fix(backups): proper restic remote repo configuration

deedee-ops · Oct 28, 2024 · bae9ae5 · bae9ae5
1 parent 8db88bf
commit bae9ae5
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 22 deletions.
diff --git a/machines/deedee/configuration.nix b/machines/deedee/configuration.nix
@@ -34,18 +34,22 @@ _: rec {
       local = {
         enable = true;
         location = "/mnt/backup";
+        passFileSopsSecret = "backups/restic/local/password";
       };
       remotes = [
         {
           name = "borgbase-eu";
-          repositoryFileSopsSecret = "backups/restic/repo-borgbase-eu";
+          location = "rest:https://pyif3th7.repo.borgbase.com";
+          envFileSopsSecret = "backups/restic/repo-borgbase-eu/env";
+          passFileSopsSecret = "backups/restic/repo-borgbase-eu/password";
         }
         {
           name = "borgbase-us";
-          repositoryFileSopsSecret = "backups/restic/repo-borgbase-us";
+          location = "rest:https://p51to40o.repo.borgbase.com";
+          envFileSopsSecret = "backups/restic/repo-borgbase-us/env";
+          passFileSopsSecret = "backups/restic/repo-borgbase-us/password";
         }
       ];
-      passFileSopsSecret = "backups/restic/password";
     };
 
