From 77a11a2d7acb7f97a62ee6fa3b2da32f49c17524 Mon Sep 17 00:00:00 2001 From: Erwin Boskma Date: Fri, 20 Dec 2024 11:19:26 +0100 Subject: [PATCH] bsky: add backup task --- machines/bsky/backup.nix | 39 +++++++++++++++++++++++++++++++++ machines/bsky/configuration.nix | 3 +++ machines/bsky/secrets.yaml | 8 ++++--- 3 files changed, 47 insertions(+), 3 deletions(-) create mode 100644 machines/bsky/backup.nix diff --git a/machines/bsky/backup.nix b/machines/bsky/backup.nix new file mode 100644 index 0000000..0cd37da --- /dev/null +++ b/machines/bsky/backup.nix @@ -0,0 +1,39 @@ +{ pkgs, config, ... }: +let + borgJob = name: { + environment = { + BORG_RSH = "ssh -i ${config.sops.secrets.bsky-backup-ssh-key.path}"; + }; + repo = "ssh://zh2088@zh2088.rsync.net/./backups/bsky/${name}"; + compression = "zstd,10"; + startAt = "*-*-* 2:30:00"; + extraInitArgs = "--make-parent-dirs"; + archiveBaseName = name; + + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.sops.secrets.bsky-backup-pass.path}"; + }; + + prune = { + keep = { + within = "1d"; + daily = 7; + weekly = 4; + monthly = -1; + }; + }; + }; +in +{ + services = { + borgbackup.jobs = { + bsky-pds = borgJob "bsky-pds" // { + paths = [ "/var/lib/pds" ]; + }; + }; + }; + + environment.systemPackages = [ pkgs.borgbackup ]; + +} diff --git a/machines/bsky/configuration.nix b/machines/bsky/configuration.nix index 275d97c..e7b7cf1 100644 --- a/machines/bsky/configuration.nix +++ b/machines/bsky/configuration.nix @@ -12,6 +12,7 @@ ../../users/root ../../users/erwin + ./backup.nix ]; eboskma = { @@ -98,6 +99,8 @@ sops.defaultSopsFile = ./secrets.yaml; sops.secrets = { pds-env = { }; + bsky-backup-ssh-key = { }; + bsky-backup-pass = { }; }; system.stateVersion = "25.05"; diff --git a/machines/bsky/secrets.yaml b/machines/bsky/secrets.yaml index 4f49a8c..b02e8db 100644 --- a/machines/bsky/secrets.yaml +++ b/machines/bsky/secrets.yaml @@ -1,4 +1,6 @@ pds-env: