backwards: Backup sync to cloud with restic

backwards: Add secret for restic cloud sync backup
tadpole: Specify ssh port for gitea
2024-09-01 10:34:05 +02:00 · 2024-09-01 10:34:05 +02:00 · 2024-09-01 10:24:40 +02:00 · 2024-09-01 10:24:40 +02:00 · 2024-09-01 10:24:40 +02:00 · 2024-09-01 10:24:40 +02:00
12 changed files with 166 additions and 3 deletions
--- a/hosts/backwards/modules/default.nix
+++ b/hosts/backwards/modules/default.nix
@@ -13,6 +13,8 @@ in
      ssh.enable = true;
      git.enable = true;
      syncthing.enable = true;
+      restic.enable = true;
+      transmission.enable = true;
    };
  };
 }
--- a/hosts/backwards/modules/restic/default.nix
+++ b/hosts/backwards/modules/restic/default.nix
@@ -0,0 +1,73 @@
+{ lib, config, ... }:
+let
+  enabled = config.mod.restic.enable;
+in
+{
+  options = {
+    mod.restic = {
+      enable = lib.mkEnableOption "Enable restic";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    fileSystems."/home/alex/backup" = {
+      device = "/dev/disk/by-uuid/34601701-65e6-4b2c-ac4d-8bef3dfd743f";
+      fsType = "ext4";
+      options = [ "nofail" ];
+    };
+
+    services = {
+      restic.backups = {
+        "sync-to-external" = {
+          initialize = true;
+
+          passwordFile = config.age.secrets.restic-password.path;
+
+          paths = [ "/home/alex/sync" ];
+          repository = "/home/alex/backup/restic";
+
+          timerConfig = {
+            OnCalendar = "*-*-* 0/12:00:00"; # Every 12th hour, i.e. twice a day
+            Persistent = true;
+          };
+
+          pruneOpts = [
+            "--keep-daily 1"
+            "--keep-weekly 7"
+            "--keep-yearly 12"
+          ];
+        };
+
+        "sync-to-cloud" = {
+          initialize = true;
+
+          passwordFile = config.age.secrets.restic-password.path;
+          environmentFile = config.age.secrets.restic-cloud-sync-key.path;
+          repositoryFile = config.age.secrets.restic-cloud-sync-repository.path;
+
+          paths = ["/home/alex/sync"];
+
+          timerConfig = {
+            OnCalendar = "*-*-* 0/12:00:00"; # Every 12th hour, i.e. twice a day
+            Persistent = true;
+          };
+
+          pruneOpts = [
+            "--keep-daily 1"
+            "--keep-weekly 7"
+            "--keep-yearly 12"
+          ];
+        };
+      };
+    };
+
+    age = {
+      secrets = {
+        "restic-password".file = ../../../../secrets/backwards/restic-password.age;
+        "restic-cloud-sync-key".file = ../../../../secrets/backwards/restic-cloud-sync-key.age;
+        "restic-cloud-sync-repository".file = ../../../../secrets/backwards/restic-cloud-sync-repository.age;
+      };
+    };
+  };
+}
+
--- a/hosts/backwards/modules/transmission/default.nix
+++ b/hosts/backwards/modules/transmission/default.nix
@@ -0,0 +1,42 @@
+{ pkgs, lib, config, ... }:
+let
+  enabled = config.mod.transmission.enable;
+in
+{
+  options = {
+    mod.transmission = {
+      enable = lib.mkEnableOption "enable transmission module";
+    };
+  };
+
+  config = lib.mkIf enabled {
+    services = {
+      transmission = {
+        enable = true;
+        package = pkgs.transmission_4;
+
+        openFirewall = true;
+        openRPCPort = true;
+
+        user = "alex";
+        group = "users";
+
+        home = "/home/alex/media/ts-home";
+        downloadDirPermissions = "775";
+
+        settings = {
+          rpc-bind-address = "0.0.0.0";
+          rpc-port = 9191;
+
+          incomplete-dir-enabled = false;
+          download-dir = "/home/alex/media/downloads";
+
+          rpc-authentication-required = true;
+          rpc-whitelist-enabled = false;
+          rpc-username = "transmission";
+          rpc-password = "{55d884e4042db67313da49e05d7089a368eb64b3Br.3X.Xi";
+        };
+      };
+    };
+  };
+}
--- a/hosts/pinwheel/modules/git/gitconfig
+++ b/hosts/pinwheel/modules/git/gitconfig
@@ -11,3 +11,5 @@
 [url "git@codeberg.org:"]
    insteadOf = https://codeberg.org/

