From 32282ae39d352428988891207fb4f276a311846a Mon Sep 17 00:00:00 2001 From: Gregor Kleen Date: Sun, 6 Feb 2022 21:20:24 +0100 Subject: vidhar: borg --- hosts/sif/default.nix | 24 --- hosts/vidhar/borg.nix | 12 -- hosts/vidhar/borg/authorized-keys/surtr | 26 +++ hosts/vidhar/borg/authorized-keys/surtr.pub | 1 + hosts/vidhar/borg/authorized-keys/ymir | 21 +++ hosts/vidhar/borg/authorized-keys/ymir.pub | 1 + hosts/vidhar/borg/default.nix | 36 ++++ hosts/vidhar/borg/passphrase.yaml | 34 ++++ hosts/vidhar/default.nix | 2 +- modules/borgbackup/btrfs-snapshots.nix | 52 ------ modules/borgbackup/default.nix | 206 ---------------------- modules/borgbackup/lvm-snapshots.nix | 133 -------------- modules/borgbackup/repokeys/borg_munin__borg.yaml | 33 ---- 13 files changed, 120 insertions(+), 461 deletions(-) delete mode 100644 hosts/vidhar/borg.nix create mode 100644 hosts/vidhar/borg/authorized-keys/surtr create mode 100644 hosts/vidhar/borg/authorized-keys/surtr.pub create mode 100644 hosts/vidhar/borg/authorized-keys/ymir create mode 100644 hosts/vidhar/borg/authorized-keys/ymir.pub create mode 100644 hosts/vidhar/borg/default.nix create mode 100644 hosts/vidhar/borg/passphrase.yaml delete mode 100644 modules/borgbackup/btrfs-snapshots.nix delete mode 100644 modules/borgbackup/default.nix delete mode 100644 modules/borgbackup/lvm-snapshots.nix delete mode 100644 modules/borgbackup/repokeys/borg_munin__borg.yaml diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix index 07ba564d..9516ceba 100644 --- a/hosts/sif/default.nix +++ b/hosts/sif/default.nix 
@@ -405,30 +405,6 @@ in { ACTION=="add", SUBSYSTEM=="net", KERNEL=="virbr0", ENV{NM_UNMANAGED}="1" ''; - services.borgbackup = { - snapshots = "btrfs"; - prefix = "yggdrasil.midgard.sif."; - targets = { - "munin" = { - repo = "borg.munin:borg"; - paths = [ "/home/gkleen" ]; - prune = { - "home" = - [ "--keep-within" "24H" - "--keep-daily" "31" - "--keep-monthly" "12" - "--keep-yearly" "-1" - ]; - }; - keyFile = "/run/secrets/borg-repokey--borg_munin__borg"; - }; - }; - }; - sops.secrets.borg-repokey--borg_munin__borg = { - sopsFile = /. + path + "/modules/borgbackup/repokeys/borg_munin__borg.yaml"; - key = "key"; - }; - services.btrfs.autoScrub = { enable = true; fileSystems = [ "/" "/home" ]; diff --git a/hosts/vidhar/borg.nix b/hosts/vidhar/borg.nix deleted file mode 100644 index 0a0b37a5..00000000 --- a/hosts/vidhar/borg.nix +++ /dev/null @@ -1,12 +0,0 @@ -{ ... }: -{ - config = { - users.users.borg = { - isSystemUser = true; - createHome = false; - group = "borg"; - extraGroups = [ "ssh" ]; - }; - users.groups."borg" = {}; - }; -} diff --git a/hosts/vidhar/borg/authorized-keys/surtr b/hosts/vidhar/borg/authorized-keys/surtr new file mode 100644 index 00000000..26d286b4 --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/surtr 
@@ -0,0 +1,26 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:H+YVF7wiUATbwnwzqO/LEZgWagnbeRRdMS9aK09vCbg=,tag:sDbC2g2xtjifS8Px3YI6vA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-06T19:43:25Z", + "mac": "ENC[AES256_GCM,data:K3Y96+TM4/Jsl8JQ56tpJNHmkDVuetUtQbUpDqIHbqm65d+RKoL/Qy/IWVGqcfUxZMUvzM2J3fEo/05q8mcxn+wZd2tECSJEUbgFDhGrpPZV8Ir8cQCYlPn+UBTS4rNUfEpSBlymND/vFjQ0lneqMo5lapbetSs4h/GvFzUFw8M=,iv:TyzMk7wKzZpq8TrE9uHRFXi+JzvNePcWrmyogcoCZo0=,tag:KB6ZBlGrBSGuQFg4fB407w==,type:str]", + "pgp": [ + { + "created_at": "2022-02-06T19:43:24Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DyFKFNkTVG5oSAQdAWSCnyt9/7PkWecNhcOwuw0TRJMld9dmV0Ti6KjR6bkAw\nQxTdj0rMaXFayEyyXxotbjxb/ZMTesYCqAce7RKoj0GS2GngmP6Xzpt151uSmyPs\n0l4Bh5Ohfln3bAq6iJvJfOZvwYqmoIicRZFFY7afuBDO7oad4fkoWpQWDRtuLc9M\nIC0ReFXCuQOI5eoFF3V8xT+X+icjFUCVC2OktO/6AlAtXxi6BSL+574CUMivuQz0\n=3v/M\n-----END PGP MESSAGE-----\n", + "fp": "7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8" + }, + { + "created_at": "2022-02-06T19:43:24Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAqlj4zYxkXgnJEEt/RfxQORgOzyfiZdQKzlhm78OhsBkw\nc2EdfAgpGwIm1F8tpVtwYcfNXYgfaJdADMzYSHL8qqn8DJrvhCArJdT/m7ZPWKy2\n0l4B1hpQdga7KQTD/iDlIrTJtiZ9/AMtUJM/HU9KtCl9AFGRNEGTAEdlHTUBDzOP\nTSF+R4NAqoY742C7Lf7pkHbVhhpXige37qJhvu7AMgnT5TT17McsXUj52Sy+Qv3z\n=cBYd\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/borg/authorized-keys/surtr.pub b/hosts/vidhar/borg/authorized-keys/surtr.pub new file mode 100644 index 00000000..5c044d7a --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/surtr.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5rfNezLOoI4ijzNNg61OGFfq4AXHlzVT0z/+RO0/ju surtr 
diff --git a/hosts/vidhar/borg/authorized-keys/ymir b/hosts/vidhar/borg/authorized-keys/ymir new file mode 100644 index 00000000..f3dd360c --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/ymir @@ -0,0 +1,21 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:0qExktFJCrwkPbDzyUn2mWrHXCJsDPyZ0w2pSYl/bu8=,tag:N6RWe6owTuohMpyJoJaEjQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-02-06T20:15:30Z", + "mac": "ENC[AES256_GCM,data:uuScAvmls3hQFnuzG2KJXPEC2crHmkAlQGhIsxJRKCfsrlIyLZbDhNmB+MkYSJza4X4Cshm95DcFh7+A1QFa9VlZl+7iFx2RT23dMpW4aDGPB9w/SPUTFoUiKUkxsGIl0VemnoT3EuU3iPRGqGX859MGHAFe6XprCRKUnpU0OyA=,iv:pbG7dQ2ZEVMWmlx9AQfIJBs5Wu2pKCfYQ3DrzteJj28=,tag:UvDuRPJUU7ScgwrmbGjPiA==,type:str]", + "pgp": [ + { + "created_at": "2022-02-06T20:15:29Z", + "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAAju8aRDlzlNFdCuiVeg7Kak6DgixY2Gq5fRqS78PP3Mw\nRZyzG8ZaNBSHIG+lZtgdYcMEe1kH83KZ7pimlh3jKCumpdyB0jEdoMl1VLYhaaw9\n0l4B8yQ4DbxuJuTrrlI4XtMO4srMQXn88UlqDb33ScURLPhl2Xmlhn9JNEoOgut9\nr+vQ5jj1/Cf7jE9fLeB9JcPyKeJJftIM4TBn+trvC/RaKs4gq1UVRH15WFTNRG5/\n=ncoV\n-----END PGP MESSAGE-----\n", + "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/hosts/vidhar/borg/authorized-keys/ymir.pub b/hosts/vidhar/borg/authorized-keys/ymir.pub new file mode 100644 index 00000000..a62fcfdf --- /dev/null +++ b/hosts/vidhar/borg/authorized-keys/ymir.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGRPw65gJccLR1bdKeyD/GB6dBBXPffP0JM9FvvIATzS ymir diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix new file mode 100644 index 00000000..d338dfd6 --- /dev/null +++ b/hosts/vidhar/borg/default.nix 
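Review bot: The `ymir` secret is encrypted to a single PGP recipient (`30D3453B…`), whereas `surtr` and `passphrase.yaml` in the same commit are encrypted to both `7ED22F4A…` and `30D3453B…`; if that one key is lost or rotated this file becomes unrecoverable, so re-encrypting it with the same recipient set (e.g. `sops updatekeys` or `sops -r`) keeps the recovery story uniform across the repository. Nothing in this commit references the encrypted `surtr`/`ymir` blobs themselves — `default.nix` only consumes the `.pub` files — so presumably they are the matching SSH private keys used by the client hosts' configuration elsewhere; a short note in `authorized-keys/` saying what they are and which host decrypts them would prevent them being mistaken for stray or orphaned secrets.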
@@ -0,0 +1,36 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+{
+ config = {
+ services.borgbackup.repos.borg = {
+ path = "/srv/backup/borg";
+ authorizedKeysAppendOnly = let
+ dir = ./authorized-keys;
+ toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
+ in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir));
+ };
+
+ boot.postBootCommands = mkBefore ''
+ ${pkgs.findutils}/bin/find /srv/backup/borg -maxdepth 1 -type d -empty -delete
+ '';
+
+ services.openssh.extraConfig = ''
+ Match User borg
+ ClientAliveInterval 10
+ ClientAliveCountMax 30
+
+ Match All
+ '';
+
+ sops.secrets.borg-passphrase = {
+ sopsFile = ./passphrase.yaml;
+ format = "yaml";
+ key = "borg";
+ owner = "borg";
+ group = "borg";
+ mode = "0440";
+ };
+ };
+}
diff --git a/hosts/vidhar/borg/passphrase.yaml b/hosts/vidhar/borg/passphrase.yaml
new file mode 100644
index 00000000..6a306cea
--- /dev/null
+++ b/hosts/vidhar/borg/passphrase.yaml
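Review bot: The cleanup in `boot.postBootCommands` uses `-maxdepth 1` without `-mindepth 1`, so `find` also evaluates `/srv/backup/borg` itself at depth 0 and deletes the repository root whenever it happens to be empty (a freshly provisioned host, or a backing filesystem that is not yet mounted at that point of boot); `find /srv/backup/borg -mindepth 1 -maxdepth 1 -type d -empty -delete` restricts it to the per-client subdirectories it appears to be aimed at. Separately, `sops.secrets.borg-passphrase` is made readable by the `borg` user on the repository host, yet borg encrypts client-side and `borg serve` never needs the passphrase; if this is the clients' repository passphrase, keeping it on the server means anyone who compromises vidhar can decrypt the archives, which undoes much of the benefit of the append-only keys, so if it exists only for a server-side `borg check`/`prune` job, a comment stating that and why the trade-off is accepted would help the next reader. Minor: the `authorizedKeysAppendOnly` entries come straight from `builtins.readFile`, so each key carries its trailing newline into `authorized_keys`; sshd tolerates the blank lines, but `lib.fileContents` (or `removeSuffix "\n"`) keeps the generated file tidy.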
@@ -0,0 +1,34 @@ +borg: ENC[AES256_GCM,data:Ly3WfFtHqQAK7E3MwSPMMOfVshwPurMLtAMYdfStlOk=,iv:taLOAWrdD8AkrPdMjxq3fdvIzyGAtU0NBGhdm6DKRO8=,tag:o84PE6fiVFT/NVp5HanZrg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-02-06T20:18:06Z" + mac: ENC[AES256_GCM,data:Se6Sft5FgW9SYw2PRzDCO/v0BXQSLgRSHh9UGMUCI3sfoZ00D5a3GGgNB7JN0D598ztGmShWUJi03JzxxYOOhIaJZB/Fk5cUUOsEx4kQErXCBrlktowZz7grq3E04tNzKQqzUJ83g3W/4/N6YrAKUnu/mWtMOwnxEithdTtrpS4=,iv:XVmFDCqm3Oa4/gZRVI3XWHyQ0GQE0II7OKWGDGn5TXI=,tag:e2L/dmYlpoGZb4cXClQ0vg==,type:str] + pgp: + - created_at: "2022-02-06T20:16:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DyFKFNkTVG5oSAQdAShFePaI/3pObNwFOa51ZPydA89cfwnErU9zE1/A68Qow + knL5rHbFSUUqGkiKT7syl1G9BupEAHz4BrFEXzc11VE5qc5vF3W6Lm9Agp3W/21W + 0l4BAmm/sqUKSCCqRiSQmVVlpl5Hs7tOMwUsBpZb53edik4oBd7hzsI4y9n0viEa + FhAkXtGI0LzpFRosrbHt1jTK+u9360BO4959AMIfcUCYmIYKscs47Ux3EDzk6+2i + =Azsm + -----END PGP MESSAGE----- + fp: 7ED22F4AA7BB55728B643DC5471B7D88E4EF66F8 + - created_at: "2022-02-06T20:16:31Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DXxoViZlp6dISAQdAIlHLZ6ipYghBjZeqfGv/VSsqsJHU3c6589TiSxXmCV8w + gScJtpO/R3DX1zUAVxxkOoGnJ0qS9IhBEOB4D/ET+vPteR5IIx26a3TFp4vlMXRc + 0l4BSikg39kSaxp+URvRJyAT1VQIprVkuEEmvgM5klvB+gitU0BhW//cEBvhW7SE + v+lfGy9PrpCb5yWpCN1H3DyfGwcRl6Qp3gkH5rs+/vpg39fs/Hh0CG+YnlHMzZ39 + =I8PE + -----END PGP MESSAGE----- + fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/hosts/vidhar/default.nix b/hosts/vidhar/default.nix index 09ae1e1e..c2d3461b 100644 --- a/hosts/vidhar/default.nix +++ b/hosts/vidhar/default.nix @@ -1,7 +1,7 @@ { hostName, flake, config, pkgs, lib, ... }: { imports = with flake.nixosModules.systemProfiles; [ - ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg.nix + ./zfs.nix ./network ./samba.nix ./dns.nix ./prometheus ./borg initrd-all-crypto-modules default-locale openssh rebuild-machines build-server initrd-ssh 
diff --git a/modules/borgbackup/btrfs-snapshots.nix b/modules/borgbackup/btrfs-snapshots.nix deleted file mode 100644 index 96d2b2ba..00000000 --- a/modules/borgbackup/btrfs-snapshots.nix +++ /dev/null @@ -1,52 +0,0 @@ -{ config, lib, pkgs, ... }: - -with lib; - -let - cfg = config.services.btrfs-snapshots; - - snapshotMount = str: "${str}${cfg.mountSuffix}"; -in { - options = { - - services.btrfs-snapshots = { - enable = mkEnableOption "a systemd unit for btrfs snapshots"; - - mountSuffix = mkOption { - type = types.str; - default = ".snapshot"; - }; - - readOnly = mkOption { - type = types.bool; - default = true; - }; - - persist = mkOption { - type = types.bool; - default = false; - }; - }; - - }; - - - config = mkIf cfg.enable { - systemd.services."btrfs-snapshot@" = { - enable = true; - - unitConfig = { - StopWhenUnneeded = !cfg.persist; - }; - - serviceConfig = with pkgs; { - Type = "oneshot"; - ExecStartPre = "-${btrfs-progs}/bin/btrfs subvolume delete -c ${snapshotMount "%f"}"; - ExecStart = "${btrfs-progs}/bin/btrfs subvolume snapshot ${optionalString cfg.readOnly "-r"} %f ${snapshotMount "%f"}"; - RemainAfterExit = true; - ExecStop = "${btrfs-progs}/bin/btrfs subvolume delete -c ${snapshotMount "%f"}"; - }; - }; - - }; -} diff --git a/modules/borgbackup/default.nix b/modules/borgbackup/default.nix deleted file mode 100644 index a0419d0e..00000000 --- a/modules/borgbackup/default.nix +++ /dev/null 
@@ -1,206 +0,0 @@ -{ config, lib, utils, pkgs, ... }: - -with utils; -with lib; - -let - cfg = config.services.borgbackup; - - lvmPath = { - options = { - LV = mkOption { - type = types.str; - }; - VG = mkOption { - type = types.str; - }; - }; - }; - - pathType = if cfg.snapshots == "lvm" then types.submodule lvmPath else types.path; - - systemdPath = path: escapeSystemdPath (if cfg.snapshots == "lvm" then "${path.VG}-${path.LV}" else path); - - withSuffix = path: path + (if cfg.snapshots == "btrfs" then config.services.btrfs-snapshots.mountSuffix else config.services.lvm-snapshots.mountSuffix); - - mountPoint = if cfg.snapshots == "lvm" then config.services.lvm-snapshots.mountPoint else ""; - - targetOptions = { - options = { - repo = mkOption { - type = types.str; - }; - - paths = mkOption { - type = types.listOf pathType; - default = []; - }; - - prune = mkOption { - type = types.attrsOf (types.listOf types.str); - default = {}; - }; - - interval = mkOption { - type = types.str; - default = "6h"; - }; - - jitter = mkOption { - type = with types; nullOr str; - default = "6h"; - }; - - lock = mkOption { - type = types.nullOr types.str; - default = "backup"; - }; - - network = mkOption { - type = types.bool; - default = true; - }; - - lockWait = mkOption { - type = types.int; - default = 600; - }; - - keyFile = mkOption { - type = types.nullOr types.path; - default = null; - }; - }; - }; -in { - disabledModules = [ "services/backup/borgbackup.nix" ]; - - options = { - services.borgbackup = { - snapshots = mkOption { - type = types.nullOr (types.enum ["btrfs" "lvm"]); - default = null; - }; - - targets = mkOption { - type = types.attrsOf (types.submodule targetOptions); - default = {}; - }; - - prefix = mkOption { - type = types.str; - }; - }; - }; - - imports = - [ ./lvm-snapshots.nix - ./btrfs-snapshots.nix - ]; - - config = mkIf (any (t: t.paths != []) (attrValues cfg.targets)) { - services.btrfs-snapshots.enable = mkIf (cfg.snapshots == "btrfs") true; - - 
services.lvm-snapshots.snapshots = mkIf (cfg.snapshots == "lvm") (listToAttrs (map (path: nameValuePair (path.VG + "-" + path.LV) { - inherit (path) LV VG; - mountName = withSuffix (path.VG + "-" + path.LV); - }) (unique (flatten (mapAttrsToList (target: tCfg: tCfg.paths) cfg.targets))))); - - systemd.targets."timers-borg" = { - wantedBy = [ "timers.target" ]; - }; - - systemd.slices."system-borgbackup" = {}; - - systemd.timers = (listToAttrs (map ({ target, path, tCfg }: nameValuePair "borgbackup-${target}@${systemdPath path}" { - requiredBy = [ "timers-borg.target" ]; - - timerConfig = { - Persistent = false; - OnBootSec = tCfg.interval; - OnUnitActiveSec = tCfg.interval; - RandomizedDelaySec = mkIf (tCfg.jitter != null) tCfg.jitter; - }; - }) (flatten (mapAttrsToList (target: tCfg: map (path: { inherit target path tCfg; }) tCfg.paths) cfg.targets)))) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" { - enable = tCfg.prune != {}; - - requiredBy = [ "timers-borg.target" ]; - - timerConfig = { - Persistent = false; - OnBootSec = tCfg.interval; - OnUnitActiveSec = tCfg.interval; - RandomizedDelaySec = mkIf (tCfg.jitter != null) tCfg.jitter; - }; - }) cfg.targets); - - systemd.services = (mapAttrs' (target: tCfg: nameValuePair "borgbackup-${target}@" (let - deps = flatten [ - (optional (cfg.snapshots == "btrfs") "btrfs-snapshot@%i.service") - (optional tCfg.network "network-online.target") - ]; - in { - bindsTo = deps; - after = deps; - - path = with pkgs; [borgbackup] ++ optional (tCfg.lock != null) utillinux; - - script = let - borgCmd = '' - borg create \ - --lock-wait ${toString tCfg.lockWait} \ - --stats \ - --list \ - --filter 'AME' \ - --exclude-caches \ - --keep-exclude-tags \ - --patterns-from .backup-${target} \ - --one-file-system \ - --compression auto,lzma \ - ${tCfg.repo}::${cfg.prefix}$1-{utcnow} - ''; - in if tCfg.lock == null then borgCmd else "flock -xo /var/lock/${tCfg.lock} ${borgCmd}"; - scriptArgs = if cfg.snapshots == 
"lvm" then "%I" else "%i"; - - unitConfig = { - AssertPathIsDirectory = mkIf (tCfg.lock != null) "/var/lock"; - DefaultDependencies = false; - RequiresMountsFor = mkIf (cfg.snapshots == "lvm") [ "${mountPoint}/${withSuffix "%I"}" ]; - }; - - serviceConfig = { - Type = "oneshot"; - WorkingDirectory = if (cfg.snapshots == null) then "%I" else (if (cfg.snapshots == "lvm") then "${mountPoint}/${withSuffix "%I"}" else "${withSuffix "%f"}"); - Nice = 15; - IOSchedulingClass = 2; - IOSchedulingPriority = 7; - SuccessExitStatus = [1 2]; - Slice = "system-borgbackup.slice"; - Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}"; - }; - })) cfg.targets) // (mapAttrs' (target: tCfg: nameValuePair "borgbackup-prune-${target}" { - enable = tCfg.prune != {}; - - bindsTo = ["network-online.target"]; - after = ["network-online.target"]; - - path = with pkgs; [borgbackup]; - - script = concatStringsSep "\n" (mapAttrsToList (path: args: '' - borg prune \ - --lock-wait ${toString tCfg.lockWait} \ - --list \ - --stats \ - --prefix ${escapeShellArg "${cfg.prefix}${path}"} \ - ${escapeShellArgs args} \ - ${tCfg.repo} - '') tCfg.prune); - - serviceConfig = { - Type = "oneshot"; - Slice = "system-borgbackup.slice"; - Environment = lib.mkIf (tCfg.keyFile != null) "BORG_KEY_FILE=${tCfg.keyFile}"; - }; - }) cfg.targets); - }; -} diff --git a/modules/borgbackup/lvm-snapshots.nix b/modules/borgbackup/lvm-snapshots.nix deleted file mode 100644 index 9b2a6562..00000000 --- a/modules/borgbackup/lvm-snapshots.nix +++ /dev/null 
@@ -1,133 +0,0 @@ -{ config, lib, utils, pkgs, ... }: - -with utils; -with lib; - -let - cfg = config.services.lvm-snapshots; - - snapshotMount = name: "${cfg.mountPoint}/${if isNull cfg.snapshots."${name}".mountName then name else cfg.snapshots."${name}".mountName}"; - snapshotName = name: "${name}-${cfg.mountSuffix}"; - - snapshotConfig = { - options = { - LV = mkOption { - type = types.str; - }; - - VG = mkOption { - type = types.str; - }; - - mountName = mkOption { - type = types.nullOr types.str; - default = null; - }; - - cowSize = mkOption { - type = types.str; - default = "-l20%ORIGIN"; - }; - - readOnly = mkOption { - type = types.bool; - default = true; - }; - - persist = mkOption { - type = types.bool; - default = false; - }; - }; - }; -in { - options = { - - services.lvm-snapshots = { - snapshots = mkOption { - type = types.attrsOf (types.submodule snapshotConfig); - default = {}; - }; - - mountPoint = mkOption { - type = types.path; - default = "/mnt"; - }; - - mountSuffix = mkOption { - type = types.str; - default = "-snapshot"; - }; - }; - }; - - - config = mkIf (cfg != {}) { - - boot.kernelModules = [ "dm_snapshot" ]; - - # system.activationScripts = mapAttrs' (name: scfg: nameValuePair ("lvm-mountpoint" + name) '' - # mkdir -p ${snapshotMount name} - # '') cfg.snapshots; - - systemd.services = mapAttrs' (name: scfg: nameValuePair ("lvm-snapshot@" + escapeSystemdPath name) { - enable = true; - - description = "LVM-snapshot of ${scfg.VG}/${scfg.LV}"; - - bindsTo = ["${escapeSystemdPath "/dev/${scfg.VG}/${scfg.LV}"}.device"]; - after = ["${escapeSystemdPath "/dev/${scfg.VG}/${scfg.LV}"}.device"]; - - unitConfig = { - StopWhenUnneeded = !scfg.persist; - AssertPathIsDirectory = "/var/lock"; - }; - - path = with pkgs; [ devicemapper utillinux ]; - - script = '' - ( - flock -xn -E 4 9 - if [[ "$?" -ne 0 ]]; then - exit $? 
- fi - - lvcreate -s ${scfg.cowSize} --name ${snapshotName name} ${scfg.VG}/${scfg.LV} - - sleep infinity & - ) 9>/var/lock/lvm-snapshot.${scfg.VG} - ''; - - preStart = '' - lvremove -f ${scfg.VG}/${snapshotName name} - ''; - - preStop = '' - lvremove -f ${scfg.VG}/${snapshotName name} - ''; - - serviceConfig = with pkgs; { - Type = "forking"; - RestartForceExitStatus = [ "4" ]; - RestartSec = "5min"; - }; - }) cfg.snapshots; - - systemd.mounts = mapAttrsToList (name: scfg: { - enable = true; - - unitConfig = { - # AssertPathIsDirectory = snapshotMount name; - StopWhenUnneeded = !scfg.persist; - }; - - bindsTo = [ ("lvm-snapshot@" + escapeSystemdPath name + ".service") ]; - after = [ ("lvm-snapshot@" + escapeSystemdPath name + ".service") ]; - - options = concatStringsSep "," ([ "noauto" ] ++ optional scfg.readOnly "ro"); - - where = snapshotMount name; - what = "/dev/" + scfg.VG + "/" + snapshotName name; - }) cfg.snapshots; - }; -} diff --git a/modules/borgbackup/repokeys/borg_munin__borg.yaml b/modules/borgbackup/repokeys/borg_munin__borg.yaml deleted file mode 100644 index f302fe06..00000000 --- a/modules/borgbackup/repokeys/borg_munin__borg.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -key: ENC[AES256_GCM,data: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,iv:NJBHesKSZ1zuKk8qHnYKqIwMnFkH+rkQD1bam5XpLXU=,tag:EiYbIFY/r/eTSTJIhYV+GA==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - lastmodified: '2021-01-02T20:38:48Z' - mac: ENC[AES256_GCM,data:3rkFTOk3r2dx3hOqu1u7XIIibTDfqNlRcWY9X2N/LFa/BKojgDt5tcpbphV4HqWvl8nS+fPcVrIElJfQ/QGFEOx68G95BhByntT9+JhSbHJt73dGnCSroZCw5QefdydREGvA5n00Vo9yT9IMvQsQbmpRzo6hcrSSUvagZqmZckA=,iv:F/HllDzyxgulIWZbfz9bFKR+SFg4PoaUYZ5N5hfIzw0=,tag:h2NXmvj/thhBg1rIkwdXXA==,type:str] - pgp: - - created_at: '2021-01-02T20:38:09Z' - enc: | - -----BEGIN PGP MESSAGE----- - - hF4Dgwm4NZSaLAcSAQdAwmvyXlr9MyfPfLgkfQkoktKBV2WA2xhZrGL7NeeGfhAw - REk+clJ9WgiJ0iceRAONPnEjeiK0J6Fsj+5Ulq8flFGkoj5Pta0pm/9fudKmcPdC - 0l4BF0G5LSpG1EmY+LmVdSdas16rWgthnojoXPvbbHG6jZs3aDETshdiN8Bdlqsf - aVhq2LYzscnYezNcdernR4uojtiFny8qcmdF3tFacr+mkgfgIQr0W9yWFhDH15gm - =4TwU - -----END PGP MESSAGE----- - fp: F1AF20B9511B63F681A14E8D51AEFBCD1DEF68F8 - - created_at: '2021-01-02T20:38:09Z' - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DXxoViZlp6dISAQdAruPXj9IsllEN7R5jk4gF7bW0ZirhvX7qsu22/6HbSw8w - 66RwN3WGjYO1CcVbHKuLqVVaUBCnrR/4XHN0JYUaqjubrSZBTWFKTBFsKSTT0LZq - 0l4BKcsXrbGpYC5+yQvg0RHJ7LplxpKOmqMY8KGckvGnVf2xg7k6wuWQREFzqwt+ - lOa3x+xFy9c0JwE8AafyKjb/cgqJiMb96lhsH57BpXJa2E39ImQbXqzDzdx2jEUt - =3rxi - -----END PGP MESSAGE----- - fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51 - unencrypted_suffix: _unencrypted - version: 3.6.1 -- cgit v1.2.3