Add borg backup module
This commit is contained in:
parent
d30315a050
commit
8b4d93de73
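--- a/flake.nix
+++ b/flake.nix
@@ -107,28 +107,35 @@
 extraModules = [
 ./hardware/levitation.nix
 ({ pkgs, config, lib, ... }: {
-boot.loader = {
-grub = {
-enable = true;
-version = 2;
-efiSupport = true;
-# Go efi only
-devices = [ "nodev" ];
-# Use os-prober
-useOSProber = true;
-};
-efi = {
-efiSysMountPoint = "/boot/";
-canTouchEfiVariables = false;
+# sops for borg
+sops.secrets."borg-ssh-key" = {
+sopsFile = ./secrets/levitation/borg.yaml;
+format = "yaml";
 };
+sops.secrets."borg-password" = {
+sopsFile = ./secrets/levitation/borg.yaml;
+format = "yaml";
 };
 # Setup system configuration
 nathan = {
 programs = {
 games = true;
 };
+services = {
+borg = {
+enable = true;
+extraExcludes = [
+"/home/${config.nathan.config.user}/Music"
+"/var/lib/docker"
+"/var/log"
+];
+passwordFile = config.sops.secrets."borg-password".path;
+sshKey = config.sops.secrets."borg-ssh-key".path;
+};
+};
 config = {
 isDesktop = true;
+setupGrub = true;
 nix.autoUpdate = false;
 harden = false;
 };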
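Review bot: `extraExcludes` drops `/var/log` from the backup set, so the remote repository will hold no off-host copy of the system logs; that is harmless for a plain restore, but it is exactly the data you want if the backup is ever used to reconstruct a compromise of this host, and logs are small next to the rest of `/var`. If the exclusion is deliberate, say so in place so a later reader does not silently "fix" it either way, e.g. `"/var/log" # NOTE: excluded on purpose; logs are not part of the restore set — confirm this is acceptable for incident investigation`. Passing `config.sops.secrets.*.path` rather than the secret value is the right pattern here: only the runtime path under /run/secrets reaches the Nix store, and sops-nix's default root-owned 0400 mode matches the root-run borg job, which is worth a one-line comment above the two `sops.secrets` declarations.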
@ -15,6 +15,7 @@ in
./programs/utils.nix
./programs/utils.nix
./services/ssh.nix
./services/ssh.nix
./services/tailscale.nix
./services/tailscale.nix
./services/borg.nix
./linux/base.nix
./linux/base.nix
];
];
@ -31,6 +32,36 @@ in
tailscale = {
tailscale = {
enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
};
};
# Borg backup
# Disabled by default as it requires configuration, but a really good idea to turn on
borg = {
enable = mkEnableOption "borg";
extraExcludes = mkOption {
default = [ ];
description = "List of extra paths to exclude";
};
extraIncludes = mkOption {
default = [ ];
description = "List of extra paths to include";
};
location = mkOption {
default = "de1955@de1955.rsync.net:computers";
description = "Location to backup to";
type = lib.types.str;
};
passwordFile = mkOption {
description = "Path to the password file";
type = lib.types.str;
};
sshKey = mkOption {
description = "Path to the ssh key";
type = lib.types.str;
};
startAt = mkOption {
description = "How often to run backups";
default = "hourly";
};
};
};
};
# Control enabling/configuratin of services
# Control enabling/configuratin of services
programs = {
programs = {
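Review bot: `passwordFile` and `sshKey` are declared as `lib.types.str` with no explanation, yet that choice is what keeps the secrets out of the world-readable Nix store: `str` rejects a Nix path literal such as `./secrets/key`, whereas `types.path` would accept one and coerce it into `/nix/store`. Add a line above each so nobody later "tidies" it into `types.path`: `# Runtime path string (e.g. config.sops.secrets.<name>.path); a Nix path literal would copy the secret into the store.`. `extraExcludes`, `extraIncludes` and `startAt` carry no `type` at all, so the module system cannot validate them and only merges the two lists through the untyped default; `type = lib.types.listOf lib.types.str;` on both lists and `type = lib.types.either lib.types.str (lib.types.listOf lib.types.str);` on `startAt` would mirror what the underlying `services.borgbackup.jobs.<name>.startAt` accepts, to my recollection, and the description should say the value is a systemd `OnCalendar` expression. The `location` default bakes one personal rsync.net account into a module that is otherwise reusable; making it required (no default) forces each host to state its own target. The enclosing `services` attribute set starts before the second hunk.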
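--- /dev/null
+++ b/services/borg.nix
@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib; {
+config = mkIf config.nathan.services.borg.enable {
+# Add borg to the system packages
+environment.systemPackages = with pkgs; [
+borgbackup
+];
+services.borgbackup.jobs = {
+rsyncnet = {
+paths = [
+"/home"
+"/var"
+"/etc"
+"/root"
+] ++ config.nathan.services.borg.extraIncludes;
+exclude = [
+"*/.cache"
+"*/.tmp"
+"/home/${config.nathan.config.user}/Projects/*/target"
+"/home/${config.nathan.config.user}/Work/*/target"
+"/home/${config.nathan.config.user}/.local/share/Steam"
+"/home/${config.nathan.config.user}/*/Cache"
+"/home/*/Downloads"
+];
+repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
+encryption = {
+mode = "repokey-blake2";
+passCommand = "cat ${config.nathan.services.borg.passwordFile}";
+};
+environment.BORG_RSH = "ssh -i ${config.nathan.services.borg.sshKey}";
+compression = "auto,zstd";
+startAt = config.nathan.services.borg.startAt;
+prune.keep = {
+within = "7d"; # Keep all archives for the past week
+daily = 1; # Keep 1 snapshot a day for 2 weeks
+weekly = 4; # Keep 1 snapshot a week for 4 weeks
+monthly = -1; # Keep unlimited monthly backups
+};
+};
+};
+};
+}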
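Review bot: `environment.BORG_RSH = "ssh -i …"` selects the key but says nothing about the remote host key, so unless `de1955.rsync.net` is pinned elsewhere in the configuration (e.g. `programs.ssh.knownHosts`), the root-run timer either aborts at the non-interactive `ask` prompt or invites a `StrictHostKeyChecking=no` workaround that would let an on-path attacker receive the repository traffic; pin the host key and make the check explicit, `environment.BORG_RSH = "ssh -i ${config.nathan.services.borg.sshKey} -o StrictHostKeyChecking=yes";`. The same key has full delete rights on the repository because the job prunes in place, so a compromised client can wipe its own history; the usual mitigation is to restrict the key server-side with `command="borg serve --append-only --restrict-to-repository <repo path>"` and prune from a trusted machine, which this file cannot express but should document in a comment above `prune.keep`. Note also that `/etc` and `/root` are in `paths`, so the host's SSH private keys — and, if sops-nix derives its age identity from them, the keys that decrypt these very secrets — end up in the remote repository protected only by the borg passphrase. Separately, `daily = 1; # Keep 1 snapshot a day for 2 weeks` does not do what the comment says: `daily = 1` keeps a single daily archive, and two weeks of dailies is `daily = 14;`.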
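--- /dev/null
+++ b/secrets/levitation/borg.yaml
@@ -0,0 +1,31 @@
+borg-ssh-key: ENC[AES256_GCM,data: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,iv:UGiwqGadbm3P5RBI/R32zlIOmVjRiEaEwAuGTAqhnks=,tag:WS0ksDUEoGJLl1L2jNb2Zg==,type:str]
+borg-password: ENC[AES256_GCM,data:W0MEp075S/1fAzLl3UxQ/8W/Cx+Z0pBU/qYMEbL+rmvCnhLRpbM/iy48RAz0xFZ4txUIDHkNllaA,iv:7wlt8FjA8k5iol4lgW8upuRQJTeu2ToyI6LsTmPCk/4=,tag:jrG00Q5bkDONDhfYMlKtfA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ak5NVEJ4U0s0ajB2SnhC
+Ym45TlZjdWM0VnhYK08yMWduWUg5SDI3bFJrCkt1SGlpUkx2cnFMbDdLTWdUM3Za
+eElFbjJDVXlRUDQrek5XalpUMEZydVUKLS0tIHpLU21ZY29ydU1ENmVWWXdTK0RF
+VFFmQld5UzVUZUtDQmRRVnNacm1uUkEKuodQeOPsTw7i3dTWqb4XQ4v/Jtf9X9ah
+NVhYD79ZltK2k5Epa95oH46Djwz1RjPad0WVgLDPlPYdto2Kd5Y26A==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVMRzY1Zkoyb1JVYTd0
+NEQ0bStuNWVpRTZJRGx6NVpUejIxMzhKT1NjCnJyK1pONmljYTVLajF3VGpiRllG
+MEcxR1ptbWs0Q1U5Zi85U3hZOFJxUGMKLS0tIDZYT0dZYkJoU0lTMHBRS0NqVHdq
+SHRtU2NNeHdJTVdvNFhDU1dXbHZVSTgKAan3xhZNtYVRgrx0oCgz5bA2x2gS9+mj
+DzxQY1NrM4ZEGWQtm7NWyyfuO16OAVsdotiMN8mbSlyh9uB+j4nNig==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2022-07-02T18:30:32Z"
+mac: ENC[AES256_GCM,data:cX7URw9zZN2WIpKe4RKbZi6T/CW6L5nMiINzAoNeO0pdmsQpeCiiNiI3bn4epOf5qWKZDybSbwMdEB9a/uDOAImIKL08rUUJr9JTLICFRMcQgNpczN6XNu5Xpbt8uxksRc/ex2x8a7TbE7gy4xsEE0U9CGG3WWQm2LeUpbz9PGA=,iv:mbY+1H1rsyAL00VmNTjzmGITywRc5uFEd+HAfQQNtY4=,tag:JNcoz8XLPCpQ61CV2Dxfuw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3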