feat: backup

Author: theorderingmachine

cloud/backup.tf

@@ -2,6 +2,7 @@ module "backup" {
   for_each = {
     git       = "tom.git"
     minecraft = "tom.25565"
+    openclaw  = "tom.openclaw"
   }
 
   source = "./modules/backup"
@@ -32,3 +33,15 @@ output "backup_minecraft_secret_access_key" {
   value     = module.backup["minecraft"].secret_access_key
   sensitive = true
 }
+
+# https://opentofu.org/docs/language/values/outputs/
+output "backup_openclaw_access_key_id" {
+  value     = module.backup["openclaw"].access_key_id
+  sensitive = true
+}
+
+# https://opentofu.org/docs/language/values/outputs/
+output "backup_openclaw_secret_access_key" {
+  value     = module.backup["openclaw"].secret_access_key
+  sensitive = true
+}

machines/tom/configuration.nix

@@ -227,6 +227,12 @@
         group = "minecraft";
         sopsFile = ./services/restic/vault.minecraft.env;
       };
+      "aws/iam/openclaw" = {
+        format = "dotenv";
+        owner = "openclaw";
+        group = "openclaw";
+        sopsFile = ./services/restic/vault.openclaw.env;
+      };
       "github/oauth" = {
         owner = config.users.users.default.name;
         group = "wheel";
@@ -305,6 +311,10 @@
         owner = "minecraft";
         group = "minecraft";
       };
+      "restic/openclaw" = {
+        owner = "openclaw";
+        group = "openclaw";
+      };
       "slack/snaek" = {
         format = "dotenv";
         owner = "snaek";

machines/tom/secrets/vault.yaml

@@ -24,6 +24,7 @@ github:
 restic:
     git: ENC[AES256_GCM,data:HiSNgy2BByydX5OpVCno0jIE2tt+XsOc/SqXvmpf2th1OAFauvF+FOrGywM=,iv:DgBnpVXapP39J4eRzy4/DRWHfOc0dk51pMi32XWHlrQ=,tag:7T2kqGV/l6mKRNna7S9bJQ==,type:str]
     minecraft: ENC[AES256_GCM,data:tk4jvTaCTGDK1RGa/uW6RWyjtUKl,iv:EJLhXDhGBnnWmDaKuhDPl4/daoVnnAN8v0mIalS1ODw=,tag:saefTwBI1pDIZEZ10t/ePw==,type:str]
+    openclaw: ENC[AES256_GCM,data:u1XfiniFMqWS+x7xh8/NbPKjWLk1MbOZIHv3BtftL3zcwV0eezfbraLOBl8=,iv:xJfIl1T6L+xmVLF5cEYq2e58DMLUQGd9OoCFwpffbIo=,tag:Emx/SllzPoes7WQpNE6Vug==,type:str]
 tailscale:
     auth: ENC[AES256_GCM,data:6LWj2Cx8DLXpxPH0MnttV0exwkQe7bsxB84aKMGUupws0GAsL0YMFC/yF4ffz5u9109mcMsMY3HatzLpuw4=,iv:hFW8p2fZbprUS1TIl5VR8nwfwey7zwkKN9YPKADzw1s=,tag:DweIRvZNHOUXdoKJr1CDtg==,type:str]
 tom:
@@ -55,7 +56,7 @@ sops:
             ZkxZVFpHMXpPaUhTTFRQZExXZXlrckkKgF4x8xxm1WeRHWmMItTkWUelYnHd0d0v
             rXpwaQ/l79BzAsGy3YmENr/w0/pOTYXTNXSR1dam46qnJuFflqxhhg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-03-07T21:27:42Z"
-    mac: ENC[AES256_GCM,data:ZANJKMW8EuRdi3dywpodG4i/9b66w/iYMjcF0kzLcB5Qvk3669zrlH3G55WaeUTJjd7MA7l5CB4aM8jH5KvIpYA5W7wDApAE3DC8HTXVXPWZdrr1ldZXVzg08lYnucIWXzfJLiQ2qmX7oo0uzP2UTZ6H60Nj5WUkEmNqDfxywo0=,iv:uiF9sjwpatspbhC7tMD3mB3wM+ElbqPtD06V09uhAgc=,tag:s7L8sKAVIK1JZMkFx5+5VA==,type:str]
+    lastmodified: "2026-04-06T01:13:42Z"
+    mac: ENC[AES256_GCM,data:ydWWt/2RdvgYY76euU18JO1rgdnl3BO5NVBFHvcEz3lJYbLewi4ztG8Yor5IEFX3l/GpUkOugsfeacFO7afoJGm1S4P3Z6Qbb+WTr7zZKxCbuEKhrNCuumSQy+VwK0HHY6+pSw5JEG8bfvS1zw22S3jieUn9K2jQAgdC+J5LxwE=,iv:p+nbK7xRE4SsV5QPeZmtz4kUOXjNw2s/r95a9L9joMA=,tag:ImSAUH31OdavSnbbL4ihOQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.12.1
+    version: 3.12.2

