Diffstat (limited to 'hosts/vidhar/borg/default.nix')
-rw-r--r--hosts/vidhar/borg/default.nix82
1 files changed, 79 insertions, 3 deletions
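--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -1,15 +1,72 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 with lib;
 
-{
+let
+ copyService = { repo, repoEscaped }: let
+ serviceName = "copy-borg@${repoEscaped}";
+ sshConfig = pkgs.writeText "config" ''
+ Host yggdrasil.borgbase
+ HostName nx69hpl8.repo.borgbase.com
+ User nx69hpl8
+ IdentityFile /run/credentials/${serviceName}.service/ssh-identity
+ IdentitiesOnly yes
+
+ BatchMode yes
+ ServerAliveInterval 10
+ ServerAliveCountMax 30
+ '';
+ in nameValuePair serviceName {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo";
+ User = "borg";
+ Group = "borg";
+ StateDirectory = "borg";
+ Environment = [
+ "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\""
+ "BORG_CACHE_DIR=/var/lib/borg/cache"
+ "BORG_SECURITY_DIR=/var/lib/borg/security"
+ "BORG_KEYS_DIR=/var/lib/borg/keys"
+ "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
+ ];
+ LoadCredential = [
+ "ssh-identity:${config.sops.secrets."append.borgbase".path}"
+ "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
+ ];
+ };
+ };
+
+ copyBorg = pkgs.stdenv.mkDerivation rec {
+ name = "copy";
+ src = ./copy.py;
+
+ phases = ["buildPhase" "checkPhase" "installPhase"];
+
+ python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare halo]);
+
+ buildPhase = ''
+ substituteAll $src copy
+ '';
+
+ doCheck = true;
+ checkPhase = ''
+ ${python}/bin/python -m py_compile copy
+ '';
+
+ installPhase = ''
+ install -m 0755 -D -t $out/bin \
+ copy
+ '';
+ };
+in {
  config = {
  services.borgbackup.repos.jotnar = {
  path = "/srv/backup/borg/jotnar";
  authorizedKeysAppendOnly = let
  dir = ./jotnar;
  toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
- in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir));
+ in filter (v: v != null) (mapAttrsToList toAuthKey (builtins.readDir dir));
  };
 
  boot.postBootCommands = mkBefore ''
@@ -25,5 +82,24 @@ with lib;
 
  Match All
  '';
+
+ sops.secrets."append.borgbase" = {
+ format = "binary";
+ sopsFile = ./append.borgbase;
+ };
+ sops.secrets."yggdrasil.borgkey" = {
+ format = "binary";
+ sopsFile = ./yggdrasil.borgkey;
+ };
+
+ systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]);
+
+ # systemd.timers."copy-borg@srv-backup-borg-jotnar" = {
+ # wantedBy = ["multi-user.target"];
+
+ # timerConfig = {
+ # OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin";
+ # };
+ # };
  };
 }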
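Review bot: The ssh client config written into `sshConfig` in the first hunk (the `Host yggdrasil.borgbase` block) pins the user and identity but not the server's host key: there is no `StrictHostKeyChecking` or `UserKnownHostsFile` line, so trust in nx69hpl8.repo.borgbase.com rests on whatever known_hosts the `borg` service user happens to have on disk. With `BatchMode yes` an unknown or changed key makes ssh fail rather than prompt, which fails closed, but it leaves the copy job dependent on out-of-band state that is not declared or reviewed alongside the rest of this service. Consider pinning the key in the same Nix expression, e.g. `StrictHostKeyChecking yes` and `UserKnownHostsFile ${pkgs.writeText "known_hosts" "nx69hpl8.repo.borgbase.com <HOST-KEY-PLACEHOLDER>"}` next to the existing `BatchMode yes` line, so a key rotation or mismatch surfaces as a config change rather than a silent job failure. The commented-out timer in the second hunk does not affect this.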