From c4fe904896b68c50d4cccd9c6956d0de13e18748 Mon Sep 17 00:00:00 2001 From: Christine Elisabeth Koppel Date: Sat, 7 Feb 2026 23:50:44 +0100 Subject: [PATCH] Oeh, I am "loving" NixOS right now. --- .../secrets-config/sops-composesongsheet.nix | 2 +- .../modules/secrets-config/sops-database.nix | 2 +- .../modules/system_scripts/backup_mariadb.zsh | 23 ------- .../system_scripts/backup_postgresql.zsh | 24 ------- .../modules/system_scripts/gcloud_backup.nix | 63 ++++++++++++++----- 5 files changed, 51 insertions(+), 63 deletions(-) delete mode 100755 nix-system-configs/modules/system_scripts/backup_mariadb.zsh delete mode 100755 nix-system-configs/modules/system_scripts/backup_postgresql.zsh diff --git a/nix-system-configs/modules/secrets-config/sops-composesongsheet.nix b/nix-system-configs/modules/secrets-config/sops-composesongsheet.nix index 3ef24f1..342ea2c 100644 --- a/nix-system-configs/modules/secrets-config/sops-composesongsheet.nix +++ b/nix-system-configs/modules/secrets-config/sops-composesongsheet.nix @@ -20,7 +20,7 @@ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml; # This will automatically import SSH keys as age keys - sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519.pub"]; + #sops.age.sshKeyPaths = ["/home/songsheetprg/.ssh/id_ed25519"]; # This is using an age key that is expected to already be in the filesystem sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # This will generate a new key if the key specified above does not exist diff --git a/nix-system-configs/modules/secrets-config/sops-database.nix b/nix-system-configs/modules/secrets-config/sops-database.nix index f823287..e243528 100644 --- a/nix-system-configs/modules/secrets-config/sops-database.nix +++ b/nix-system-configs/modules/secrets-config/sops-database.nix 
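Review bot: The commented-out `sops.age.sshKeyPaths` line on the new side now names `/home/songsheetprg/.ssh/id_ed25519` instead of the `.pub` the old line had; sops-nix turns the *private* SSH key into an age identity, so the `.pub` path was presumably why decryption never worked, and this hunk leaves the corrected value as dead config rather than fixing or removing it. If it is ever re-enabled as written, root reads a per-user private key at activation and that user's SSH identity becomes the secret-decryption credential for the whole host; the root-owned host key (`/etc/ssh/ssh_host_ed25519_key`) is the usual choice for a system-level module. Either delete the line or replace it with a one-line note such as `# sshKeyPaths wants the private key, not .pub; decryption now relies solely on sops.age.keyFile` so nobody reads the commented value as active configuration.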
@@ -20,7 +20,7 @@ # sops.defaultSopsFile = "/root/.sops/secrets/example.yaml"; sops.defaultSopsFile = ../../secrets/songsheet/secrets.yaml; # This will automatically import SSH keys as age keys - sops.age.sshKeyPaths = ["/home/nixosdd/.ssh/id_ed25519.pub"]; + #sops.age.sshKeyPaths = ["/home/nixosdd/.ssh/id_ed25519"]; # This is using an age key that is expected to already be in the filesystem sops.age.keyFile = "/var/lib/sops-nix/key.txt"; # This will generate a new key if the key specified above does not exist diff --git a/nix-system-configs/modules/system_scripts/backup_mariadb.zsh b/nix-system-configs/modules/system_scripts/backup_mariadb.zsh deleted file mode 100755 index 1d500f5..0000000 --- a/nix-system-configs/modules/system_scripts/backup_mariadb.zsh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -TIMESTAMP=$(date +%Y%m%d%H%M%S) -BACKUP_DIR=$(mktemp -d) -trap 'rm -rf "$BACKUP_DIR"' EXIT - -gpg --batch --import "${GPG_KEY_FILE}" - -DATABASES=$(mysql -u root -e "SHOW DATABASES;" | grep -Ev "^(Database|information_schema|performance_schema|mysql|sys)$") - -for DB in $DATABASES; do - echo "Backing up MariaDB database: $DB" - - FILENAME="mariadb_${DB}_${TIMESTAMP}.sql.gz.gpg" - if mysqldump -u root "$DB" | gzip | gpg --batch --encrypt --recipient "${GPG_RECIPIENT}" > "$BACKUP_DIR/$FILENAME"; then - gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${GCS_BUCKET}/mariadb/$FILENAME" - echo "Successfully uploaded encrypted $FILENAME" - else - echo "Failed to backup $DB" >&2 - exit 1 - fi -done diff --git a/nix-system-configs/modules/system_scripts/backup_postgresql.zsh b/nix-system-configs/modules/system_scripts/backup_postgresql.zsh deleted file mode 100755 index 53e4e68..0000000 --- a/nix-system-configs/modules/system_scripts/backup_postgresql.zsh +++ /dev/null 
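Review bot: With `sops.age.sshKeyPaths` commented out, `/var/lib/sops-nix/key.txt` is the only identity left for this host, and if the line just after the hunk sets `sops.age.generateKey = true` (the context comment "This will generate a new key" suggests it does) a missing key file silently produces a fresh key whose public half is not a recipient of `secrets.yaml`, so the failure surfaces at activation as a decryption error rather than at evaluation. A comment next to `sops.age.keyFile` would save the next person that debugging round: `# sole host identity; its public key must be added as a recipient in .sops.yaml before deploying`. Separately, this database module's `sops.defaultSopsFile` is `../../secrets/songsheet/secrets.yaml`, the same file the songsheet module uses; if the two hosts are meant to hold different secrets that is likely a copy-paste leftover, and if sharing is deliberate, note that every recipient of one sops file can decrypt all of its entries, so each host can read the other's secrets.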
@@ -1,24 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -TIMESTAMP=$(date +%Y%m%d%H%M%S) -BACKUP_DIR=$(mktemp -d) -trap 'rm -rf "$BACKUP_DIR"' EXIT - -# Import GPG key for encryption -gpg --batch --import "${GPG_KEY_FILE}" - -DATABASES=$(psql -U postgres -t -c "SELECT datname FROM pg_database WHERE datistemplate = false AND datname != 'postgres';" | grep -v '^$') - -for DB in $DATABASES; do - DB=$(echo "$DB" | xargs) - echo "Backing up PostgreSQL database: $DB" - FILENAME="pgsql_${DB}_${TIMESTAMP}.sql.gz.gpg" - if pg_dump -U postgres -d "$DB" | gzip | gpg --batch --encrypt --recipient "${GPG_RECIPIENT}" > "$BACKUP_DIR/$FILENAME"; then - gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${GCS_BUCKET}/postgresql/$FILENAME" - echo "Successfully uploaded encrypted $FILENAME" - else - echo "Failed to backup $DB" >&2 - exit 1 - fi -done diff --git a/nix-system-configs/modules/system_scripts/gcloud_backup.nix b/nix-system-configs/modules/system_scripts/gcloud_backup.nix index 90e6dca..e2cf0e7 100644 --- a/nix-system-configs/modules/system_scripts/gcloud_backup.nix +++ b/nix-system-configs/modules/system_scripts/gcloud_backup.nix 
@@ -64,24 +64,59 @@ -----END PGP PUBLIC KEY BLOCK----- ''; - postgresBackupScript = pkgs.writeShellScript "backup-postgresql-wrapper" '' - export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}" - export GCS_BUCKET="${gcsBucket}" - export GPG_RECIPIENT="${gpgRecipient}" - export GPG_PUBLIC_KEY="${gpgPublicKey}" - export PATH="${lib.makeBinPath [pkgs.postgresql pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg]}:$PATH" + postgresBackupScript = pkgs.writeShellScript "backup-postgresql" '' + set -euo pipefail - exec ${./backup_postgresql.zsh} + export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}" + export PATH="${lib.makeBinPath [pkgs.postgresql pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg pkgs.coreutils pkgs.gnugrep]}:$PATH" + + TIMESTAMP=$(date +%Y%m%d%H%M%S) + BACKUP_DIR=$(mktemp -d) + trap 'rm -rf "$BACKUP_DIR"' EXIT + + gpg --batch --import "${gpgPublicKey}" + + DATABASES=$(psql -U postgres -t -c "SELECT datname FROM pg_database WHERE datistemplate = false AND datname != 'postgres';" | grep -v '^$') + + for DB in $DATABASES; do + DB=$(echo "$DB" | xargs) + echo "Backing up PostgreSQL database: $DB" + FILENAME="pgsql_''${DB}_''${TIMESTAMP}.sql.gz.gpg" + if pg_dump -U postgres -d "$DB" | gzip | gpg --batch --encrypt --recipient "${gpgRecipient}" > "$BACKUP_DIR/$FILENAME"; then + gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${gcsBucket}/postgresql/$FILENAME" + echo "Successfully uploaded encrypted $FILENAME" + else + echo "Failed to backup $DB" >&2 + exit 1 + fi + done ''; - mariadbBackupScript = pkgs.writeShellScript "backup-mariadb-wrapper" '' - export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}" - export GCS_BUCKET="${gcsBucket}" - export GPG_RECIPIENT="${gpgRecipient}" - export GPG_PUBLIC_KEY="${gpgPublicKey}" - export PATH="${lib.makeBinPath [pkgs.mariadb pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg]}:$PATH" + mariadbBackupScript = pkgs.writeShellScript "backup-mariadb" '' + set -euo pipefail 
- exec ${./backup_mariadb.zsh} + export GOOGLE_APPLICATION_CREDENTIALS="${config.sops.secrets.gcloud_bucket.path}" + export PATH="${lib.makeBinPath [pkgs.mariadb pkgs.gzip pkgs.google-cloud-sdk pkgs.gnupg pkgs.coreutils pkgs.gnugrep]}:$PATH" + + TIMESTAMP=$(date +%Y%m%d%H%M%S) + BACKUP_DIR=$(mktemp -d) + trap 'rm -rf "$BACKUP_DIR"' EXIT + + gpg --batch --import "${gpgPublicKey}" + + DATABASES=$(mysql -u root -e "SHOW DATABASES;" | grep -Ev "^(Database|information_schema|performance_schema|mysql|sys)$") + + for DB in $DATABASES; do + echo "Backing up MariaDB database: $DB" + FILENAME="mariadb_''${DB}_''${TIMESTAMP}.sql.gz.gpg" + if mysqldump -u root "$DB" | gzip | gpg --batch --encrypt --recipient "${gpgRecipient}" > "$BACKUP_DIR/$FILENAME"; then + gsutil cp "$BACKUP_DIR/$FILENAME" "gs://${gcsBucket}/mariadb/$FILENAME" + echo "Successfully uploaded encrypted $FILENAME" + else + echo "Failed to backup $DB" >&2 + exit 1 + fi + done ''; in { systemd.services.backup-postgresql = {
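Review bot: `gpg --batch --import "${gpgPublicKey}"` in both new scripts passes the key *contents* as the argument, but `--import` expects a file name; if `gpgPublicKey` is the armored block whose `''` closes at the top of the hunk, gpg cannot open that "file", exits non-zero, and `set -e` aborts each backup before a single dump is taken (the deleted wrappers had the same mismatch, exporting `GPG_PUBLIC_KEY` while the scripts read `GPG_KEY_FILE`). Write the key into the store and import that instead: `gpg --batch --import ${pkgs.writeText "backup-gpg-pubkey.asc" gpgPublicKey}`. A freshly imported key also carries no ownertrust, and `gpg --batch --encrypt` refuses an untrusted recipient with "Unusable public key", so the encrypt step additionally needs `--trust-model always` (acceptable here because the key is pinned in this Nix file rather than fetched at runtime) or an explicit `--trusted-key` for the recipient. The `let` block that defines `gpgPublicKey`, `gpgRecipient` and `gcsBucket` starts above the hunk, and the `systemd.services` attribute set on the last line continues past it.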