feat(restic): run on makanek, prometheus

2026-03-16 10:11:08 +01:00 · 2022-01-18 23:28:53 +01:00
parent bdc5c147dd
commit 30c2bfe598
5 changed files with 34 additions and 10 deletions
--- a/configs/backup.nix
+++ b/configs/backup.nix
@@ -1,11 +1,11 @@
 { pkgs, config, ... }:
 let
-  repository = "rest:http://zaatar.r:3571/";
+  inherit (import <niveum/lib>) restic;
 in
 {
  services.restic.backups.niveum = {
    initialize = true;
-    inherit repository;
+    inherit (restic) repository;
    timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
    passwordFile = toString <secrets/restic/password>;
    paths = [
@@ -15,7 +15,7 @@ in

  environment.systemPackages = [
    (pkgs.writers.writeDashBin "restic-niveum" ''
-      ${pkgs.restic}/bin/restic -r ${repository} -p ${<secrets/restic/password>} "$@"
+      ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${<secrets/restic/password>} "$@"
    '')
  ];
 }
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,6 +1,12 @@
 rec {
  tmpfilesConfig = {type, path, mode ? "-", user ? "-", group ? "-", age ? "-", argument ? "-"}: "${type} '${path}' ${mode} ${user} ${group} ${age} ${argument}";

+  restic = rec {
+    port = 3571;
+    host = "zaatar.r";
+    repository = "rest:http://${host}:${toString port}/";
+  };
+
  firewall = lib: {
    accept = { source, protocol, dport }: "nixos-fw -s ${lib.escapeShellArg source} -p ${lib.escapeShellArg protocol} --dport ${lib.escapeShellArg (toString dport)} -j nixos-fw-accept";
    addRules = lib.concatMapStringsSep "\n" (rule: "iptables -A ${rule}");
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }:
 let
-  inherit (import <niveum/lib>) kieran retiolumAddresses;
+  inherit (import <niveum/lib>) kieran retiolumAddresses restic;
 in
 {
  imports = [
@@ -27,6 +27,21 @@ in
    <niveum/modules/retiolum.nix>
  ];

+  services.restic.backups.niveum = {
+    initialize = true;
+    inherit (restic) repository;
+    timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
+    passwordFile = toString <secrets/restic/password>;
+    paths = [
+      "/var/lib/codimd"
+      "/var/lib/postgresql"
+      "/var/lib/weechat"
+      "/var/lib/nextcloud"
+      "/var/lib/grafana"
+      "/var/lib/gitea"
+    ];
+  };
+
  networking = {
    firewall.allowedTCPPorts = [ 80 443 ];
    hostName = "makanek";
--- a/systems/makanek/monitoring/default.nix
+++ b/systems/makanek/monitoring/default.nix
@@ -2,6 +2,7 @@
 let
  lokiConfig = import ./loki.nix;
  blackboxConfig = import ./blackbox.nix;
+  inherit (import <niveum/lib>) restic;
 in
 {
  services.grafana = {
@@ -180,7 +181,10 @@ in
    }
    {
      job_name = "zaatar";
-      static_configs = [ { targets = [ "zaatar.r:${toString config.services.prometheus.exporters.node.port}" ]; } ];
+      static_configs = [ { targets = [
+        "zaatar.r:${toString config.services.prometheus.exporters.node.port}"
+        "zaatar.r:${toString restic.port}"
+      ]; } ];
    }
  ];

--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -1,8 +1,7 @@
 { lib, ... }:
 let
-  resticPort = 3571;
  niveumLib = import <niveum/lib>;
-  inherit (niveumLib) retiolumAddresses;
+  inherit (niveumLib) retiolumAddresses restic;
  firewall = niveumLib.firewall lib;
 in
 {
@@ -11,13 +10,13 @@ in
    appendOnly = true;
    dataDir = "/backup/restic";
    prometheus = true;
-    extraFlags = [ "--no-auth" "--prometheus-no-auth" ]; # auth is done via firewall
-    listenAddress = ":${toString resticPort}";
+    extraFlags = [ "--no-auth" ]; # auth is done via firewall
+    listenAddress = ":${toString restic.port}";
  };

  networking.firewall =
  let
-    dport = resticPort;
+    dport = restic.port;
    protocol = "tcp";
    rules = [
      (firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })