diff --git a/hosts/stratus/containers/nextcloud/backup.nix b/hosts/stratus/containers/nextcloud/backup.nix index 9e837ce..0d93786 100644 --- a/hosts/stratus/containers/nextcloud/backup.nix +++ b/hosts/stratus/containers/nextcloud/backup.nix @@ -11,6 +11,7 @@ myConfig.resticBackup.nextcloud = { enable = true; user = config.users.users.nextcloud.name; + healthchecks.enable = true; extraConfig = { backupPrepareCommand = '' diff --git a/hosts/stratus/containers/nextcloud/secrets.yaml b/hosts/stratus/containers/nextcloud/secrets.yaml index 272a59c..be57dbf 100644 --- a/hosts/stratus/containers/nextcloud/secrets.yaml +++ b/hosts/stratus/containers/nextcloud/secrets.yaml @@ -5,6 +5,7 @@ nextcloud: restic: environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str] password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str] +healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -29,8 +30,8 @@ sops: aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-02T22:12:46Z" - mac: ENC[AES256_GCM,data:lM947a3lS+ultYxIIrmyUe9rGtho1MPQ31cVWeP9JitkwMgP8kZFWV/HYMWIP6hUvvAwrdyMnSsyxRwDAY5EcEPnoGcnCtgctlAjsGb/B9HECCfD/ZeEiGAXGEfsojgkUJIEx/XeoD/FstyNB7CfsYoEHnB06YUFJzk1hj6+JME=,iv:P5wB86h3gUEnveLSMqRjH94gHfdPL2IBCRX3S8UTMBg=,tag:F7ZqYCEuPE0Je01KhAFYIA==,type:str] + lastmodified: "2024-09-09T13:39:24Z" + mac: ENC[AES256_GCM,data:mZ2AATOGjw8ekgf6Av37r3xImSe61dOjhVlsQnFgwLg4Hvlqlo95gFmEasDYfEVZQaRdllAXe/LIHz+GNbIdGRkkU7hjMv6A1vERFahuV2a5rzjgHZDFphROG9bEUI+wjI4rmIHEDz9DYAnpyFPDdNVWsXsO/7cTnwqTxnBl+QM=,iv:KkW7eXQvrd6WkzH8iiHOGGcjslFkuqqvi79v+zlWlz0=,tag:X+HH4ej52oKlY7tGOXQltQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/hosts/stratus/containers/paperless/backup.nix b/hosts/stratus/containers/paperless/backup.nix index fd83def..60c7271 100644 --- a/hosts/stratus/containers/paperless/backup.nix +++ b/hosts/stratus/containers/paperless/backup.nix @@ -13,6 +13,7 @@ myConfig.resticBackup.paperless = { enable = true; user = config.users.users.paperless.name; + healthchecks.enable = true; extraConfig = { backupPrepareCommand = '' diff --git a/hosts/stratus/containers/paperless/secrets.yaml b/hosts/stratus/containers/paperless/secrets.yaml index 6651166..fdcd2e6 100644 --- a/hosts/stratus/containers/paperless/secrets.yaml +++ b/hosts/stratus/containers/paperless/secrets.yaml 
@@ -3,6 +3,7 @@ paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jM restic: environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str] password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str] +healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str] sops: kms: [] gcp_kms: [] @@ -27,8 +28,8 @@ sops: cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-02T11:41:12Z" - mac: ENC[AES256_GCM,data:BPT+RVvdUxbNmhKUEqagk3XBaxG9+o40u29oyKPWPC8L62j7FgKjihoMKEKtiGTuswQdwNiHrz2QAAcQ90yXE0WVQC2yho7QvoejTTVkkii2fh9+AGWFffQXQ1GNXqPVsTF5d8vkLkEMipZqatObC4yFQgffIvQfAMHPPHCxdsc=,iv:e8ENMa8cZ+q5JJD1JqhdjQazxI8jzwQqZEdX/M0+zMY=,tag:mhFfY2rP/XKFazjFuBVVmQ==,type:str] + lastmodified: "2024-09-09T13:39:48Z" + mac: ENC[AES256_GCM,data:mm7p2HU3U0oJIhncjQVX/dag3NhuJrru7dlPy3QFZfBBd5/guy9jyW6eJkFyBKwukNzrhhUiI9IVnYYRdNcloGFlAnoWdIqMm80OWxn0C0KU3MMUoWTQCZuJiDpbH7fRCeq5gVgvNkdYt04AQZbd3XpfHOP0cieSVOlXejJIyh8=,iv:Pz6QkeFvUcBAeZOq19yxMoi71eZiTUF/3PQzcZ7XWhs=,tag:w0eJWmwbA9l9i8/aWfxOmQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/modules/system/restic-backup.nix b/modules/system/restic-backup.nix index b552aff..6e84a64 100644 --- a/modules/system/restic-backup.nix +++ b/modules/system/restic-backup.nix @@ -1,4 +1,9 @@ -{ config, lib, ... }: +{ + config, + pkgs, + lib, + ... +}: let cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup; in 
@@ -12,6 +17,7 @@ in type = lib.types.str; default = config.users.users.root.name; }; + healthchecks.enable = lib.mkEnableOption ""; extraConfig = lib.mkOption { type = lib.types.attrsOf lib.types.anything; default = { }; @@ -29,16 +35,21 @@ in users.groups.restic.members = lib.mapAttrsToList (_: value: value.user) cfg; - sops.secrets = { - "restic/environment" = { - mode = "440"; - group = config.users.groups.restic.name; + sops.secrets = + let + resticPermissions = { + mode = "440"; + group = config.users.groups.restic.name; + }; + in + { + "restic/environment" = resticPermissions; + "restic/password" = resticPermissions; + + "healthchecks-ping-key" = lib.mkIf ( + (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { } + ) resticPermissions; }; - "restic/password" = { - mode = "440"; - group = config.users.groups.restic.name; - }; - }; services.restic.backups = lib.mapAttrs ( name: value: @@ -57,5 +68,22 @@ in } // value.extraConfig ) cfg; + + systemd.services = lib.mapAttrs' ( + name: _: + lib.nameValuePair "restic-backups-${name}" ( + let + ping = signal: '' + ${lib.getExe pkgs.curl} -fsS -m 10 --retry 5 https://hc-ping.com/$(cat ${ + config.sops.secrets."healthchecks-ping-key".path + })/${name}-backup/${signal} + ''; + in + { + preStart = lib.mkBefore (ping "start"); + postStop = lib.mkAfter (ping "0"); + } + ) + ) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg); }; }
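Review bot: `healthchecks.enable = lib.mkEnableOption "";` declares the option with an empty description, so nothing tells a reader what enabling it does. From the rest of this commit, enabling it makes the backup unit ping hc-ping.com and requires a `healthchecks-ping-key` sops secret. I would give it a description, e.g. `lib.mkEnableOption "healthchecks.io pings around the restic backup (needs the healthchecks-ping-key secret)"`. The option set this line sits in starts and ends outside the hunk.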
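Review bot: The expression `lib.filterAttrs (_: value: value.healthchecks.enable) cfg` is written out here for the `lib.mkIf` on `"healthchecks-ping-key"` and again as the argument of `lib.mapAttrs'` in the `systemd.services` hunk below. Binding it once beside `cfg` in the file's top-level `let`, e.g. `hcCfg = lib.filterAttrs (_: value: value.healthchecks.enable) cfg;`, would keep the secret declaration and the units that read it from drifting apart. Separately, `resticPermissions` makes the ping key group-readable by every member of `restic`, including backup users that never enable healthchecks. That matches how the restic secrets are handled, but it is worth a comment saying it is intended.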
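Review bot: `postStop = lib.mkAfter (ping "0");` reports exit status 0 to healthchecks on every stop, so a failed backup is recorded as a success and the check never alerts on it. systemd exports `$EXIT_STATUS` (and `$SERVICE_RESULT`) to stop-post commands, so I would pass it through with `postStop = lib.mkAfter (ping "$EXIT_STATUS");`. Confirm what that sends when the unit is killed by a signal, where the value is a signal name rather than a number. Separately, the start ping runs `curl -f` in `preStart`; if that script aborts on a non-zero exit, as NixOS unit scripts normally do, an outage of hc-ping.com would keep the backup from starting, so `|| true` on the start ping may be wanted. The `$(cat …)` substitution also puts the ping key in curl's argv, where other local users can read it from the process list while the request is in flight.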