From 8b4d93de73e6663c59b075cea6d3fdfee26b2c1f Mon Sep 17 00:00:00 2001
From: nathan mccarty
Date: Sat, 2 Jul 2022 14:33:15 -0400
Subject: [PATCH] Add borg backup module
---
 flake.nix | 35 +++++++++++++++++------------
 modules/default.nix | 31 ++++++++++++++++++++++++++
 modules/services/borg.nix | 43 ++++++++++++++++++++++++++++++++++++
 secrets/levitation/borg.yaml | 31 ++++++++++++++++++++++++++
 4 files changed, 126 insertions(+), 14 deletions(-)
 create mode 100644 modules/services/borg.nix
 create mode 100644 secrets/levitation/borg.yaml
diff --git a/flake.nix b/flake.nix
index fb4c689..9c8e47f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -107,28 +107,35 @@
 extraModules = [
 ./hardware/levitation.nix
 ({ pkgs, config, lib, ... }: {
- boot.loader = {
- grub = {
- enable = true;
- version = 2;
- efiSupport = true;
- # Go efi only
- devices = [ "nodev" ];
- # Use os-prober
- useOSProber = true;
- };
- efi = {
- efiSysMountPoint = "/boot/";
- canTouchEfiVariables = false;
+ # sops for borg
+ sops.secrets."borg-ssh-key" = {
+ sopsFile = ./secrets/levitation/borg.yaml;
+ format = "yaml";
+ };
+ sops.secrets."borg-password" = {
+ sopsFile = ./secrets/levitation/borg.yaml;
+ format = "yaml";
 };
 # Setup system configuration
 nathan = {
 programs = {
 games = true;
 };
+ services = {
+ borg = {
+ enable = true;
+ extraExcludes = [
+ "/home/${config.nathan.config.user}/Music"
+ "/var/lib/docker"
+ "/var/log"
+ ];
+ passwordFile = config.sops.secrets."borg-password".path;
+ sshKey = config.sops.secrets."borg-ssh-key".path;
+ };
+ };
 config = {
 isDesktop = true;
+ setupGrub = true;
 nix.autoUpdate = false;
 harden = false;
 };
diff --git a/modules/default.nix b/modules/default.nix
index fc01c2a..619eae7 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -15,6 +15,7 @@ in
 ./programs/utils.nix
 ./services/ssh.nix
 ./services/tailscale.nix
+ ./services/borg.nix
 ./linux/base.nix
 ];
@@ -31,6 +32,36 @@ in
 tailscale = {
 enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
 };
+ # Borg backup
+ # Disabled by default as it requires configuration, but a really good idea to turn on
+ borg = {
+ enable = mkEnableOption "borg";
+ extraExcludes = mkOption {
+ default = [ ];
+ description = "List of extra paths to exclude";
+ };
+ extraIncludes = mkOption {
+ default = [ ];
+ description = "List of extra paths to include";
+ };
+ location = mkOption {
+ default = "de1955@de1955.rsync.net:computers";
+ description = "Location to backup to";
+ type = lib.types.str;
+ };
+ passwordFile = mkOption {
+ description = "Path to the password file";
+ type = lib.types.str;
+ };
+ sshKey = mkOption {
+ description = "Path to the ssh key";
+ type = lib.types.str;
+ };
+ startAt = mkOption {
+ description = "How often to run backups";
+ default = "hourly";
+ };
+ };
 };
 # Control enabling/configuratin of services
 programs = {
diff --git a/modules/services/borg.nix b/modules/services/borg.nix
new file mode 100644
index 0000000..34df290
--- /dev/null
+++ b/modules/services/borg.nix
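Review bot: The `extraExcludes`, `extraIncludes` and `startAt` options are declared without a `type`, so a wrongly shaped value (a single string where a list is expected, for instance) is not rejected at evaluation time and the generated option documentation shows no type, whereas the sibling `location`, `passwordFile` and `sshKey` options in the same hunk do declare `lib.types.str`. Add `type = lib.types.listOf lib.types.str;` to the two list options and `type = lib.types.str;` to `startAt` so the option set is consistent with itself. The `location` default hard-codes one specific rsync.net account into a module that every host imports; leaving it without a default would make a host that enables borg without setting it fail at evaluation rather than at its first SSH connection. The enclosing `services = { ... }` attribute set starts before this hunk.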
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib; {
+ config = mkIf config.nathan.services.borg.enable {
+ # Add borg to the system packages
+ environment.systemPackages = with pkgs; [
+ borgbackup
+ ];
+ services.borgbackup.jobs = {
+ rsyncnet = {
+ paths = [
+ "/home"
+ "/var"
+ "/etc"
+ "/root"
+ ] ++ config.nathan.services.borg.extraIncludes;
+ exclude = [
+ "*/.cache"
+ "*/.tmp"
+ "/home/${config.nathan.config.user}/Projects/*/target"
+ "/home/${config.nathan.config.user}/Work/*/target"
+ "/home/${config.nathan.config.user}/.local/share/Steam"
+ "/home/${config.nathan.config.user}/*/Cache"
+ "/home/*/Downloads"
+ ];
+ repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.nathan.services.borg.passwordFile}";
+ };
+ environment.BORG_RSH = "ssh -i ${config.nathan.services.borg.sshKey}";
+ compression = "auto,zstd";
+ startAt = config.nathan.services.borg.startAt;
+ prune.keep = {
+ within = "7d"; # Keep all archives for the past week
+ daily = 1; # Keep 1 snapshot a day for 2 weeks
+ weekly = 4; # Keep 1 snapshot a week for 4 weeks
+ monthly = -1; # Keep unlimited monthly backups
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/levitation/borg.yaml b/secrets/levitation/borg.yaml
new file mode 100644
index 0000000..0d40b9d
--- /dev/null
+++ b/modules/services/borg.nix
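Review bot: `config.nathan.services.borg.extraExcludes` is never read in this file: `exclude` is the fixed list closed by `];`, and only `paths` appends `extraIncludes`, so the excludes set in the flake.nix hunk (`/var/lib/docker`, `/var/log`, the user's Music directory) are silently backed up together with everything else under `/var`. Change the close of the exclude list to `] ++ config.nathan.services.borg.extraExcludes;` so it mirrors the `paths` line. The comment on `daily = 1;` says "for 2 weeks", but borg's keep-daily value is a count of daily archives, so this line keeps exactly one; either `daily = 14;` or a corrected comment is needed. `BORG_RSH` passes only `-i`, so unless the remote's host key is already present in root's `known_hosts` the non-interactive job will fail host-key verification on its first run; `programs.ssh.knownHosts` can pin the key declaratively instead of relying on a manual first connection.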
@@ -0,0 +1,31 @@ +borg-ssh-key: ENC[AES256_GCM,data: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,iv:UGiwqGadbm3P5RBI/R32zlIOmVjRiEaEwAuGTAqhnks=,tag:WS0ksDUEoGJLl1L2jNb2Zg==,type:str] +borg-password: ENC[AES256_GCM,data:W0MEp075S/1fAzLl3UxQ/8W/Cx+Z0pBU/qYMEbL+rmvCnhLRpbM/iy48RAz0xFZ4txUIDHkNllaA,iv:7wlt8FjA8k5iol4lgW8upuRQJTeu2ToyI6LsTmPCk/4=,tag:jrG00Q5bkDONDhfYMlKtfA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ak5NVEJ4U0s0ajB2SnhC + Ym45TlZjdWM0VnhYK08yMWduWUg5SDI3bFJrCkt1SGlpUkx2cnFMbDdLTWdUM3Za + eElFbjJDVXlRUDQrek5XalpUMEZydVUKLS0tIHpLU21ZY29ydU1ENmVWWXdTK0RF + VFFmQld5UzVUZUtDQmRRVnNacm1uUkEKuodQeOPsTw7i3dTWqb4XQ4v/Jtf9X9ah + NVhYD79ZltK2k5Epa95oH46Djwz1RjPad0WVgLDPlPYdto2Kd5Y26A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVMRzY1Zkoyb1JVYTd0 + NEQ0bStuNWVpRTZJRGx6NVpUejIxMzhKT1NjCnJyK1pONmljYTVLajF3VGpiRllG + MEcxR1ptbWs0Q1U5Zi85U3hZOFJxUGMKLS0tIDZYT0dZYkJoU0lTMHBRS0NqVHdq + SHRtU2NNeHdJTVdvNFhDU1dXbHZVSTgKAan3xhZNtYVRgrx0oCgz5bA2x2gS9+mj + DzxQY1NrM4ZEGWQtm7NWyyfuO16OAVsdotiMN8mbSlyh9uB+j4nNig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-02T18:30:32Z" + mac: ENC[AES256_GCM,data:cX7URw9zZN2WIpKe4RKbZi6T/CW6L5nMiINzAoNeO0pdmsQpeCiiNiI3bn4epOf5qWKZDybSbwMdEB9a/uDOAImIKL08rUUJr9JTLICFRMcQgNpczN6XNu5Xpbt8uxksRc/ex2x8a7TbE7gy4xsEE0U9CGG3WWQm2LeUpbz9PGA=,iv:mbY+1H1rsyAL00VmNTjzmGITywRc5uFEd+HAfQQNtY4=,tag:JNcoz8XLPCpQ61CV2Dxfuw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3