authorQuentin Dufour <quentin@deuxfleurs.fr>2022-05-10 15:58:09 +0200
committerQuentin Dufour <quentin@deuxfleurs.fr>2022-05-10 15:58:09 +0200
commit52f14f9da2236caf999094d666f3fdb9211bdff0 (patch)
tree018455c2150e2b1bbb3709dd2a8b7be23364457a
parent8cd2f72926293a8bca1b42fe7bccb2b9e61740d1 (diff)
downloadnixcfg-52f14f9da2236caf999094d666f3fdb9211bdff0.tar.gz
nixcfg-52f14f9da2236caf999094d666f3fdb9211bdff0.zip
Backup Cryptpad
-rw-r--r--app/cryptpad/deploy/backup.hcl57
-rw-r--r--app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id1
-rw-r--r--app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key1
-rw-r--r--app/cryptpad/secrets/cryptpad_backup/backup_restic_password1
-rw-r--r--app/cryptpad/secrets/cryptpad_backup/backup_restic_repository1
-rw-r--r--app/shell.nix15
6 files changed, 76 insertions, 0 deletions
diff --git a/app/cryptpad/deploy/backup.hcl b/app/cryptpad/deploy/backup.hcl
new file mode 100644
index 0000000..99dee2f
--- /dev/null
+++ b/app/cryptpad/deploy/backup.hcl
@@ -0,0 +1,57 @@
+job "cryptpad_backup" {
+ datacenters = ["neptune"]
+ type = "batch"
+
+ priority = "60"
+
+ periodic {
+ cron = "@daily"
+ // Do not allow overlapping runs.
+ prohibit_overlap = true
+ }
+
+ group "backup-cryptpad" {
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "courgette"
+ }
+
+ task "main" {
+ driver = "docker"
+
+ config {
+ image = "restic/restic:0.12.1"
+ entrypoint = [ "/bin/sh", "-c" ]
+ args = [ "restic backup /cryptpad && restic forget --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
+ volumes = [
+ "/mnt/storage/cryptpad:/cryptpad"
+ ]
+ }
+
+ template {
+ data = <<EOH
+AWS_ACCESS_KEY_ID={{ key "secrets/cryptpad_backup/backup_aws_access_key_id" }}
+AWS_SECRET_ACCESS_KEY={{ key "secrets/cryptpad_backup/backup_aws_secret_access_key" }}
+RESTIC_REPOSITORY={{ key "secrets/cryptpad_backup/backup_restic_repository" }}
+RESTIC_PASSWORD={{ key "secrets/cryptpad_backup/backup_restic_password" }}
+EOH
+
+ destination = "secrets/env_vars"
+ env = true
+ }
+
+ resources {
+ cpu = 500
+ memory = 200
+ }
+
+ restart {
+ attempts = 2
+ interval = "30m"
+ delay = "15s"
+ mode = "fail"
+ }
+ }
+ }
+}
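Review bot: The bind mount in `volumes` gives the backup container write access to the live CryptPad data, although `restic backup /cryptpad` only needs to read it. Mounting it read-only, `"/mnt/storage/cryptpad:/cryptpad:ro"`, keeps a bug or a tampered image from altering the data the job is meant to protect. The image is also referenced by a mutable tag while the `template` block hands this container the S3 keys and the repository password, so pinning by digest (`image = "restic/restic:0.12.1@sha256:<digest-placeholder>"`) would be worth adding. Because the same credentials run `forget` and `prune`, anything that obtains this task's environment can remove snapshots as well as write them. If the storage backend allows it, a separate key for pruning or bucket-side retention would limit that.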
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id b/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id
new file mode 100644
index 0000000..9235e53
--- /dev/null
+++ b/app/cryptpad/secrets/cryptpad_backup/backup_aws_access_key_id
@@ -0,0 +1 @@
+USER Backup AWS access key ID
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key b/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key
new file mode 100644
index 0000000..f34677e
--- /dev/null
+++ b/app/cryptpad/secrets/cryptpad_backup/backup_aws_secret_access_key
@@ -0,0 +1 @@
+USER Backup AWS secret access key
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_restic_password b/app/cryptpad/secrets/cryptpad_backup/backup_restic_password
new file mode 100644
index 0000000..fbaa5fa
--- /dev/null
+++ b/app/cryptpad/secrets/cryptpad_backup/backup_restic_password
@@ -0,0 +1 @@
+USER Restic password to encrypt backups
diff --git a/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository b/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository
new file mode 100644
index 0000000..3f6cb93
--- /dev/null
+++ b/app/cryptpad/secrets/cryptpad_backup/backup_restic_repository
@@ -0,0 +1 @@
+USER Restic repository, eg. s3:https://s3.garage.tld
diff --git a/app/shell.nix b/app/shell.nix
new file mode 100644
index 0000000..c9b8053
--- /dev/null
+++ b/app/shell.nix
@@ -0,0 +1,15 @@
+{
+ pkgs ? import <nixpkgs> {}
+}:
+
+with pkgs; mkShell {
+ nativeBuildInputs = [
+ nomad
+ docker-compose
+ python39Packages.pip
+ python39Packages.ldap
+ python39Packages.consul
+ python39Packages.passlib
+ ];
+}
+
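Review bot: `pkgs ? import <nixpkgs> {}` resolves nixpkgs from whatever channel or `NIX_PATH` each operator's machine has, so the `nomad` binary and the Python libraries in this shell can differ between machines and over time. If the repository does not pin nixpkgs elsewhere (not visible in this hunk), default to a fixed revision instead, e.g. `pkgs ? import (fetchTarball { url = "https://github.com/NixOS/nixpkgs/archive/<rev-placeholder>.tar.gz"; sha256 = "<sha256-placeholder>"; }) {}`. A short header comment saying what the shell is for (presumably the deploy and secrets tooling, judging by the package list) would also help the next reader.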