ENC[AES256_GCM,data:7igflP/eh4Mvz15Xh1B3R4WcZ51LTCcjBNYiBCu92ZaQvOTalquJqGdLRpaBx425NZjPGGAt6xibMLnbaXOrXpouVW3A+xPj0TzTO+K2ZObFAZgaFfLCDIUPgkc1PUGvvwg/jfU8xMaUvLRlaAQDo1SDfNbmszQrxZRTAJYL4doPHFGnUAKgAW36RQ3PmQKcDGC3Rdaf3Bzi5rU7PIgYmJKaQWDSsDBgD9z5oPd1w/1k1RgoTblHM4u7lk0d0itUeS0TYMkVL4w5+soye6R00wwQBXyIkwQ8fikJUa3GnbhPx67RSzPkwKg3tRIxAZyRfBHC9Cb52RhhhFmZG5AWdG3FLXGpelPO/fMhEZGhCbkDo3dJtDz+Ce567R/ud5cQCpwvTuHQoH1n7/IcROxAy5sf60bgV7eyhA==,iv:8b/U6vv/MHnr/U03vMxN8sr9csgPbpBBALrcehPop/A=,tag:bejYU4f4IA+TVcEfyFhkMA==,type:str] +bsky-backup-ssh-key: ENC[AES256_GCM,data:Mdo1HHWtr/4QrTqEiRievi5qZ04hw+9/XnnqBF39Q61SO760LvDjD7DRszrFMReHpN4UbLnG9KaeaujZbure83aCTDxoc+P3VJ/HYrfaIh1zhxuOGg0D/gz42zOHHI1DOTIqIqB4ILf0ZLLRegmbSvEVq9/k9Wh+nTr4NklJqmWdI8pkPU79nycUFcOQPWUDslse0Q1uqCz3YACKpTp/efbFGbSr++bXxJQ9iEbB0v98AzGta2eypP6sUrH/iQn909dzwThCwHx9S6v5qxOXomLawiKm2zJMgNFnIemMWcpU2rWKL8sWwpj2UdDMByeIJ9YJFSj5vX9n9+4JY5i06h7QyPSbZX2k1K5nK8bY2S1J9Aq7UOAXUynZuxBDGfRW3iQulZ9mgk+9wYQGT05Y6cxBep7zkeNheeqr009u219MwwnYwU1Fw55TgA5zj2VX6qnfAXTLDqC9lehvOYVUiPQtpSdKJn5jQ4N53IvqZNT6kXhzT8HHB1ZdCuX2AOtmlR2TDv2NwOuQw4t23nBV,iv:URYCUXTHmc6iWvGZ+qCKUJa6eTOhGpf6ZGibZtq60nE=,tag:RClxYGvsfM2AvrLzpGJ5+Q==,type:str] +bsky-backup-pass: ENC[AES256_GCM,data:pIwYD6GIudgTj0a8WYHOpGV74aixSbd+Anwr/20hyDWxjBn3W5UtkoRBQG7LCuZn4B/Ht3/kgKb45wTm56jJYRfyNjO6I1skGNh52ybfr/wFRnxzlufrexTcy0K/uhRpHJUtTkuLCcmGeZysFNPDOKVlxAbzz16rwGsxg702ZEo=,iv:M8B98X0DMPH7vWdP9ypCvyT7AtOCabYMdBlnlFxEyMY=,tag:cSwSXDD4zAzJjPDw3VzorA==,type:str] sops: kms: [] gcp_kms: [] @@ -32,8 +34,8 @@ sops: TFRvdGkyb1czc21weVMyRHJGUlR3WEkKQPEoBJPPLijNmpGo8jngBfWUrkZZJwcg zdi6Wukj6tTS/rKyK0cCC8noyBVc0lLnpUMAemX9xs1dWkFrUBVQiw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-03T21:01:23Z" - mac: ENC[AES256_GCM,data:rjymp5a273Wx2K5WE8yVMRiJDyzz7y3UDLliJvAtUJLg72nx3KXbWFvHjio8BaEQxbobRxnLuPYyAXrGVwIdA14JJVBGFSc4jiJWFsVoX7Kh/7Iui4xkPO/3veoIVkvIzBYyRkPjB249ZwKbLaVR+NlraK7uHvL+Z9wFR+AY67E=,iv:hs6OUurXAApby6s7P0jr1Txplu8TC6DejvWT/87yrMA=,tag:L8+ZVgcwJZc67zd4NitXtQ==,type:str] + lastmodified: "2024-12-20T09:50:48Z" + mac: ENC[AES256_GCM,data:u+vDui46AnPiOaxPGovgAz4IcbDyqhVJm0su2IYlL1lN3TTJsEVjOmjYxD9Cb+OYpMupFHDuSLZVw3j5wp5o9vx4VGAtw0cmrUKq9hu48iGXBk0+zLVTImy5gZ82Bx0fy5rsHulM+QPKWio5zJqaq8Sy4ohib4bQSERR5i8vEFw=,iv:2jXWVmXVYLqRfuN7NH43S1XXvlnzbAd6L4T1YRJigQk=,tag:0eXDlb06a/qFA8+8ASNRdA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.2