[AES256_GCM,data:ZCTwUX3m4BPjJxMzaTmG1FNFmxJ+rO/5aKe8AB/Fca2Ut5V6GccrpnjVx43ccNSTibDEgdxvUPtAZRLZ0nZXsAFE1tI5KoCk5XxzhCddmG0gkrMDpt2bgnv+eNgwU5fpMNu1+IdwnUf9ut4LaJBtpojDQjM9wWpcVMAJKTfh83Y=,iv:M5SWFxX2anu7yoUd3S3HZ98LfzQrr20CHtX3KR9GI1U=,tag:/BXJkqtLT83AnuA6fZWQVg==,type:str]
+ lastmodified: "2022-06-10T23:17:10Z"
+ mac: ENC[AES256_GCM,data:EgTvO6L9hAcOYQBl5bMmqZeimxEO9uTxKiGKqTBM0nyRU0Fj7zE1ZvuCtwSe0T9RHObBwzd5i1ij1qA4Bd5qDg2fnRs4DoxHPXJxERsD1CrZnE39D//+ppdsdGGaw5rtISlbl2b+4YFDSiYtbgrU73bz/LauUEc71fakBxQzLlI=,iv:imQB792YHWSoJIbxx6ZPiDK2IhwN6DZPrDbnbGA7U/0=,tag:Qtc6K1tQtNcc318Ez9wf9A==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3