     disks = {

diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml
@@ -3,9 +3,14 @@ alerts:
         env: ENC[AES256_GCM,data:rVa16yLOOc+bJyBNSe+FpuC0+OJrQSjr6duIHQ88XWxpZN4/4mgfu4g78NyTELAEmv1qKrXCXjVhltqU/1gY809lGB14Y62x4gaKKqiXHZzJIfejwRaXUalYHD6zp58WVA==,iv:NIiov8DHS99ML4kY+6uyMOxSM6jgCrqIicYm/E0Fb7A=,tag:cj5lcNJT9n1Y34I+gKsgbw==,type:str]
 backups:
     restic:
-        password: ENC[AES256_GCM,data:YrJJQi7v4OIuQjJX3FebRsDKm5hrKbRjWqUeWBvk2oKpjWpS7svjvQ==,iv:dLOe0HezZDdSd2OFgu/jH14JTP6Y02VlIM1VUkR5XMI=,tag:LDfBmTJOKdsTYF8q5Q6kfQ==,type:str]
-        repo-borgbase-eu: ENC[AES256_GCM,data:YKk09bwUOfIkvmh/2+VIFkns3LbP/uGhJT7HVlOYiV3SljSWXsZAia3WOIKwzEgLKd7GOofs6VGDVLvg0cZugqo=,iv:57K5mzs7fscimmeDF4qRq1qIF/yD12ZDat6kY3BLkbA=,tag:k/A8f1/3lMDl5S8DtEw5ew==,type:str]
-        repo-borgbase-us: ENC[AES256_GCM,data:7NYfU03rKk0+rS7naXBpIALdb0z/lv9GgQ5JfsNDlQp11CGl8cS6/2qFIZquytUjlyMFYub/BU/3asz9wrhZJ/g=,iv:s1PnGz1zXhSO5Mfrwg6CIj/C1dhIq9p6ECTljiPO3HE=,tag:gbMklOOJmb4PKACDv3l+FQ==,type:str]
+        local:
+            password: ENC[AES256_GCM,data:IZ2XMBv1OzOLtmuie78WuxUk6c/l1IJ95YOlfZ/VjsgVgD9dtMY7hw==,iv:8YzImyu6/VzMVL0sCupRYm1AahkO1v/KVKwX8LzY8Bo=,tag:yOkdnA4GvsvHwodKNHRCtw==,type:str]
+        repo-borgbase-eu:
+            password: ENC[AES256_GCM,data:cnw4mvjDo28REbUAotxfNBbVR18NemXoUz2bBiUd275bE6M2WSgxzQ==,iv:llyLuGfl8KQqXGnasbSYlO1dGlhp6+zxcweiAH4FIRY=,tag:iNw8riEIZ8PFNovRwKsPHA==,type:str]
+            env: ENC[AES256_GCM,data:Qj7HipyHBVqicL5SVhlEdxzyXh8ikUaVOIflsBuwl0DvV98c19ZRzHR0eZMskpGlEw2t42V2RLnt/f7Cx0E+DOyrzmE=,iv:BDvljzj4TU/ulTeXEDfSh0ANxIwISK32wEKKsxWV6iU=,tag:BgXleTABhgy1p5ZoZs0f9Q==,type:str]
+        repo-borgbase-us:
+            password: ENC[AES256_GCM,data:YYlKf8OG2OiRiiHpGynSp1qW0bcdI61LmyH0Le/QJjf5l80fYbV+Aw==,iv:wLi6ABP8PXCwOIoyqMDiqqhmHYGWKv6BFvFEP3p2goI=,tag:zr1YTnwbPJK6v3bAGnErbA==,type:str]
+            env: ENC[AES256_GCM,data:2B8oEKfW5CwnLbzTtO5VEI5qlbAFqDVZMFsc7NwpntEAcYqaJA6Y/SpS9EgH9d0WoYvjIdbpI5CvA3VYb4MzcssuY60=,iv:dmWNwpdRnUztKD1v+BlUe5o6a7j8JBzOzcjJBF6u0SI=,tag:ACaOTd9dWjX8qPRA5QpuAg==,type:str]
 credentials:
     github:
         access-token-nix-config: ENC[AES256_GCM,data:etHhyYvskH3UgviTjOzmdCxRytfMNG5k7XujVWDB8xuv+eW7OLmqJfk+ptjFCX8/kIArWNZYMA20shGiO68Z11oDhzkT+BLKoxs5DjAgVJSV+Us+XhgWTS7z5PlfZmYbvkTom5Awai0ZcyZXf9V25QaOGAlQ6/Kb,iv:F3sjnEa5K6jGDVotoe4y3UcLvkgTeEyby1ms28gCS8g=,tag:cnQepz88qWRgQ3FgT/sykQ==,type:str]
@@ -111,8 +116,8 @@ sops:
             c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV
             bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-27T21:39:43Z"
-    mac: ENC[AES256_GCM,data:6V9pkQ5LOIOjbosi4lwLRMoXj/aJz04F4HWXY6HeBWdp/OLI6o5IvYJaQcKWPnClvffTUOwQyo0KgkcNPRFxVJO7AVb9l6vzRXz1cdIlxd8Bst9KEO8vswAHY8tEj9LwvE0PqBhCuveIrlKZjeU89GKnQOikTVCx7kvUcqdAf+U=,iv:6BnO0ty6V0n7Osh/vJJ7Ega12/itISw5T3c0utRurcg=,tag:qC/JO6H/3W7n5SeQkGTFOg==,type:str]
+    lastmodified: "2024-10-28T17:41:51Z"
+    mac: ENC[AES256_GCM,data:W2USP96yAxaDFl/pTcA/3Ma3ASIaU9UInCDsZ/A6TrjWl+sMAWTphfEfkNy4mh8O3YjwxNGhABLR5CjQsgYmsyfzjR5h2OOZeVlXCG0AofD8ATVZN2mtAGAaX5oyKYBZ/HllzR2z4GTC4BayJFETpGsOgLDWKo9Ebur6f5XYg5U=,iv:58Vsas7dACW7EU0Wet4uBKuT1fA4UdpEtOA+3iVVzz4=,tag:TbAT20VTvrtC1AI4S9zdyg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1
diff --git a/modules/system/backup.nix b/modules/system/backup.nix
@@ -15,6 +15,10 @@ in
         type = lib.types.str;
         description = "Location for local backups.";
       };
+      passFileSopsSecret = lib.mkOption {
+        type = lib.types.str;
+        description = "Sops secret name containing local restic backups password.";
+      };
     };
     remotes = lib.mkOption {
       type = lib.types.listOf (
@@ -24,9 +28,17 @@ in
               type = lib.types.str;
               description = "Remote repository alias for restic.";
             };
-            repositoryFileSopsSecret = lib.mkOption {
+            location = lib.mkOption {
+              type = lib.types.str;
+              description = "Location for remote backups.";
+            };
+            envFileSopsSecret = lib.mkOption {
+              type = lib.types.str;
+              description = "Sops secret name containing remote restic repository envs.";
+            };
+            passFileSopsSecret = lib.mkOption {
               type = lib.types.str;
-              description = "Sops secret name containing remote restic repository url.";
+              description = "Sops secret name containing remote restic backups password.";
             };
           };
         }
@@ -37,10 +49,6 @@ in
       description = "Location for snapshot mount.";
       default = "/mnt/backup-snapshot";
     };
-    passFileSopsSecret = lib.mkOption {
-      type = lib.types.str;
-      description = "Sops secret name containing restic backups password.";
-    };
   };
 
