feat: resticprofile

auricom · Jan 19, 2025 · 4169720 · 4169720
1 parent 10c618e
commit 4169720
Show file tree

Hide file tree

Showing 10 changed files with 215 additions and 0 deletions.
diff --git a/Containerfile.storage b/Containerfile.storage
@@ -34,6 +34,14 @@ COPY apps/resilio-sync/resilio-sync-helene.volume /usr/share/containers/systemd/
 COPY apps/resilio-sync/config/claude.conf /usr/etc/resilio-sync/claude.conf
 COPY apps/resilio-sync/config/helene.conf /usr/etc/resilio-sync/helene.conf
 
+# Apps - Resticprofile
+COPY apps/resticprofile/profiles.yaml /usr/local/share/resticprofile/profiles.yaml
+COPY apps/resticprofile/repository.sops.key /usr/share/resticprofile/repository.sops.key
+COPY apps/resticprofile/resticprofile-backup.service /etc/systemd/system/
+COPY apps/resticprofile/resticprofile-backup.timer /etc/systemd/system/
+COPY apps/resticprofile/resticprofile-forget.service /etc/systemd/system/
+COPY apps/resticprofile/resticprofile-forget.timer /etc/systemd/system/
+
 # Apps - Scrutiny-collector
 COPY apps/scrutiny-collector/storage.container /usr/share/containers/systemd/scrutiny-collector.container
 COPY apps/scrutiny-collector/storage.sops.env /usr/share/scrutiny-collector/config.sops.env

