Add module for backing up volume data to BorgBase

Back up freshrss volume
2025-05-25 16:56:22 +02:00 · 2025-05-25 16:56:22 +02:00 · 67e6ddbf90
commit 67e6ddbf90
parent 39125c71e1
5 changed files with 89 additions and 5 deletions
--- a/nixos/backups-ng.nix
+++ b/nixos/backups-ng.nix
@ -0,0 +1,69 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}: let
+  borgBackupOpts = {
+    options = {
+      repo = lib.mkOption {
+        type = lib.types.str;
+      };
+      paths = lib.mkOption {
+        type = with lib.types; listOf str;
+      };
+      deploymentName = lib.mkOption {
+        type = lib.types.str;
+      };
+      deploymentNamespace = lib.mkOption {
+        type = lib.types.str;
+      };
+      replicaCount = lib.mkOption {
+        type = lib.types.int;
+        default = 1;
+      };
+    };
+  };
+in {
+  options.pim.backups = {
+    borgBackups = lib.mkOption {
+      type = with lib.types; attrsOf (submodule borgBackupOpts);
+      default = {};
+    };
+  };
+
+  # TODO: should have some timeout and alerting?
+  config = {
+    services.borgbackup.jobs =
+      lib.mapAttrs (_name: c: {
+        inherit (c) repo paths;
+        startAt = "*-*-* 00:00:00";
+        # TODO: low benefit, but we could set borgbase's host keys here as they are published online.
+        environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
+        postHook = "${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=${toString c.replicaCount}";
+
+        prune.keep = {
+          within = "7d";
+          weekly = 4;
+          monthly = 6;
+        };
+
+        preHook = ''
+          ${pkgs.k3s}/bin/kubectl scale deployment -n ${c.deploymentNamespace} ${c.deploymentName} --replicas=0
+
+          while [ -n "$(${pkgs.k3s}/bin/kubectl get deployment -n ${c.deploymentNamespace} ${c.deploymentName} -o jsonpath='{.status.replicas}')" ]; do
+            echo "Waiting for replicas to scale down to 0..."
+            sleep 2
+          done
+        '';
+
+        encryption = {
+          passCommand = "cat ${config.sops.secrets."borg/borgPassphrase".path}";
+          mode = "repokey-blake2";
+        };
+      })
+      config.pim.backups.borgBackups;
+
+    systemd.timers = lib.mapAttrs' (name: _c: lib.nameValuePair "borgbackup-job-${name}" {timerConfig.RandomizedDelaySec = "1h";}) config.pim.backups.borgBackups;
+  };
+}
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -26,6 +26,7 @@
    ./kubernetes
    ./data-sharing.nix
    ./backups.nix
+    ./backups-ng.nix
  ];

  options = {
--- a/nixos/server.nix
+++ b/nixos/server.nix
@ -63,8 +63,10 @@
      };
    };

-    sops.secrets."tailscale/authKey" = {
-      sopsFile = "${self}/secrets/servers.yaml";
+    sops.secrets = {
+      "tailscale/authKey".sopsFile = "${self}/secrets/servers.yaml";
+      "borg/borgPassphrase".sopsFile = "${self}/secrets/servers.yaml";
+      "borg/borgbasePrivateKey".sopsFile = "${self}/secrets/servers.yaml";
    };
  };
 }