Add borg backup module

This commit is contained in:
nathan mccarty 2022-07-02 14:33:15 -04:00
parent d30315a050
commit 8b4d93de73
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
4 changed files with 126 additions and 14 deletions


@ -107,28 +107,35 @@
extraModules = [ extraModules = [
./hardware/levitation.nix ./hardware/levitation.nix
({ pkgs, config, lib, ... }: { ({ pkgs, config, lib, ... }: {
boot.loader = { # sops for borg
grub = { sops.secrets."borg-ssh-key" = {
enable = true; sopsFile = ./secrets/levitation/borg.yaml;
version = 2; format = "yaml";
efiSupport = true;
# Go efi only
devices = [ "nodev" ];
# Use os-prober
useOSProber = true;
};
efi = {
efiSysMountPoint = "/boot/";
canTouchEfiVariables = false;
}; };
sops.secrets."borg-password" = {
sopsFile = ./secrets/levitation/borg.yaml;
format = "yaml";
}; };
# Setup system configuration # Setup system configuration
nathan = { nathan = {
programs = { programs = {
games = true; games = true;
}; };
services = {
borg = {
enable = true;
extraExcludes = [
"/home/${config.nathan.config.user}/Music"
"/var/lib/docker"
"/var/log"
];
passwordFile = config.sops.secrets."borg-password".path;
sshKey = config.sops.secrets."borg-ssh-key".path;
};
};
config = { config = {
isDesktop = true; isDesktop = true;
setupGrub = true;
nix.autoUpdate = false; nix.autoUpdate = false;
harden = false; harden = false;
}; };
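Review bot: Replacing the explicit `boot.loader` block with `setupGrub = true` is unrelated to the borg module this commit adds and is not mentioned in its message; if `setupGrub` does not reproduce the removed settings (`devices = [ "nodev" ]`, `useOSProber = true`, `canTouchEfiVariables = false`), this host's boot configuration changes silently. Splitting that into its own commit, or stating the equivalence in the message, would make the change reviewable. The two `sops.secrets` entries declare no `owner` or `mode`; presumably the defaults (root-only) are what the root-run borg job needs, but that is worth confirming since the key file is handed straight to `ssh -i`. The enclosing module attribute set starts and ends outside this hunk.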


@ -15,6 +15,7 @@ in
./programs/utils.nix ./programs/utils.nix
./services/ssh.nix ./services/ssh.nix
./services/tailscale.nix ./services/tailscale.nix
./services/borg.nix
./linux/base.nix ./linux/base.nix
]; ];
@ -31,6 +32,36 @@ in
tailscale = { tailscale = {
enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux; enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
}; };
# Borg backup
# Disabled by default as it requires configuration, but a really good idea to turn on
borg = {
enable = mkEnableOption "borg";
extraExcludes = mkOption {
default = [ ];
description = "List of extra paths to exclude";
};
extraIncludes = mkOption {
default = [ ];
description = "List of extra paths to include";
};
location = mkOption {
default = "de1955@de1955.rsync.net:computers";
description = "Location to backup to";
type = lib.types.str;
};
passwordFile = mkOption {
description = "Path to the password file";
type = lib.types.str;
};
sshKey = mkOption {
description = "Path to the ssh key";
type = lib.types.str;
};
startAt = mkOption {
description = "How often to run backups";
default = "hourly";
};
};
}; };
# Control enabling/configuratin of services # Control enabling/configuratin of services
programs = { programs = {
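Review bot: `extraExcludes`, `extraIncludes` and `startAt` declare no `type`, so a mis-typed value (a string where a list is expected, for instance) is only caught when `borg.nix` concatenates it into `paths`; `type = lib.types.listOf lib.types.str;` on the two lists and `type = lib.types.str;` on `startAt` would match the other options in this block. The `location` default hard-codes one specific rsync.net account into a shared module; leaving it without a default, as `passwordFile` and `sshKey` are, forces each host to set its backup target deliberately. The enclosing `services` attribute set starts before this hunk.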

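--- a/modules/services/borg.nix
+++ b/modules/services/borg.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+with lib; {
+config = mkIf config.nathan.services.borg.enable {
+# Add borg to the system packages
+environment.systemPackages = with pkgs; [
+borgbackup
+];
+services.borgbackup.jobs = {
+rsyncnet = {
+paths = [
+"/home"
+"/var"
+"/etc"
+"/root"
+] ++ config.nathan.services.borg.extraIncludes;
+exclude = [
+"*/.cache"
+"*/.tmp"
+"/home/${config.nathan.config.user}/Projects/*/target"
+"/home/${config.nathan.config.user}/Work/*/target"
+"/home/${config.nathan.config.user}/.local/share/Steam"
+"/home/${config.nathan.config.user}/*/Cache"
+"/home/*/Downloads"
+];
+repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.nathan.services.borg.passwordFile}";
+};
+environment.BORG_RSH = "ssh -i ${config.nathan.services.borg.sshKey}";
+compression = "auto,zstd";
+startAt = config.nathan.services.borg.startAt;
+prune.keep = {
+within = "7d"; # Keep all archives for the past week
+daily = 1; # Keep 1 snapshot a day for 2 weeks
+weekly = 4; # Keep 1 snapshot a week for 4 weeks
+monthly = -1; # Keep unlimited monthly backups
+};
+};
+};
+};
+}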
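Review bot: The retention value and its comment disagree in `prune.keep`: `daily = 1; # Keep 1 snapshot a day for 2 weeks` keeps only the single most recent daily archive, so after the `within = "7d"` window there is no two-week daily history; if two weeks is the intent it should read `daily = 14; # Keep one snapshot a day for 2 weeks`, otherwise the comment should be corrected. Separately, `environment.BORG_RSH = "ssh -i ..."` runs from a non-interactive timer unit, so the remote host key must already be trusted for the job to connect; pinning it declaratively with a `programs.ssh.knownHosts` entry for the backup host keeps the first run from failing without ever loosening host-key checking. `passCommand = "cat ..."` correctly keeps the repository passphrase out of the Nix store.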


@ -0,0 +1,31 @@
borg-ssh-key: ENC[AES256_GCM,data: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,iv:UGiwqGadbm3P5RBI/R32zlIOmVjRiEaEwAuGTAqhnks=,tag:WS0ksDUEoGJLl1L2jNb2Zg==,type:str]
borg-password: ENC[AES256_GCM,data:W0MEp075S/1fAzLl3UxQ/8W/Cx+Z0pBU/qYMEbL+rmvCnhLRpbM/iy48RAz0xFZ4txUIDHkNllaA,iv:7wlt8FjA8k5iol4lgW8upuRQJTeu2ToyI6LsTmPCk/4=,tag:jrG00Q5bkDONDhfYMlKtfA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ak5NVEJ4U0s0ajB2SnhC
Ym45TlZjdWM0VnhYK08yMWduWUg5SDI3bFJrCkt1SGlpUkx2cnFMbDdLTWdUM3Za
eElFbjJDVXlRUDQrek5XalpUMEZydVUKLS0tIHpLU21ZY29ydU1ENmVWWXdTK0RF
VFFmQld5UzVUZUtDQmRRVnNacm1uUkEKuodQeOPsTw7i3dTWqb4XQ4v/Jtf9X9ah
NVhYD79ZltK2k5Epa95oH46Djwz1RjPad0WVgLDPlPYdto2Kd5Y26A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVMRzY1Zkoyb1JVYTd0
NEQ0bStuNWVpRTZJRGx6NVpUejIxMzhKT1NjCnJyK1pONmljYTVLajF3VGpiRllG
MEcxR1ptbWs0Q1U5Zi85U3hZOFJxUGMKLS0tIDZYT0dZYkJoU0lTMHBRS0NqVHdq
SHRtU2NNeHdJTVdvNFhDU1dXbHZVSTgKAan3xhZNtYVRgrx0oCgz5bA2x2gS9+mj
DzxQY1NrM4ZEGWQtm7NWyyfuO16OAVsdotiMN8mbSlyh9uB+j4nNig==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-02T18:30:32Z"
mac: ENC[AES256_GCM,data:cX7URw9zZN2WIpKe4RKbZi6T/CW6L5nMiINzAoNeO0pdmsQpeCiiNiI3bn4epOf5qWKZDybSbwMdEB9a/uDOAImIKL08rUUJr9JTLICFRMcQgNpczN6XNu5Xpbt8uxksRc/ex2x8a7TbE7gy4xsEE0U9CGG3WWQm2LeUpbz9PGA=,iv:mbY+1H1rsyAL00VmNTjzmGITywRc5uFEd+HAfQQNtY4=,tag:JNcoz8XLPCpQ61CV2Dxfuw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3