From b472b4405a14df1b3a374cfcb35464bcb3b84fb4 Mon Sep 17 00:00:00 2001
From: Nathan McCarty
Date: Fri, 10 Jun 2022 20:10:18 -0400
Subject: [PATCH] borg tweaks
---
 machines/levitation.nix | 2 ++
 machines/matrix.nix | 59 +++++++++++++++++++++++++++++++++++++++++
 machines/oracles.nix | 1 +
 secrets/borg.yaml | 5 ++--
 4 files changed, 65 insertions(+), 2 deletions(-)
diff --git a/machines/levitation.nix b/machines/levitation.nix
index b9ee972..6e0258b 100644
--- a/machines/levitation.nix
+++ b/machines/levitation.nix
@@ -99,6 +99,8 @@
 "/home/nathan/Downloads"
 "/home/nathan/Music"
 "/var/lib/docker"
+ "/var/log"
+ "/home/nathan/*/Cache"
 ];
 repo = "de1955@de1955.rsync.net:computers/levitation";
 encryption = {
diff --git a/machines/matrix.nix b/machines/matrix.nix
index 39c1bb2..2247bf8 100644
--- a/machines/matrix.nix
+++ b/machines/matrix.nix
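Review bot: Excluding `/var/log` in the machines/levitation.nix exclude list (and again in the machines/matrix.nix and machines/oracles.nix hunks) means none of the three hosts keeps an off-host copy of its logs in the borg repository, so after a disk failure or a host compromise there is no independent record to reconstruct a timeline from. If the logs are forwarded elsewhere or are deliberately treated as disposable, record that next to the entry, e.g. `"/var/log" # not backed up: logs are shipped to <log destination>`; otherwise consider leaving `/var/log` in the backup. The exclude list starts above this hunk, so its earlier entries are not visible here.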
@@ -40,4 +40,63 @@
 users.users.nathan = {
 extraGroups = [ "www-html" ];
 };
+
+ ###
+ ## Borg Backup
+ ###
+
+ # Install borg
+ environment.systemPackages = with pkgs; [
+ borgbackup
+ ];
+
+ # Setup sops
+ sops.secrets."borg-sshKey" = {
+ format = "yaml";
+ sopsFile = ../secrets/borg.yaml;
+ };
+ sops.secrets."borg-matrixPassword" = {
+ format = "yaml";
+ sopsFile = ../secrets/borg.yaml;
+ };
+ # Setup the job
+ services.borgbackup.jobs = {
+ files = {
+ paths = [
+ "/home"
+ "/var"
+ "/etc"
+ ];
+ exclude = [
+ "*/.cache"
+ "*/.tmp"
+ "/home/nathan/minecraft/server/backup"
+ "/var/lib/postgresql"
+ "/var/lib/redis"
+ "/var/lib/docker"
+ "/var/log"
+ ];
+ repo = "de1955@de1955.rsync.net:computers/matrix";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg-matrixPassword".path}";
+ };
+ environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
+ compression = "auto,zstd";
+ startAt = "OnCalendar=00/4:00";
+ prune.keep = {
+ within = "7d"; # Keep all archives for the past week
+ daily = 1; # Keep 1 snapshot a day for 2 weeks
+ weekly = 4; # Keep 1 snapshot a week for 4 weeks
+ monthly = -1; # Keep unlimited monthly backups
+ };
+ };
+ };
+ # Backup postgres
+ services.postgresqlBackup = {
+ enable = true;
+ compression = "none";
+ backupAll = true;
+ startAt = "OnCalendar=00/2:00";
+ };
 }
diff --git a/machines/oracles.nix b/machines/oracles.nix
index c7b373f..83aab55 100644
--- a/machines/oracles.nix
+++ b/machines/oracles.nix
@@ -72,6 +72,7 @@
 "/var/lib/postgresql"
 "/var/lib/redis"
 "/var/lib/docker"
+ "/var/log"
 ];
 repo = "de1955@de1955.rsync.net:computers/oracles";
 encryption = {
diff --git a/secrets/borg.yaml b/secrets/borg.yaml
index 5b94827..a21e998 100644
--- a/secrets/borg.yaml
+++ b/secrets/borg.yaml
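Review bot: In the machines/matrix.nix hunk both `startAt` values carry an `OnCalendar=` prefix, but as far as I know NixOS copies `startAt` verbatim into the generated timer's `OnCalendar=` setting, so the unit would read `OnCalendar=OnCalendar=00/4:00`, which systemd cannot parse, and neither the borg job nor the PostgreSQL dump would be scheduled. Use the bare calendar expression, `startAt = "00/4:00";` for `services.borgbackup.jobs.files` and `startAt = "00/2:00";` for `services.postgresqlBackup`, and confirm after deploying with `systemd-analyze calendar` and `systemctl list-timers`. Separately, `daily = 1; # Keep 1 snapshot a day for 2 weeks` does not match its comment: a value of 1 keeps a single daily archive, so either the value should be `14` or the comment should be corrected.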
@@ -1,6 +1,7 @@ borg-sshKey: ENC[AES256_GCM,data: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,iv:gHr+vtcY99MgSy9IiMmxy3mlOjcOJ4oN5NS3doNAXwo=,tag:AOaE2qHv5NalE7J/NVXQjw==,type:str] borg-levitationPassword: ENC[AES256_GCM,data:nAtAlhmv6NAE88f81BeroMnMd/lr7ZnUTmLlAMtn4/ML8TuiZjijCJ4LiUSg5FLeWmDEALUN5g/T,iv:2qoF4mw/sbitLmticTsKndcYdV2B+6YjXjKHJr591nk=,tag:ENPk7gm3tmVOSgzfrn7Vag==,type:str] borg-oraclesPassword: ENC[AES256_GCM,data:TRWn/vj3SpSrRc0HcNI9If7e5Q93hO/+eLKoTQULHTBZqZKdnN0Lq6xhUQQf0s7LhS9D2Q==,iv:/vdqnlR6DowmPNpNP8Q3n2cL/gv91heS0NLFth9Wpl0=,tag:peIs7WpNO56DiTkva71fDw==,type:str] +borg-matrixPassword: ENC[AES256_GCM,data:7dZh8G36PAhfVU4k4mdnWAMCRKme9nAd4GUkdwdZiIAd037Ou2n3wJfZLA==,iv:rPGFyAmHe2H0g0mPxSo84NT/wwBwMt1vV9DAenvwbW4=,tag:2Q4ID6jsA02AC4vvPmBTPw==,type:str] sops: kms: [] gcp_kms: [] @@ -61,8 +62,8 @@ sops: WmhzcngwekJ1UzJQNzBwNU9Kb3FLNzQKgWC/Pruek+lfMtyj8M1s88l46emKVqV/ nO3VxonQywOz1QaNEBODNTwly48MzNREwV1bUZy4DBAeraG4O3fRFg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-06-10T23:17:10Z" - mac: ENC[AES256_GCM,data:EgTvO6L9hAcOYQBl5bMmqZeimxEO9uTxKiGKqTBM0nyRU0Fj7zE1ZvuCtwSe0T9RHObBwzd5i1ij1qA4Bd5qDg2fnRs4DoxHPXJxERsD1CrZnE39D//+ppdsdGGaw5rtISlbl2b+4YFDSiYtbgrU73bz/LauUEc71fakBxQzLlI=,iv:imQB792YHWSoJIbxx6ZPiDK2IhwN6DZPrDbnbGA7U/0=,tag:Qtc6K1tQtNcc318Ez9wf9A==,type:str] + lastmodified: "2022-06-11T00:07:08Z" + mac: ENC[AES256_GCM,data:o71aJDP01oX/hzJKjkOkM185wgQ0YSCeYtkjGnGF7OLZ5v7EFIK7iszU4nXP5XdtVydHBXDIWGZPLg2pIzWwlOun3K2sxsy6oGrbgE0rB4+G8SSqO6vi7Lny6+RMI8jYmMEx5hUNOWEc/YWtyBxiQ2iXf7Lcj/Xg2adDDHXUJ4c=,iv:n1D/VapaoLD4qhGhj7xRaqYSkaTizNmNCVYUrfYHyqU=,tag:hZD2iH0YWntEMB9JoMYDXg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3
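Review bot: Adding `borg-matrixPassword` to the shared secrets/borg.yaml places it beside `borg-levitationPassword`, `borg-oraclesPassword` and the single `borg-sshKey`, and sops encrypts every value in a file under one data key, so any recipient able to decrypt this file on one machine can also read the repository passphrases of the other two. Together with what looks like one SSH identity for the `de1955` account (inferred from there being only one `borg-sshKey` entry), a compromise of any single host would put every host's backups at risk of disclosure or deletion. Consider one secrets file per host, encrypted only to that host's key, and a separate SSH key per host. The recipient list lies outside these hunks, so which hosts can currently decrypt the file is not visible here.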