diff --git a/apps/resticprofile/profiles.yaml b/apps/resticprofile/profiles.yaml
@@ -0,0 +1,107 @@
+# yaml-language-server: $schema=https://creativeprojects.github.io/resticprofile/jsonschema/config.json
+version: "2"
+
+profiles:
+  default:
+    env:
+      tmp: /tmp
+    cleanup-cache: true
+    exclude-caches: true
+    initialize: true
+    password-file: key
+    restic-stale-lock-age: 2h
+    extended-status: true
+    no-error-on-warning: true
+    prometheus-push: https://pushgateway.xpander.ovh/
+    cache:
+      cleanup: true
+      max-age: 7
+    find:
+      human-readable: true
+      long: true
+    forget:
+      keep-daily: 10
+      keep-weekly: 6
+      keep-monthly: 6
+      keep-yearly: 0
+      prune: true
+    ls:
+      human-readable: true
+      long: true
+      recursive: true
+
+  home:
+    inherit: default
+    lock: /tmp/resticprofile-profile-home.lock
+    prometheus-save-to-file: /usr/share/resticprofile/home.prom
+    backup:
+      source: /var/mnt/vol1/home
+    repository: rclone:storage-backup:home
+    snapshots:
+      tag:
+        - home
+
+  music:
+    inherit: default
+    lock: /tmp/resticprofile-profile-music.lock
+    prometheus-save-to-file: /usr/share/resticprofile/music.prom
+    backup:
+      source: /var/mnt/vol1/music
+    repository: rclone:storage-backup:music
+    snapshots:
+      tag:
+        - music
+
+  photo:
+    inherit: default
+    lock: /tmp/resticprofile-profile-photo.lock
+    prometheus-save-to-file: /usr/share/resticprofile/photo.prom
+    backup:
+      source: /var/mnt/vol1/photo
+    repository: rclone:storage-backup:photo
+    snapshots:
+      tag:
+        - photo
+
+  piracy:
+    inherit: default
+    lock: /tmp/resticprofile-profile-piracy.lock
+    prometheus-save-to-file: /usr/share/resticprofile/piracy.prom
+    backup:
+      source: /var/mnt/vol1/piracy
+    repository: rclone:storage-backup:piracy
+    snapshots:
+      tag:
+        - piracy
+
+  shared-documents:
+    inherit: default
+    lock: /tmp/resticprofile-profile-shared-documents.lock
+    prometheus-save-to-file: /usr/share/resticprofile/shared-documents.prom
+    backup:
+      source: /var/mnt/vol1/shared-documents
+    repository: rclone:storage-backup:shared-documents
+    snapshots:
+      tag:
+        - shared-documents
+
+  minio:
+    inherit: default
+    lock: /tmp/resticprofile-profile-minio.lock
+    prometheus-save-to-file: /usr/share/resticprofile/minio.prom
+    backup:
+      source: /var/mnt/vol2/apps/minio
+    repository: rclone:storage-backup:minio
+    snapshots:
+      tag:
+        - minio
+
+groups:
+  storage-feisar-ovh:
+    profiles:
+      - home
+      - music
+      - photo
+      - piracy
+      - shared-documents
+      - minio
diff --git a/apps/resticprofile/repository.sops.key b/apps/resticprofile/repository.sops.key
@@ -0,0 +1,20 @@
+{
