{ config, pkgs, lib, flakeInputs, ... }: with lib; let sshConfig = pkgs.writeText "config" '' Include /etc/ssh/ssh_config ControlMaster auto ControlPath /var/lib/borg/.borgssh-master-%r@%n:%p ControlPersist yes Host yggdrasil.borgbase HostName nx69hpl8.repo.borgbase.com User nx69hpl8 IdentityFile ${config.sops.secrets."append.borgbase".path} IdentitiesOnly yes BatchMode yes ServerAliveInterval 10 ServerAliveCountMax 30 ''; copyService = { repo, repoEscaped }: let serviceName = "copy-borg@${repoEscaped}"; in nameValuePair serviceName { serviceConfig = { Type = "oneshot"; ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo"; TimeoutStartSec = "8h"; # User = "borg"; # Group = "borg"; # StateDirectory = "borg"; RuntimeDirectory = "copy-borg"; Environment = [ "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\"" "BORG_BASE_DIR=/var/lib/borg" "BORG_CONFIG_DIR=/var/lib/borg/config" "BORG_CACHE_DIR=/var/lib/borg/cache" "BORG_SECURITY_DIR=/var/lib/borg/security" "BORG_KEYS_DIR=/var/lib/borg/keys" "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}" "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" "BORG_HOSTNAME_IS_UNIQUE=yes" ]; }; }; copyBorg = pkgs.stdenv.mkDerivation (let packageOverrides = pkgs.callPackage ./pyprctl-packages.nix {}; inpPython = pkgs.python39.override { inherit packageOverrides; }; in rec { name = "copy"; src = ./copy.py; phases = ["buildPhase" "checkPhase" "installPhase"]; buildInputs = with pkgs; [makeWrapper]; python = inpPython.withPackages (ps: with ps; [humanize tqdm python-dateutil xdg python-unshare pyprctl halo]); buildPhase = '' substitute $src copy \ --subst-var-by python ${escapeShellArg python} ''; doCheck = true; checkPhase = '' ${python}/bin/python -m py_compile copy ''; installPhase = '' install -m 0755 -D -t $out/bin \ copy wrapProgram $out/bin/copy \ --prefix PATH : ${makeBinPath (with pkgs; [config.boot.zfs.package util-linux borgbackup])}:${config.security.wrapperDir} ''; }); borgsnap = flakeInputs.mach-nix.lib.${config.nixpkgs.system}.buildPythonPackage rec { pname = "borgsnap"; src = ./borgsnap; version = "0.0.0"; ignoreDataOutdated = true; requirements = '' atomicwrites pyprctl python-unshare python-dateutil ''; postInstall = '' wrapProgram $out/bin/borgsnap \ --prefix PATH : ${makeBinPath (with pkgs; [util-linux borgbackup])}:${config.security.wrapperDir} ''; providers.python-unshare = "nixpkgs"; overridesPre = [ (self: super: { python-unshare = super.python-unshare.overrideAttrs (oldAttrs: { name = "python-unshare-0.2.1"; version = "0.2.1"; }); }) ]; _.tomli.buildInputs.add = with pkgs."python3Packages"; [ flit-core ]; }; in { config = { services.zfssnap.config.exec = { check = "${borgsnap}/bin/borgsnap -vvv --target yggdrasil.borgbase:repo --archive-prefix yggdrasil.vidhar. check --cache-file /run/zfssnap-prune/archives-cache.json"; cmd = "${borgsnap}/bin/borgsnap -vvv --target yggdrasil.borgbase:repo --archive-prefix yggdrasil.vidhar. create"; halfweekly = "8"; monthly = "-1"; }; systemd.services = { "zfssnap-prune" = { serviceConfig = { Environment = [ "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\"" "BORG_BASE_DIR=/var/lib/borg" "BORG_CONFIG_DIR=/var/lib/borg/config" "BORG_CACHE_DIR=/var/lib/borg/cache" "BORG_SECURITY_DIR=/var/lib/borg/security" "BORG_KEYS_DIR=/var/lib/borg/keys" "BORG_KEY_FILE=${config.sops.secrets."yggdrasil.borgkey".path}" "BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=yes" "BORG_HOSTNAME_IS_UNIQUE=yes" ]; RuntimeDirectory = "zfssnap-prune"; }; }; } // listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]); services.borgbackup.repos.jotnar = { path = "/srv/backup/borg/jotnar"; authorizedKeysAppendOnly = let dir = ./jotnar; toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}"); in filter (v: v != null) (mapAttrsToList toAuthKey (builtins.readDir dir)); }; boot.postBootCommands = mkBefore '' ${pkgs.findutils}/bin/find /srv/backup/borg -type d -empty -delete ''; users.users.borg.extraGroups = ["ssh"]; services.openssh.extraConfig = '' Match User borg ClientAliveInterval 10 ClientAliveCountMax 30 Match All ''; sops.secrets."append.borgbase" = { format = "binary"; sopsFile = ./append.borgbase; owner = "borg"; group = "borg"; mode = "0400"; }; sops.secrets."yggdrasil.borgkey" = { format = "binary"; sopsFile = ./yggdrasil.borgkey; owner = "borg"; group = "borg"; mode = "0400"; }; systemd.timers."copy-borg@srv-backup-borg-jotnar" = { wantedBy = ["multi-user.target"]; timerConfig = { OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin"; }; }; }; }