diff options
Diffstat (limited to 'hosts/vidhar/borg/default.nix')
-rw-r--r-- | hosts/vidhar/borg/default.nix | 82 |
1 files changed, 79 insertions, 3 deletions
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix index ee5856c9..65c309da 100644 --- a/hosts/vidhar/borg/default.nix +++ b/hosts/vidhar/borg/default.nix | |||
@@ -1,15 +1,72 @@ | |||
1 | { pkgs, lib, ... }: | 1 | { config, pkgs, lib, ... }: |
2 | 2 | ||
3 | with lib; | 3 | with lib; |
4 | 4 | ||
5 | { | 5 | let |
6 | copyService = { repo, repoEscaped }: let | ||
7 | serviceName = "copy-borg@${repoEscaped}"; | ||
8 | sshConfig = pkgs.writeText "config" '' | ||
9 | Host yggdrasil.borgbase | ||
10 | HostName nx69hpl8.repo.borgbase.com | ||
11 | User nx69hpl8 | ||
12 | IdentityFile /run/credentials/${serviceName}.service/ssh-identity | ||
13 | IdentitiesOnly yes | ||
14 | |||
15 | BatchMode yes | ||
16 | ServerAliveInterval 10 | ||
17 | ServerAliveCountMax 30 | ||
18 | ''; | ||
19 | in nameValuePair serviceName { | ||
20 | serviceConfig = { | ||
21 | Type = "oneshot"; | ||
22 | ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo"; | ||
23 | User = "borg"; | ||
24 | Group = "borg"; | ||
25 | StateDirectory = "borg"; | ||
26 | Environment = [ | ||
27 | "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\"" | ||
28 | "BORG_CACHE_DIR=/var/lib/borg/cache" | ||
29 | "BORG_SECURITY_DIR=/var/lib/borg/security" | ||
30 | "BORG_KEYS_DIR=/var/lib/borg/keys" | ||
31 | "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile" | ||
32 | ]; | ||
33 | LoadCredential = [ | ||
34 | "ssh-identity:${config.sops.secrets."append.borgbase".path}" | ||
35 | "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}" | ||
36 | ]; | ||
37 | }; | ||
38 | }; | ||
39 | |||
40 | copyBorg = pkgs.stdenv.mkDerivation rec { | ||
41 | name = "copy"; | ||
42 | src = ./copy.py; | ||
43 | |||
44 | phases = ["buildPhase" "checkPhase" "installPhase"]; | ||
45 | |||
46 | python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare halo]); | ||
47 | |||
48 | buildPhase = '' | ||
49 | substituteAll $src copy | ||
50 | ''; | ||
51 | |||
52 | doCheck = true; | ||
53 | checkPhase = '' | ||
54 | ${python}/bin/python -m py_compile copy | ||
55 | ''; | ||
56 | |||
57 | installPhase = '' | ||
58 | install -m 0755 -D -t $out/bin \ | ||
59 | copy | ||
60 | ''; | ||
61 | }; | ||
62 | in { | ||
6 | config = { | 63 | config = { |
7 | services.borgbackup.repos.jotnar = { | 64 | services.borgbackup.repos.jotnar = { |
8 | path = "/srv/backup/borg/jotnar"; | 65 | path = "/srv/backup/borg/jotnar"; |
9 | authorizedKeysAppendOnly = let | 66 | authorizedKeysAppendOnly = let |
10 | dir = ./jotnar; | 67 | dir = ./jotnar; |
11 | toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}"); | 68 | toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}"); |
12 | in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir)); | 69 | in filter (v: v != null) (mapAttrsToList toAuthKey (builtins.readDir dir)); |
13 | }; | 70 | }; |
14 | 71 | ||
15 | boot.postBootCommands = mkBefore '' | 72 | boot.postBootCommands = mkBefore '' |
@@ -25,5 +82,24 @@ with lib; | |||
25 | 82 | ||
26 | Match All | 83 | Match All |
27 | ''; | 84 | ''; |
85 | |||
86 | sops.secrets."append.borgbase" = { | ||
87 | format = "binary"; | ||
88 | sopsFile = ./append.borgbase; | ||
89 | }; | ||
90 | sops.secrets."yggdrasil.borgkey" = { | ||
91 | format = "binary"; | ||
92 | sopsFile = ./yggdrasil.borgkey; | ||
93 | }; | ||
94 | |||
95 | systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]); | ||
96 | |||
97 | # systemd.timers."copy-borg@srv-backup-borg-jotnar" = { | ||
98 | # wantedBy = ["multi-user.target"]; | ||
99 | |||
100 | # timerConfig = { | ||
101 | # OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin"; | ||
102 | # }; | ||
103 | # }; | ||
28 | }; | 104 | }; |
29 | } | 105 | } |