diff --git a/configs/backup.nix b/configs/backup.nix
index 7e15129..d4ef6d9 100644
--- a/configs/backup.nix
+++ b/configs/backup.nix
@@ -1,11 +1,11 @@
 { pkgs, config, ... }:
 let
- repository = "rest:http://zaatar.r:3571/";
+ inherit (import ) restic;
 in {
 services.restic.backups.niveum = {
 initialize = true;
- inherit repository;
+ inherit (restic) repository;
 timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
 passwordFile = toString ;
 paths = [
@@ -15,7 +15,7 @@ in
 environment.systemPackages = [
 (pkgs.writers.writeDashBin "restic-niveum" ''
- ${pkgs.restic}/bin/restic -r ${repository} -p ${} "$@"
+ ${pkgs.restic}/bin/restic -r ${restic.repository} -p ${} "$@"
 '')
 ];
 }
diff --git a/lib/default.nix b/lib/default.nix
index 051214b..7270db1 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -1,6 +1,12 @@
 rec {
 tmpfilesConfig = {type, path, mode ? "-", user ? "-", group ? "-", age ? "-", argument ? "-"}: "${type} '${path}' ${mode} ${user} ${group} ${age} ${argument}";
+ restic = rec {
+ port = 3571;
+ host = "zaatar.r";
+ repository = "rest:http://${host}:${toString port}/";
+ };
+
 firewall = lib: {
 accept = { source, protocol, dport }: "nixos-fw -s ${lib.escapeShellArg source} -p ${lib.escapeShellArg protocol} --dport ${lib.escapeShellArg (toString dport)} -j nixos-fw-accept";
 addRules = lib.concatMapStringsSep "\n" (rule: "iptables -A ${rule}");
diff --git a/systems/makanek/configuration.nix b/systems/makanek/configuration.nix
index ce097c5..db7e896 100644
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }:
 let
- inherit (import ) kieran retiolumAddresses;
+ inherit (import ) kieran retiolumAddresses restic;
 in {
 imports = [
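Review bot: The new `restic` attrset in lib/default.nix carries no comment on what its values bind together, although three other files in this commit now depend on it: `port` is both the rest-server `listenAddress` and the firewall `dport` in systems/zaatar/backup.nix, and `repository` is a plain `rest:http://` URL that zaatar serves with `--no-auth`. I would put above `restic = rec {`: `# restic rest-server on zaatar; repository and /metrics are served over plain HTTP with no HTTP auth (systems/zaatar/backup.nix) — zaatar's firewall source rules are the only access control, so keep port in sync with them`. Without it, someone changing `host` or `port` here has no hint that the firewall on zaatar is what gates access to the backups.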
@@ -27,6 +27,21 @@ in
 ];
+ services.restic.backups.niveum = {
+ initialize = true;
+ inherit (restic) repository;
+ timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
+ passwordFile = toString ;
+ paths = [
+ "/var/lib/codimd"
+ "/var/lib/postgresql"
+ "/var/lib/weechat"
+ "/var/lib/nextcloud"
+ "/var/lib/grafana"
+ "/var/lib/gitea"
+ ];
+ };
+
 networking = {
 firewall.allowedTCPPorts = [ 80 443 ];
 hostName = "makanek";
diff --git a/systems/makanek/monitoring/default.nix b/systems/makanek/monitoring/default.nix
index 17bc397..f9d93e4 100644
--- a/systems/makanek/monitoring/default.nix
+++ b/systems/makanek/monitoring/default.nix
@@ -2,6 +2,7 @@ let
 lokiConfig = import ./loki.nix;
 blackboxConfig = import ./blackbox.nix;
+ inherit (import ) restic;
 in {
 services.grafana = {
@@ -180,7 +181,10 @@ in
 }
 {
 job_name = "zaatar";
- static_configs = [ { targets = [ "zaatar.r:${toString config.services.prometheus.exporters.node.port}" ]; } ];
+ static_configs = [ { targets = [
+ "zaatar.r:${toString config.services.prometheus.exporters.node.port}"
+ "zaatar.r:${toString restic.port}"
+ ]; } ];
 }
 ];
diff --git a/systems/zaatar/backup.nix b/systems/zaatar/backup.nix
index e8a8250..ccf5f09 100644
--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -1,8 +1,7 @@
 { lib, ... }:
 let
- resticPort = 3571;
 niveumLib = import ;
- inherit (niveumLib) retiolumAddresses;
+ inherit (niveumLib) retiolumAddresses restic;
 firewall = niveumLib.firewall lib;
 in {
@@ -11,13 +10,13 @@ in
 appendOnly = true;
 dataDir = "/backup/restic";
 prometheus = true;
- extraFlags = [ "--no-auth" "--prometheus-no-auth" ]; # auth is done via firewall
- listenAddress = ":${toString resticPort}";
+ extraFlags = [ "--no-auth" ]; # auth is done via firewall
+ listenAddress = ":${toString restic.port}";
 };
 networking.firewall = let
- dport = resticPort;
+ dport = restic.port;
 protocol = "tcp";
 rules = [
 (firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })
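Review bot: makanek now pushes snapshots to the shared `restic.repository` on zaatar and, in the monitoring hunk of this commit, scrapes `zaatar.r:${toString restic.port}`, yet the only firewall rule visible in systems/zaatar/backup.nix admits `retiolumAddresses.kabsa.ipv4`; unless makanek's retiolum address is accepted further down that `rules` list (outside the hunk), both the backup and the scrape will be dropped, so this needs confirming. I would add above `services.restic.backups.niveum = {`: `# writes to the shared rest-server repository on zaatar; zaatar's firewall must admit this host's retiolum address`. This block also reuses the backup name `niveum` and the same `passwordFile` shape as configs/backup.nix; if the two hosts share one repository password, each host's key decrypts the other's snapshots and a compromise of either host exposes both data sets, which a per-host key or repository would contain. `appendOnly = true` on zaatar at least keeps an admitted client from deleting the other host's snapshots.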
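Review bot: Dropping `--prometheus-no-auth` is a no-op here because `--no-auth` already disables HTTP authentication for every endpoint, `/metrics` included, so the surviving comment `# auth is done via firewall` now undersells what the `rules` list below gates. I would reword it to `# no HTTP auth at all: the firewall source rules below are the only access control for both the repository and /metrics (scraped by makanek)`, and note next to `appendOnly = true;` that it is the only thing stopping an admitted client from deleting snapshots. `listenAddress` and `dport` are now both derived from `restic.port`, which removes the risk of the server and the firewall drifting apart; the `rules` list continues past the hunk, so which other sources are admitted is not visible here.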