modules/nixos: github-org-backup

2023-05-07 10:24:44 +10:00 · 2023-05-07 10:24:44 +10:00 · f26d290066
commit f26d290066
parent 55c23f9f39
4 changed files with 64 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -156,6 +156,7 @@

          cachix-deploy = ./modules/nixos/cachix-deploy;
          community-builder = ./modules/nixos/community-builder;
+          github-org-backup = ./modules/nixos/github-org-backup.nix;
          hercules-ci = ./modules/nixos/hercules-ci;
          hydra = ./modules/nixos/hydra.nix;
          nur-update = ./modules/nixos/nur-update.nix;
--- a/hosts/build03/configuration.nix
+++ b/hosts/build03/configuration.nix
@ -21,6 +21,7 @@
    inputs.self.nixosModules.remote-builder-darwin02
    inputs.self.nixosModules.remote-builder-darwin03

+    inputs.self.nixosModules.github-org-backup
    inputs.self.nixosModules.hydra
    inputs.self.nixosModules.nur-update
  ];
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
@ -3,6 +3,7 @@ id_buildfarm: ENC[AES256_GCM,data:18qi8jBCsntp/6mM8iFkpUS+4yQAsaL6JtLBR9fT51XSWL
 hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str]
 nur-update-github-token: ENC[AES256_GCM,data:KIZCx9IeuBHZei2V13iiyHzCedhkkGEd08mVJEc6F0DWQn1wtzC7+w==,iv:pNVRj/RR7wj64g640F7Vo4H10ijsxnrfFQnt6YHBug4=,tag:UlvOMNB5JZbuJaD9TcJ2UQ==,type:str]
 hydra-users: ENC[AES256_GCM,data:askAB+a3bsFvue/j9i6sYSwgOQl+rL+uh+1+z+xizzBOWdTZcvRh5uFHTkg7MV/E7tG7eRByQ7b+v/onJ4+l3rGJJ6qsWtLLLizC1rusngsAXyI9jt66eqpsyacN5kw8cKILjGearptrhUZDWdKpbaHII6fwUbWbjyV5fpoQzNmI4VELWEQMZ50yECfAfCLHx9iTdoMJHPXzhqwvAZ+TbX6TsyqbDrrNauYWNUBhCK7E2tDYAQqOGhxnQWI+gQs=,iv:Baqyd/WfloMuXTiICD2dlvENst8G6YU9rSHdRkTECkU=,tag:z4j5dYcba3aZTyWu5wvkzw==,type:str]
+hetzner-borgbackup-ssh: ENC[AES256_GCM,data:ZNrQp36c3EuERlAYez6SHTLbHK7ZmLNqDpAffTTQARL2zpnjpw1wJQJdm6d6Un1wTjYmHMJ/f1jCKgn389FGiZJwxSLUL4Ko2n5HffBTjZwTeqE1y4XFe6qvAY/LYBmD728ZWOsSWPvoVZOm1dG7LsxxwUZWk2VyDtvODuJBInn19Dn7Tw5VqPjJMJAp5CfAaW8ilEPpdeG0JQfkJkBQj0+pMlpI1EIVDvdZai5fesweUWeaajrPnIjrBbqdFvd8eG9qrTehLM7FvpnT2qllfsCOeQf/KTPEw16I6eGFFm22iPblJgHFPzpu1a2Lvwn+8HcwqSMlGI9poOeV5RwXqBhFX9vozlN8G82csAnehiZmLktyYin1kYF3nfOXFqH9fKxbvXn/1hxQP//GDeoaNlepa/K/w51pj1mgbIXIb5g/PKsHaC7Rv3iDMcYW977+lobA4WnxfWhjA6k/iBb1unkSKbrZs+iHglpOKueAq9g6HO5fJ299eY2+GcmsPU3QKm4W,iv:550mzEValpqVruLQBMMJeJHVyYfaxNHwCvXkvz66qI0=,tag:k48T+9AtJs8GTVchyEP8Jw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -63,8 +64,8 @@ sops:
            WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
            FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-24T21:59:57Z"
-    mac: ENC[AES256_GCM,data:OlS4htYXpBjYSFR5zsyr7H/cjT0DEsy4OQT3Bj7NkpZVpgS6zZ5s5BlND0wzgvvqwbACUjkiwZsEjIPD4xLfPsMlUm14NjZarBeePGN+/5hGpTjMHxJsboByZtsnOzkOk0eGhSc51tYhWBd1cPRfMJ0hR63eM0BU/8gzyF1onPc=,iv:sI8Nln8lLbpjJAIIRn3eEZjT/cb99VB02pyAzEz/wrI=,tag:6/9zhsaxDdS27m5y9d2z+Q==,type:str]
+    lastmodified: "2023-07-21T12:58:43Z"
+    mac: ENC[AES256_GCM,data:zTImcUQeQsbWfWZjwJ6nPNCrYWkyUvZrud3pNWdsMLqXn0uB61n/Oav3i3m1zyz7eQObutG1OR+0aUlLMk0v7Xbz9rZCrMKN+GuV7tcaeu3ksvpn21ldd8PGzmYa6M+0EKkVqeTKXYHYY06OsxfeWafT52XA+0/uKE+3ldS2o3U=,iv:CSWcScdbdu+6lWt/6WFBBO8GqygNsKVNzII3bbxh8jg=,tag:tBwvCs0usPFBgoWRw3G5eQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/modules/nixos/github-org-backup.nix
+++ b/modules/nixos/github-org-backup.nix
@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+{
+  # upstream docs show how to restore these backups
+  # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
+  systemd.services.github-org-backup = {
+    environment.HOME = "/var/lib/github-org-backup";
+    path = [ pkgs.git pkgs.ghorg ];
+    # exclude nix, nixpkgs and repos > 200MB
+    script = ''
+      ghorg clone nix-community \
+        --backup \
+        --clone-wiki \
+        --concurrency 2 \
+        --exclude-match-regex '^(all-cabal-json|dream2nix-nodejs-auto|nix|nixpkgs|nur-search)$' \
+        --no-token \
+        --path /var/lib/github-org-backup \
+        --prune \
+        --prune-no-confirm
+    '';
+    startAt = "daily";
+    serviceConfig.Type = "oneshot";
+  };
+
+  sops.secrets.hetzner-borgbackup-ssh = { };
+
+  systemd.services.borgbackup-job-github-org = {
+    after = [ "github-org-backup.service" ];
+    serviceConfig.ReadWritePaths = [
+      "/var/log/telegraf"
+    ];
+  };
+
+  services.borgbackup.jobs.github-org = {
+    paths = [
+      "/var/lib/github-org-backup"
+    ];
+    repo = "u348918@u348918.your-storagebox.de:/./github-org";
+    encryption.mode = "none";
+    compression = "auto,zstd";
+    startAt = "daily";
+    environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
+    preHook = ''
+      set -x
+    '';
+
+    postHook = ''
+      cat > /var/log/telegraf/borgbackup-github-org <<EOF
+      task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+      EOF
+    '';
+
+    prune.keep = {
+      within = "1d"; # Keep all archives from the last day
+      daily = 7;
+      weekly = 4;
+      monthly = 0;
+    };
+  };
+}