Diffstat (limited to 'hosts/vidhar/borg/default.nix')
-rw-r--r-- | hosts/vidhar/borg/default.nix | 92 |
1 files changed, 75 insertions, 17 deletions
diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix index 579630a9..650c91ee 100644 --- a/hosts/vidhar/borg/default.nix +++ b/hosts/vidhar/borg/default.nix | |||
@@ -1,23 +1,28 @@ | |||
1 | { config, pkgs, lib, ... }: | 1 | { config, pkgs, lib, flakeInputs, ... }: |
2 | 2 | ||
3 | with lib; | 3 | with lib; |
4 | 4 | ||
5 | let | 5 | let |
6 | sshConfig = pkgs.writeText "config" '' | ||
7 | Include /etc/ssh/ssh_config | ||
8 | |||
9 | ControlMaster auto | ||
10 | ControlPath /var/lib/borg/.borgssh-master-%r@%n:%p | ||
11 | ControlPersist yes | ||
12 | |||
13 | Host yggdrasil.borgbase | ||
14 | HostName nx69hpl8.repo.borgbase.com | ||
15 | User nx69hpl8 | ||
16 | IdentityFile ${config.sops.secrets."append.borgbase".path} | ||
17 | IdentitiesOnly yes | ||
18 | |||
19 | BatchMode yes | ||
20 | ServerAliveInterval 10 | ||
21 | ServerAliveCountMax 30 | ||
22 | ''; | ||
23 | |||
6 | copyService = { repo, repoEscaped }: let | 24 | copyService = { repo, repoEscaped }: let |
7 | serviceName = "copy-borg@${repoEscaped}"; | 25 | serviceName = "copy-borg@${repoEscaped}"; |
8 | sshConfig = pkgs.writeText "config" '' | ||
9 | Include /etc/ssh/ssh_config | ||
10 | |||
11 | Host yggdrasil.borgbase | ||
12 | HostName nx69hpl8.repo.borgbase.com | ||
13 | User nx69hpl8 | ||
14 | IdentityFile ${config.sops.secrets."append.borgbase".path} | ||
15 | IdentitiesOnly yes | ||
16 | |||
17 | BatchMode yes | ||
18 | ServerAliveInterval 10 | ||
19 | ServerAliveCountMax 30 | ||
20 | ''; | ||
21 | in nameValuePair serviceName { | 26 | in nameValuePair serviceName { |
22 | serviceConfig = { | 27 | serviceConfig = { |
23 | Type = "oneshot"; | 28 | Type = "oneshot"; |
@@ -72,8 +77,63 @@ let | |||
72 | --prefix PATH : ${makeBinPath (with pkgs; [utillinux borgbackup])}:${config.security.wrapperDir} | 77 | --prefix PATH : ${makeBinPath (with pkgs; [utillinux borgbackup])}:${config.security.wrapperDir} |
73 | ''; | 78 | ''; |
74 | }); | 79 | }); |
80 | |||
81 | borgsnap = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage rec { | ||
82 | pname = "borgsnap"; | ||
83 | src = ./borgsnap; | ||
84 | version = "0.0.0"; | ||
85 | ignoreDataOutdated = true; | ||
86 | |||
87 | requirements = '' | ||
88 | atomicwrites | ||
89 | pyprctl | ||
90 | python-unshare | ||
91 | xdg | ||
92 | python-dateutil | ||
93 | ''; | ||
94 | postInstall = '' | ||
95 | wrapProgram $out/bin/borgsnap \ | ||
96 | --prefix PATH : ${makeBinPath (with pkgs; [utillinux borgbackup])}:${config.security.wrapperDir} | ||
97 | ''; | ||
98 | |||
99 | providers.python-unshare = "nixpkgs"; | ||
100 | overridesPre = [ | ||
101 | (self: super: { python-unshare = super.python-unshare.overrideAttrs (oldAttrs: { name = "python-unshare-0.2.1"; version = "0.2.1"; }); }) | ||
102 | ]; | ||
103 | |||
104 | _.xdg.buildInputs.add = with pkgs."python3Packages"; [ poetry ]; | ||
105 | _.tomli.buildInputs.add = with pkgs."python3Packages"; [ flit-core ]; | ||
106 | }; | ||
75 | in { | 107 | in { |
76 | config = { | 108 | config = { |
109 | services.zfssnap.config.exec = { | ||
110 | check = "${borgsnap}/bin/borgsnap -vvv --target yggdrasil.borgbase:repo --archive-prefix yggdrasil.vidhar. check --cache-file /run/zfssnap-prune/archives-cache.json"; | ||
111 | cmd = "${borgsnap}/bin/borgsnap -vvv --target yggdrasil.borgbase:repo --archive-prefix yggdrasil.vidhar. create --dry-run"; | ||
112 | |||
113 | halfweekly = "8"; | ||
114 | monthly = "-1"; | ||
115 | }; | ||
116 | |||
117 | systemd.services = { | ||
118 | "zfssnap-prune" = { | ||
119 | serviceConfig = { | ||
120 | Environment = [ | ||
121 | "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\"" | ||
122 | "BORG_BASE_DIR=/var/lib/borg" | ||
123 | "BORG_CONFIG_DIR=/var/lib/borg/config" | ||
124 | "BORG_CACHE_DIR=/var/lib/borg/cache" | ||
125 | "BORG_SECURITY_DIR=/var/lib/borg/security" | ||
126 | "BORG_KEYS_DIR=/var/lib/borg/keys" | ||
127 | "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}" | ||
128 | "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" | ||
129 | "BORG_HOSTNAME_IS_UNIQUE=yes" | ||
130 | ]; | ||
131 | RuntimeDirectory = "zfssnap-prune"; | ||
132 | }; | ||
133 | }; | ||
134 | } // listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]); | ||
135 | |||
136 | |||
77 | services.borgbackup.repos.jotnar = { | 137 | services.borgbackup.repos.jotnar = { |
78 | path = "/srv/backup/borg/jotnar"; | 138 | path = "/srv/backup/borg/jotnar"; |
79 | authorizedKeysAppendOnly = let | 139 | authorizedKeysAppendOnly = let |
@@ -111,11 +171,9 @@ in { | |||
111 | mode = "0400"; | 171 | mode = "0400"; |
112 | }; | 172 | }; |
113 | 173 | ||
114 | systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]); | ||
115 | |||
116 | systemd.timers."copy-borg@srv-backup-borg-jotnar" = { | 174 | systemd.timers."copy-borg@srv-backup-borg-jotnar" = { |
117 | wantedBy = ["multi-user.target"]; | 175 | wantedBy = ["multi-user.target"]; |
118 | 176 | ||
119 | timerConfig = { | 177 | timerConfig = { |
120 | OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin"; | 178 | OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin"; |
121 | }; | 179 | }; |