diff --git a/flake.nix b/flake.nix
index c9ee0ff..00a3338 100644
--- a/flake.nix
+++ b/flake.nix
@@ -156,6 +156,7 @@
cachix-deploy = ./modules/nixos/cachix-deploy;
community-builder = ./modules/nixos/community-builder;
+ github-org-backup = ./modules/nixos/github-org-backup.nix;
hercules-ci = ./modules/nixos/hercules-ci;
hydra = ./modules/nixos/hydra.nix;
nur-update = ./modules/nixos/nur-update.nix;
diff --git a/hosts/build03/configuration.nix b/hosts/build03/configuration.nix
index 8b612e6..e61e74c 100644
--- a/hosts/build03/configuration.nix
+++ b/hosts/build03/configuration.nix
@@ -21,6 +21,7 @@
inputs.self.nixosModules.remote-builder-darwin02
inputs.self.nixosModules.remote-builder-darwin03
+ inputs.self.nixosModules.github-org-backup
inputs.self.nixosModules.hydra
inputs.self.nixosModules.nur-update
];
diff --git a/hosts/build03/secrets.yaml b/hosts/build03/secrets.yaml
index da6c06d..351dd70 100644
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
@@ -3,6 +3,7 @@ id_buildfarm: ENC[AES256_GCM,data:18qi8jBCsntp/6mM8iFkpUS+4yQAsaL6JtLBR9fT51XSWL
hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str]
nur-update-github-token: ENC[AES256_GCM,data:KIZCx9IeuBHZei2V13iiyHzCedhkkGEd08mVJEc6F0DWQn1wtzC7+w==,iv:pNVRj/RR7wj64g640F7Vo4H10ijsxnrfFQnt6YHBug4=,tag:UlvOMNB5JZbuJaD9TcJ2UQ==,type:str]
hydra-users: ENC[AES256_GCM,data:askAB+a3bsFvue/j9i6sYSwgOQl+rL+uh+1+z+xizzBOWdTZcvRh5uFHTkg7MV/E7tG7eRByQ7b+v/onJ4+l3rGJJ6qsWtLLLizC1rusngsAXyI9jt66eqpsyacN5kw8cKILjGearptrhUZDWdKpbaHII6fwUbWbjyV5fpoQzNmI4VELWEQMZ50yECfAfCLHx9iTdoMJHPXzhqwvAZ+TbX6TsyqbDrrNauYWNUBhCK7E2tDYAQqOGhxnQWI+gQs=,iv:Baqyd/WfloMuXTiICD2dlvENst8G6YU9rSHdRkTECkU=,tag:z4j5dYcba3aZTyWu5wvkzw==,type:str]
+hetzner-borgbackup-ssh: ENC[AES256_GCM,data:ZNrQp36c3EuERlAYez6SHTLbHK7ZmLNqDpAffTTQARL2zpnjpw1wJQJdm6d6Un1wTjYmHMJ/f1jCKgn389FGiZJwxSLUL4Ko2n5HffBTjZwTeqE1y4XFe6qvAY/LYBmD728ZWOsSWPvoVZOm1dG7LsxxwUZWk2VyDtvODuJBInn19Dn7Tw5VqPjJMJAp5CfAaW8ilEPpdeG0JQfkJkBQj0+pMlpI1EIVDvdZai5fesweUWeaajrPnIjrBbqdFvd8eG9qrTehLM7FvpnT2qllfsCOeQf/KTPEw16I6eGFFm22iPblJgHFPzpu1a2Lvwn+8HcwqSMlGI9poOeV5RwXqBhFX9vozlN8G82csAnehiZmLktyYin1kYF3nfOXFqH9fKxbvXn/1hxQP//GDeoaNlepa/K/w51pj1mgbIXIb5g/PKsHaC7Rv3iDMcYW977+lobA4WnxfWhjA6k/iBb1unkSKbrZs+iHglpOKueAq9g6HO5fJ299eY2+GcmsPU3QKm4W,iv:550mzEValpqVruLQBMMJeJHVyYfaxNHwCvXkvz66qI0=,tag:k48T+9AtJs8GTVchyEP8Jw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -63,8 +64,8 @@ sops:
WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-04-24T21:59:57Z"
- mac: ENC[AES256_GCM,data:OlS4htYXpBjYSFR5zsyr7H/cjT0DEsy4OQT3Bj7NkpZVpgS6zZ5s5BlND0wzgvvqwbACUjkiwZsEjIPD4xLfPsMlUm14NjZarBeePGN+/5hGpTjMHxJsboByZtsnOzkOk0eGhSc51tYhWBd1cPRfMJ0hR63eM0BU/8gzyF1onPc=,iv:sI8Nln8lLbpjJAIIRn3eEZjT/cb99VB02pyAzEz/wrI=,tag:6/9zhsaxDdS27m5y9d2z+Q==,type:str]
+ lastmodified: "2023-07-21T12:58:43Z"
+ mac: ENC[AES256_GCM,data:zTImcUQeQsbWfWZjwJ6nPNCrYWkyUvZrud3pNWdsMLqXn0uB61n/Oav3i3m1zyz7eQObutG1OR+0aUlLMk0v7Xbz9rZCrMKN+GuV7tcaeu3ksvpn21ldd8PGzmYa6M+0EKkVqeTKXYHYY06OsxfeWafT52XA+0/uKE+3ldS2o3U=,iv:CSWcScdbdu+6lWt/6WFBBO8GqygNsKVNzII3bbxh8jg=,tag:tBwvCs0usPFBgoWRw3G5eQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
diff --git a/modules/nixos/github-org-backup.nix b/modules/nixos/github-org-backup.nix
new file mode 100644
index 0000000..1f6f6ae
--- /dev/null
+++ b/modules/nixos/github-org-backup.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+{
+ # upstream docs show how to restore these backups
+ # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
+ systemd.services.github-org-backup = {
+ environment.HOME = "/var/lib/github-org-backup";
+ path = [ pkgs.git pkgs.ghorg ];
+ # exclude nix, nixpkgs and repos > 200MB
+ script = ''
+ ghorg clone nix-community \
+ --backup \
+ --clone-wiki \
+ --concurrency 2 \
+ --exclude-match-regex '^(all-cabal-json|dream2nix-nodejs-auto|nix|nixpkgs|nur-search)$' \
+ --no-token \
+ --path /var/lib/github-org-backup \
+ --prune \
+ --prune-no-confirm
+ '';
+ startAt = "daily";
+ serviceConfig.Type = "oneshot";
+ };
+
+ sops.secrets.hetzner-borgbackup-ssh = { };
+
+ systemd.services.borgbackup-job-github-org = {
+ after = [ "github-org-backup.service" ];
+ serviceConfig.ReadWritePaths = [
+ "/var/log/telegraf"
+ ];
+ };
+
+ services.borgbackup.jobs.github-org = {
+ paths = [
+ "/var/lib/github-org-backup"
+ ];
+ repo = "u348918@u348918.your-storagebox.de:/./github-org";
+ encryption.mode = "none";
+ compression = "auto,zstd";
+ startAt = "daily";
+ environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
+ preHook = ''
+ set -x
+ '';
+
+ postHook = ''
+ cat > /var/log/telegraf/borgbackup-github-org <<EOF
+ task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+ EOF
+ '';
+
+ prune.keep = {
+ within = "1d"; # Keep all archives from the last day
+ daily = 7;
+ weekly = 4;
+ monthly = 0;
+ };
+ };
+}