From 55a46df5834b76765405a8bfd25473ec1445eca2 Mon Sep 17 00:00:00 2001
From: Cy Pokhrel
Date: Sun, 24 Nov 2024 03:53:24 -0500
Subject: [PATCH] restic backup to azure archive on master

---
 nix/configuration.nix | 114 ++++++++++++++++++++++++++++-----------
 nix/secrets/secrets.yaml | 7 ++-
 2 files changed, 87 insertions(+), 34 deletions(-)

diff --git a/nix/configuration.nix b/nix/configuration.nix
index ffc10aa..431d3e2 100644
--- a/nix/configuration.nix
+++ b/nix/configuration.nix
@@ -9,7 +9,11 @@
 sops.defaultSopsFile = ./secrets/secrets.yaml;
 sops.defaultSopsFormat = "yaml";
 sops.age.keyFile = "/root/.config/sops/age/keys.txt";
- sops.secrets."borg/yt" = { };
+ sops.secrets = {
+ "borg/yt" = { };
+ "restic/azure-yt" = { };
+ "azure" = { };
+ };
 
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
@@ -32,9 +36,23 @@
 };
 
 time.timeZone = "America/Toronto";
+ security.rtkit.enable = true;
 services.pipewire = {
 enable = true;
 pulse.enable = true;
+ alsa.enable = true;
+ alsa.support32Bit = true;
+ };
+ services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = {
+ "wireplumber.settings" = {
+ "bluetooth.autoswitch-to-headset-profile" = false;
+ };
+ "monitor.bluez.properties" = {
+ "bluez5.enable-sbc-xq" = true;
+ "bluez5.enable-msbc" = true;
+ "bluez5.enable-hw-volume" = true;
+ "bluez5.roles" = [ "a2dp_sink" "a2dp_source" ];
+ };
 };
 
 services.libinput.enable = true;
@@ -67,6 +85,7 @@
 signal-desktop
 cosign
 azure-cli
+ pavucontrol
 ];
 };
 
@@ -105,6 +124,7 @@
 wireguard-tools
 traceroute
 sops
+ restic
 ];
 
 system.stateVersion = "24.05";
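Review bot: The third new secret is declared simply as `"azure" = { };`, which says nothing about what it holds, while its siblings are namespaced by consumer (`"borg/yt"`, `"restic/azure-yt"`); since this file is consumed as restic's `environmentFile` later in the same patch, a name like `"restic/azure-env" = { };` would keep the scheme consistent and make the pairing obvious, though any rename has to be applied in `secrets.yaml` and in the `environmentFile` path at the same time. The sops-nix defaults (root-owned, mode 0400, as far as I recall) are appropriate here because the NixOS restic unit runs as root by default, so no `owner`/`mode` override is needed.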
@@ -139,38 +159,69 @@
 # withUWSM = true;
 };
 
- services.borgbackup.jobs = {
- ytnixRsync = {
- paths = [ "/root" "/home" "/var/lib" "/opt" "/etc" ];
- exclude = [
- ".git"
- "**/.cache"
- "**/node_modules"
- "**/cache"
- "**/Cache"
- "/var/lib/docker"
- "/home/**/Downloads"
- "**/.steam"
- "**/.rustup"
- "**/.docker"
- "**/borg"
- ];
- repo = "de3911@de3911.rsync.net:borg/yt";
- encryption = {
- mode = "repokey-blake2";
- passCommand = "cat /run/secrets/borg/yt";
+ services.borgbackup.jobs.ytnixRsync = {
+ paths = [ "/root" "/home" "/var/lib" "/opt" "/etc" ];
+ exclude = [
+ ".git"
+ "**/.cache"
+ "**/node_modules"
+ "**/cache"
+ "**/Cache"
+ "/var/lib/docker"
+ "/home/**/Downloads"
+ "**/.steam"
+ "**/.rustup"
+ "**/.docker"
+ "**/borg"
+ ];
+ repo = "de3911@de3911.rsync.net:borg/yt";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat /run/secrets/borg/yt";
+ };
+ environment = {
+ BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
+ BORG_REMOTE_PATH = "borg1";
+ };
+ compression = "auto,zstd";
+ startAt = "daily";
+ extraCreateArgs = [ "--stats" ];
+ # warnings are often not that serious
+ failOnWarnings = false;
+ };
+
+ services.restic.backups.ytazure = {
+ paths = [ "/root" "/home" "/var/lib" "/opt" "/etc" ];
+ exclude = [
+ ".git"
+ "**/.cache"
+ "**/node_modules"
+ "**/cache"
+ "**/Cache"
+ "/var/lib/docker"
+ "/home/**/Downloads"
+ "**/.steam"
+ "**/.rustup"
+ "**/.docker"
+ "**/borg"
+ ];
+ passwordFile = "/run/secrets/restic/azure-yt";
+ environmentFile = "/run/secrets/azure";
+ repository = "azure:yt-backup:/";
+ extraOptions = [
+ "azure.access-tier=Archive"
+ ];
+ package = pkgs.restic.overrideAttrs {
+ src = pkgs.fetchFromGitHub {
+ owner = "restic";
+ repo = "restic";
+ rev = "1133498ef80762608f959df41d303f7246fff04f";
+ hash = "sha256-RmCEZ5T99uNNDwrQ3CofXBf4UzNjelVzyZyvx5aZO0A=";
 };
- environment = {
- BORG_RSH = "ssh -i /home/yt/.ssh/id_ed25519";
- BORG_REMOTE_PATH = "borg1";
- };
- compression = "auto,zstd";
- startAt = "daily";
- extraCreateArgs = [ "--stats" ];
- # warnings are often not that serious
- failOnWarnings = false;
+ vendorHash = "sha256-TstuI6KgAFEQH90PCZMN6s4dUab2GyPKqOtqMfIV8wA=";
 };
 };
+
 services.btrbk.instances.local.settings = {
 snapshot_preserve = "14d";
 snapshot_preserve_min = "2d";
@@ -214,9 +265,8 @@
 virtualisation.libvirtd.enable = true;
 programs.virt-manager.enable = true;
 
- networking.wg-quick.interfaces.wgnord.configFile = "/etc/wireguard/wgnord.conf";
+ # https-dns-proxy doesn't work without this :(
 services.resolved.enable = true;
-
 services.https-dns-proxy = {
 enable = true;
 provider = {
diff --git a/nix/secrets/secrets.yaml b/nix/secrets/secrets.yaml
index f5179d9..b606ea7 100644
--- a/nix/secrets/secrets.yaml
+++ b/nix/secrets/secrets.yaml
@@ -1,5 +1,8 @@
 borg:
 yt: ENC[AES256_GCM,data:CGcdcA9LnDDlTYJwsT25uY9h70yJtKhxgA==,iv:F25VTezkd4RQd7BZ3DD39hPiPj+Z3H01IgPhCGUQ5aM=,tag:mxLPXR/ffBXkByk1R1PYvQ==,type:str]
+restic:
+ azure-yt: ENC[AES256_GCM,data:s8TJ5cNVW2Jr7kyul8mrBGwdLoTlNTb2MfpZgPU=,iv:sC0DbgFbFl6vvLqwOFDwRa3nabrIWxOTuz7GXn17IHk=,tag:2MYprYgNhh1aFlzuyw5eGQ==,type:str]
+azure: ENC[AES256_GCM,data:UdHmasRElCFC66dxnnGTOw6vgOzrOIMiSLsczK0Qew2WBdZUKVnRTfSCxQrB7P8k+j3N2CDt5Y4GXvf9GVFrWCMOInOqYXcyycGXsdli2DbqpXTa3f13ykvc/aoKyw3YuFQdrNci3Kae9PYZ4v5f7fH8n4WgOKuYj3mO9k7WHxM1JBzYRRZP41Jghnb9SqVhl9UXVPI5ONBd6JI/FiezSMZPYC2FxNgQ7zHUQJ7qQ6aJTgRljslJK9I=,iv:bRoYEA1hbEXRG7PoU7Dfba9uRu3cAqfeuvSIfavZZ8M=,tag:cHXUe/njZNoG6EuHYYz0Yg==,type:str]
 sops:
 kms: []
 gcp_kms: []
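Review bot: `services.restic.backups.ytazure` pins an unreleased restic commit through `overrideAttrs` and writes to `azure.access-tier=Archive`, and neither decision is explained in the file; a comment above `package = pkgs.restic.overrideAttrs {` along the lines of `# unreleased restic commit (presumably for the azure.access-tier option); drop once a nixpkgs release carries it` and one above `extraOptions` noting that Archive-tier blobs must be rehydrated before `restic restore` or a data-reading `restic check` can read them would tell the next reader why this repository is effectively write-only until a manual step is taken. Note also that `overrideAttrs` with only `src` and `vendorHash` leaves the derivation's `version` at the nixpkgs value, which may mislead anyone checking what is actually installed. The content of `/run/secrets/azure` is opaque here, but if it holds the storage-account key this host can delete its own backups, so a container-scoped SAS token for `yt-backup` together with blob soft-delete or an immutability policy would limit the blast radius of a host compromise. The `paths` and `exclude` lists are now duplicated verbatim between the two jobs and will drift; `inherit (config.services.borgbackup.jobs.ytnixRsync) paths exclude;` in the restic block keeps them in one place, assuming the module header (outside this hunk) takes `config`.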
@@ -15,8 +18,8 @@ sops:
 a1MwYjB0Tm03bzJnWTdoZ01KbXBPUkUKUr6hOsdZDJK6bFyEnBf4Vkms8EJsIvZY
 ML481g9d9Vlm5x7X74nUcWemFSzttSdWEM3Y/IOHpXDbvC/Tbw+z7Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-24T02:00:55Z"
- mac: ENC[AES256_GCM,data:d8CY4QNU0O2pqTsNZgikJpCkm/jGgvu0lyBfmKoYmlQpHHIeWag9cT3n5/8UKnrcdgiLzCu26j0D6RiqolvpS/qtTz953kjSXiu3mclk9uuRurvzxxA31IacuiOeDRiln7dephRXxzzYvNiq5HtyAIEBxoIni5BCLFepBtGhB8U=,iv:b7Z6jFuXdhHJSuz6mJtB0f1hfo41UcNsXi+XwWUR10M=,tag:2Bdv9m4eoWZAt5Q/Fmf6Rw==,type:str]
+ lastmodified: "2024-11-24T08:24:07Z"
+ mac: ENC[AES256_GCM,data:W9K3+AERYBzRU0gvy50MbRULXGNyM6iujxdonSNbkoyoO6IBoGkMF+509jvoxrVFjEdiy7OZnj86O8XwAQDH3MLYSxpaUiJyQ8W3oQLdeJSk+cWVmBGSO5nXSjMGjU0jzKs2SH8SZKJXyOdDd3tmVTxTLk9u43fAi3AB4Iq/c8Q=,iv:5ETuAuMNpbxNYJLSLQ/J7A4Ov+laTkfNtNy8f5HSi0Y=,tag:1Dnnx5jv6v9ok7T59FX26w==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1