+	"data": "ENC[AES256_GCM,data:xSEC2wZf3AZgRP3/5L8Pmq3wki1/GuwkmgMCH5heS6WJPkFedLsx5DbIUh8dHgf60dHR5vRbM9ZhTYXwIV7s3ZshoBgmtsVhicM++Vp+heiGKk1a8Hdh7BuPeQsXU0U9WHCHx2+ks+1p6sNyYjBVIIaXrU25x0NhPyP9cR/73DByrTK6WyX3YgGZ7x4T59UB2U1h77/zl1BUPbg4escNiNJsvqaRozOzpdlmfPI5dJPWdCTccLAJjiJ/dh2F50KMCQXFLH+oK1X1ZzcLYebv03BYqQMvGDhE0MEC27xxwa8IVolM7QP+BvQpRcsHoAHL6umESlcTo/cs+4837yVfkorGdVppjopuU2k2ize1vgPCOemxb9MvxCcQbgkiw5wiB/0njpsqJRJmjom9zVZJLRFxODudRvpocuedP/HfnyNtoB6ZmqoA2cmw7eDYwTiUbIWmf2mmSctpmYHTfql9dHk+Yqkv4OnP/3z9qhL7iVw6ekx5Vaw2yHUSrre03GJOoNtbi9pR0bcmrcKzY/8dtohGs1HiaBgrsJPfHKWzEbGMHeMN77Rzy+ZpbNVggmu2WyMiJ6c5sxnGReRHzwdyWlThUzpDRkMY+W+bu7t0iDjjFlGYwsVZdw6S1Lapx7OpbuSq6ge4Cf4U3/dAu5x6HSfw+9lJUjcxyor3/m6Ce436BVlB9c5kiN1aAQD8YZcJ88utgdnSziMwKMOn0VlT74kh5RSB5aY00saUz6Yb0Sj1+o7ot6Jyq+SlVQkYBseV7S7r0a5Z2X52LkMt1qT/kpNK1SudkJFXXURd13SY0/lXbJd3B/XwAlaBdBMHbNOldS2xNIRp9LTwLfK6qjlCjxHXkhzh5iBzZbSNflDimEr7+t3n/uE1MQjFGMKEQhUlKXZkOJKnck49RlbNr11Z/F8mpdD1b5cp9vPpZx9o/quekq10833PqVfXVXsE/RjrO1nhi4triLrt9ov6FVFOSpTFWiMVUAd2J361eXbUOGc4xjLbrZ52kt2MzclwJ8ejImqC7+tcVIfAdVxlEPitrvvdhXbhz5ZWlFEB6WDAqETTQ0OkguqPKea91JCBBbADdChi/1RJgGJvRwMdG7ejfJothEBK9mmmZj2dzIYcuIIqvMsp/ernXJpdQ9aJ1xPi+YTHDApGdfcGBaVinoxwGWHJyhM2QmHUNDyYvXwmmk0RBSX9KT/+axIJ/RjO6J5iicW3f6MwzPu2yfxXQIkdoexVq2gFgJpe6kk8oLw1e3mdlZWpcB1sJicN6bN4eB/ZWx3xDJoj4U3260XFkQ1cJa7jZUc1LDz56DDHqt1o+/VcoRRnWVxnjoZTWMcz+ZlU7SyZ59Qih/ye540nSobmSAzxTG0a+cie4WOVwkAceXN0i6nJr8wKbVUnXrWNFVZjvVdnH8rEBzBRjrF9q9Fdpc+h77Rn1/r7J6PTmV6R77nKqM6v9hE6g1hMjf6F/CYmWvAHADB5/0kVQ71VTF7yLjkwiCrC+0jesEneKpxYwPCn45m5VVe5sytYeaBnF36bQf3gOE23DqFPt2CRNzzFc83JnHYHVq+Crqh5UYs2WweaQeuXQEBdfYpvueCwPqNx9EoXRQXZzxW5TikHTTh6NUxZLipdVyOSJKSLb5EleeKC2sSGmv3tH8nWDCYFoPpOlNy+SrOMM/etykJlcTNiPMAhc+iutSw3/Br5fkh4dgh4kLHkW9g6CrQlQhinyaqZp4ztoWSl/19HHmEafArZ30RLiGXa7tOQPy0ySdevYQhMNYzfJGXMIjtLkaBJDdizdLivFjBxZRllgraAQ3d/vUdzx1nGHCDM,iv:Q93vpAra3++5x9bdpgXoOCaop80291V8dJgRwOkuMvE=,tag:SdjEQLtnb4ds1FxbEI/afQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1c8cqpw6gnlrf82ewm2vj0yalzszvtzd0mmk5yzr4nfpqqseynq7q86f3sq",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMFZXMTFYa3REdTNQc093\ndlZDLzRhUEl5WEI3a1ZWWmVjelVZb3FPQXdvCmh5MHNOWTYwdTBlM3Vpc2ZmL3BP\nMmpNcFMvZkRnMThKdmJDWjlUZkE5Y1kKLS0tIHBYUVlqMXNyVXBNUnZFR0s2dEFQ\nbGcwRk9hTmFEanluaFVkNlJ3QUg1SlkKg3zwgb3ApKAVxJ1IN25o8H2fig9ykZv8\nSFAw0UDUv5Gzv25KoDM4Hom9GzC2UGZp/X9AixGXVe2wWE3HRp58Sw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-01-18T20:38:23Z",
+		"mac": "ENC[AES256_GCM,data:3ZkQFbzcJcHn6+2013J7533Qz1L4d7A4Gewanbeavbz7fXd9r7jNDU3RoOnBk05QkIOjmmB0vUjf7ulkcYKR5nLlifoZwrLpFvbZYHEVQQw0NOZ+CaGxKr9HRYUHYltnAZmoYQNsMfaZAKFlQTG00EXEUNAU4ozNW9SmfS1bARU=,iv:6EU1mX3DJOlmB5m2KKRf34fWUt5hg4hFWSlBzqCNJUI=,tag:jL38t1Kw5a+k8KOcT62+Sg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.3"
+	}
+}
diff --git a/apps/resticprofile/resticprofile-backup.service b/apps/resticprofile/resticprofile-backup.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=resticprofile backup
+After=local-fs.target
+After=network-online.target
+ConditionPathExists=/home/linuxbrew/.linuxbrew/bin/restic
+ConditionPathExists=/home/linuxbrew/.linuxbrew/bin/rclone
+ConditionPathExists=/home/core/.config/rclone/rclone.conf
+ConditionPathExists=/usr/local/bin/resticprofile
+ConditionPathExists=/usr/local/share/resticprofile/profiles.yaml
+ConditionPathExists=/usr/share/resticprofile/repository.sops.key
+
+[Service]
+Type=oneshot
+Environment="PATH=/home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
+ExecStartPre=/bin/sh -c 'test -f "${SOPS_AGE_KEY_FILE}" || exit 1'
+ExecStartPre=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/resticprofile/repository.sops.key "cp {} /usr/local/share/resticprofile/key ; chmod 444 /usr/local/share/resticprofile/key"
+ExecStartPre=/bin/mkdir -p /root/.config/rclone
