feat(infra): Init backups

2024-02-21 17:18:14 +01:00 · 2024-02-21 17:18:14 +01:00 · 6b827e56b1
commit 6b827e56b1
parent 13b7b2fab4
10 changed files with 136 additions and 0 deletions
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@ -3,6 +3,7 @@
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
+    "dgn-backups"
    "dgn-fail2ban"
    "dgn-web"
  ];
--- a/machines/compute01/hedgedoc.nix
+++ b/machines/compute01/hedgedoc.nix
@ -57,4 +57,6 @@ in
    "hedgedoc"
    "hedgedoc/uploads"
  ];
+
+  dgn-backups.jobs.hedgedoc.settings.paths = [ "/var/lib/hedgedoc" ];
 }
--- a/machines/compute01/secrets/bupstash-put_key
+++ b/machines/compute01/secrets/bupstash-put_key
--- a/machines/compute01/secrets/secrets.nix
+++ b/machines/compute01/secrets/secrets.nix
@ -4,6 +4,7 @@ let
 in

 lib.setDefault { inherit publicKeys; } [
+  "bupstash-put_key"
  "ds-fr-secret_file"
  "grafana-smtp_password_file"
  "grafana-oauth_client_secret_file"
--- a/machines/compute01/vaultwarden.nix
+++ b/machines/compute01/vaultwarden.nix
@ -71,4 +71,6 @@ in
      ];
    };
  };
+
+  dgn-backups.jobs.vaultwarden.settings.paths = [ "/var/lib/bitwarden_rs" ];
 }
--- a/machines/geo01/_configuration.nix
+++ b/machines/geo01/_configuration.nix
@ -3,6 +3,7 @@
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
+    "dgn-backups"
  ];

  enabledServices = [
--- a/machines/geo02/_configuration.nix
+++ b/machines/geo02/_configuration.nix
@ -3,6 +3,7 @@
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
+    "dgn-backups"
  ];

  enabledServices = [
--- a/machines/storage01/_configuration.nix
+++ b/machines/storage01/_configuration.nix
@ -3,6 +3,7 @@
 lib.extra.mkConfig {
  enabledModules = [
    # List of modules to enable
+    "dgn-backups"
    "dgn-fail2ban"
    "dgn-web"
  ];
--- a/modules/default.nix
+++ b/modules/default.nix
@ -39,6 +39,7 @@
    (lib.extra.mkImports ./. [
      "dgn-access-control"
      "dgn-acme"
+      "dgn-backups"
      "dgn-console"
      "dgn-fail2ban"
      "dgn-hardware"
@ -55,5 +56,6 @@
      "age-secrets"
      "services/crabfit"
      "services/forgejo-nix-runners"
+      "services/bupstash"
    ]);
 }
--- a/modules/dgn-backups/default.nix
+++ b/modules/dgn-backups/default.nix
@ -0,0 +1,125 @@
+{
+  config,
+  lib,
+  name,
+  ...
+}:
+
+let
+  inherit (lib) mkEnableOption mkOption remove;
+
+  inherit (lib.types)
+    attrs
+    attrsOf
+    listOf
+    str
+    submodule
+    ;
+
+  cfg = config.dgn-backups;
+
+  homes = {
+    compute01 = "/data/slow/bupstash";
+    geo01 = "/data/bupstash";
+    geo02 = "/data/bupstash";
+    storage01 = "/data/slow/bupstash";
+  };
+
+  starts = {
+    compute01 = "*-*-* *:28:00";
+  };
+
+  mkJobs = builtins.mapAttrs (
+    _:
+    { to, settings }:
+    {
+      startAt = starts.${name};
+      key = config.age.secrets."bupstash-put_key".path;
+      repositoryCommands =
+        lib.extra.mapSingleFuse (host: "ssh -i /etc/ssh/ssh_host_ed25519_key bupstash-repo@${host}.dgnum")
+          to;
+    }
+    // settings
+  );
+
+  mkPgJobs = lib.extra.mapFuse (db: { "pg-${db}" = { }; });
+in
+
+{
+  options.dgn-backups = {
+    enable = mkEnableOption "DGNum backup service.";
+
+    pgDumps = mkOption {
+      type = listOf str;
+      default = [ ];
+      description = ''
+        List of postgres databases to dump into bupstash.
+      '';
+    };
+
+    jobs = mkOption {
+      type = attrsOf (
+        submodule {
+          options = {
+            to = mkOption {
+              type = listOf str;
+              default = remove name [
+                "compute01"
+                "geo01"
+                "geo02"
+                "storage01"
+              ];
+              description = "Hosts to send the backups to.";
+            };
+
+            settings = mkOption {
+              type = attrs;
+              default = { };
+              description = "Base bupstash job config.";
+            };
+          };
+        }
+      );
+      default = { };
+      description = "List of bupstash jobs.";
+    };
+  };
+
+  config = {
+    services.bupstash = {
+      repositories = {
+        inherit (cfg) enable;
+
+        home = homes.${name};
+
+        access = [
+          {
+            repo = "default";
+            keys = lib.extra.getAllKeys (
+              # Nodes allowed to create backups
+              builtins.map (host: "machines/${host}") [
+                "compute01"
+                "storage01"
+                "vault01"
+                "web01"
+              ]
+            );
+            allowed = [ "put" ];
+          }
+        ];
+      };
+
+      jobs = (mkPgJobs cfg.pgDumps) // (mkJobs cfg.jobs);
+    };
+
+    programs.ssh.knownHosts =
+      lib.extra.mapFuse
+        (host: { "${host}.dgnum".publicKey = builtins.head (lib.extra.getKeys "machines/${host}"); })
+        [
+          "compute01"
+          "geo01"
+          "geo02"
+          "storage01"
+        ];
+  };
+}