diff --git a/machines/koyomi/configuration.nix b/machines/koyomi/configuration.nix
index 419ded5..f582eb9 100644
--- a/machines/koyomi/configuration.nix
+++ b/machines/koyomi/configuration.nix
@@ -15,6 +15,7 @@
 restic = {
 enable = true;
 backups.system.enable = true;
+ mirror.backblaze.enable = true;
 prune.enable = true;
 };
 wireguard.home.enable = true;
diff --git a/machines/koyomi/secrets.yaml b/machines/koyomi/secrets.yaml
index 3ef1331..705844a 100644
--- a/machines/koyomi/secrets.yaml
+++ b/machines/koyomi/secrets.yaml
@@ -1,3 +1,4 @@
+restic-mirror-backblaze-env: ENC[AES256_GCM,data:VII+kDpsmWRevdeAhoAI4A0NVlofH1ZNrWCKknwasSHEQhi1/9dNzcHhPd3d264xjh85crq9sIhSZ4dvkZnzEL5AglM6zlmZFf1m46w2vQlyW5VHVZ1T2Yja,iv:wyClY0TnBMqY6nBNdrlmRt09dqRxDT6Ui/kDJDQzOE0=,tag:FrTtthFqZ2ndHVvcFxHjDA==,type:str]
 restic-ssh-key: ENC[AES256_GCM,data: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,iv:8Jm9r9u2RCfvNpeEEqbB5MHqTJc3k03P6Z2V5s5xAA8=,tag:ESmj1lRwL6lkUnr48nDeyA==,type:str]
 wg-home-private-key: ENC[AES256_GCM,data:fFoXn5sLL06hNeXhQGKbheQV4ZNlYxJKWlHpPfyF6PyYbBcz4An9DPYnQKk=,iv:pY2dVEspIijtZkatUrSdg90D0ldxAoy5rUj1lw1cOF8=,tag:jz4q+Yum05S9c5OlciBZ1g==,type:str]
 sops:
@@ -6,8 +7,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-08-22T16:40:49Z"
- mac: ENC[AES256_GCM,data:ng4SA9NVO/5CCiUqnZJFkr5TI/i4FMnaqQkz8eZwIUIqlB9KsuWb/6a+DlLEYusim2WrDJGSWcwamTHiqldWy+0uErIE7dvAvuYJFypqGxZusMswBwnL4g70cjOIblWhKSzYI+shQpRIw4NNdSAyn3wFywe+vC1Y/7u0nTyOtoo=,iv:g+wiA0WhTL81xhRgVvUprJe0FYvTck7qbkSgqyXzjYM=,tag:9iyHqjHCwauVdXMnizjebw==,type:str]
+ lastmodified: "2024-08-27T09:48:17Z"
+ mac: ENC[AES256_GCM,data:XBL1szDu+Mw7A/D31BJt4rD5a4ic1EuTmUefMYoMdL4kTl5fi7Ckk9EIV6MI5nKhF8ejR4cN94ih2cILzLodj/e89Xf74d0o8RX5PlUzqFsHoKV/yy9QVVtDDqnwo87sGZztUUcjlJX427SfPwdcMlNAuCoEZ/3SOQgcz5yoMB8=,iv:+WOJuSpSwB74brg3/SZ4Yu2WVtE4YOOiGfwlencLWps=,tag:YchYDy1eKXmTbK0Jb1Ewjg==,type:str]
 pgp:
 - created_at: "2024-08-20T22:33:06Z"
 enc: |-
diff --git a/modules/restic/default.nix b/modules/restic/default.nix
index 1602690..ff27384 100644
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@@ -37,6 +37,7 @@ in
 default = cfg.enable && config.sbruder.gui.enable;
 };
 prune.enable = lib.mkEnableOption "pruning";
+ mirror.backblaze.enable = lib.mkEnableOption "mirroring to Backblaze B2";
 };
 
 config = lib.mkIf cfg.enable (lib.mkMerge [
@@ -88,5 +89,51 @@ in
 };
 };
 })
+ (lib.mkIf cfg.mirror.backblaze.enable {
+ sops.secrets = {
+ restic-ssh-key.sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
+ restic-mirror-backblaze-env.sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
+ };
+
+ systemd.services.restic-mirror-backblaze = {
+ wants = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+
+ serviceConfig = {
+ ExecStart = "${pkgs.rclone}/bin/rclone --config /dev/null sync :sftp,user=u313368-sub4,host=u313368-sub4.your-storagebox.de,port=23,key_file=$CREDENTIALS_DIRECTORY/ssh-key: :b2:sbruder-restic";
+ EnvironmentFile = config.sops.secrets.restic-mirror-backblaze-env.path;
+
+ LoadCredential = "ssh-key:${config.sops.secrets.restic-ssh-key.path}";
+
+ DynamicUser = true;
+ CapabilityBoundingSet = null;
+ LockPersonality = true;
+ MemoryDenyWriteExecute = true;
+ PrivateDevices = true;
+ PrivateUsers = true;
+ ProtectClock = true;
+ ProtectControlGroups = true;
+ ProtectHome = true;
+ ProtectHostname = true;
+ ProtectKernelLogs = true;
+ ProtectKernelModules = true;
+ ProtectKernelTunables = true;
+ ProtectProc = "noaccess";
+ RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+ RestrictNamespaces = true;
+ RestrictRealtime = true;
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ };
+ };
+
+ systemd.timers.restic-mirror-backblaze = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnCalendar = "hourly";
+ RandomizedDelaySec = "15min";
+ };
+ };
+ })
 ]);
 }
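Review bot: The `:sftp,…:` connection string in `ExecStart` sets no `known_hosts_file`, and per rclone's sftp documentation the backend only validates the server host key when that option is set, so the mirror accepts whichever host answers for u313368-sub4.your-storagebox.de; since `rclone sync` also deletes destination objects missing from the source, a misdirected connection would propagate into the B2 copy, which is the last-resort backup this unit exists to protect. Pin the storagebox host key the same way the ssh key is shipped, e.g. `LoadCredential = [ "ssh-key:${config.sops.secrets.restic-ssh-key.path}" "known-hosts:${pkgs.writeText "storagebox-known-hosts" "<known_hosts line for the storagebox — placeholder>"}" ];` and append `,known_hosts_file=$CREDENTIALS_DIRECTORY/known-hosts` to the sftp connection string (host keys are public, so the Nix store is fine for them). While here, `Type = "oneshot";` in `serviceConfig` would make this timer-driven unit report completion and failure accurately instead of being treated as a long-running simple service. The enclosing `lib.mkMerge` list and the module header start outside this hunk.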