From 6165d4a2afb6e595d26ef0884d2fe5ae5b11783e Mon Sep 17 00:00:00 2001
From: Petru Paler
Date: Tue, 11 Mar 2025 10:18:24 +0000
Subject: [PATCH] WIP: kopia backup script
---
 common/global/backup.nix | 2 +-
 common/global/kopia-snapshot-backup.sh | 17 +++++++++++++++++
 secrets/secrets.yaml | 8 +++++---
 stateful-commands.txt | 9 +++++++++
 4 files changed, 32 insertions(+), 4 deletions(-)
 create mode 100755 common/global/kopia-snapshot-backup.sh
diff --git a/common/global/backup.nix b/common/global/backup.nix
index e4dd354..adb3af5 100644
--- a/common/global/backup.nix
+++ b/common/global/backup.nix
@@ -1,6 +1,6 @@
 { pkgs, ... }: {
- environment.systemPackages = [ pkgs.kopia ];
+ environment.systemPackages = [ pkgs.unstable.kopia ];
 # systemd = {
 # services = {
diff --git a/common/global/kopia-snapshot-backup.sh b/common/global/kopia-snapshot-backup.sh
new file mode 100755
index 0000000..512a06e
--- /dev/null
+++ b/common/global/kopia-snapshot-backup.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -Eeuxo pipefail
+
+target_path="/persist"
+snapshot_path="$target_path/kopia-backup-snapshot"
+
+if [ -e "$snapshot_path" ] && btrfs subvolume delete "$snapshot_path"; then
+ echo "Deleted leftover old snapshot."
+fi
+
+btrfs subvolume snapshot -r "$target_path" "$snapshot_path"
+
+# --no-send-snapshot-path due to https://github.com/kopia/kopia/issues/4402
+kopia snapshot create --no-send-snapshot-report --override-source "$target_path" "$@" -- "$snapshot_path"
+
+btrfs subvolume delete "$snapshot_path"
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index f7b3c11..b4ec1db 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
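Review bot: A failed `kopia snapshot create` in common/global/kopia-snapshot-backup.sh leaves the read-only snapshot at `$snapshot_path` in place, because `set -e` ends the script before the final `btrfs subvolume delete` runs. Registering the cleanup right after the snapshot is taken, `trap 'btrfs subvolume delete "$snapshot_path"' EXIT`, and dropping the last line would cover both the success and the failure path. The script also runs under `#!/bin/sh` while `set -Eeuxo pipefail` uses `-E`, which is a bash option, so it only works where `/bin/sh` is bash; `#!/usr/bin/env bash` states that dependency. Since `-x` traces the expanded `"$@"` to stderr, anything sensitive passed as an argument would end up in the job log, and the comment names `--no-send-snapshot-path` where the command uses `--no-send-snapshot-report`.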
@@ -1,4 +1,6 @@ ppetru-password: ENC[AES256_GCM,data:ykxGdbwTLNGKGy7PI/6uLyeWzEyfTo6R7d56m8Lb7kyY6rF0ovDzMGv71ruBA3CwznIp5EaCopvKVXf35xIEyptpQJie++ireQ==,iv:ArWScjeDHp/4DurW+id6PLUiwnMVVwk7iD5S9Bzc8lc=,tag:uErsF74I5D1M86Yl78Gqlw==,type:str] +kopia-c1: ENC[AES256_GCM,data:blR7sTzegbjIN+3WDn8ob9CVrm0=,iv:mkmKuE+1f1mAyxO9day7RLG/aCUWAwNQs5PoDVXlpzg=,tag:Y5UH0w39UQeEg1V51KJj5A==,type:str] +kopia-zippy: ENC[AES256_GCM,data:UZmeMpQteqX4N6Q0Fto901vQTPQ=,iv:AvZjhd4+RthDLfSQjvmq4KlwKwI0UEKsDWwo6YwXRRc=,tag:ctkBJVdpPLRHOv3np/5/qg==,type:str] sops: kms: [] gcp_kms: [] @@ -68,8 +70,8 @@ sops: UHZwRmc2NjNDUlJCdWN1V1dhS1RkelEKF1KiZLQvruEAfjwbW8lIyzvcCqeAMReI svl1uSaSaxPtCbnc9RA2nfo0vvCoz0a02dhr7CAy3syfQPLLZqRAIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-19T14:26:29Z" - mac: ENC[AES256_GCM,data:/IULS161NWmomr4jkVV2zgPJddcxIazq5AsuY9uNwfIlUDrKBiyhDcFPaQD2Ivih1v//ScphzhmaedMZbIhu88YEiMGSUXHjYtbXU8/Dxs9IvmJIq+e9ao7wgqtB/bc1G2z4aGNKifSwmVm0AClI1xK11e2ik6A9uFwMuYF2i4Y=,iv:MxaXnhyJfXg8qBs1LKl+Qe+oBhlpjaWtWL3JDDcM2ZY=,tag:/4NSLC4ksLNw6HHimS7AHQ==,type:str] + lastmodified: "2025-03-10T18:23:09Z" + mac: ENC[AES256_GCM,data:aI7MI72Iza1fOA69FolDo1eLYB1xw0e7O2EisWi3KJCIyJs8HgcGszwovxAPK2gz6YC2pqu1bvEEw2CcJoaL7zFD+Lkbdw7OpG9gC6+lcDy2CVPoPBbjfG7vUge3qaIw9s9J9hNQm/L7QcpQAu+IksEsHq28tb3pxFr7UX9G9nA=,iv:sz0eVmjG7V0L/85C1wU6dbsCs9fAivbUS6nHmbjyp6M=,tag:KxB2O/2dEysqDUVPp7o8ow==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.4 diff --git a/stateful-commands.txt b/stateful-commands.txt index 94e7375..5c5bcda 100644 --- a/stateful-commands.txt +++ b/stateful-commands.txt 
@@ -27,3 +27,12 @@ replacing failed / reinstalled gluster volume (c1 in this case). all commands on
 * gluster peer detach c1
 * gluster peer probe 192.168.1.71 (not c1 because switching to IPs to avoid DNS/tailscale issues)
 * gluster volume add-brick compute replica 3 192.168.1.71:/persist/glusterfs/compute/brick1
+
+kopia repository server setup (on a non-NixOS host at the time):
+ * kopia repository create filesystem --path /backup/persist
+ * kopia repository connect filesystem --path=/backup/persist
+ * kopia server user add root@zippy
+ then, add the password to secrets.yaml
+ * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key --tls-generate-cert (first time)
+ * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key (subsequent)
+[TLS is mandatory for this]