+ExecStartPre=/bin/sh -c '[ -L /root/.config/rclone/rclone.conf ] || ln -s /home/core/.config/rclone/rclone.conf /root/.config/rclone/rclone.conf'
+ExecStart=/usr/local/bin/resticprofile --config /usr/local/share/resticprofile/profiles.yaml storage-feisar-ovh.backup
diff --git a/apps/resticprofile/resticprofile-backup.timer b/apps/resticprofile/resticprofile-backup.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Timer for resticprofile backup
+Wants=network-online.target
+
+[Timer]
+OnCalendar=*-*-* 02:20:00
+OnCalendar=*-*-* 14:20:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/apps/resticprofile/resticprofile-forget.service b/apps/resticprofile/resticprofile-forget.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=resticprofile forget
+After=local-fs.target
+After=network-online.target
+ConditionPathExists=/home/linuxbrew/.linuxbrew/bin/restic
+ConditionPathExists=/home/linuxbrew/.linuxbrew/bin/rclone
+ConditionPathExists=/home/core/.config/rclone/rclone.conf
+ConditionPathExists=/usr/local/bin/resticprofile
+ConditionPathExists=/usr/local/share/resticprofile/profiles.yaml
+ConditionPathExists=/usr/share/resticprofile/repository.sops.key
+
+[Service]
+Type=oneshot
+Environment="PATH=/home/linuxbrew/.linuxbrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+Environment=SOPS_AGE_KEY_FILE=/root/.config/sops/age/keys.txt
+ExecStartPre=/bin/sh -c 'test -f "${SOPS_AGE_KEY_FILE}" || exit 1'
+ExecStartPre=/usr/bin/sops --config /usr/share/sops/.sops.yaml exec-file /usr/share/resticprofile/repository.sops.key "cp {} /usr/local/share/resticprofile/key ; chmod 444 /usr/local/share/resticprofile/key"
+ExecStart=/usr/local/bin/resticprofile --config /usr/local/share/resticprofile/profiles.yaml storage-feisar-ovh.forget
diff --git a/apps/resticprofile/resticprofile-forget.timer b/apps/resticprofile/resticprofile-forget.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Timer for resticprofile forget
+Wants=network-online.target
+
+[Timer]
+OnCalendar=Sun *-*-* 07:00:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/scripts/apps/resticprofile.sh b/scripts/apps/resticprofile.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/bash
+
+set -ouex pipefail
+
+# renovate: datasource=github-releases depName=creativeprojects/resticprofile
+RESTICPROFILE_VERSION=v0.29.0
+
+
+RELEASE_INFO=$(curl -s "https://api.github.com/repos/creativeprojects/resticprofile/releases/tags/${RESTICPROFILE_VERSION}")
+ASSET_URL=$(echo "${RELEASE_INFO}" | grep -oP '"browser_download_url": "\K[^"]+' | grep 'linux_amd64\.tar\.gz$' | grep no_self_update )
+
+curl -L -o "/tmp/resticprofile.tar.gz" "${ASSET_URL}"
+
+tar -xzf /tmp/resticprofile.tar.gz -C /tmp
+
+mv "/tmp/resticprofile" /usr/local/bin
diff --git a/scripts/install.sh b/scripts/install.sh
@@ -31,6 +31,7 @@ if [[ "${HOST}" = "storage" ]]; then
         samba
 
     /tmp/apps/cockpit-file-sharing.sh
+    /tmp/apps/resticprofile.sh
     /tmp/apps/zrepl.sh storage storage-remote
 
 elif [[ "${HOST}" = "storage-remote" ]]; then

diff --git a/scripts/post-install.sh b/scripts/post-install.sh
@@ -27,6 +27,10 @@ systemctl enable ucore-firewalld-setup.service
 
 if [[ "${HOST}" = "storage" ]]; then
 
+    # Resticprofile
+    systemctl enable resticprofile-backup.timer
+    systemctl enable resticprofile-forget.timer
+
     # NFS
     systemctl enable nfs-server.service