feat(restic): run on makanek, prometheus

2026-03-18 19:11:08 +01:00 · 2022-01-18 23:28:53 +01:00
parent bdc5c147dd
commit 30c2bfe598
5 changed files with 34 additions and 10 deletions
--- a/systems/makanek/configuration.nix
+++ b/systems/makanek/configuration.nix
@@ -1,6 +1,6 @@
 { lib, config, pkgs, ... }:
 let
-  inherit (import <niveum/lib>) kieran retiolumAddresses;
+  inherit (import <niveum/lib>) kieran retiolumAddresses restic;
 in
 {
  imports = [
@@ -27,6 +27,21 @@ in
    <niveum/modules/retiolum.nix>
  ];

+  services.restic.backups.niveum = {
+    initialize = true;
+    inherit (restic) repository;
+    timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
+    passwordFile = toString <secrets/restic/password>;
+    paths = [
+      "/var/lib/codimd"
+      "/var/lib/postgresql"
+      "/var/lib/weechat"
+      "/var/lib/nextcloud"
+      "/var/lib/grafana"
+      "/var/lib/gitea"
+    ];
+  };
+
  networking = {
    firewall.allowedTCPPorts = [ 80 443 ];
    hostName = "makanek";
--- a/systems/makanek/monitoring/default.nix
+++ b/systems/makanek/monitoring/default.nix
@@ -2,6 +2,7 @@
 let
  lokiConfig = import ./loki.nix;
  blackboxConfig = import ./blackbox.nix;
+  inherit (import <niveum/lib>) restic;
 in
 {
  services.grafana = {
@@ -180,7 +181,10 @@ in
    }
    {
      job_name = "zaatar";
-      static_configs = [ { targets = [ "zaatar.r:${toString config.services.prometheus.exporters.node.port}" ]; } ];
+      static_configs = [ { targets = [
+        "zaatar.r:${toString config.services.prometheus.exporters.node.port}"
+        "zaatar.r:${toString restic.port}"
+      ]; } ];
    }
  ];

--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -1,8 +1,7 @@
 { lib, ... }:
 let
-  resticPort = 3571;
  niveumLib = import <niveum/lib>;
-  inherit (niveumLib) retiolumAddresses;
+  inherit (niveumLib) retiolumAddresses restic;
  firewall = niveumLib.firewall lib;
 in
 {
@@ -11,13 +10,13 @@ in
    appendOnly = true;
    dataDir = "/backup/restic";
    prometheus = true;
-    extraFlags = [ "--no-auth" "--prometheus-no-auth" ]; # auth is done via firewall
-    listenAddress = ":${toString resticPort}";
+    extraFlags = [ "--no-auth" ]; # auth is done via firewall
+    listenAddress = ":${toString restic.port}";
  };

  networking.firewall =
  let
-    dport = resticPort;
+    dport = restic.port;
    protocol = "tcp";
    rules = [
      (firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })