Add healthchecks to the backups

2026-01-21 18:41:34 +01:00 · 2024-09-09 16:10:06 +02:00 · 2024-09-09 16:10:06 +02:00 · 8ab39c79ab
commit 8ab39c79ab
parent 40a8ba846a
5 changed files with 46 additions and 14 deletions
--- a/hosts/stratus/containers/nextcloud/backup.nix
+++ b/hosts/stratus/containers/nextcloud/backup.nix
@ -11,6 +11,7 @@
  myConfig.resticBackup.nextcloud = {
    enable = true;
    user = config.users.users.nextcloud.name;
    healthchecks.enable = true;
    extraConfig = {
      backupPrepareCommand = ''
--- a/hosts/stratus/containers/nextcloud/secrets.yaml
+++ b/hosts/stratus/containers/nextcloud/secrets.yaml
@ -5,6 +5,7 @@ nextcloud:
 restic:
  environment: ENC[AES256_GCM,data:bYC7JBKvOMUdqB3X/Z9Nh4g8mhSJpqo63vU3zIrdSO+zlRF+PT+n4yofZe8D47Wz46YGAfwnKXGvAy2WQwHsDcMfdWW85e/1ttV5eESWMotSBM7WzpyFRjNDg+vCy4nWkWI=,iv:RVBMlsOwJCehMuJ2Hzls+gnzUIJM8MjdLu5uMJczugw=,tag:hds43pJX/hpBLwXTujiJ8w==,type:str]
  password: ENC[AES256_GCM,data:yMs1EG39X1+RYcgeM3SFi38ypOU=,iv:vsEl9jLR3DcqRxJmH5cpIe1+I2W49Hj12oOfwrymznI=,tag:uevinZPEfj0J4KFkTLsV5g==,type:str]
 healthchecks-ping-key: ENC[AES256_GCM,data:3bLMIixDXZpCWfkuf8UbCovRvbtlIw==,iv:0G7oIezhyNDl7U9EXw2auvTvdxng6CAbAViXQSbzo+c=,tag:u1QWKdszu9dDLb6LZdAShA==,type:str]
 sops:
  kms: []
  gcp_kms: []
@ -29,8 +30,8 @@ sops:
        aWFqYXYrMmJBbEQwQWxza1lrdmU4bmMKm0QbJP1QiNVOA7slpocaPxkq9orE8jrP
        xxrDtRUZhvEOEZuCD61wWTfgdeI7SFWaSJkN6MgPlvRyuYQ+3TZh3Q==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-02T22:12:46Z"
+  lastmodified: "2024-09-09T13:39:24Z"
-  mac: ENC[AES256_GCM,data:lM947a3lS+ultYxIIrmyUe9rGtho1MPQ31cVWeP9JitkwMgP8kZFWV/HYMWIP6hUvvAwrdyMnSsyxRwDAY5EcEPnoGcnCtgctlAjsGb/B9HECCfD/ZeEiGAXGEfsojgkUJIEx/XeoD/FstyNB7CfsYoEHnB06YUFJzk1hj6+JME=,iv:P5wB86h3gUEnveLSMqRjH94gHfdPL2IBCRX3S8UTMBg=,tag:F7ZqYCEuPE0Je01KhAFYIA==,type:str]
+  mac: ENC[AES256_GCM,data:mZ2AATOGjw8ekgf6Av37r3xImSe61dOjhVlsQnFgwLg4Hvlqlo95gFmEasDYfEVZQaRdllAXe/LIHz+GNbIdGRkkU7hjMv6A1vERFahuV2a5rzjgHZDFphROG9bEUI+wjI4rmIHEDz9DYAnpyFPDdNVWsXsO/7cTnwqTxnBl+QM=,iv:KkW7eXQvrd6WkzH8iiHOGGcjslFkuqqvi79v+zlWlz0=,tag:X+HH4ej52oKlY7tGOXQltQ==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.0
--- a/hosts/stratus/containers/paperless/backup.nix
+++ b/hosts/stratus/containers/paperless/backup.nix
@ -13,6 +13,7 @@
  myConfig.resticBackup.paperless = {
    enable = true;
    user = config.users.users.paperless.name;
    healthchecks.enable = true;
    extraConfig = {
      backupPrepareCommand = ''
--- a/hosts/stratus/containers/paperless/secrets.yaml
+++ b/hosts/stratus/containers/paperless/secrets.yaml
@ -3,6 +3,7 @@ paperless-admin-password: ENC[AES256_GCM,data:7xjn0fXEFZCYDvzjP7P5R5reZR8=,iv:jM
 restic:
  environment: ENC[AES256_GCM,data:JRwMFhbVLg4hkmJsNw+yNdCBX3Cud5ADbGL+nkRFUjpMkF1c3JubWnNI4lG/ehfJ0GJmHveOyMD304XEykPWuK89KVNNmqTuaa2hGUIykQPyqAqvkChOsOZAfGA/gHrC8tY=,iv:xsXanfAtI8ppOxwtsu89+3KWwNXtXPyT1k+Toe6f6Vw=,tag:hUO7jaTgzX+z4eiLK9CQ7g==,type:str]
  password: ENC[AES256_GCM,data:txtSW2r1HTFeZXEmkkMBYhPkdms=,iv:kTI52zpI7vUU6IxO/qwzoAtdNZnHrhU69WovA1dBYi0=,tag:6XF1BUOA2Brao/qR3DNe0g==,type:str]
