From 3baa511fce2e5731b97cf27a18b18bd2c1af18bc Mon Sep 17 00:00:00 2001
From: Quentin Dufour
Date: Thu, 27 Jan 2022 16:32:57 +0100
Subject: [PATCH] Plume backup + WIP consul
---
 app/backup/deploy/backup-daily.hcl | 159 +++++++++++++++---
 app/backup/deploy/backup-matrix.hcl | 62 -------
 .../email/dovecot/backup_aws_access_key_id | 0
 .../dovecot/backup_aws_secret_access_key | 0
 .../email/dovecot/backup_restic_password | 0
 .../email/dovecot/backup_restic_repository | 0
 app/plume/secrets/plume/aws_access_key_id | 1 -
 app/plume/secrets/plume/aws_endpoint | 1 -
 app/plume/secrets/plume/aws_secret_access_key | 1 -
 .../secrets/plume/backup_aws_access_key_id | 1 +
 .../plume/backup_aws_secret_access_key | 1 +
 .../secrets/plume/backup_restic_password | 1 +
 .../secrets/plume/backup_restic_repository | 1 +
 op_guide/backup_minio/README.md | 56 ++++--
 14 files changed, 187 insertions(+), 97 deletions(-)
 delete mode 100644 app/backup/deploy/backup-matrix.hcl
 rename app/{backup => email}/secrets/email/dovecot/backup_aws_access_key_id (100%)
 rename app/{backup => email}/secrets/email/dovecot/backup_aws_secret_access_key (100%)
 rename app/{backup => email}/secrets/email/dovecot/backup_restic_password (100%)
 rename app/{backup => email}/secrets/email/dovecot/backup_restic_repository (100%)
 delete mode 100644 app/plume/secrets/plume/aws_access_key_id
 delete mode 100644 app/plume/secrets/plume/aws_endpoint
 delete mode 100644 app/plume/secrets/plume/aws_secret_access_key
 create mode 100644 app/plume/secrets/plume/backup_aws_access_key_id
 create mode 100644 app/plume/secrets/plume/backup_aws_secret_access_key
 create mode 100644 app/plume/secrets/plume/backup_restic_password
 create mode 100644 app/plume/secrets/plume/backup_restic_repository
diff --git a/app/backup/deploy/backup-daily.hcl b/app/backup/deploy/backup-daily.hcl
index a1c2f89..ef9b219 100644
--- a/app/backup/deploy/backup-daily.hcl
+++ b/app/backup/deploy/backup-daily.hcl
@@ -1,52 +1,167 @@ job "backup_daily" { datacenters = ["dc1"] type = "batch" + + priority = "60" + periodic { cron = "@daily" // Do not allow overlapping runs. prohibit_overlap = true } - task "backup-dovecot" { + group "backup-dovecot" { constraint { attribute = "${attr.unique.hostname}" operator = "=" value = "digitale" } - driver = "docker" + task "main" { + driver = "docker" - config { - image = "restic/restic:0.12.1" - entrypoint = [ "/bin/sh", "-c" ] - args = [ "restic backup /mail && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y ; restic prune --max-unused 50% --max-repack-size 2G ; restic check" ] - volumes = [ - "/mnt/ssd/mail:/mail" - ] - } + config { + image = "restic/restic:0.12.1" + entrypoint = [ "/bin/sh", "-c" ] + args = [ "restic backup /mail && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y ; restic prune --max-unused 50% --max-repack-size 2G ; restic check" ] + volumes = [ + "/mnt/ssd/mail:/mail" + ] + } - - template { - data = < $NOMAD_ALLOC_DIR/consul.json" ] + } + + resources { + cpu = 200 + memory = 200 + } + + restart { + attempts = 2 + interval = "30m" + delay = "15s" + mode = "fail" + } } - restart { - attempts = 2 - interval = "30m" - delay = "15s" - mode = "fail" + task "upload-kv-store" { + driver = "docker" + + config { + image = "restic/restic:0.12.1" + entrypoint = [ "/bin/sh", "-c" ] + args = [ "restic backup $NOMAD_ALLOC_DIR && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y ; restic prune --max-unused 50% --max-repack-size 2G ; restic check" ] + } + + + template { + data = < /dev/stdout </secrets/`: +```bash +echo "USER Backup AWS access key ID" > backup_aws_access_key_id +echo "USER Backup AWS secret access key" > backup_aws_secret_access_key +echo "USER Restic repository, eg. 
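Review bot: The new `upload-kv-store` task runs `restic backup $NOMAD_ALLOC_DIR`, but nothing visible orders it after the task that writes `> $NOMAD_ALLOC_DIR/consul.json`; Nomad starts a group's tasks concurrently unless the export task carries `lifecycle { hook = "prestart" sidecar = false }`, so the snapshot can be taken while the export is empty or half-written (the export task's header and both `template` bodies are not legible in this copy of the hunk, so this may already be handled there). In the same `args`, the `;` separators let `restic prune` and `restic check` run after a failed `restic backup`, and the task exit status becomes that of `restic check`, so a failed snapshot is never surfaced to the `mode = "fail"` restart policy or to whoever watches the job; chaining with `&&` in both the `/mail` and `$NOMAD_ALLOC_DIR` command strings makes the failure visible. The dovecot mount `"/mnt/ssd/mail:/mail"` grants the backup container write access to the mail store although restic only reads it; `"/mnt/ssd/mail:/mail:ro"` is sufficient. `priority = "60"` is quoted where Nomad documents an integer attribute; `priority = 60` is the conventional form, even if the parser coerces the string.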
s3:https://s3.garage.tld" > backup_restic_repository
+echo "USER Restic password to encrypt backups" > backup_restic_password
+```
+
+Then run secretmgr:
+
+```bash
+# Spawning a nix shell is an easy way to get all the dependencies you need
+nix-shell
+
+# Check that secretmgr works for you
+python3 secretmgr.py check
+
+# Now interactively feed the secrets
+python3 secretmgr.py gen
+```
---