+[url "gitea@git.ppp.pm:"]
+    insteadOf = https://git.ppp.pm/
--- a/hosts/pinwheel/modules/ssh/default.nix
+++ b/hosts/pinwheel/modules/ssh/default.nix
@@ -5,8 +5,8 @@
      enable = true;

      matchBlocks = {
-        "backwards.local" = {
-          hostname = "192.168.50.202";
+        "backwards" = {
+          hostname = "backwards";
          user = "alex";
          identityFile = "/home/alex/.ssh/alex.pinwheel-backwards";
          port = 1122;
@@ -48,6 +48,11 @@
          hostname = "codeberg.org";
          identityFile = "/home/alex/.ssh/alex.pinwheel-codeberg.org";
        };
+
+        "git.ppp.pm" = {
+          hostname = "git.ppp.pm";
+          identityFile = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm";
+        };
      };
    };

@@ -106,6 +111,19 @@
      group = "users";
    };

+    "alex.pinwheel-git.ppp.pm" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-git.ppp.pm.age;
+      path = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm";
+      owner = "alex";
+      group = "users";
+    };
+    "alex.pinwheel-git.ppp.pm.pub" = {
+      file = ../../../../secrets/pinwheel/alex.pinwheel-git.ppp.pm.pub.age;
+      path = "/home/alex/.ssh/alex.pinwheel-git.ppp.pm.pub";
+      owner = "alex";
+      group = "users";
+    };
+
    "alex.pinwheel-andromeda" = {
      file = ../../../../secrets/pinwheel/alex.pinwheel-andromeda.age;
      path = "/home/alex/.ssh/alex.pinwheel-andromeda";
--- a/hosts/tadpole/modules/gitea/default.nix
+++ b/hosts/tadpole/modules/gitea/default.nix
@@ -64,7 +64,7 @@ in
          DOMAIN = gitDomain;
          ROOT_URL = "https://${gitDomain}";

-          SSH_PORT = 1122; # See `ssh` module
+          SSH_PORT = 1122; # see `ssh` module
        };

        database = {
--- a/secrets/backwards/restic-cloud-sync-key.age
+++ b/secrets/backwards/restic-cloud-sync-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Pu0HWg rTAkGJbth0WCE8KM50fHaCyXeO/NrmWXiDT/JH9ciAI
+kTMVbJRwOSh9Da1O9YYx21/7IdfZrb2OhoOJxNEIKSg
+-> ssh-ed25519 +oNaHQ DtMpPTuAjS1GyK2WalNJzErEE1mCos/R5aZyMnun+UQ
+B81FnJ5z70HzI6yvqiy6Lhr2X9ZjEi5dhM6u47flujA
+--- r9HCFWVU5LBiRBdRwOA1+IRBY1/I/1UeukGtFz7BxWE
+T<1F>K%<25><>W<EFBFBD>*&<26>İ<19>-&<26><><EFBFBD>8)|<7C><><EFBFBD><EFBFBD><16><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>07<06><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>l<EFBFBD><6C>Q<03>0<EFBFBD><30><EFBFBD>Ԗ<EFBFBD><D496><EFBFBD>]<5D><>۸<>mP<6D>^~<7E>/<2F>#<23><><EFBFBD><EFBFBD>"<22><1A><19>+<15>)<29>Y<EFBFBD>n<6E>@<1B>჌R<E1838C><52><EFBFBD>_p<5F><70>F<EFBFBD><46>%<25><1E><18>#
--- a/secrets/backwards/restic-cloud-sync-repository.age
+++ b/secrets/backwards/restic-cloud-sync-repository.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Pu0HWg tZ6zAXOBdiWyyUeOZZ66w1ij8xuHY98fvClPn8/jQVs
+AVp3Y04vSbnkurqjAouiDojd5IMFVCYyldXv0v4n9W4
+-> ssh-ed25519 +oNaHQ KK44MdrfQLZK44eYWpLiTFm3d/bx6WTsHm98MkvhQTw
+CYJJWbpHbLQHvzTWLbujg1AZ3KvgCshVUrolPE1hUho
+--- aBOxH3rbMriVBctdVGdQXFH/KYWLbweGzda5sN4HJOA
+<EFBFBD>No<EFBFBD>ǡO><3E><><EFBFBD><EFBFBD><EFBFBD>\I<>#0<><30><EFBFBD>+Y8<59>v<76>CS#<23><>O<10><><EFBFBD>eG<65>;-T<>d<EFBFBD><64>,V@3<0E> <20><><1B><>]`<60>\b<>D<EFBFBD>+<2B><>6<EFBFBD><36><EFBFBD><EFBFBD>䘤n<E498A4>%<25>NȒ
--- a/secrets/backwards/restic-password.age
+++ b/secrets/backwards/restic-password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 Pu0HWg qmcWFPndrhXlpjBtSsVNARAOHM9UNtfcEvtSGx/BLHY
+EdnzUWju9g61idxWmDaaxSZ6ZiVvhFLOKH3hY1Kyk8s
+-> ssh-ed25519 +oNaHQ CMBvVWHwVsY89rbdYvVoVeoZlIXLJoIN8xsoqqBnSiA
+xogVU/MBezQzq1rbIOqT5PGNYqM8o0Pmojk2npqT4U
+--- mdhPf3weI9cOcaAh9j/CVB+KRfPSRuT678oueeJjdCk
+Z<EFBFBD>mݹ<EFBFBD><EFBFBD>Ӻ*<2A><>9k<39>w<EFBFBD>N<EFBFBD>Zh&<26>G<EFBFBD>
--- a/secrets/pinwheel/alex.pinwheel-git.ppp.pm.age
+++ b/secrets/pinwheel/alex.pinwheel-git.ppp.pm.age
--- a/secrets/pinwheel/alex.pinwheel-git.ppp.pm.pub.age
+++ b/secrets/pinwheel/alex.pinwheel-git.ppp.pm.pub.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,6 +22,8 @@ in {
  "pinwheel/alex.pinwheel-andromeda.pub.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-codeberg.org.age".publicKeys = [ pinwheel alex ];
  "pinwheel/alex.pinwheel-codeberg.org.pub.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-git.ppp.pm.age".publicKeys = [ pinwheel alex ];
+  "pinwheel/alex.pinwheel-git.ppp.pm.pub.age".publicKeys = [ pinwheel alex ];