 healthchecks-ping-key: ENC[AES256_GCM,data:HihujYrVxFEXF5PnPscigc7vXWM8kg==,iv:T6JmbIjcMjfHKssR5tJrlfQGivqGDWz5d80PQORNLH4=,tag:2Gkddfksi5QPnFK1JFip2g==,type:str]
 sops:
  kms: []
  gcp_kms: []
@ -27,8 +28,8 @@ sops:
        cmFJeFpHdnRzMFA2a1NML1A1RFB6clEK+FH8x1dccz8TnUuEFc0EkTSzG6Ody0IF
        tCNrHN2h3AzqYxKFYucquMmnE9WGJuzShijIXAv1W7JE2JZw9XnS4w==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-09-02T11:41:12Z"
+  lastmodified: "2024-09-09T13:39:48Z"
-  mac: ENC[AES256_GCM,data:BPT+RVvdUxbNmhKUEqagk3XBaxG9+o40u29oyKPWPC8L62j7FgKjihoMKEKtiGTuswQdwNiHrz2QAAcQ90yXE0WVQC2yho7QvoejTTVkkii2fh9+AGWFffQXQ1GNXqPVsTF5d8vkLkEMipZqatObC4yFQgffIvQfAMHPPHCxdsc=,iv:e8ENMa8cZ+q5JJD1JqhdjQazxI8jzwQqZEdX/M0+zMY=,tag:mhFfY2rP/XKFazjFuBVVmQ==,type:str]
+  mac: ENC[AES256_GCM,data:mm7p2HU3U0oJIhncjQVX/dag3NhuJrru7dlPy3QFZfBBd5/guy9jyW6eJkFyBKwukNzrhhUiI9IVnYYRdNcloGFlAnoWdIqMm80OWxn0C0KU3MMUoWTQCZuJiDpbH7fRCeq5gVgvNkdYt04AQZbd3XpfHOP0cieSVOlXejJIyh8=,iv:Pz6QkeFvUcBAeZOq19yxMoi71eZiTUF/3PQzcZ7XWhs=,tag:w0eJWmwbA9l9i8/aWfxOmQ==,type:str]
  pgp: []
  unencrypted_suffix: _unencrypted
  version: 3.9.0
--- a/modules/system/restic-backup.nix
+++ b/modules/system/restic-backup.nix
@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
  config,
  pkgs,
  lib,
  ...
 }:
 let
  cfg = lib.filterAttrs (_: value: value.enable) config.myConfig.resticBackup;
 in
@ -12,6 +17,7 @@ in
            type = lib.types.str;
            default = config.users.users.root.name;
          };
          healthchecks.enable = lib.mkEnableOption "";
          extraConfig = lib.mkOption {
            type = lib.types.attrsOf lib.types.anything;
            default = { };
@ -29,15 +35,20 @@ in
    users.groups.restic.members = lib.mapAttrsToList (_: value: value.user) cfg;
-    sops.secrets = {
+    sops.secrets =
-      "restic/environment" = {
+      let
-        mode = "440";
+        resticPermissions = {
        group = config.users.groups.restic.name;
      };
      "restic/password" = {
          mode = "440";
          group = config.users.groups.restic.name;
        };
      in
      {
        "restic/environment" = resticPermissions;
        "restic/password" = resticPermissions;
        "healthchecks-ping-key" = lib.mkIf (
          (lib.filterAttrs (_: value: value.healthchecks.enable) cfg) != { }
        ) resticPermissions;
      };
    services.restic.backups = lib.mapAttrs (
@ -57,5 +68,22 @@ in
      }
      // value.extraConfig
    ) cfg;
    systemd.services = lib.mapAttrs' (
      name: _:
      lib.nameValuePair "restic-backups-${name}" (
        let
          ping = signal: ''
            ${lib.getExe pkgs.curl} -fsS -m 10 --retry 5  https://hc-ping.com/$(cat ${
              config.sops.secrets."healthchecks-ping-key".path
            })/${name}-backup/${signal}
          '';
        in
        {
          preStart = lib.mkBefore (ping "start");
          postStop = lib.mkAfter (ping "0");
        }
      )
    ) (lib.filterAttrs (_: value: value.healthchecks.enable) cfg);
  };
 }