From b62e5596303a3078df2ed5377f730200ba9036ab Mon Sep 17 00:00:00 2001
From: Erwin Boskma
Date: Mon, 11 Sep 2023 20:12:52 +0200
Subject: [PATCH] Add backups for minio data
---
machines/gitea/configuration.nix | 19 ----------------
machines/minio/backup.nix | 39 ++++++++++++++++++++++++++++++++
machines/minio/configuration.nix | 23 ++++---------------
machines/minio/secrets.yaml | 6 +++--
4 files changed, 47 insertions(+), 40 deletions(-)
create mode 100644 machines/minio/backup.nix
diff --git a/machines/gitea/configuration.nix b/machines/gitea/configuration.nix
index 3342d2c..ffae08d 100644
--- a/machines/gitea/configuration.nix
+++ b/machines/gitea/configuration.nix
@@ -26,25 +26,6 @@
 system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
- # networking = {
- # hostName = "gitea";
- # useDHCP = false;
-
- # interfaces = {
- # eth0 = {
- # ipv4.addresses = [
- # {
- # address = "10.0.0.201";
- # prefixLength = 24;
- # }
- # ];
- # };
- # };
-
- # defaultGateway = "10.0.0.1";
- # nameservers = [ "10.0.0.254" ];
- # };
-
 proxmoxLXC = {
 privileged = true;
 };
diff --git a/machines/minio/backup.nix b/machines/minio/backup.nix
new file mode 100644
index 0000000..e07c9b0
--- /dev/null
+++ b/machines/minio/backup.nix
@@ -0,0 +1,39 @@
+{ pkgs, config, lib, ... }:
+with lib;
+let
+ minioCfg = config.services.minio;
+
+ borgJob = name: {
+ environment = {
+ BORG_RSH = "ssh -i ${config.sops.secrets.minio_backup_ssh_key.path}";
+ };
+ repo = "ssh://zh2088@zh2088.rsync.net/./backups/minio/${name}";
+ compression = "zstd,10";
+ startAt = "*-*-* 02:30:00";
+ extraInitArgs = "--make-parent-dirs";
+ archiveBaseName = name;
+
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets.minio_backup_pass.path}";
+ };
+
+ prune = {
+ keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = -1;
+ };
+ };
+ };
+in
+{
+ services.borgbackup.jobs = mkIf minioCfg.enable {
+ data = borgJob "data" // {
+ paths = minioCfg.dataDir;
+ };
+ };
+
+ environment.systemPackages = [ pkgs.borgbackup ];
+}
diff --git a/machines/minio/configuration.nix b/machines/minio/configuration.nix
index 6f4db48..ea09c65 100644
--- a/machines/minio/configuration.nix
+++ b/machines/minio/configuration.nix
@@ -2,6 +2,8 @@
 { modulesPath, ... }: {
 imports = [
 (modulesPath + "/virtualisation/proxmox-lxc.nix")
+
+ ./backup.nix
 ../../users/root
 ../../users/erwin
 ];
@@ -24,25 +26,6 @@
 system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
- # networking = {
- # hostName = "gitea";
- # useDHCP = false;
-
- # interfaces = {
- # eth0 = {
- # ipv4.addresses = [
- # {
- # address = "10.0.0.204";
- # prefixLength = 24;
- # }
- # ];
- # };
- # };
-
- # defaultGateway = "10.0.0.1";
- # nameservers = [ "10.0.0.254" ];
- # };
-
 proxmoxLXC = {
 privileged = true;
 };
@@ -54,6 +37,8 @@
 sops.defaultSopsFile = ./secrets.yaml;
 sops.secrets = {
 minio-root-credentials = { };
+ minio_backup_ssh_key = { };
+ minio_backup_pass = { };
 };
 system.stateVersion = "23.05";
diff --git a/machines/minio/secrets.yaml b/machines/minio/secrets.yaml
index 6c4b810..d40912f 100644
--- a/machines/minio/secrets.yaml
+++ b/machines/minio/secrets.yaml
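Review bot: In machines/minio/backup.nix, `BORG_RSH` in `borgJob` passes only the identity file, so nothing in this flake pins the rsync.net host key; unless a known_hosts entry is provisioned elsewhere, the unattended job will fail host-key verification until someone accepts the key by hand on the host, which leaves unverified trust-on-first-use state outside the configuration. Pin it declaratively with something like `programs.ssh.knownHosts."zh2088.rsync.net".publicKey = "<RSYNC_NET_HOST_PUBLIC_KEY>";` (placeholder value), and consider `ssh -o IdentitiesOnly=yes -i …` so no other key is offered. The same SSH key also runs `prune`, so a compromise of this container could delete existing archives; if provider-side snapshots are not being relied on for that, an append-only key for the backup job with pruning done from a separate credential is worth considering. With `repokey-blake2` the repository key is stored in the repo and protected only by `minio_backup_pass`, so a copy of that passphrase and a `borg key export` should be kept somewhere other than this host.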
@@ -1,4 +1,6 @@ minio-root-credentials: ENC[AES256_GCM,data:IR2xlQ/pXHUA0baJTe9J+iH4qsw3dHeCP+oSQ3yZohQSm1mrXil7HR1NlsI2sbQVQM1GAJcmPytrn7z3YocrainnDv3WZ0AeRqwyEtItC2cXfw3mfh+SIeq2sX2jkYDycuW0J7jRdCBV+Bs=,iv:A7cgR9ykXY4qkixDp699wzNLs4AEVEJRJ8PxzOAnCqU=,tag:++C4ejM5h8wM95G2N6PZmg==,type:str] +minio_backup_ssh_key: ENC[AES256_GCM,data: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,iv:F82onSArHBV7z2BZ83yZUWPTf+Nj/yGwPckhj1JC3A4=,tag:e/QwEifl96Vtuf1jeItVhQ==,type:str] +minio_backup_pass: ENC[AES256_GCM,data:t6mh1Fuj+CNbRCi6zgM/IDUc7IaHnsWcqsWKtTSzfO0gmAkfpGcvqe1KhDrgQiYqwVSlzYfIa5bsYrrgrePejmkt2hcTBeCM51dBIPJSqx6b47MAii/nEvdksxUENAZiUxP6ZSfrLOs2dkuEbxOTXfBC4z/bISKvst3VILH7ZqM=,iv:Pn0PUCCvqZQmV3Hkjd5CbSRR3sHGZsBcZdhUCgSZb0U=,tag:3Vru8OLVa72e677DEy6LvQ==,type:str] sops: kms: [] gcp_kms: [] @@ -32,8 +34,8 @@ sops: S2VBY05lVXZIZ1dTaDNvSGNQaVVmS1kKirfOAiMzO6dz5VYHb0RpUtNojg7Zd6I4 1QZR3oJykIUybeNScW7Qhb2AtRObUefXMx3kA814d62yDJkwbApkDw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-01-04T22:17:52Z" - mac: ENC[AES256_GCM,data:aK5XNUiQYVHpSRuztLO7WXQnBQwScvtF3rABMjsJBbJ2aep74MhVUYEq9FwQOaC3puB2J0jdfKd0i6Mxdn0iScZ1JndGizEqBOeyxVZuAIfg5jL2sL/FjKGIU6BgbNquExiCnllikVyEKfjfX9sxkaB7vfjuYNauQ7hPW68GCwI=,iv:HYx9SaTBDICgWcU9B+a7h9pWA5+fVjZ0Y9pfrv4iAJM=,tag:fJXCQdCXd7IddyRP9Scueg==,type:str] + lastmodified: "2023-09-11T14:19:07Z" + mac: ENC[AES256_GCM,data:G/hYRqQxQxdij3hNsZcaQvx/SA95FeEA9q2DlC/Bkx1x0ApM7qG7eVNeVtqlYHkUd7IsylKyq1lf4Z4GQMj0Cq2sMZRn0Z6InUq67FSHqTd0JInZPQGDY5DDSD0WNuDSIHPJLWd1cC+onSpvBtx2xqxGb9HGNAJo+sGM4mlUBvU=,iv:E5pzAv+WRx8lPofUGZcH39lEPZa0MIn/m/ldX4I9PdU=,tag:a7pnkayI+U04G1KBrBEpOg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3