From 24ecd65cf0e060a5a7f711b7811fb4604b768ca2 Mon Sep 17 00:00:00 2001 From: Eli Ribble Date: Tue, 30 Sep 2025 17:46:46 +0000 Subject: [PATCH] Add backup for fieldseeker-sync files. This required changing the directory of the user files so that I don't accidentially backup Gleipnir test files. --- modules/system/fieldseeker-sync.nix | 51 ++++++++++++++++++++++++ secrets/fieldseeker-sync.env | 6 +-- secrets/restic.yaml | 62 +++++++++++++++++++++++++++++ 3 files changed, 116 insertions(+), 3 deletions(-) create mode 100644 secrets/restic.yaml diff --git a/modules/system/fieldseeker-sync.nix b/modules/system/fieldseeker-sync.nix index 1b25b5e..65bd1e5 100644 --- a/modules/system/fieldseeker-sync.nix +++ b/modules/system/fieldseeker-sync.nix @@ -31,6 +31,39 @@ in { name = "fieldseeker-sync"; }]; }; + services.restic.backups.deltamvcd-db = { + # Need nixos unstable for this + #command = [ + #"\${lib.getExe pkgs.sudo}" + #"-u postgres" + #"\${pkgs.postgresql}/bin/pg_dump fieldseeker-sync" + #]; + environmentFile = "/var/run/secrets/restic-env"; + extraBackupArgs = [ + "--tag database" + # Replace the below with 'command=' after next release + "--stdin-from-command -- \${lib.getExe pkgs.sudo} -u postgres \${pkgs.postgresql}/bin/pg_dump fieldseeker-sync" + ]; + initialize = true; + passwordFile = "/var/run/secrets/restic-password"; + pruneOpts = [ + "--keep-daily 14" + "--keep-weekly 4" + "--keep-monthly 2" + "--group-by tags" + ]; + repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-deltamvcd/database"; + }; + services.restic.backups.deltamvcd-files = { + environmentFile = "/var/run/secrets/restic-env"; + initialize = true; + passwordFile = "/var/run/secrets/restic-password"; + paths = [ + "/opt/fieldseeker-sync/deltamvcd" + ]; + repository = "s3:s3.us-west-004.backblazeb2.com/gleipnir-backup-deltamvcd/files"; + + }; sops.secrets.fieldseeker-sync-env = { format = "dotenv"; group = "fieldseeker-sync"; 
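Review bot: `deltamvcd-db` sets no `paths` and passes the dump command through `extraBackupArgs`, so whether a `restic backup` step runs at all depends on how the NixOS restic module assembles its command line, which this hunk does not show. As far as I know, some module releases emit the backup step only when `paths` or `dynamicFilesFrom` is set, and append their own arguments after `extraBackupArgs`, where anything following `--` would be handed to `pg_dump`. Please confirm with `systemctl cat restic-backups-deltamvcd-db.service` and a test restore of the resulting snapshot before relying on this job. Adding `"--stdin-filename fieldseeker-sync.sql"` would also give the dump a meaningful name inside the snapshot. Separately, `deltamvcd-files` has no `pruneOpts`, so unlike the database job its snapshots never expire; if that is intended, a comment such as `# no pruneOpts: keep every file snapshot` would say so.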
@@ -47,6 +80,24 @@ in { restartUnits = ["fieldseeker-sync-gleipnir.service"]; sopsFile = ../../secrets/fieldseeker-sync-gleipnir.env; }; + sops.secrets.restic-env = { + format = "yaml"; + key = "backblaze"; + group = "root"; + mode = "0440"; + owner = "root"; + #restartUnits = ["fieldseeker-sync.service"]; + sopsFile = ../../secrets/restic.yaml; + }; + sops.secrets.restic-password = { + format = "yaml"; + key = "password"; + group = "root"; + mode = "0440"; + owner = "root"; + #restartUnits = ["fieldseeker-sync.service"]; + sopsFile = ../../secrets/restic.yaml; + }; systemd.services.fieldseeker-sync-audio-post-processor = { after=["network.target" "network-online.target" "fieldseeker-sync-migrate.service"]; description="FieldSeeker sync audio post processor"; diff --git a/secrets/fieldseeker-sync.env b/secrets/fieldseeker-sync.env index 5028398..a33297b 100644 --- a/secrets/fieldseeker-sync.env +++ b/secrets/fieldseeker-sync.env 
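Review bot: Both new secrets use `mode = "0440"` with `group = "root"` and keep a commented-out `restartUnits` naming `fieldseeker-sync.service`, which reads as a leftover from the entries above. Assuming the restic units run as root (the module default, not shown here), `mode = "0400";` is sufficient and the commented line can be dropped. The jobs in the first hunk reference these files by the literal path `/var/run/secrets/restic-env`; `environmentFile = config.sops.secrets.restic-env.path;` and `passwordFile = config.sops.secrets.restic-password.path;` would tie each reference to its declaration, provided `config` is among the module arguments. Since the database job prunes from this host, the `backblaze` credential presumably carries delete rights on the bucket, so a comment recording that a compromise of this machine also exposes the backups to deletion would help whoever reviews the key's scope later.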
@@ -3,7 +3,7 @@ FIELDSEEKER_SYNC_ARCGIS_TENANTID=ENC[AES256_GCM,data:Zc3qodyvIvG49pbTe0DRfmZT,iv FIELDSEEKER_SYNC_ARCGIS_SERVICEROOT=ENC[AES256_GCM,data:zZsg/B9ZdMQybxTGeQa55ZLJCMFau6Ephz8Dtgjd,iv:45mC2/kBS6Yf6CRy+4WH+8wuG0A1c/3OBNU4rpzGbtA=,tag:JHC0oHJnhR6H7VO2CgPnXA==,type:str] FIELDSEEKER_SYNC_ARCGIS_FIELDSEEKERSERVICE=ENC[AES256_GCM,data:OFIYNlq2d7lDXp5vsoB7Sw==,iv:K7FB0pqc55PBsmeLmQZysXksyscYbZkDBVTJfX2faYM=,tag:woTG5DQOOQvPwirwz7wfYg==,type:str] FIELDSEEKER_SYNC_DATABASE_URL=ENC[AES256_GCM,data:3VvsXW6eSIRKV04hW0eIlwB73/2pNLFpqZQgjH2VYwy+9XKmFuVzWq5gs43vFWumzNt3nSXplgE=,iv:H2YwilwJ0+taW3/KqmG8ZkuyRjNW1XbCL1i6vxxP/38=,tag:a2TRIlOIlhUKqEy+J+tanw==,type:str] -FIELDSEEKER_SYNC_USERFILES_DIRECTORY=ENC[AES256_GCM,data:vYCnRcmRLFo/jD72ENjLRSa8s6kYB78=,iv:LycJvFSAbTscLZvGRMDdWS1E11yb+O6qbzTZiJ8TlNk=,tag:P+OH9M7DdhDahKShGTEgCg==,type:str] +FIELDSEEKER_SYNC_USERFILES_DIRECTORY=ENC[AES256_GCM,data:9w2x5el/5tuRIVnlrBKt7irFFvnZEeYkZs3Q03BwSU1m,iv:U2+U4TINInZ3/EdjBs5Dj2Q5AxkGwXagLHEGyoT1j7Q=,tag:tQWtYEXEktxmd5appkSmdA==,type:str] FIELDSEEKER_SYNC_WEBSERVER_BIND=ENC[AES256_GCM,data:bFcRwDBy+io5LxvtxnoDfw==,iv:9laF6OmbMK+CCs727cmm55zaJ/YlWiajX5pNThNeTRE=,tag:WlZur8M0ER9cQrozVOL4hA==,type:str] FIELDSEEKER_SYNC_WEBHOOK_SECRET=ENC[AES256_GCM,data:3LL/GRSBYO6zi2jCiKDw/snVPOD5dA86yjGXsIEl+ObcfBmm5jQ=,iv:6z7pjBu3dQPbvPc4SCvKNzG2Fv3ro6FKxB9D9vQU00w=,tag:vaha53IJd0z5ifdssLGmNg==,type:str] SENTRY_DSN=ENC[AES256_GCM,data:kvPQz0NKrUtGxISRdwIAlT+2Apxgb22GvGKVJLaxW47DoY4FzvxFh9cu0kAsnjcrQyee9Ol6F3l5tIWDacCQVp0plob4u4NSDvE=,iv:uNZPx+J1jjRDcwknw6XgeYrWk6/UYj7sf4YlkxQeYmM=,tag:57e9XEtFCWRIFEr7wLjh6g==,type:str] 
@@ -20,7 +20,7 @@ sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb2 sops_age__list_4__map_recipient=age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge sops_age__list_5__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnb1hGWFlFTzMwdVVCNDRt\nWWhQQzgycGFHcmU1U2RkWURMM0dpU3ZqbWtrCk9zSVQwem5CRXlJWXF5eXExZzU1\nK2pvZXBTdlVEQitRWTdsMGdZTXhUK3cKLS0tIE9TYTZIOVBudE8yVFRPQzFmYjdX\nS0o3bi9rMVNSZC9MNklMUm9zdC9FN1UK7ey3TmrTqEuLHjh48KaPJCOmjhcqwMfU\ngHmUqmeOteEWGyhA2O3GdfyraLbwTQQsRKS9YqgYim2g2ILNWAft/w==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_5__map_recipient=age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7 -sops_lastmodified=2025-08-25T18:51:49Z -sops_mac=ENC[AES256_GCM,data:4HIPsbsl52yMF7NDjKlSzNIno47dJOJ1AFyEOw2jTNrsU4zjqG3tIPX9cSarWoRSCIzn/op/IwKz8ShS9Kmq26tsFpXVsHBuVP3Aio1Fvm4/34cDuzWUrimCKAjyNvhin73+51BXcslXwCY1If53scvQy4gBc7ix3+twOEPCpLc=,iv:Hi73BWzeaDQc0/aAq2g7ACeI6Ng97iLzYpCmU7lH6rU=,tag:NHZAbnjwqCF1RhrigZ1ZFQ==,type:str] +sops_lastmodified=2025-09-30T17:39:37Z +sops_mac=ENC[AES256_GCM,data:Q49cycoyYuo2fvZZCIaVikwd7+uqof5pek98HeeNE7xvPims0juwfVfdaWVTJS3A00Ci+e3lg4QY82snqEB9ajH2dNaEdS+h7BIDAf1DXp15StN8iEyAG3iOJhwW3hj6kH4LUhNWFS88VGQJFMNh5dT+oyhO4EuI6yVy3BBlI+o=,iv:11oYVnndK63rztVBNB58cnNbgSWb2gSDpFPlE9BhwwQ=,tag:5fOLD23wR6deq50TDGKjYw==,type:str] sops_unencrypted_suffix=_unencrypted sops_version=3.10.2 diff --git a/secrets/restic.yaml b/secrets/restic.yaml new file mode 100644 index 0000000..ddb8347 --- /dev/null +++ b/secrets/restic.yaml 
@@ -0,0 +1,62 @@ +password: ENC[AES256_GCM,data:8+9fN4o5sDIdfvi9tSKE2ZzvuF3yCJtboNOML0bfoIEYRTkk,iv:tq9URJYhpDOx8rg5RdhyazBpp7EHpLUXCCQITapKvio=,tag:U99XmbB2mQ4HGv/uF0B+HA==,type:str] +backblaze: ENC[AES256_GCM,data:yY61q4Bfa9ABc+Lo5D4btjWX47WDy7X+Na6f3QhbC0jIs+TkOInR/NgU6d8WoUeFUgp4Uv9v1wHx0mmR81G9KWCoFtBuPkD4v6OZNjGMeiTmQl7TSh2TwsOchZqcyJ22ELM/s1fEH3pS1WhG5jugmpvji5c8552t1ZcYqDYygZ6kpHAd098bkhKwiwBxsTsKlrLTTGvq9lWB+SOlqzo=,iv:D7Qq1S0gE6R0dfWI9ZPJ3eVFE4ANVOdOqRf0hnu0Zsk=,tag:SdiLYe6PROffLr78P0JwEw==,type:str] +sops: + age: + - recipient: age1fnkhk9rv7r8gh84vxnhvndk4fgh20qcj4hvnfhdpumcydl6m6vrse50lrz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQTBwZWZSZEhBVGpuWDlG + MHhuOXQ0Ly83NDNaQ3o4ZmZWZW9pTTVvd2tBCnRSNHVOTUFoc0ZFbXEwMzhCUE5m + WUlmaDFueGZyc0J3eVRkQU9SNjVzbncKLS0tIGQyMWlLVmJyWGZ6V2ZWaFVQWFNB + aHVWL004cnNjcHprNVlScXRiV25oWDgKWy0uAVaqRBH3QJDjJ1MGU/ux7te3A2CA + 9HohUxSYcYH2Ug74wJiJDCgzmGYIzzWSwkgtMQccbAlVv7M2BO4Igw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1x704pjnueguchkl54ly8w4w26ltys5900v7xnl7w3zlgasus09jszz45t8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxL1pSQWtDS09kbnBia0E4 + aHJ3VXhNL1BRVWxVTGJ2dVlzalZNenpnQmp3CjlORW9EYkVUOVhRVHVMN2Jzd29y + bExBcEcyL3FncjhGbzlqcHBuTGNOeHcKLS0tIHgvRHRqNGpQdWpkd1hNR3Z3RWto + NXNsRzF3V05SRmNlZFdra0xqQjJZYTQKBy48xP06q9jMjzgDYkb3m+o8hdM3s5N0 + bO/R5TSm+l7nlHzbXBiXU6pgNY4yqDbXytMP+WzIOQNIczTGggM66Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age15y4k929zaj9fdg3vd40pa40tgvrgv9mn22xfummn5zxfmkcw5d0st6prjx + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyRUNZQUp5cWFTcWsrUlhF + ZVhWejVVZHlvMG42ckIvdEtXZnJSTFpPajBZCk5sTEJDODJSb0lVd2hiRlBXOEdh + U1pQeEdKSUVvakFJSU5Bd2FHaTRNWkEKLS0tIGpkb0R1K0lZTWp2WXVNZlRScjZC + eGVrZzZGZDRzZyszYTNvNlZqclFlWE0KxDOKdnlUe9/IYNR/8apZJe+twDAX3ijD + 6Cyj7nr4elgoFAo5wYzckZCjqjvrnuNv6pfr2UZKl5relPYzQkH27A== + -----END AGE ENCRYPTED FILE----- + - 
recipient: age1ck44jqpuz3zlthquvuh7wsemrjrgfzhn462sk7rlfetwxpgy0uqs79xn2h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWXhNT1JLTjNlYUFlL0k4 + dllhaWV1RzlTdEZ1WUpjWC9SL2pxNjF3cVFzCkoxU2ptYXpzQzR1dHFrMGd6SDlv + NWxrL0k2SHJVRTVVamdwQTJ4R20vV2cKLS0tIGl5TjNiQSs1c1RZNlBPMjZaY2pV + QzcxM3p0Umhqa3hvUUZ3czBwbXFtSEEKNtj0HpO83jEncqR9GUWCANNzNF6SZA6y + dqh8I3Ncr07IY82ZVt2LxIMCW8lBDdH2Z2/MZMrNVQcx7bDuwjTRHg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1t3ryfktuhr3cysf49m9q2n8fkjf9ajjjnhztxw9hz8paxgk4lpcq065jge + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwVFpESlhmZEwyQUVUZTJ6 + Z05ybGs5MVRMbXRNTG41STVTMHIzZ24vZjNzCmhhUVdSVm1yU1lvcldGdmRhVlhn + V1dyYTduQ1RwdEdxVmxXM0VpU3o2R1UKLS0tIG1neU52WXpUN3B6NjNUdjNuUlcy + TE5mODRzY2lVaEhYcFFNSHA0cTEwQ1UKVhty22l2UpN2unDd4rd1RaLWjUYAR3uU + oFWBY/uwymccU0ySzHlOgP5om9BcLpNd+RaVRwjGmxX4xUGvRJe3Cg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1j90h7hcp4fctr2xwj4zf9cxuelm43wkujvryc9hk6rzzc37rwdmss035w7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwS0c5R3ROekVJVkEvV2lM + VzRIWXdONlA4YldpSzRLYXVuajVJK0FOUTJrCjBrTndyVFJNSlQxUUZySkl4N05a + Y1FQNmxNcWduTXVZQVYydlFKV05oQVkKLS0tIDdmU2VJc01yT2hoaXRvNytFc29z + SlE5RHJTeCt6cFVwbEprNzBiQWhPaTQKJBdRuScefHDJQmM1KBQU5mZKgHgyfdfD + h2sJ6irLm0tVkNuaNTtCEFUqzyaFI4M3zQhYA8B3ZJwfhoN+3UiwKg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-09-30T17:43:08Z" + mac: ENC[AES256_GCM,data:aGvETiPMIFHSTD+HFbpxcZZChseyYa/nSYG6Jdn4N9IZ07NTrQGrCoXydAyPbMcZ2/1nHxUjEBDjR/WyqJXtBRgpLQIBRWUU9BXonUeK1lCfvFsNoxCKGmWUGxVFMyRs9t+z/bzYKiFx5yFrhxZ0O73K7E5E7bk4D4np7C+xJCI=,iv:eopRqkfBx3308W5jBBGZViKXMVwJARJA484j8N15SFI=,tag:HjltEecsL5f5o4dI6pd8Kw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2