modules/nixos: github-org-backup

2023-05-07 10:24:44 +10:00 · 2023-05-07 10:24:44 +10:00 · f26d290066
commit f26d290066
parent 55c23f9f39
4 changed files with 64 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -156,6 +156,7 @@
          cachix-deploy = ./modules/nixos/cachix-deploy;
          community-builder = ./modules/nixos/community-builder;
          github-org-backup = ./modules/nixos/github-org-backup.nix;
          hercules-ci = ./modules/nixos/hercules-ci;
          hydra = ./modules/nixos/hydra.nix;
          nur-update = ./modules/nixos/nur-update.nix;
--- a/hosts/build03/configuration.nix
+++ b/hosts/build03/configuration.nix
@ -21,6 +21,7 @@
    inputs.self.nixosModules.remote-builder-darwin02
    inputs.self.nixosModules.remote-builder-darwin03
    inputs.self.nixosModules.github-org-backup
    inputs.self.nixosModules.hydra
    inputs.self.nixosModules.nur-update
  ];
--- a/hosts/build03/secrets.yaml
+++ b/hosts/build03/secrets.yaml
@ -3,6 +3,7 @@ id_buildfarm: ENC[AES256_GCM,data:18qi8jBCsntp/6mM8iFkpUS+4yQAsaL6JtLBR9fT51XSWL
 hydra-admin-password: ENC[AES256_GCM,data:t0vmchbXXIAzvM2nxm4j16N9W67yWRb439M=,iv:qr/OfyMvTzi6Znw446KtxE2erh3XWi2VTJvVL2Ot2UI=,tag:mS6HlE6nojkemjp4F59+wQ==,type:str]
 nur-update-github-token: ENC[AES256_GCM,data:KIZCx9IeuBHZei2V13iiyHzCedhkkGEd08mVJEc6F0DWQn1wtzC7+w==,iv:pNVRj/RR7wj64g640F7Vo4H10ijsxnrfFQnt6YHBug4=,tag:UlvOMNB5JZbuJaD9TcJ2UQ==,type:str]
 hydra-users: ENC[AES256_GCM,data:askAB+a3bsFvue/j9i6sYSwgOQl+rL+uh+1+z+xizzBOWdTZcvRh5uFHTkg7MV/E7tG7eRByQ7b+v/onJ4+l3rGJJ6qsWtLLLizC1rusngsAXyI9jt66eqpsyacN5kw8cKILjGearptrhUZDWdKpbaHII6fwUbWbjyV5fpoQzNmI4VELWEQMZ50yECfAfCLHx9iTdoMJHPXzhqwvAZ+TbX6TsyqbDrrNauYWNUBhCK7E2tDYAQqOGhxnQWI+gQs=,iv:Baqyd/WfloMuXTiICD2dlvENst8G6YU9rSHdRkTECkU=,tag:z4j5dYcba3aZTyWu5wvkzw==,type:str]
 hetzner-borgbackup-ssh: ENC[AES256_GCM,data:ZNrQp36c3EuERlAYez6SHTLbHK7ZmLNqDpAffTTQARL2zpnjpw1wJQJdm6d6Un1wTjYmHMJ/f1jCKgn389FGiZJwxSLUL4Ko2n5HffBTjZwTeqE1y4XFe6qvAY/LYBmD728ZWOsSWPvoVZOm1dG7LsxxwUZWk2VyDtvODuJBInn19Dn7Tw5VqPjJMJAp5CfAaW8ilEPpdeG0JQfkJkBQj0+pMlpI1EIVDvdZai5fesweUWeaajrPnIjrBbqdFvd8eG9qrTehLM7FvpnT2qllfsCOeQf/KTPEw16I6eGFFm22iPblJgHFPzpu1a2Lvwn+8HcwqSMlGI9poOeV5RwXqBhFX9vozlN8G82csAnehiZmLktyYin1kYF3nfOXFqH9fKxbvXn/1hxQP//GDeoaNlepa/K/w51pj1mgbIXIb5g/PKsHaC7Rv3iDMcYW977+lobA4WnxfWhjA6k/iBb1unkSKbrZs+iHglpOKueAq9g6HO5fJ299eY2+GcmsPU3QKm4W,iv:550mzEValpqVruLQBMMJeJHVyYfaxNHwCvXkvz66qI0=,tag:k48T+9AtJs8GTVchyEP8Jw==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -63,8 +64,8 @@ sops:
            WUZQSGQyQy9halJsRTIvb1FGV08zZEEKmjlYY6epTuZKRBcVyjPvJI5XKQtP5Yag
            FMrI+M6hUeyBeCade5C+Y4eGQbt57BWLmsX7u0J1WTlkUSS5j7+wPg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-04-24T21:59:57Z"
+    lastmodified: "2023-07-21T12:58:43Z"
-    mac: ENC[AES256_GCM,data:OlS4htYXpBjYSFR5zsyr7H/cjT0DEsy4OQT3Bj7NkpZVpgS6zZ5s5BlND0wzgvvqwbACUjkiwZsEjIPD4xLfPsMlUm14NjZarBeePGN+/5hGpTjMHxJsboByZtsnOzkOk0eGhSc51tYhWBd1cPRfMJ0hR63eM0BU/8gzyF1onPc=,iv:sI8Nln8lLbpjJAIIRn3eEZjT/cb99VB02pyAzEz/wrI=,tag:6/9zhsaxDdS27m5y9d2z+Q==,type:str]
+    mac: ENC[AES256_GCM,data:zTImcUQeQsbWfWZjwJ6nPNCrYWkyUvZrud3pNWdsMLqXn0uB61n/Oav3i3m1zyz7eQObutG1OR+0aUlLMk0v7Xbz9rZCrMKN+GuV7tcaeu3ksvpn21ldd8PGzmYa6M+0EKkVqeTKXYHYY06OsxfeWafT52XA+0/uKE+3ldS2o3U=,iv:CSWcScdbdu+6lWt/6WFBBO8GqygNsKVNzII3bbxh8jg=,tag:tBwvCs0usPFBgoWRw3G5eQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/modules/nixos/github-org-backup.nix
+++ b/modules/nixos/github-org-backup.nix
@ -0,0 +1,59 @@
 { config, pkgs, ... }:
 {
  # upstream docs show how to restore these backups
  # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
  systemd.services.github-org-backup = {
    environment.HOME = "/var/lib/github-org-backup";
    path = [ pkgs.git pkgs.ghorg ];
    # exclude nix, nixpkgs and repos > 200MB
    script = ''
      ghorg clone nix-community \
        --backup \
        --clone-wiki \
        --concurrency 2 \
        --exclude-match-regex '^(all-cabal-json|dream2nix-nodejs-auto|nix|nixpkgs|nur-search)$' \
        --no-token \
        --path /var/lib/github-org-backup \
        --prune \
        --prune-no-confirm
    '';
    startAt = "daily";
    serviceConfig.Type = "oneshot";
  };
  sops.secrets.hetzner-borgbackup-ssh = { };
  systemd.services.borgbackup-job-github-org = {
    after = [ "github-org-backup.service" ];
    serviceConfig.ReadWritePaths = [
      "/var/log/telegraf"
    ];
  };
  services.borgbackup.jobs.github-org = {
    paths = [
      "/var/lib/github-org-backup"
    ];
    repo = "u348918@u348918.your-storagebox.de:/./github-org";
    encryption.mode = "none";
    compression = "auto,zstd";
    startAt = "daily";
    environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
    preHook = ''
      set -x
    '';
    postHook = ''
      cat > /var/log/telegraf/borgbackup-github-org <<EOF
      task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
      EOF
    '';
    prune.keep = {
      within = "1d"; # Keep all archives from the last day
      daily = 7;
      weekly = 4;
      monthly = 0;
    };
  };
 }