diff options
Diffstat (limited to '')
| -rw-r--r-- | modules/by-name/ba/backup/module.nix | 183 |
1 files changed, 144 insertions, 39 deletions
diff --git a/modules/by-name/ba/backup/module.nix b/modules/by-name/ba/backup/module.nix index 3e07fbd1..d0805092 100644 --- a/modules/by-name/ba/backup/module.nix +++ b/modules/by-name/ba/backup/module.nix @@ -14,75 +14,162 @@ ... }: let cfg = config.soispha.services.backup; + + snapshotDir = "/srv/last_snapshot"; in { options.soispha.services.backup = { - enable = lib.mkEnableOption "backups via restic to a storagebox"; + storagebox = { + enable = lib.mkEnableOption "remote backups"; + user = lib.mkOption { + type = lib.types.str; + description = "The storagebox-user to use"; + example = "u384702-sub2"; + }; - user = lib.mkOption { - type = lib.types.str; - description = "The storagebox-user to use"; - example = "u384702-sub2"; - }; - privateSshKey = lib.mkOption { - type = lib.types.path; - description = "The age-encrypted ssh-key, passed to agenix"; + sshKey = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted ssh-key, passed to agenix"; + default = ./secrets/storagebox/ssh_key.age; + }; + + repositoryPassword = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted restic password, passed to agenix"; + default = ./secrets/storagebox/repository_password.age; + }; }; - privatePassword = lib.mkOption { - type = lib.types.path; - description = "The age-encrypted restic password, passed to agenix"; + + local = { + enable = lib.mkEnableOption "local backups"; + + repositoryPassword = lib.mkOption { + type = lib.types.path; + description = "The age-encrypted restic password, passed to agenix"; + default = ./secrets/local/repository_password.age; + }; + + backupMountPoint = lib.mkOption { + type = lib.types.path; + description = "The path where to expect the mounted backup disk"; + default = "/mnt/backup"; + }; }; }; - config = lib.mkIf cfg.enable { + config = { age.secrets = { - resticpass = { - file = cfg.privatePassword; + resticStorageboxSshKey = lib.mkIf cfg.storagebox.enable { + file = cfg.storagebox.sshKey; + mode = "0700"; + owner = "root"; + group = "root"; + }; + resticStorageboxRepositoryPassword = lib.mkIf cfg.storagebox.enable { + file = cfg.storagebox.repositoryPassword; mode = "0700"; owner = "root"; group = "root"; }; - resticssh = { - file = cfg.privateSshKey; + resticLocalRepositoryPassword = lib.mkIf cfg.local.enable { + file = cfg.local.repositoryPassword; mode = "0700"; owner = "root"; group = "root"; }; }; - soispha.programs.ssh = { + soispha.programs.ssh = lib.mkIf cfg.storagebox.enable { enable = true; rootKnownHosts = { "[u459143-sub1.your-storagebox.de]:23" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs"; }; }; + systemd.services = { + prepare-backup = { + requires = []; + after = []; + + description = "Prepare a backup by snapshotting the system."; + + serviceConfig = { + ExecStart = lib.getExe (pkgs.writeShellApplication { + name = "prepareBackup"; + text = '' + set -x + + [ -d "${snapshotDir}" ] && btrfs subvolume delete "${snapshotDir}" + + # -r := Make the snapshot read-only + btrfs subvolume snapshot -r /srv "${snapshotDir}"; + ''; + + inheritPath = false; + runtimeInputs = [ + pkgs.btrfs-progs + ]; + }); + + Type = "oneshot"; + + User = "root"; + Group = "root"; + + # TODO: Hardening <2025-05-04> + }; + }; + + restic-backups-storagebox = lib.mkIf cfg.storagebox.enable { + requires = ["prepare-backup.service"]; + after = ["prepare-backup.service"]; + }; + + restic-backups-local = lib.mkIf cfg.local.enable { + requires = ["prepare-backup.service"]; + after = ["prepare-backup.service"]; + + serviceConfig = { + ConditionPathIsDirectory = "${cfg.local.backupMountPoint}"; + }; + }; + }; + services.restic.backups = let - snapshotDir = "/srv/last_snapshot"; homeDir = "${snapshotDir}/home"; + + paths = [ + snapshotDir + ]; + exclude = [ + "${homeDir}/soispha/.cache" + ]; + extraBackupArgs = [ + "--verbose=2" + ]; in { - storagebox = { + local = lib.mkIf cfg.local.enable { + inhibitsSleep = true; initialize = true; - backupPrepareCommand = - # bash - '' - [ -d "${snapshotDir}" ] && ${lib.getExe' pkgs.btrfs-progs "btrfs"} subvolume delete "${snapshotDir}" - - # -r := Make the snapshot read-only - ${lib.getExe' pkgs.btrfs-progs "btrfs"} subvolume snapshot -r /srv "${snapshotDir}"; - ''; - paths = [ - snapshotDir - ]; - exclude = [ - "${homeDir}/soispha/.cache" - ]; - extraBackupArgs = [ - "--verbose=2" - ]; - passwordFile = config.age.secrets.resticpass.path; + inherit paths exclude extraBackupArgs; + + passwordFile = config.age.secrets.resticLocalRepositoryPassword.path; + + repository = "${cfg.local.backupMountPoint}/restic-backup-data/"; + + # Start on demand. + timerConfig = null; + }; + + storagebox = lib.mkIf cfg.storagebox.enable { + inhibitsSleep = true; + initialize = true; + + inherit paths exclude extraBackupArgs; + + passwordFile = config.age.secrets.resticStorageboxRepositoryPassword.path; extraOptions = [ - "rclone.program='ssh -p 23 ${cfg.user}@${cfg.user}.your-storagebox.de -i ${config.age.secrets.resticssh.path} command_forced_on_remote'" + "rclone.program='ssh -p 23 ${cfg.storagebox.user}@${cfg.storagebox.user}.your-storagebox.de -i ${config.age.secrets.resticStorageboxSshKey.path} command_forced_on_remote'" ]; # This setting is normally passed to rclone, but we force @@ -97,6 +184,24 @@ in { Persistent = true; }; }; + + # This is only for listing, pruning and such stuff. + storagebox-admin = lib.mkIf cfg.storagebox.enable { + inhibitsSleep = false; + initialize = false; + + passwordFile = config.age.secrets.resticStorageboxRepositoryPassword.path; + extraOptions = [ + "rclone.program='ssh -p 23 ${cfg.storagebox.user}@${cfg.storagebox.user}.your-storagebox.de command_forced_on_remote'" + ]; + + # This setting is normally passed to rclone, but we force + # the command on the remote. + # As such, the value does not matter and must only be parseable by restic. + repository = "rclone: "; + + timerConfig = null; + }; }; }; } |