-rw-r--r-- | hosts/sif/default.nix | 26 | ||||
-rw-r--r-- | modules/borgbackup/default.nix | 7 | ||||
-rw-r--r-- | modules/borgbackup/repokeys/borg_munin__borg.yaml | 33 |
3 files changed, 65 insertions, 1 deletions
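--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -1,4 +1,4 @@
-{ flake, pkgs, customUtils, lib, config, ... }:
+{ flake, pkgs, customUtils, lib, config, path, ... }:
 {
 imports = with flake.nixosModules.systemProfiles; [
 ./hw.nix
@@ -259,6 +259,30 @@
 SUBSYSTEM=="power_supply", ENV{POWER_SUPPLY_ONLINE}=="1", RUN+="${systemd}/bin/systemctl --no-block start ac-plugged.service"
 '';
 
+services.borgbackup = {
+snapshots = "btrfs";
+prefix = "yggdrasil.midgard.sif.";
+targets = {
+"munin" = {
+repo = "borg.munin:borg";
+paths = [ "/home/gkleen" ];
+prune = {
+"home" =
+[ "--keep-within" "24H"
+"--keep-daily" "31"
+"--keep-monthly" "12"
+"--keep-yearly" "-1"
+];
+};
+keyFile = "/run/secrets/borg-repokey--borg_munin__borg";
+};
+};
+};
+sops.secrets.borg-repokey--borg_munin__borg = {
+sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml";
+key = "key";
+};
+
 services.btrfs.autoScrub = {
 enable = true;
 fileSystems = [ "/" "/home" ];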
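Review bot: The `keyFile` value in the `munin` target repeats the secret's runtime location as a string literal, `"/run/secrets/borg-repokey--borg_munin__borg"`, independently of the `sops.secrets.borg-repokey--borg_munin__borg` declaration that follows it. If the secret is renamed or sops-nix is configured to place secrets elsewhere, the two drift apart and the backup unit starts with `BORG_KEY_FILE` pointing at nothing; `keyFile = config.sops.secrets.borg-repokey--borg_munin__borg.path;` keeps them tied together. The user the backup unit runs as is not visible in this section, so it is worth confirming that it can read the secret under the ownership and mode sops-nix applies by default, and setting `owner`/`mode` explicitly if not.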
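--- a/modules/borgbackup/default.nix
+++ b/modules/borgbackup/default.nix
@@ -65,6 +65,11 @@ let
 type = types.int;
 default = 600;
 };
+
+keyFile = mkOption {
+type = types.nullOr types.path;
+default = null;
+};
 };
 };
 in {
@@ -171,6 +176,7 @@ in {
 IOSchedulingPriority = 7;
 SuccessExitStatus = [1 2];
 Slice = "system-borgbackup.slice";
+Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
 };
 })) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" {
 enable = tCfg.prune != {};
@@ -193,6 +199,7 @@ in {
 serviceConfig = {
 Type = "oneshot";
 Slice = "system-borgbackup.slice";
+Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}";
 };
 }) cfg.targets);
 };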
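Review bot: `keyFile` is declared as `types.nullOr types.path` and then string-interpolated into `"BORG_KEY_FILE=${tCfg.keyFile}"` in both `serviceConfig` hunks, so a caller who passes a Nix path literal instead of a string would have the key file copied into the world-readable Nix store at evaluation time. Declaring the option as `type = types.nullOr types.str;` removes that accidental copy while still accepting the `/run/secrets/...` string used by the host config. The option also has no `description`; something like `description = "Runtime path of the borg key file, exported to the backup and prune units as BORG_KEY_FILE; must not be a Nix store path.";` would document the constraint. The option set and both `serviceConfig` blocks start outside the hunks shown, so whether another `Environment` definition is merged with this one cannot be checked from here.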
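--- /dev/null
+++ b/modules/borgbackup/repokeys/borg_munin__borg.yaml
@@ -0,0 +1,33 @@
+key: ENC[AES256_GCM,data:mxh+Jtxx+HyD246yPwo0vy7vSTz3IG8VmfbxPMwqJRreh9ZwkGnH5aCTDOvWOHIrkmzaRMF3oCi1P8D29+abMUZdt0MuJ3UE6iL8+SXlflR+WACgALM2Df+x9B3BwQM3yeoCiWG+ebr0iQPHM3jqqpkjoRv1CcythxG2deZueur9lzgC2CwG1g3O8Prnl9z0JQGOa+gjic8Zwfn38B1BECeNPrbjzICGBOrSbN/6EnfBDygI2QzseamzK2I6R6jT+QxHvkl+Zi1m2TRB+4o82VgTjPhIReJyT7PrlDnUyrKObhCOlb3v+LiSdp16IPIDVs968kyDzgyi7QPOpGr+5tutWCZrau5xhPDrONKByl/0nVVwEZfRIYATvEXtn5okJru/mglcpeD0I7AtLt+Vfv9CB9pQczvkHo0cDtgudQDf9ADt/nkmqHugm5VfMg9m9aGbKqzXt6pPOMsXSbS43K7wgDaduLZ/PW4Ookx9gTNLtJHnZ64GBorOv4QSrZIZF8pE1FsQdUhmp/YzVhaNBnjCr+Jh77sYjoOwzF77Xy+VP2C/yVIf492P+FcgkSj6XhYYqHffpFW9l/xmUvyQF5gjj2k5T21UvgChhI1HeLPzQ7W9+xuGSMtg58aD/VPe1loCy8zLITNl71bneararRS5vItoZyzMdmIRMLAZD1klPmDNe1yufTpubOXzNYbWUqFUZtwH/mDL5GRZBD9dqs2b3F26c1CUyw==,iv:NJBHesKSZ1zuKk8qHnYKqIwMnFkH+rkQD1bam5XpLXU=,tag:EiYbIFY/r/eTSTJIhYV+GA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+lastmodified: '2021-01-02T20:38:48Z'
+mac: ENC[AES256_GCM,data:3rkFTOk3r2dx3hOqu1u7XIIibTDfqNlRcWY9X2N/LFa/BKojgDt5tcpbphV4HqWvl8nS+fPcVrIElJfQ/QGFEOx68G95BhByntT9+JhSbHJt73dGnCSroZCw5QefdydREGvA5n00Vo9yT9IMvQsQbmpRzo6hcrSSUvagZqmZckA=,iv:F/HllDzyxgulIWZbfz9bFKR+SFg4PoaUYZ5N5hfIzw0=,tag:h2NXmvj/thhBg1rIkwdXXA==,type:str]
+pgp:
+- created_at: '2021-01-02T20:38:09Z'
+enc: |
+-----BEGIN PGP MESSAGE-----
+
+hF4Dgwm4NZSaLAcSAQdAwmvyXlr9MyfPfLgkfQkoktKBV2WA2xhZrGL7NeeGfhAw
+REk+clJ9WgiJ0iceRAONPnEjeiK0J6Fsj+5Ulq8flFGkoj5Pta0pm/9fudKmcPdC
+0l4BF0G5LSpG1EmY+LmVdSdas16rWgthnojoXPvbbHG6jZs3aDETshdiN8Bdlqsf
+aVhq2LYzscnYezNcdernR4uojtiFny8qcmdF3tFacr+mkgfgIQr0W9yWFhDH15gm
+=4TwU
+-----END PGP MESSAGE-----
+fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8
+- created_at: '2021-01-02T20:38:09Z'
+enc: |
+-----BEGIN PGP MESSAGE-----
+
+hF4DXxoViZlp6dISAQdAruPXj9IsllEN7R5jk4gF7bW0ZirhvX7qsu22/6HbSw8w
+66RwN3WGjYO1CcVbHKuLqVVaUBCnrR/4XHN0JYUaqjubrSZBTWFKTBFsKSTT0LZq
+0l4BKcsXrbGpYC5+yQvg0RHJ7LplxpKOmqMY8KGckvGnVf2xg7k6wuWQREFzqwt+
+lOa3x+xFy9c0JwE8AafyKjb/cgqJiMb96lhsH57BpXJa2E39ImQbXqzDzdx2jEUt
+=3rxi
+-----END PGP MESSAGE-----
+fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
+unencrypted_suffix: _unencrypted
+version: 3.6.1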