rclone: Add systemd service for transparent backup

This commit adds a new systemd service, `rclone-sync@.service`, templated against the absolute path of a directory to keep in sync with a (presumably) remote store. Support for Backblaze B2 endpoints has been set up by default, but the specific remote type can be configured via the `RCLONE_REMOTE_TYPE` host variable. In addition, a default-passthrough remote that encrypts data against a static password and salt has been defined under the `crypt` name, and can also be used as the `RCLONE_DEST` of choice.
2022-02-06 20:22:31 +00:00 · 2022-02-06 20:22:31 +00:00 · 9dad5ad2c4
parent c65689d325
commit 9dad5ad2c4
8 changed files with 52 additions and 0 deletions
--- a/host/lhr01srv/lhr01srv.env.gpg
+++ b/host/lhr01srv/lhr01srv.env.gpg
--- a/host/virtual/spec.bu
+++ b/host/virtual/spec.bu
@ -21,6 +21,7 @@ ignition:
      - local: service/navidrome/spec.ign
      - local: service/writefreely/spec.ign
      - local: service/coturn/spec.ign
+      - local: service/rclone/spec.ign

 passwd:
  users:
--- a/host/virtual/virtual.env
+++ b/host/virtual/virtual.env
@ -46,5 +46,11 @@ RSPAMD_CONTROLLER_PASSWORD=password
 RSS2EMAIL_FROM=noreply@localhost
 RSS2EMAIL_TO=root@localhost

+# Configuration for Rclone.
+RCLONE_DEST=crypt:
+RCLONE_CRYPT_REMOTE=/data/rclone
+RCLONE_CRYPT_PASSWORD=3NYQAySloaAVy4CxtVkAset0mz9KDlhT
+RCLONE_CRYPT_SALT=jqsQXp_MPwBPIzw69TkmSp7ScuA
+
 # Configuration for WriteFreely.
 WRITEFREELY_SITE_HOST=https://writefreely.localhost
--- a/service/rclone/Containerfile
+++ b/service/rclone/Containerfile
@ -0,0 +1 @@
+FROM docker.io/rclone/rclone:1.57
--- a/service/rclone/rclone.env.template
+++ b/service/rclone/rclone.env.template
@ -0,0 +1,18 @@
+# Common configuration.
+RCLONE_DEST=${RCLONE_DEST}
+RCLONE_LOG_LEVEL=INFO
+
+# Configuration for default encrypted remote. This should be configured to wrap the default
+# unencrypted remote. Password and salt values must be processed via `rclone obscure` before setting.
+RCLONE_CONFIG_CRYPT_TYPE=crypt
+RCLONE_CONFIG_CRYPT_REMOTE=${RCLONE_CRYPT_REMOTE}
+RCLONE_CONFIG_CRYPT_PASSWORD=${RCLONE_CRYPT_PASSWORD}
+RCLONE_CONFIG_CRYPT_PASSWORD2=${RCLONE_CRYPT_SALT}
+
+# Configuration for default unencrypted remote.
+RCLONE_CONFIG_REMOTE_TYPE=${RCLONE_REMOTE_TYPE}
+
+# Configuration for B2-type remotes.
+RCLONE_B2_ACCOUNT=${RCLONE_B2_ACCOUNT}
+RCLONE_B2_KEY=${RCLONE_B2_KEY}
+RCLONE_B2_HARD_DELETE=false
--- a/service/rclone/spec.bu
+++ b/service/rclone/spec.bu
@ -0,0 +1,8 @@
+variant: fcos
+version: 1.3.0
+storage:
+  trees:
+    - path: /etc/coreos-home-server/rclone
+      local: service/rclone/
+    - path: /etc/systemd/system
+      local: service/rclone/systemd/
--- a/service/rclone/systemd/container-volume-backup@.service.d/rclone-after.conf
+++ b/service/rclone/systemd/container-volume-backup@.service.d/rclone-after.conf
@ -0,0 +1,3 @@
+[Unit]
+Wants=rclone-sync@var-lib-backups-coreos\x2dhome\x2dserver-%i.service
+After=rclone-sync@var-lib-backups-coreos\x2dhome\x2dserver-%i.service
--- a/service/rclone/systemd/rclone-sync@.service
+++ b/service/rclone/systemd/rclone-sync@.service
@ -0,0 +1,15 @@
+[Unit]
+Description=Rclone Sync for /%I
+Wants=container-build@rclone.service
+After=container-build@rclone.service
+ConditionDirectoryNotEmpty=/%I
+
+[Service]
+Type=oneshot
+SyslogIdentifier=%N
+EnvironmentFile=%E/coreos-home-server/rclone/rclone.env
+ExecStart=/bin/podman run --rm --env-file %E/coreos-home-server/rclone/rclone.env \
+                          --volume /%I:/data:z localhost/rclone:latest sync /data ${RCLONE_DEST}
+
+[Install]
+WantedBy=multi-user.target