   config = lib.mkIf (cfg.local.enable || (builtins.length cfg.remotes > 0)) {
@@ -58,11 +66,17 @@ in
 
     sops.secrets =
       {
-        "${cfg.passFileSopsSecret}" = { };
+        "${cfg.local.passFileSopsSecret}" = { };
       }
       // builtins.listToAttrs (
         builtins.map (remote: {
-          name = remote.repositoryFileSopsSecret;
+          name = remote.passFileSopsSecret;
+          value = { };
+        }) cfg.remotes
+      )
+      // builtins.listToAttrs (
+        builtins.map (remote: {
+          name = remote.envFileSopsSecret;
           value = { };
         }) cfg.remotes
       );

diff --git a/modules/system/containers/firefly-iii/default.nix b/modules/system/containers/firefly-iii/default.nix
@@ -93,7 +93,7 @@ in
         host = "firefly";
         proxyPass = "http://firefly-iii.docker:8080";
       };
-      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly-iii" ]; };
+      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "firefly" ]; };
     };
 
     systemd = {

diff --git a/modules/system/containers/mail-archive/dovecot.nix b/modules/system/containers/mail-archive/dovecot.nix
@@ -28,6 +28,7 @@ in
         extraOptions = [
           "--cap-add=CAP_CHOWN"
           "--cap-add=CAP_FSETID"
+          "--cap-add=CAP_KILL"
           "--cap-add=CAP_SETGID"
           "--cap-add=CAP_SETUID"
           "--cap-add=CAP_SYS_CHROOT"

diff --git a/modules/system/containers/paperless-ngx/paperless-ngx.nix b/modules/system/containers/paperless-ngx/paperless-ngx.nix
@@ -91,7 +91,7 @@ in
           object-src 'self';
         '';
       };
-      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "paperless-ngx" ]; };
+      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "paperless" ]; };
       restic.backups = lib.mkIf cfg.backup (
         svc.mkRestic {
           name = "paperless-ngx";

diff --git a/modules/system/lib.nix b/modules/system/lib.nix
@@ -201,7 +201,6 @@
           #
           ${lib.getExe pkgs.restic} unlock --remove-all || true
         '';
-        passwordFile = config.sops.secrets."${config.mySystem.backup.passFileSopsSecret}".path;
 
         # Move the path to the zfs snapshot path
         includePaths = map (path: "${config.mySystem.backup.snapshotMountPath}/${path}") paths;
@@ -214,11 +213,11 @@
             timerConfig
             initialize
             backupPrepareCommand
-            passwordFile
             ;
 
           paths = includePaths;
           exclude = excludePaths;
+          passwordFile = config.sops.secrets."${config.mySystem.backup.local.passFileSopsSecret}".path;
           repository = "${config.mySystem.backup.local.location}/${name}";
         };
 
@@ -233,12 +232,13 @@
               timerConfig
               initialize
               backupPrepareCommand
-              passwordFile
               ;
 
             paths = includePaths;
             exclude = excludePaths;
-            repositoryFile = config.sops.secrets."${remote.repositoryFileSopsSecret}".path;
+            passwordFile = config.sops.secrets."${remote.passFileSopsSecret}".path;
+            repository = "${remote.location}/${name}";
+            environmentFile = config.sops.secrets."${remote.envFileSopsSecret}".path;
           };
         }) config.mySystem.backup.remotes
       );