diff --git a/.sops.yaml b/.sops.yaml index 8ee1c995..f3a90b20 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -7,7 +7,7 @@ keys: - &vpsfree1 age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla - &vultr1 age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla creation_rules: - - path_regex: /[^/]+\.yaml$ + - path_regex: /[^/]+.*$ key_groups: - age: - *foureighty-source diff --git a/nixos/boxes/vpsfree1/backups.nix b/nixos/boxes/vpsfree1/backups.nix new file mode 100644 index 00000000..fe36e1c3 --- /dev/null +++ b/nixos/boxes/vpsfree1/backups.nix @@ -0,0 +1,27 @@ +{ config, pkgs, ... }: { + + environment.systemPackages = with pkgs; [ restic ]; + + sops.secrets."restic-backups-b2-repo-password" = { + sopsFile = ./restic.sops.yaml; + }; + sops.secrets."restic-backups-b2-environment" = { + sopsFile = ./restic-environment.sops; + format = "binary"; + path = "/etc/nixos/secrets/b2-env"; + }; + services = { + restic.backups.b2 = { + passwordFile = "/run/secrets/restic-backups-b2-repo-password"; + paths = [ "/var/lib/foundryvtt" ]; + repository = "b2:cyplo-restic-vpsfree"; + timerConfig = { OnCalendar = "hourly"; }; + environmentFile = "/etc/nixos/secrets/b2-env"; + }; + }; + + systemd.services.restic-backups-b2.serviceConfig = { + Nice = 19; + IOSchedulingClass = "idle"; + }; +} diff --git a/nixos/boxes/vpsfree1/default.nix b/nixos/boxes/vpsfree1/default.nix index 81d15749..6e936296 100644 --- a/nixos/boxes/vpsfree1/default.nix +++ b/nixos/boxes/vpsfree1/default.nix @@ -7,6 +7,7 @@ ./foundryvtt.nix ./cryptpad.nix ./syncthing-relay.nix + ./backups.nix ]; services.dockerRegistry = { diff --git a/nixos/boxes/vpsfree1/foundryvtt.nix b/nixos/boxes/vpsfree1/foundryvtt.nix index 673b4453..002e54b1 100644 --- a/nixos/boxes/vpsfree1/foundryvtt.nix +++ b/nixos/boxes/vpsfree1/foundryvtt.nix 
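Review bot: The widened `path_regex: /[^/]+.*$` matches every path that has a directory component, so the old `\.yaml$` restriction is gone and any file `sops` is pointed at anywhere in this tree will be encrypted to this key group without complaint. If the change is only meant to admit the new `restic-environment.sops` file, a bounded pattern says so and keeps the rule honest, e.g. `path_regex: (\.sops|\.yaml)$` (adjusted to whatever other secret names the tree already uses). Separately, the context lines show `&vpsfree1` and `&vultr1` bound to the same age recipient, and both new encrypted files carry that recipient as two identical stanzas; if vultr1 was supposed to have its own host key this is a copy-paste error that lets one host's key open the other's secrets, and if the two hosts genuinely share a key the second anchor is redundant and deserves a comment explaining why.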
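Review bot: `passwordFile` and `environmentFile` repeat the secret locations as string literals (`/run/secrets/restic-backups-b2-repo-password`, `/etc/nixos/secrets/b2-env`) instead of reading them back from the `sops.secrets` declarations a few lines above, so a later rename or path change in one place breaks the backup silently; the module already takes `config`, so use `passwordFile = config.sops.secrets."restic-backups-b2-repo-password".path;` and `environmentFile = config.sops.secrets."restic-backups-b2-environment".path;`. Moving the environment secret to `/etc/nixos/secrets/b2-env` also needs its reason stated: the default location under `/run/secrets` is on tmpfs, and if sops-nix materialises rather than symlinks a custom path, the B2 credentials end up on the persistent root filesystem. Whatever is in that environment file is the blast radius of a compromise of vpsfree1, so the B2 application key should be scoped to the `cyplo-restic-vpsfree` bucket and, if the backend's lock handling allows it, kept unable to purge history, with forget/prune run from a more trusted machine; none of that is visible here, so a comment on `environmentFile` recording the key's scope would help the next reader. The job also sets neither `initialize` nor `pruneOpts`, so the repository must be created by hand and hourly snapshots accumulate without bound.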
@@ -40,6 +40,12 @@ in {
 containerPort = 30000;
 hostPort = 30000;
 }];
+ bindMounts = {
+ "/var/lib/foundryvtt" = {
+ hostPath = "/var/lib/foundryvtt";
+ isReadOnly = false;
+ };
+ };
 config = { config, pkgs, ... }: {
 systemd.services."foundryvtt" = {
 requires = [ "network-online.target" ];
diff --git a/nixos/boxes/vpsfree1/restic-environment.sops b/nixos/boxes/vpsfree1/restic-environment.sops
new file mode 100644
index 00000000..7b4fcb9b
--- /dev/null
+++ b/nixos/boxes/vpsfree1/restic-environment.sops
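Review bot: The new read-write `bindMounts` entry carries no comment saying why the container's data directory is now shared with the host, and nothing in this hunk ties it to the restic job elsewhere in the commit that reads `/var/lib/foundryvtt`; a one-liner above it such as `# shared with the host so the restic job in backups.nix can snapshot the Foundry data` would stop someone from removing it as unused. Because that same path is backed up on an hourly timer while Foundry keeps writing to it, a snapshot may catch world data mid-write; if that risk is accepted, say so in the same comment, otherwise consider quiescing the service or backing up an application-level export instead. The container definition this mount belongs to starts and ends outside the hunk.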
@@ -0,0 +1,44 @@ +{ + "data": "ENC[AES256_GCM,data:XbZZT4EvSrmaL3ISyEQjTWnnOKoWZ/uEyZr275eXlJFXL2V1y11IzOOaEanXEKvcyAmW62j034IWoM1hMAmGC0UFC74pKsubw71pjKQb9UclOeMPTAZBdw==,iv:/BJY2a65QAm3+9Ohvvp+VxMPXedPDbcGFglDgQPCZMM=,tag:i1oSYO24z/TaG2w62XMoAg==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKc0pLQ0t4K280WVVwRnJ0\nYnZ3RGtXQ01PaE45N0tmTC9aOVBKdkp5dm5NCnN6bHlTeFBoazdKOWthdDE2dHBO\naXFTR1NETHZINzk0UkpFL3RobjJTQ0EKLS0tIHBwNmQrd0xHQWx3eG1UdzJ1THdv\naFBTeG9mR09XMmZsNFBGUzIzNnZsb1EK6tkaiqS2s3BKNUSzD/wt6T/RPlz8hM/u\nmzBKryrlYszGV76kKPO3XBtze7lqnsY3E/Mi01AvWH9jJeaI8X69Jg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzc1Q1Q2g5My9BL3dVUEp1\nRjJjclkxdWd6bXVqUThuK3hON2NHaVZRTndFClpxM1hWUUJieGYzTVVWWHdiM2xH\naWJpSlBTSEhoMTVXWGJoTWt1UTl5Rk0KLS0tIENwMlFiZndtWWhwV2NNOVhtQk5l\nSzV4VGg5ZU8yaXY1UWJSK1JVWjZDZFEKAXPLsV5ytWUcBw2Qf3l0HOp/ASWKqjJk\ncD0OZXNd+1yKoC6TtZxhhp7rO8RQrggoo+0mQMqDe9NJPRnTqannjg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKU0NSN1VDYUlFbkNUaTN6\nWVFBbXRneXJwWTBuRFUwenRwOFVINjVwa0NrCm5rMjFJK1p6Q09pR3pzazdhNHhP\nNGdFdlJhdC9LZ3Z5bGU0c1A1K2Y0bjgKLS0tIFQ1c3dySHVpK1hDckswTlMxTC9O\nSTE3MG5tWEdjNFQ3R2xrSW5HdDFOU28KJbV+leDxSf/CfCbZbiKx1bb2uE9UQhis\nFTLregz9Wg20ZOY5+/Mn+p2FHs1VFmm5LSkzLd4dDodf4XB7X5L03g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwcmxPNjMvOE1IWjNGN2ZG\nUGh2UWhxN2xjTEFiWHMzYy96clJpbktYeDBNCldiSVpDNEdSLzhIbHc2NUg2Sm53\nRW5HK21KV3JGRGs5V0NmQzMvSVQ0UUUKLS0tIDRtWUVVSFFGSkhhbGp4UjNER01S\nRllaZDhXTGJ5V2ZtS2F1WWJ0UithbGcKG3FFQmyzGstt8RRx/56f2L+d7lknLs9U\nzjgedEKFlVeWh9nbvV3D5Fqh4ekoSmZE0KJZKcjEcBDrMYeU0fcc2w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYSkdCb1hhQkljSFh6UHkx\ncGFnSTJDcDV1am0wd0IvOXdxWW5jMSswN0FBCnU3QVhsT1JGQzg2TGRZU1ltWmRN\ncjhrYTdtUnFUb3BvWGYyRkhjSHpnRUUKLS0tIEVLeWY3MWxTZUJzTWw0dVBoUVdv\nV3NFTHdRVWp4WEh1MGp6SnBjRGtZNGcKVJToOhX2ptmsvTA2B8VSiZ1e9te+SOIN\nrEdEH47h4/t4pswnZSZg9Ll8asYbmtbPNBWdEKtO/80cFMMz4N4QBQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnRGIzbzhzZ2pjVXhDci9S\nV0JOcHlOcDVhM0pzb0c3Q01ZYXp3ek1CY0dNCnhGY2NMM3dhVUpWUFhiQUNUcXlL\nMTNNN2xnTWZqWWVkeGhURkNCU01Cd0kKLS0tIGg3eEZZOGhoakZ4Ni9DMzBvcllx\nREJTOHFOWHdwTU80QzMxamkzc2JsTVUKnmxnq+4LBfHxyIomCE8JeiNLloXEygGd\nx0Sm3hN99Qohp2IEKF9UiSfzcmoUgC0yzXal4GxkE4zO/5EkxMoBfw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZ3ZSVEFOZ2o1eVR4Z21R\nM1JtTFVuSUpjNWJreERHUlpPVHlTS0paVHpjClRqamhjUVpMZFhHb0dRZ0lCbGhV\nTWtIM3luODlqalNUN3VqU3g1RHhFUzAKLS0tIERNSWRCQUxDd3ZMNFFYamRLYXUv\nTDQrbTVremRWNFpqWFZrWlBpUUpXcUUKEyBwbsNf3EF05EbIxLBECNlkEaQ0+B96\nEDVOiMYyStKRSJvaaiJK2mNSizc8qs6aJvyF/F5qeJUWSa2JguzBtQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2022-08-20T08:49:31Z", + "mac": 
"ENC[AES256_GCM,data:+yp1/bwAu8cN0i6yec2iTbBTwIOnO7465nX3+Qkex1sRGMB6hra92jEZyo2sVgFl8ws5APzGmmsyAeAaKqdzvC/8OGbqlSb+SXKqaa9mxZA58+NnIuAI8gtYQKz1gZ/N6gr0gZpllF+u622ooHrwiL2/GmzOYVApBmSpAROOGsw=,iv:rJzDHQH6Urwb2E1u5nT3dTtlEqGCFQME0uChghG1G94=,tag:vC20wbEyiwvvDpxMD4uYJA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/nixos/boxes/vpsfree1/restic.sops.yaml b/nixos/boxes/vpsfree1/restic.sops.yaml new file mode 100644 index 00000000..0b1422e9 --- /dev/null +++ b/nixos/boxes/vpsfree1/restic.sops.yaml 
@@ -0,0 +1,75 @@ +restic-backups-b2-repo-password: ENC[AES256_GCM,data:Th/Uz+kcaWdz8GcRoU0uACOqV51n42FkcheSuK99h1VIN4tg1Qrjd38tEWCsrqswURWQdNdVnR+AmQlm3lmmT/aQBhHSwWRgxLjnx1WRvNANS4jC/OImr0u8/1Z6rfVwaHCIgkWOpsG1BSWYmGrX1+Lpx8+YpP6RUVy1csLforDoukvRhtGPjz/TfKs0pVkTmoSJvyCNnzjeHAMrpGYiUSTqhUNCr78OW1EQhDUjoNMHNQZJN8yiDykA83OQiyZRfvpYJyk5QrLIbmBwdj7fjMSvV4X7gWjpYn/hm4pqfFSTMhIcBDtmRouohsAElMAt1VFDTh+dSbITfhLTiHr6IQ==,iv:V/ZyW1yqlN8ZbeyTlkztBNtUF+H7BfKK6hgTtX2T6Jw=,tag:HQjlo4GxpGsOzybSWtfM1A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdXh2MGtKc0lrRG0rWWFF + bnFidy90a1IzcXV1U0dFWW1pdmg2MGNxQkhrClU2NUdtZU83aGhuWlBRMDdLQjFm + T2VJMlJvMWc2YlNGT29Oem9VT0lxUG8KLS0tIG92c3VsWi9JK0xKNjliY1MzWTZs + WmdMUXBEYzluWHNJTklYRVhmMGF4dDAK6+vMr86fOjy0Bw4e+7MPSrOqQ7m50MNc + Aj4btH7NffuUrOsjpxCos0y8q6oQxOFpOAt2N6jhx9QyXAmxKeHZpg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWVRFZnV1YjhsZFNZUVhq + NU1TZ1JFV09vY212aHVXT21LZmVUYXRIMkJRClhPQStSN1BmL2NweTlhMkRLQVht + dUd2YTVkZnJkWVZueFdMNGRFcDlkRFUKLS0tIEM2WGpCd3BwakRIL0RLS2tJMVQ1 + Qm1hZ0dHTzRWdWs0bnFpTUJaS0NiT2MKzabwKNeYP13NDjqNis9jk5su2EwZLanX + TOToLrk8NmARHAyqGPrHGDCJb7y3o34sAFbXeRTtkpeyC4PXo3DA1A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQzFsa2pIVnA1NmhiZFFa + eFVkSERHeVp2Z3FRbXNFNUJaVER2czFOOEVrCm9ZYWVOWXdsSnk4OUxtdnlUYnRo + TjhTc01UYTFNQWNwWkFpNmt0WGtiRkUKLS0tIDV4QUxpZVB3NG1tQi9QTFdLcERF + TG03SGoxYkNqVG1DZ29LV3JES1MyMlUKsmORsigoSec0HAa3UzFEi2YDVdvONKhT + rgPBLCVDsHgrH+b3NYcTyiGG1cwiEoy3EDIDCDorN4a0XytpRhw6jQ== + 
-----END AGE ENCRYPTED FILE----- + - recipient: age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzK0M4cVdod3RzVmN1elJC + UW1ZSy82R2J1V2dSTk9EZC9xOVI3NTFBQTBZClkxZGJoSEQ4YVlnQWZzbnJkbHBG + NVdYYkdOalk0cjZYWDFnSEtrWFpTZ0EKLS0tIFFORzRtRkFMNzRMWFVWY2xQTmpm + RWsxWVVwYXV5U1E1MWZSNmxQQnhGeGcKPQUxaJwfKEc8/NUdALftg9t4ZfX2xKOJ + BEEcTAo+eS+TQ10gPBrhX6fmuQcWkKH27AcooQczLRj7h0KWm4mNiQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTSStiYjRFNUtaTFc0bGpJ + TkdQbDlVTGxJSkpPL3VEZ3VSMmEwMHdYc3lnCmdqRDc2Y2E1R2MwR2ljWG9CcEha + MklxSkZOUTVCNXpuTS8yTUVDNXUvb0kKLS0tIHZKWGFOd3l5ZnllbnJOVmdzN1FS + d1JMNFNxTS85K09zMXZsdVIvbThiaWsK8GAykyhoW+/iOgfbgQCtblA4BjlrIVcY + 6uw00sByQB0e2KT48Lb/hiWDnNbyH8nv9U2K3Iyo/BFkbCQ/GJOXTw== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGbFBVTFFvU05XUGptb2hj + eTZaUm16bE9xZFJUUEZNVTE1ZGpYRVh2dlNRCjRabWxzcTE3UDBsRXUvVG82dXkw + elFONkU5UkVoY3Z4OU9ZbG9CdldUd00KLS0tIDFvSGRid3RMMHZETDFURHNnVThW + cHE4Y2F1ZWh6Q2tGZ1ZUaGlPT1JGck0KV4hiMystiZ/nD/8D9nPF5JrtSauj9GIO + 4E/2syq+dXp8o5UPf3zCYfAiVm0hurFNIv3noS0t5ucIEELQ2bsH/w== + -----END AGE ENCRYPTED FILE----- + - recipient: age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJZFZjU1R1L3F6RjJNdjVB + MksxSVVtdlh0Vm9LZ1JVVHVjV0ZMa042N3drCmErOUpaOUFVR3BVVWVqUVErajR0 + bkpXMCtHaHJNYmhKTTlpTzJId1o1UmMKLS0tIGs3VUtmaC9DSDZIenpYMmZibVpi + UGs3bmVxNkF0NVNDSit3UDJOMGpNMkUKg0A+T0zMthtarMORQk9P8F0Eh4kNYAdO + 0VgyYS5JfJ76Le9YJGRMygUciidptyfK4W1MJ5D1lPceNmCQ7uLSdg== + -----END AGE ENCRYPTED FILE----- + lastmodified: 
"2022-08-20T08:34:12Z" + mac: ENC[AES256_GCM,data:WXYIXl20eI4YwvWfrlY0Kje947u5b2xcGunFLB6KQkuoBM/3Mv9MNJ5NsWpPruRiX5BEIW7rIFfsuVYBn0EVZOPR2xGUsgGWxQ7hU1C0GNVB4NODoQ1iW0W75fM3XW+vzEE6SIxxAkFJK470JwpJpWI/TNC28gj16Z2Kt6yAuBU=,iv:YmyxRbrw8SgxVccRBwVVuqNBFw8LNCUQsDD6ds8qzUk=,tag:16B2m9p/VAVY1VvZdxBBYw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3