From a41c19ccc18413c552a47dfa2b3faedae0d0404a Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Sun, 30 Oct 2022 21:06:18 +0100
Subject: [PATCH] Backups for gitea
---
home-manager/modules/ssh/default.nix | 1 -
machines/gitea/backup.nix | 37 ++++++++++++++++++++++
machines/gitea/configuration.nix | 3 ++
machines/gitea/id_ed25519-gitea-backup.pub | 1 +
machines/gitea/secrets.yaml | 8 +++--
modules/gitea/default.nix | 2 +-
6 files changed, 47 insertions(+), 5 deletions(-)
create mode 100644 machines/gitea/backup.nix
create mode 100644 machines/gitea/id_ed25519-gitea-backup.pub
diff --git a/home-manager/modules/ssh/default.nix b/home-manager/modules/ssh/default.nix
index 3b16c63..72f1f32 100644
--- a/home-manager/modules/ssh/default.nix
+++ b/home-manager/modules/ssh/default.nix
@@ -1,4 +1,3 @@ - { pkgs , config , lib
diff --git a/machines/gitea/backup.nix b/machines/gitea/backup.nix
new file mode 100644
index 0000000..7b26f13
--- /dev/null
+++ b/machines/gitea/backup.nix
@@ -0,0 +1,37 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+ giteaCfg = config.services.gitea;
+
+ borgJob = name: {
+ environment = {
+ BORG_RSH = "ssh -i ${config.sops.secrets.gitea_backup_ssh_key.path}";
+ };
+ repo = "ssh://zh2088@zh2088.rsync.net:backups/gitea/${name}";
+ compression = "zstd,10";
+ startAt = "*-*-* 2,6,10,14,18,22:30:00";
+
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets.gitea_backup_pass.path}";
+ };
+
+ prune = {
+ keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = -1;
+ };
+ };
+ };
+in
+{
+ services.borgbackup.jobs = mkIf giteaCfg.enable {
+ repos = borgJob "gitea" // {
+ paths = [ "/var/lib" ];
+ };
+ };
+
+ environment.systemPackages = [ pkgs.borgbackup ];
+}
diff --git a/machines/gitea/configuration.nix b/machines/gitea/configuration.nix
index c78ffea..e9553be 100644
--- a/machines/gitea/configuration.nix
+++ b/machines/gitea/configuration.nix
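Review bot: In machines/gitea/backup.nix the `repos` job sets `paths = [ "/var/lib" ];`, which archives every service's state on the host rather than Gitea's data, so anything else kept there (key files, live database files that are not consistent when copied in place) goes off-site too; what actually lives under /var/lib is not visible in this patch. `giteaCfg` is already bound and used only for `.enable`, so `paths = [ giteaCfg.stateDir ];` together with a database dump would scope the job to what its name says. `BORG_RSH` passes only `-i`, so host verification for the unattended job depends on whatever known_hosts the service user already has; pinning the rsync.net host key declaratively (for example via `programs.ssh.knownHosts`) and adding `-o IdentitiesOnly=yes` makes that explicit. The `repo` string also mixes the `ssh://` scheme with an scp-style `host:path`; as far as I know borg accepts `ssh://user@host/path` or `user@host:path`, so confirm the location parses before relying on the timer.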
@@ -3,6 +3,7 @@ ./hardware-configuration.nix ../../users/root ../../users/erwin + ./backup.nix ]; eboskma = { @@ -51,6 +52,8 @@ gitea_db_password = { owner = "git"; }; + gitea_backup_ssh_key = { }; + gitea_backup_pass = { }; }; system.stateVersion = "22.05"; diff --git a/machines/gitea/id_ed25519-gitea-backup.pub b/machines/gitea/id_ed25519-gitea-backup.pub new file mode 100644 index 0000000..155ba41 --- /dev/null +++ b/machines/gitea/id_ed25519-gitea-backup.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINW2iXu6SPhql2AxGlUEsvrE1v0T4wKsVqlbYaicZ9fp gitea-backup diff --git a/machines/gitea/secrets.yaml b/machines/gitea/secrets.yaml index e44311b..86630f9 100644 --- a/machines/gitea/secrets.yaml +++ b/machines/gitea/secrets.yaml @@ -1,4 +1,6 @@ gitea_db_password: ENC[AES256_GCM,data:DhTDb2LuzEnkdSztIsSoICIz1qIpqNQYp2Z69NDNqPib3u/fzjnt6EyI5k9+0c2s0+AZBKPzItCm61WKquoIV80MsDgROANP2LP63j+id4KHMtIvvT7TBZelN8vaZnM422MutUzOFYB0+SA2LcSDtTHL9WKtqTnF4AjK3UpKjYk=,iv:zK65d01tXoSPYIu2JxRy2O8wURD73AqM7r+80H2nzAs=,tag:qc63u9c9/NaMT/OI5IsuLQ==,type:str] +gitea_backup_ssh_key: ENC[AES256_GCM,data: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,iv:iWi4uKEVlAGSNvJj11rnBcCZtp9EJlAjUwxuosOZctQ=,tag:DRPAD/ojMS6BkPtfPWKTag==,type:str] +gitea_backup_pass: ENC[AES256_GCM,data:6UgfUOgLpCZrRNEcsrG7JKFp4isTSGcuedRnE2tDTe7sHe+8Ky+07VsEW+kUdIx8GnluajpatSeWLCeVT72pJazfz6aECblDLQPJLK9odpwmoqZKHz9wSntnofPWT0CAVYSRG1/NPoyzeIY4+Qu4u4ZmuWmRo/Wy2Sz1jhPapR8=,iv:q0+fbP8pE1uRVuEgN/nl0qV4ymNfhmKdHlZN0MU7QUw=,tag:aCD75vFgcgTkfdBHvbtetw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +25,8 @@ sops: RW1CWDlrZ1FYSStNYVJzZHpkNWVaTG8KUxGxfbma4OE7UPlv3lDtu9v/h0Jx1vYx 7hfDVn+yOamCsqs77kmuTprQyAZbiPh2AzYxCkqy657XOdaq4gThWQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-04-26T19:26:23Z" - mac: ENC[AES256_GCM,data:8KcUH12RqxkuX7MQpm4Xtl0YNUnhj/ef55ix8mb59ncLfjWauM7KlYVJg+La0FrqvWOFNNsMTYiBNlt/1KU9tqJs7kjzQQvhkcUDA6jAnFKtLCV6X8fd+3mon2UUL6eh5FDWjy3lTp45VrWNwTjC+LP1RAGGG7ie4tuI69PM1h0=,iv:SoU3hXDCZwJk4BLgjFU00rQUdqxlD5j8LcdQ8RZvbGs=,tag:9uveuZWgDesins8lk5w9Dw==,type:str] + lastmodified: "2022-10-26T18:26:01Z" + mac: ENC[AES256_GCM,data:byjcMu8J5cAeOoU0mAZbJL/bkX3utCXk7VuBhApz8F/6N0ekyLixUHVqBcShp7XgWs4MU3GewVaMZZNqPkEfj15PgEWxxfpsE4HiLN6eaI6Fx21X2CmllQQ5qjeRQVZwkJchrpCO4rp/Q+nFqyVYMgAr8yJm85zZ3FIvHPbErOY=,iv:RsXReft0DUnPr/huYQYZkPy/0iCeEiU3k881KqhcUiY=,tag:JqD3o2BLU8PrBYCeLtdZjg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.7.2 + version: 3.7.3 diff --git a/modules/gitea/default.nix b/modules/gitea/default.nix index abc2a29..a5e73f6 100644 --- a/modules/gitea/default.nix +++ b/modules/gitea/default.nix @@ -36,7 +36,7 @@ in }; log.LEVEL = "Warn"; - + database = { LOG_SQL = false; };