  "pinwheel/work-gitconfig.age".publicKeys = [ pinwheel alex ];
  "pinwheel/work-github-token.age".publicKeys = [ pinwheel alex ];
@@ -33,6 +35,9 @@ in {
  "backwards/root.backwards.pub.age".publicKeys = [ backwards alex ];
  "backwards/syncthing-cert.age".publicKeys = [ backwards alex ];
  "backwards/syncthing-key.age".publicKeys = [ backwards alex ];
+  "backwards/restic-sync-password.age".publicKeys = [ backwards alex ];
+  "backwards/restic-cloud-sync-key.age".publicKeys = [ backwards alex ];
+  "backwards/restic-cloud-sync-repository.age".publicKeys = [ backwards alex ];
  "backwards/alex.backwards-codeberg.org.age".publicKeys = [ backwards alex ];
  "backwards/alex.backwards-codeberg.org.pub.age".publicKeys = [ backwards alex ];
  "backwards/wpa_supplicant.conf.age".publicKeys = [ backwards alex ];
Author	SHA1	Message	Date
Alexander Heldt	0c0c27361c	backwards: Backup `sync` to cloud with `restic`	2024-09-01 10:34:05 +02:00
Alexander Heldt	25004fdd25	backwards: Add secret for `restic` cloud sync backup	2024-09-01 10:34:05 +02:00
Alexander Heldt	73cd7e9aaa	tadpole: Specify `ssh` port for `gitea`	2024-09-01 10:24:40 +02:00
Alexander Heldt	383ac9540f	pinwheel: Add `git` url preference for `git.ppp.pm`	2024-09-01 10:24:40 +02:00
Alexander Heldt	606b9e92da	pinwheel: Add `ssh` keys for `git.ppp.pm`	2024-09-01 10:24:40 +02:00
Alexander Heldt	df91d77983	pinwheel: Add secrets for `git.ppp.pm`	2024-09-01 10:24:40 +02:00
Alexander Heldt	f8909a5da7	pinwheel: Use `tailscale` DNS for `ssh` to `backwards`	2024-09-01 10:24:40 +02:00
Alexander Heldt	55671ba649	tadpole: Use standard SSH port for `gitea`	2024-09-01 10:24:40 +02:00
Alexander Heldt	89e1b403c2	backwards: Add `transmission` module	2024-09-01 10:24:40 +02:00
Alexander Heldt	3f58a3dbee	backwards: Backup `sync` to external drive with `restic`	2024-09-01 10:24:40 +02:00
Alexander Heldt	fb03e5cb91	backwards: Add secret for `restic`	2024-09-01 10:02:08 +02:00