machines/tom/services/restic/default.nix

@@ -42,5 +42,25 @@
         Persistent = true;
       };
     };
+    openclaw = {
+      initialize = true;
+      user = "openclaw";
+      environmentFile = "/run/secrets/aws/iam/openclaw";
+      passwordFile = "/run/secrets/restic/openclaw";
+      repository = "s3:s3.us-east-1.amazonaws.com/tom.openclaw";
+      paths = [
+        "/var/lib/openclaw"
+      ];
+      pruneOpts = [
+        "--keep-daily 5"
+        "--keep-weekly 6"
+        "--keep-monthly 12"
+        "--keep-yearly 60"
+      ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+    };
   };
 }

machines/tom/services/restic/vault.openclaw.env

@@ -0,0 +1,8 @@
+AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:I2BZZad6XA8bykwxyM9yRkRY0Qs=,iv:KqDHlW/6RCFrvB6SqLvoJ4oEjTskvKmkZwAgbBHvddY=,tag:UwlcreLfyGttotNal0aDUQ==,type:str]
+AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:rmWvrotMPHmtbtxccsIGTNy1ZXzM8qMaC1W8Yr1rHjtJWLcUBcIY4w==,iv:yq3RmdClHDSTTrkRHuk3tju0OINsoQEcLGPYiBUCvoE=,tag:C7tXZC6Ti06VzlUQhDFoqA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2VGVVNyTkladTNHc2ox\nc1ZsU3NLSzc2Rkt0dGt4T0pJQ3BmUFhqUmw4ClMwa3Y5OGxGUWw5ckFrakY1Q2Fi\naUVjZ2Jmdm1XeXJYZTNTcEE3WmcxaHcKLS0tIDZFNUg3SGxENStBVk1RdVJFZWtr\nY25CS1pNUG5tNEU0S2JlKzhSS25BVk0KNchaSe7PfTcwt3D6EjKDauN+u60YIK9O\nmWPWATZLYI8f9mk9yDSLUlL00qdT84elz8qdAF8oFTMT3jY+E4vSqw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1dujf55uzev2nnpq6c2drn0e8pmpxay22qqfsavwaxqakwn9se5hsputgx4
+sops_lastmodified=2026-04-06T01:06:32Z
+sops_mac=ENC[AES256_GCM,data:+5BrGqcXNi/iOSU8d3T59sACwss1KBNZtp5u8XjuKjJCLcUtNaIAHjg2bXCaKmHrTE6qqkgi1sXLnr2on+fbj9G9ZNedOfAQlDfJOuaqwkvmtMe6K2bT6YP/9upvJKor1dt/GtS9YV2sQmYKSGNB8dyMuoPjwrscn+PykpE1P7I=,iv:D5ah3mIkOB7Us0s9EwY+ndcQe4/ygn9rNtWncZYLOco=,tag:8qBzCt0AoUIA9lgBIN1Gog==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.12.2