nixos-configs/nixos/backups.nix

94 lines
2.7 KiB
Nix

{
pkgs,
lib,
config,
...
}: let
cfg = config.pim.backups;
borgmaticConfig = pkgs.writeTextFile {
name = "borgmatic-config.yaml";
text = lib.generators.toYAML {} {
source_directories = ["/mnt/longhorn/persistent/longhorn-backup"];
repositories = [
{
path = cfg.repoLocation;
label = "nfs";
}
{
path = "ssh://s6969ym3@s6969ym3.repo.borgbase.com/./repo";
label = "borgbase";
}
];
ssh_command = "${pkgs.openssh}/bin/ssh -i ${config.sops.secrets."borg/borgbasePrivateKey".path} -o StrictHostKeychecking=no";
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 12;
keep_yearly = -1;
encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets."borg/borgPassphrase".path}";
};
};
in {
options.pim.backups = {
enable = lib.mkOption {
default = false;
type = lib.types.bool;
description = ''
Whether to enable backups of persistent data on this machine.
'';
};
repoLocation = lib.mkOption {
default = "/mnt/longhorn/persistent/nfs.borg";
type = lib.types.str;
description = ''
Location of the Borg repository to back up to.
'';
};
};
config = lib.mkIf cfg.enable {
environment.systemPackages = with pkgs; [borgbackup];
# Converted from:
# https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
systemd.services.borgmatic = {
description = "borgmatic backup";
wants = ["network-online.target"];
after = ["network-online.target"];
unitConfig.ConditionACPower = true;
preStart = "${pkgs.coreutils}/bin/sleep 10s";
serviceConfig = {
Type = "oneshot";
Nice = 19;
CPUSchedulingPolicy = "batch";
IOSchedulingClass = "best-effort";
IOSchedulingPriority = 7;
IOWeight = 100;
Restart = "no";
LogRateLimitIntervalSec = 0;
Environment = "BORG_PASSPHRASE_FILE=${config.sops.secrets."borg/borgPassphrase".path}";
};
script = "${pkgs.systemd}/bin/systemd-inhibit --who=\"borgmatic\" --what=\"sleep:shutdown\" --why=\"Prevent interrupting scheduled backup\" ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}";
};
systemd.timers.borgmatic = {
description = "Run borgmatic backup";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* 3:00:00";
Persistent = true;
RandomizedDelaySec = "1h";
};
};
sops.secrets = {
"borg/borgPassphrase" = {};
"borg/borgbasePrivateKey" = {};
};
};
}