Add borg backup module
parent
d30315a050
commit
8b4d93de73
33
flake.nix
33
flake.nix
|
@ -107,28 +107,35 @@
|
|||
extraModules = [
|
||||
./hardware/levitation.nix
|
||||
({ pkgs, config, lib, ... }: {
|
||||
boot.loader = {
|
||||
grub = {
|
||||
enable = true;
|
||||
version = 2;
|
||||
efiSupport = true;
|
||||
# Go efi only
|
||||
devices = [ "nodev" ];
|
||||
# Use os-prober
|
||||
useOSProber = true;
|
||||
};
|
||||
efi = {
|
||||
efiSysMountPoint = "/boot/";
|
||||
canTouchEfiVariables = false;
|
||||
# sops for borg
|
||||
sops.secrets."borg-ssh-key" = {
|
||||
sopsFile = ./secrets/levitation/borg.yaml;
|
||||
format = "yaml";
|
||||
};
|
||||
sops.secrets."borg-password" = {
|
||||
sopsFile = ./secrets/levitation/borg.yaml;
|
||||
format = "yaml";
|
||||
};
|
||||
# Setup system configuration
|
||||
nathan = {
|
||||
programs = {
|
||||
games = true;
|
||||
};
|
||||
services = {
|
||||
borg = {
|
||||
enable = true;
|
||||
extraExcludes = [
|
||||
"/home/${config.nathan.config.user}/Music"
|
||||
"/var/lib/docker"
|
||||
"/var/log"
|
||||
];
|
||||
passwordFile = config.sops.secrets."borg-password".path;
|
||||
sshKey = config.sops.secrets."borg-ssh-key".path;
|
||||
};
|
||||
};
|
||||
config = {
|
||||
isDesktop = true;
|
||||
setupGrub = true;
|
||||
nix.autoUpdate = false;
|
||||
harden = false;
|
||||
};
|
||||
|
|
|
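Review bot: The `"/var/log"` entry in `extraExcludes` leaves the journal and authentication logs out of every archive, so after a disk failure or a compromise of this host there is no off-host copy to investigate from, unless logs are shipped elsewhere by configuration not visible here. Either drop that exclusion or record the decision next to it, e.g. `"/var/log" # deliberately not backed up; logs are not recoverable from borg`. The two `sops.secrets` declarations rely on the sops-nix default owner and mode, which fits a backup job that runs as root; a one-line comment saying so would stop a later change of the job's user from silently breaking secret access. The enclosing module starts and ends outside the rendered hunk, and some of its lines appear to be missing from the page.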
@ -15,6 +15,7 @@ in
|
|||
./programs/utils.nix
|
||||
./services/ssh.nix
|
||||
./services/tailscale.nix
|
||||
./services/borg.nix
|
||||
./linux/base.nix
|
||||
];
|
||||
|
||||
|
@ -31,6 +32,36 @@ in
|
|||
tailscale = {
|
||||
enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
|
||||
};
|
||||
# Borg backup
|
||||
# Disabled by default as it requires configuration, but a really good idea to turn on
|
||||
borg = {
|
||||
enable = mkEnableOption "borg";
|
||||
extraExcludes = mkOption {
|
||||
default = [ ];
|
||||
description = "List of extra paths to exclude";
|
||||
};
|
||||
extraIncludes = mkOption {
|
||||
default = [ ];
|
||||
description = "List of extra paths to include";
|
||||
};
|
||||
location = mkOption {
|
||||
default = "de1955@de1955.rsync.net:computers";
|
||||
description = "Location to backup to";
|
||||
type = lib.types.str;
|
||||
};
|
||||
passwordFile = mkOption {
|
||||
description = "Path to the password file";
|
||||
type = lib.types.str;
|
||||
};
|
||||
sshKey = mkOption {
|
||||
description = "Path to the ssh key";
|
||||
type = lib.types.str;
|
||||
};
|
||||
startAt = mkOption {
|
||||
description = "How often to run backups";
|
||||
default = "hourly";
|
||||
};
|
||||
};
|
||||
};
|
||||
# Control enabling/configuratin of services
|
||||
programs = {
|
||||
|
|
|
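Review bot: `passwordFile` and `sshKey` are described only as "Path to the password file" and "Path to the ssh key", which does not tell a user that the value must be a runtime path outside the Nix store; a store path (for example from interpolating a path literal into the string) would be world-readable. I would extend the descriptions, e.g. `description = "Runtime path to the repository passphrase file (e.g. a sops-nix secret path); must not be in the Nix store";` and likewise for `sshKey`. Keeping `lib.types.str` rather than a path type is the right choice for these two options. Separately, `extraExcludes`, `extraIncludes` and `startAt` declare no `type`; `type = lib.types.listOf lib.types.str;` on the two lists would catch a mistyped value at evaluation time. The default `location` names one specific rsync.net account, so a host that enables the module without overriding it will try to push there.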
@ -0,0 +1,43 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib; {
|
||||
config = mkIf config.nathan.services.borg.enable {
|
||||
# Add borg to the system packages
|
||||
environment.systemPackages = with pkgs; [
|
||||
borgbackup
|
||||
];
|
||||
services.borgbackup.jobs = {
|
||||
rsyncnet = {
|
||||
paths = [
|
||||
"/home"
|
||||
"/var"
|
||||
"/etc"
|
||||
"/root"
|
||||
] ++ config.nathan.services.borg.extraIncludes;
|
||||
exclude = [
|
||||
"*/.cache"
|
||||
"*/.tmp"
|
||||
"/home/${config.nathan.config.user}/Projects/*/target"
|
||||
"/home/${config.nathan.config.user}/Work/*/target"
|
||||
"/home/${config.nathan.config.user}/.local/share/Steam"
|
||||
"/home/${config.nathan.config.user}/*/Cache"
|
||||
"/home/*/Downloads"
|
||||
];
|
||||
repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
|
||||
encryption = {
|
||||
mode = "repokey-blake2";
|
||||
passCommand = "cat ${config.nathan.services.borg.passwordFile}";
|
||||
};
|
||||
environment.BORG_RSH = "ssh -i ${config.nathan.services.borg.sshKey}";
|
||||
compression = "auto,zstd";
|
||||
startAt = config.nathan.services.borg.startAt;
|
||||
prune.keep = {
|
||||
within = "7d"; # Keep all archives for the past week
|
||||
daily = 1; # Keep 1 snapshot a day for 2 weeks
|
||||
weekly = 4; # Keep 1 snapshot a week for 4 weeks
|
||||
monthly = -1; # Keep unlimited monthly backups
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
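Review bot: In `prune.keep`, `daily = 1` does not match its comment "Keep 1 snapshot a day for 2 weeks": once archives leave the 7-day `within` window only a single daily archive is retained, so the recovery points available after a late-discovered compromise or corruption are thinner than the comment promises. If two weeks of dailies is intended, use `daily = 14; # Keep 1 snapshot a day for 2 weeks`; otherwise correct the comment. `BORG_RSH = "ssh -i ..."` pins neither the identity nor the server host key; `ssh -o IdentitiesOnly=yes -i ...` together with a `programs.ssh.knownHosts` entry for the backup host would make the unattended job fail closed, assuming the host key is not already pinned elsewhere. Since the key that creates archives is also the one that prunes them, a comment noting that a compromised client can delete its own history unless the server restricts deletion would help whoever maintains this later.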
@ -0,0 +1,31 @@
|
|||
borg-ssh-key: ENC[AES256_GCM,data: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,iv:UGiwqGadbm3P5RBI/R32zlIOmVjRiEaEwAuGTAqhnks=,tag:WS0ksDUEoGJLl1L2jNb2Zg==,type:str]
|
||||
borg-password: ENC[AES256_GCM,data:W0MEp075S/1fAzLl3UxQ/8W/Cx+Z0pBU/qYMEbL+rmvCnhLRpbM/iy48RAz0xFZ4txUIDHkNllaA,iv:7wlt8FjA8k5iol4lgW8upuRQJTeu2ToyI6LsTmPCk/4=,tag:jrG00Q5bkDONDhfYMlKtfA==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ak5NVEJ4U0s0ajB2SnhC
|
||||
Ym45TlZjdWM0VnhYK08yMWduWUg5SDI3bFJrCkt1SGlpUkx2cnFMbDdLTWdUM3Za
|
||||
eElFbjJDVXlRUDQrek5XalpUMEZydVUKLS0tIHpLU21ZY29ydU1ENmVWWXdTK0RF
|
||||
VFFmQld5UzVUZUtDQmRRVnNacm1uUkEKuodQeOPsTw7i3dTWqb4XQ4v/Jtf9X9ah
|
||||
NVhYD79ZltK2k5Epa95oH46Djwz1RjPad0WVgLDPlPYdto2Kd5Y26A==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVMRzY1Zkoyb1JVYTd0
|
||||
NEQ0bStuNWVpRTZJRGx6NVpUejIxMzhKT1NjCnJyK1pONmljYTVLajF3VGpiRllG
|
||||
MEcxR1ptbWs0Q1U5Zi85U3hZOFJxUGMKLS0tIDZYT0dZYkJoU0lTMHBRS0NqVHdq
|
||||
SHRtU2NNeHdJTVdvNFhDU1dXbHZVSTgKAan3xhZNtYVRgrx0oCgz5bA2x2gS9+mj
|
||||
DzxQY1NrM4ZEGWQtm7NWyyfuO16OAVsdotiMN8mbSlyh9uB+j4nNig==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-07-02T18:30:32Z"
|
||||
mac: ENC[AES256_GCM,data:cX7URw9zZN2WIpKe4RKbZi6T/CW6L5nMiINzAoNeO0pdmsQpeCiiNiI3bn4epOf5qWKZDybSbwMdEB9a/uDOAImIKL08rUUJr9JTLICFRMcQgNpczN6XNu5Xpbt8uxksRc/ex2x8a7TbE7gy4xsEE0U9CGG3WWQm2LeUpbz9PGA=,iv:mbY+1H1rsyAL00VmNTjzmGITywRc5uFEd+HAfQQNtY4=,tag:JNcoz8XLPCpQ61CV2Dxfuw==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|