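# nixos-config - My current NixOS configuration
#
# Copyright (C) 2025 Benedikt Peetz <benedikt.peetz@b-peetz.de>
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This file is part of my nixos-config.
#
# You should have received a copy of the License along with this program.
# If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.

# Periodic restic backups of /srv to a Hetzner storagebox, reached over ssh.
#
# restic talks to the repository through an "rclone" program that is in fact
# plain ssh into the storagebox; the remote side forces the real command, so
# the local rclone arguments are a dummy (see `repository` below).  The ssh
# key and the restic password are decrypted by agenix at activation time and
# are readable by root only.
{
  lib,
  config,
  pkgs,
  ...
}: let
  cfg = config.soispha.services.backup;

  # Name the NixOS restic module gives the units generated for the
  # `storagebox` backup below (`restic-backups-<name>.service` / `.timer`).
  unitName = "restic-backups-storagebox";

  btrfs = lib.getExe' pkgs.btrfs-progs "btrfs";
in {
  options.soispha.services.backup = {
    enable = lib.mkEnableOption "backups via restic to a storagebox";
    user = lib.mkOption {
      type = lib.types.str;
      description = "The storagebox-user to use";
      example = "u384702-sub2";
    };
    privateSshKey = lib.mkOption {
      type = lib.types.path;
      description = "The age-encrypted ssh-key, passed to agenix";
    };
    privatePassword = lib.mkOption {
      type = lib.types.path;
      description = "The age-encrypted restic password, passed to agenix";
    };
  };

  config = lib.mkIf cfg.enable {
    # Both secrets are plain files that the (root) backup service only reads.
    # The execute bit served no purpose, so keep them owner-readable only.
    age.secrets = {
      resticpass = {
        file = cfg.privatePassword;
        mode = "0400";
        owner = "root";
        group = "root";
      };
      resticssh = {
        file = cfg.privateSshKey;
        mode = "0400";
        owner = "root";
        group = "root";
      };
    };

    soispha.programs.ssh = {
      enable = true;
      # Pinning the storagebox host key for root is what lets the backup
      # service connect non-interactively with strict host-key checking.
      # NOTE(review): this entry names `u459143-sub1`, while the ssh command
      # below connects to `<cfg.user>.your-storagebox.de`; the two only line
      # up when `cfg.user` is that sub-account -- confirm the pinned key
      # covers the configured host.
      rootKnownHosts = {
        "[u459143-sub1.your-storagebox.de]:23" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
      };
    };

    # `Requires=` is a [Unit]-section directive.  Placed in `timerConfig` it
    # is written into the [Timer] section, where systemd ignores it as an
    # unknown key.  Express the network dependency on the service unit, which
    # is the unit that actually needs the network.
    systemd.services.${unitName} = {
      requires = ["network-online.target"];
      after = ["network-online.target"];
    };

    services.restic.backups = let
      snapshotDir = "/srv/last_snapshot";
      homeDir = "${snapshotDir}/home";
    in {
      storagebox = {
        initialize = true;

        # Back up a read-only btrfs snapshot of /srv instead of the live tree,
        # so the files restic reads do not change while the backup runs.
        # The previous snapshot (if any) is dropped first.
        backupPrepareCommand =
          # bash
          ''
            [ -d "${snapshotDir}" ] && ${btrfs} subvolume delete "${snapshotDir}"
            # -r := Make the snapshot read-only
            ${btrfs} subvolume snapshot -r /srv "${snapshotDir}";
          '';

        paths = [
          snapshotDir
        ];
        exclude = [
          "${homeDir}/soispha/.cache"
        ];
        extraBackupArgs = [
          "--verbose" # Spam log
        ];

        passwordFile = config.age.secrets.resticpass.path;

        # The "rclone" program restic spawns is really ssh into the storagebox,
        # authenticated with the agenix-decrypted key.  The trailing word is a
        # placeholder: the remote forces the command that actually runs.
        extraOptions = [
          "rclone.program='ssh -p 23 ${cfg.user}@${cfg.user}.your-storagebox.de -i ${config.age.secrets.resticssh.path} command_forced_on_remote'"
        ];
        # This setting is normally passed to rclone, but we force
        # the command on the remote.
        # As such, the value does not matter and must only be parseable by restic.
        repository = "rclone: ";

        # [Timer] section only: first run 30 min after the timer starts, then
        # 2 h after each completed run; `Persistent` catches up missed runs.
        timerConfig = {
          OnActiveSec = "30m";
          OnUnitInactiveSec = "2h";
          Persistent = true;
        };
      };
    };
  };
}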