SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 16:21:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add healthchecks to the backups

Browse source
This commit is contained in:
SebastianStork 2024-09-09 16:10:06 +02:00
parent 40a8ba846a
commit 8ab39c79ab
5 changed files with 46 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

1
hosts/stratus/containers/nextcloud/backup.nix
View file

@ -11,6 +11,7 @@
myConfig.resticBackup.nextcloud = {
enable = true;
user = config.users.users.nextcloud.name;
healthchecks.enable = true;
extraConfig = {
backupPrepareCommand = ''

5
hosts/stratus/containers/nextcloud/secrets.yaml
View file

@ -5,6 +5,7 @@ nextcloud:
restic:
environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str]
password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str]
sops:
kms: []
gcp_kms: []
@ -29,8 +30,8 @@ sops:
aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-02T22:12:46Z"
mac: ENC[AES256_GCM,data:lM947a3lS+ultYxIIrmyUe9rGtho1MPQ31cVWeP9JitkwMgP8kZFWV/HYMWIP6hUvvAwrdyMnSsyxRwDAY5EcEPnoGcnCtgctlAjsGb/B9HECCfD/ZeEiGAXGEfsojgkUJIEx/XeoD/FstyNB7CfsYoEHnB06YUFJzk1hj6+JME=,iv:P5wB86h3gUEnveLSMqRjH94gHfdPL2IBCRX3S8UTMBg=,tag:F7ZqYCEuPE0Je01KhAFYIA==,type:str]
lastmodified: "2024-09-09T13:39:24Z"
mac: ENC[AES256_GCM,data:mZ2AATOGjw8ekgf6Av37r3xImSe61dOjhVlsQnFgwLg4Hvlqlo95gFmEasDYfEVZQaRdllAXe/LIHz+GNbIdGRkkU7hjMv6A1vERFahuV2a5rzjgHZDFphROG9bEUI+wjI4rmIHEDz9DYAnpyFPDdNVWsXsO/7cTnwqTxnBl+QM=,iv:KkW7eXQvrd6WkzH8iiHOGGcjslFkuqqvi79v+zlWlz0=,tag:X+HH4ej52oKlY7tGOXQltQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

1
hosts/stratus/containers/paperless/backup.nix
View file

@ -13,6 +13,7 @@
myConfig.resticBackup.paperless = {
enable = true;
user = config.users.users.paperless.name;
healthchecks.enable = true;
extraConfig = {
backupPrepareCommand = ''

5
hosts/stratus/containers/paperless/secrets.yaml
View file

@ -3,6 +3,7 @@ paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jM
restic:
environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
sops:
kms: []
gcp_kms: []
@ -27,8 +28,8 @@ sops:
cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-02T11:41:12Z"
mac: ENC[AES256_GCM,data:BPT+RVvdUxbNmhKUEqagk3XBaxG9+o40u29oyKPWPC8L62j7FgKjihoMKEKtiGTuswQdwNiHrz2QAAcQ90yXE0WVQC2yho7QvoejTTVkkii2fh9+AGWFffQXQ1GNXqPVsTF5d8vkLkEMipZqatObC4yFQgffIvQfAMHPPHCxdsc=,iv:e8ENMa8cZ+q5JJD1JqhdjQazxI8jzwQqZEdX/M0+zMY=,tag:mhFfY2rP/XKFazjFuBVVmQ==,type:str]
lastmodified: "2024-09-09T13:39:48Z"
mac: ENC[AES256_GCM,data:mm7p2HU3U0oJIhncjQVX/dag3NhuJrru7dlPy3QFZfBBd5/guy9jyW6eJkFyBKwukNzrhhUiI9IVnYYRdNcloGFlAnoWdIqMm80OWxn0C0KU3MMUoWTQCZuJiDpbH7fRCeq5gVgvNkdYt04AQZbd3XpfHOP0cieSVOlXejJIyh8=,iv:Pz6QkeFvUcBAeZOq19yxMoi71eZiTUF/3PQzcZ7XWhs=,tag:w0eJWmwbA9l9i8/aWfxOmQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

48
modules/system/restic-backup.nix
View file

@ -1,4 +1,9 @@
{ config, lib, ... }:
{
config,
pkgs,
lib,
...
}:
let
cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
in
@ -12,6 +17,7 @@ in
type = lib.types.str;
default = config.users.users.root.name;
};
healthchecks.enable = lib.mkEnableOption "";
extraConfig = lib.mkOption {
type = lib.types.attrsOf lib.types.anything;
default = { };
@ -29,16 +35,21 @@ in
users.groups.restic.members = lib.mapAttrsToList (_: value: value.user) cfg;
sops.secrets = {
"restic/environment" = {
mode = "440";
group = config.users.groups.restic.name;
sops.secrets =
let
resticPermissions = {
mode = "440";
group = config.users.groups.restic.name;
};
in
{
"restic/environment" = resticPermissions;
"restic/password" = resticPermissions;
"healthchecks-ping-key" = lib.mkIf (
(lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }
) resticPermissions;
};
"restic/password" = {
mode = "440";
group = config.users.groups.restic.name;
};
};
services.restic.backups = lib.mapAttrs (
name: value:
@ -57,5 +68,22 @@ in
}
// value.extraConfig
) cfg;
systemd.services = lib.mapAttrs' (
name: _:
lib.nameValuePair "restic-backups-${name}" (
let
ping = signal: ''
${lib.getExe pkgs.curl} -fsS -m 10 --retry 5 https://hc-ping.com/$(cat ${
config.sops.secrets."healthchecks-ping-key".path
})/${name}-backup/${signal}
'';
in
{
preStart = lib.mkBefore (ping "start");
postStop = lib.mkAfter (ping "0");
}
)
) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg);
};
}