nixos-config/configs/nixos/ni/modules/services/backup/default.nix

# It's a setup for my backup.
{ config, lib, pkgs, foodogsquaredLib, ... }:

let
  hostCfg = config.hosts.ni;
  cfg = hostCfg.services.backup;

  borgJobCommonSetting = { patterns ? [ ], passCommand }: {
    compression = "zstd,12";
    dateFormat = "+%F-%H-%M-%S-%z";
    doInit = false;
    encryption = {
      inherit passCommand;
      mode = "repokey-blake2";
    };
    extraCreateArgs = lib.concatStringsSep " "
      (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
    extraInitArgs = "--make-parent-dirs";

    # We're emptying them since we're specifying them all through the patterns file.
    paths = [ ];

    persistentTimer = true;
    preHook = ''
      extraCreateArgs="$extraCreateArgs --exclude-if-present .nobackup"
      extraCreateArgs="$extraCreateArgs --stats"
    '';
    prune = {
      keep = {
        within = "1d";
        hourly = 8;
        daily = 30;
        weekly = 4;
        monthly = 6;
        yearly = 3;
      };
    };
  };

  hetzner-boxes-user = "u332477";
  hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";

  pathPrefix = "borg-backup";
in
{
  options.hosts.ni.services.backup.enable =
    lib.mkEnableOption "backup setup with BorgBackup";

  config = lib.mkIf cfg.enable {
    sops.secrets = foodogsquaredLib.sops-nix.getSecrets
      ./secrets.yaml
      (foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
        "patterns/home" = { };
        "patterns/etc" = { };
        "patterns/keys" = { };
        "patterns/remote-backup" = { };
        "repos/archive/password" = { };
        "repos/external-drive/password" = { };
        "repos/hetzner-box/password" = { };
        "ssh-key" = { };
      });

    suites.filesystem.setups = {
      archive.enable = true;
      external-hdd.enable = true;
    };

    services.borgbackup.jobs = {
      local-archive = borgJobCommonSetting
        {
          patterns = with config.sops; [
            secrets."${pathPrefix}/patterns/home".path
            secrets."${pathPrefix}/patterns/etc".path
            secrets."${pathPrefix}/patterns/keys".path
          ];
          passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/archive/password".path}";
        } // {
        removableDevice = true;
        repo = "/mnt/archives/backups";
        startAt = "04:30";
      };

      local-external-drive = borgJobCommonSetting
        {
          patterns = with config.sops; [
            secrets."${pathPrefix}/patterns/home".path
            secrets."${pathPrefix}/patterns/etc".path
            secrets."${pathPrefix}/patterns/keys".path
          ];
          passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/external-drive/password".path}";
        } // {
        removableDevice = true;
        repo = "/mnt/external-storage/backups";
        startAt = "04:30";
      };

      #remote-backup-hetzner-box = borgJobCommonSetting
      #  {
      #    patterns = with config.sops; [
      #      secrets."${pathPrefix}/patterns/remote-backup".path
      #    ];
      #    passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";
      #  } // {
      #  doInit = true;
      #  repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
      #  startAt = "04:30";
      #  environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";
      #};
    };

    programs.ssh.extraConfig = ''
      Host ${hetzner-boxes-server}
        IdentityFile ${config.sops.secrets."${pathPrefix}/ssh-key".path}
    '';

    services.btrfs.autoScrub = {
      enable = true;
      fileSystems = [
        "/mnt/archives"
      ];
    };
  };
}
tasks/backup-archive: update to new repo and description 2022-07-05 22:43:09 +00:00			`# It's a setup for my backup.`
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`{ config, lib, pkgs, foodogsquaredLib, ... }:`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
			`let`
tasks/backup-archive: migrate as ni's host-specific module In practice, this is only used by it. 2023-12-15 06:14:15 +00:00			`hostCfg = config.hosts.ni;`
			`cfg = hostCfg.services.backup;`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
tasks/backup-archive: assign different passwords for different repos 2023-01-11 05:16:02 +00:00			`borgJobCommonSetting = { patterns ? [ ], passCommand }: {`
tasks/backup-archive: change default settings 2022-12-04 06:08:31 +00:00			`compression = "zstd,12";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`dateFormat = "+%F-%H-%M-%S-%z";`
tasks/backup-archive: change default settings 2022-12-04 06:08:31 +00:00			`doInit = false;`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`encryption = {`
tasks/backup-archive: assign different passwords for different repos 2023-01-11 05:16:02 +00:00			`inherit passCommand;`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`mode = "repokey-blake2";`
			`};`
			`extraCreateArgs = lib.concatStringsSep " "`
			`(builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);`
			`extraInitArgs = "--make-parent-dirs";`

