From 1b04a415e98b72841e6b9dba0b0c030428ba0434 Mon Sep 17 00:00:00 2001
From: Silas Schöffel
Date: Tue, 21 Jan 2025 21:21:14 +0100
Subject: feat(modules/backup): init
---
 modules/by-name/ba/backup/module.nix | 91 ++++++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 modules/by-name/ba/backup/module.nix
(limited to 'modules/by-name/ba')
diff --git a/modules/by-name/ba/backup/module.nix b/modules/by-name/ba/backup/module.nix
new file mode 100644
index 0000000..856a1c3
--- /dev/null
+++ b/modules/by-name/ba/backup/module.nix
@@ -0,0 +1,91 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ cfg = config.vhack.backup;
+ snapshots = "/srv/snapshots";
+ postgresUser = "postgres";
+in {
+ options.vhack.backup = {
+ enable = lib.mkEnableOption "backups with restic";
+ user = lib.mkOption {
+ type = lib.types.str;
+ description = "The storagebox-user to use";
+ example = "u384702-sub2";
+ };
+ privateSshKey = lib.mkOption {
+ type = lib.types.path;
+ description = "The age-encrypted ssh-key, passed to agenix";
+ };
+ privatePassword = lib.mkOption {
+ type = lib.types.path;
+ description = "The age-encrypted restic password, passed to agenix";
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ vhack.persist.directories = [
+ {
+ directory = "/root/.ssh";
+ user = "root";
+ group = "root";
+ mode = "0700";
+ }
+ ];
+ age.secrets = {
+ resticpass = {
+ file = cfg.privatePassword;
+ mode = "0700";
+ owner = "root";
+ group = "root";
+ };
+ resticssh = {
+ file = cfg.privateSshKey;
+ mode = "0700";
+ owner = "root";
+ group = "root";
+ };
+ };
+ services.restic.backups = {
+ storagebox = {
+ initialize = true;
+ backupPrepareCommand = ''
+ ${pkgs.sudo}/bin/sudo -u ${postgresUser} ${pkgs.postgresql}/bin/pg_dumpall --clean --if-exists --quote-all-identifiers > /srv/db_backup.sql
+
+ [ -d /srv/snapshots ] || ${pkgs.btrfs-progs}/bin/btrfs subvolume create /srv/snapshots;
+ [ -d /srv/snapshots/srv ] && ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /srv/snapshots/srv;
+ ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r /srv /srv/snapshots/srv;
+
+ # dump() {
+ # # compression:
+ # # pg_dump -F t -v "$1" | xz -z -9 -e -T0 > "db_$1.tar.xz"
+ # pg_dump -v "$1" > "db_$1.tar.xz"
+ # }
+ # # List all databases, and dump each of them in its own file
+ # # psql --list --csv | while read -r line; do echo "$line" | grep ','; done | while IFS=, read -r name _; do echo "$name"; done | sed '1d' | while read -r db_name; do dump "$db_name"; done
+ '';
+ paths = [
+ snapshots
+ ];
+ exclude = [
+ ".snapshots"
+ "/var/lib/postgresql" # included in the db dump
+ ];
+ extraBackupArgs = [
+ "--verbose" # spam log
+ ];
+ passwordFile = config.age.secrets.resticpass.path;
+ extraOptions = [
+ "rclone.program='ssh -p 23 ${cfg.user}@${cfg.user}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'"
+ ];
+ repository = "rclone: "; # There is only one repository served
+ timerConfig = {
+ Requires = "network-online.target";
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ };
+ };
+ };
+}
-- 
cgit 1.4.1