diff --git a/flake.nix b/flake.nix
index c9ee0ff..00a3338 100644
--- a/flake.nix
+++ b/flake.nix
@@ -156,6 +156,7 @@
 cachix-deploy = ./modules/nixos/cachix-deploy;
 community-builder = ./modules/nixos/community-builder;
+ github-org-backup = ./modules/nixos/github-org-backup.nix;
 hercules-ci = ./modules/nixos/hercules-ci;
 hydra = ./modules/nixos/hydra.nix;
 nur-update = ./modules/nixos/nur-update.nix;
diff --git a/hosts/build03/configuration.nix b/hosts/build03/configuration.nix
index 8b612e6..e61e74c 100644
--- a/hosts/build03/configuration.nix
+++ b/hosts/build03/configuration.nix
@@ -21,6 +21,7 @@
 inputs.self.nixosModules.remote-builder-darwin02
 inputs.self.nixosModules.remote-builder-darwin03
+ inputs.self.nixosModules.github-org-backup
 inputs.self.nixosModules.hydra
 inputs.self.nixosModules.nur-update
 ];
diff --git a/hosts/build03/secrets.yaml b/hosts/build03/secrets.yaml
index da6c06d..351dd70 100644
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
@@ -3,6 +3,7 @@ id_buildfarm: ENC[AES256_GCM,data:18qi8jBCsntp/6mM8iFkpUS+4yQAsaL6JtLBR9fT51XSWL
 hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str]
 nur-update-github-token: ENC[AES256_GCM,data:KIZCx9IeuBHZei2V13iiyHzCedhkkGEd08mVJEc6F0DWQn1wtzC7+w==,iv:pNVRj/RR7wj64g640F7Vo4H10ijsxnrfFQnt6YHBug4=,tag:UlvOMNB5JZbuJaD9TcJ2UQ==,type:str]
 hydra-users: ENC[AES256_GCM,data:askAB+a3bsFvue/j9i6sYSwgOQl+rL+uh+1+z+xizzBOWdTZcvRh5uFHTkg7MV/E7tG7eRByQ7b+v/onJ4+l3rGJJ6qsWtLLLizC1rusngsAXyI9jt66eqpsyacN5kw8cKILjGearptrhUZDWdKpbaHII6fwUbWbjyV5fpoQzNmI4VELWEQMZ50yECfAfCLHx9iTdoMJHPXzhqwvAZ+TbX6TsyqbDrrNauYWNUBhCK7E2tDYAQqOGhxnQWI+gQs=,iv:Baqyd/WfloMuXTiICD2dlvENst8G6YU9rSHdRkTECkU=,tag:z4j5dYcba3aZTyWu5wvkzw==,type:str]
+hetzner-borgbackup-ssh: ENC[AES256_GCM,data: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,iv:550mzEValpqVruLQBMMJeJHVyYfaxNHwCvXkvz66qI0=,tag:k48T+9AtJs8GTVchyEP8Jw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -63,8 +64,8 @@ sops:
 WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
 FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-24T21:59:57Z"
- mac: ENC[AES256_GCM,data:OlS4htYXpBjYSFR5zsyr7H/cjT0DEsy4OQT3Bj7NkpZVpgS6zZ5s5BlND0wzgvvqwbACUjkiwZsEjIPD4xLfPsMlUm14NjZarBeePGN+/5hGpTjMHxJsboByZtsnOzkOk0eGhSc51tYhWBd1cPRfMJ0hR63eM0BU/8gzyF1onPc=,iv:sI8Nln8lLbpjJAIIRn3eEZjT/cb99VB02pyAzEz/wrI=,tag:6/9zhsaxDdS27m5y9d2z+Q==,type:str]
+ lastmodified: "2023-07-21T12:58:43Z"
+ mac: ENC[AES256_GCM,data:zTImcUQeQsbWfWZjwJ6nPNCrYWkyUvZrud3pNWdsMLqXn0uB61n/Oav3i3m1zyz7eQObutG1OR+0aUlLMk0v7Xbz9rZCrMKN+GuV7tcaeu3ksvpn21ldd8PGzmYa6M+0EKkVqeTKXYHYY06OsxfeWafT52XA+0/uKE+3ldS2o3U=,iv:CSWcScdbdu+6lWt/6WFBBO8GqygNsKVNzII3bbxh8jg=,tag:tBwvCs0usPFBgoWRw3G5eQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
diff --git a/modules/nixos/github-org-backup.nix b/modules/nixos/github-org-backup.nix
new file mode 100644
index 0000000..1f6f6ae
--- /dev/null
+++ b/modules/nixos/github-org-backup.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+{
+ # upstream docs show how to restore these backups
+ # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
+ systemd.services.github-org-backup = {
+ environment.HOME = "/var/lib/github-org-backup";
+ path = [ pkgs.git pkgs.ghorg ];
+ # exclude nix, nixpkgs and repos > 200MB
+ script = ''
+ ghorg clone nix-community \
+ --backup \
+ --clone-wiki \
+ --concurrency 2 \
+ --exclude-match-regex '^(all-cabal-json|dream2nix-nodejs-auto|nix|nixpkgs|nur-search)$' \
+ --no-token \
+ --path /var/lib/github-org-backup \
+ --prune \
+ --prune-no-confirm
+ '';
+ startAt = "daily";
+ serviceConfig.Type = "oneshot";
+ };
+
+ sops.secrets.hetzner-borgbackup-ssh = { };
+
+ systemd.services.borgbackup-job-github-org = {
+ after = [ "github-org-backup.service" ];
+ serviceConfig.ReadWritePaths = [
+ "/var/log/telegraf"
+ ];
+ };
+
+ services.borgbackup.jobs.github-org = {
+ paths = [
+ "/var/lib/github-org-backup"
+ ];
+ repo = "u348918@u348918.your-storagebox.de:/./github-org";
+ encryption.mode = "none";
+ compression = "auto,zstd";
+ startAt = "daily";
+ environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
+ preHook = ''
+ set -x
+ '';
+
+ postHook = ''
+ cat > /var/log/telegraf/borgbackup-github-org <<EOF
+ task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+ EOF
+ '';
+
+ prune.keep = {
+ within = "1d"; # Keep all archives from the last day
+ daily = 7;
+ weekly = 4;
+ monthly = 0;
+ };
+ };
+}
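Review bot: `environment.BORG_RSH` in the `services.borgbackup.jobs.github-org` block runs ssh with only a port and an identity file, so host-key verification for `u348918.your-storagebox.de` depends on whatever happens to be in root's known_hosts — on a fresh deploy the non-interactive oneshot fails on the unknown host, and any wrapper that relaxes checking to make it pass would silently trust whatever answers on that endpoint. Unless it is already configured elsewhere in this host's config, pin the storage box key declaratively, e.g. `programs.ssh.knownHosts."[u348918.your-storagebox.de]:23".publicKey = "<key published by Hetzner for the storage box>";`, so the backup transport is authenticated from the first run. `encryption.mode = "none"` is defensible here because `--no-token` clones only public repositories, but that reasoning belongs next to the setting: `encryption.mode = "none"; # public nix-community repos only, nothing confidential in this backup`. Finally, `after = [ "github-org-backup.service" ]` orders the two units only when both are started in the same transaction; since each has its own `startAt = "daily"` timer, add `wants = [ "github-org-backup.service" ];` (or trigger the borg job from the clone job) so borg does not snapshot a half-pruned tree if the timers drift apart.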