			`# We're emptying them since we're specifying them all through the patterns file.`
			`paths = [ ];`

			`persistentTimer = true;`
			`preHook = ''`
			`extraCreateArgs="$extraCreateArgs --exclude-if-present .nobackup"`
			`extraCreateArgs="$extraCreateArgs --stats"`
			`'';`
			`prune = {`
			`keep = {`
			`within = "1d";`
			`hourly = 8;`
			`daily = 30;`
			`weekly = 4;`
			`monthly = 6;`
			`yearly = 3;`
			`};`
			`};`
			`};`

config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`hetzner-boxes-user = "u332477";`
			`hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00
			`pathPrefix = "borg-backup";`
tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`in`
			`{`
tasks/backup-archive: migrate as ni's host-specific module In practice, this is only used by it. 2023-12-15 06:14:15 +00:00			`options.hosts.ni.services.backup.enable =`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`lib.mkEnableOption "backup setup with BorgBackup";`

			`config = lib.mkIf cfg.enable {`
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`sops.secrets = foodogsquaredLib.sops-nix.getSecrets`
tasks/backup-archive: migrate as ni's host-specific module In practice, this is only used by it. 2023-12-15 06:14:15 +00:00			`./secrets.yaml`
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`(foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {`
tasks: add prefix for sops secrets key path 2023-07-05 05:04:52 +00:00			`"patterns/home" = { };`
			`"patterns/etc" = { };`
			`"patterns/keys" = { };`
			`"patterns/remote-backup" = { };`
			`"repos/archive/password" = { };`
			`"repos/external-drive/password" = { };`
			`"repos/hetzner-box/password" = { };`
			`"ssh-key" = { };`
			`});`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
modules: move `profiles` custom namespace to `suites` We now have a "proper" profiles modules ala-nixpkgs so we'll have to move these to make it less confusing. 2024-01-22 06:48:55 +00:00			`suites.filesystem.setups = {`
profiles/filesystem: create module This is primarily intended to centralize where we define our filesystems. This way, it would also avoid potential misconfiguration with the mount options. 2022-08-20 05:07:13 +00:00			`archive.enable = true;`
			`external-hdd.enable = true;`
tasks/backup-archive: use no local archive anymore It is no more than a safety net and an expensive one at that. A dedicated external storage media would be better. Ideally, hosts should have a snapshotting system with btrfs or similar but it is what it is for now. 2022-07-09 21:43:32 +00:00			`};`

backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`services.borgbackup.jobs = {`
tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`local-archive = borgJobCommonSetting`
			`{`
			`patterns = with config.sops; [`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00			`secrets."${pathPrefix}/patterns/home".path`
			`secrets."${pathPrefix}/patterns/etc".path`
			`secrets."${pathPrefix}/patterns/keys".path`
tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`];`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00			`passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/archive/password".path}";`
tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`} // {`
tasks/backup-archive: use no local archive anymore It is no more than a safety net and an expensive one at that. A dedicated external storage media would be better. Ideally, hosts should have a snapshotting system with btrfs or similar but it is what it is for now. 2022-07-09 21:43:32 +00:00			`removableDevice = true;`
			`repo = "/mnt/archives/backups";`
tasks/backup-archive: change daily time schedule 2023-09-19 05:01:55 +00:00			`startAt = "04:30";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`

tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`local-external-drive = borgJobCommonSetting`
			`{`
			`patterns = with config.sops; [`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00			`secrets."${pathPrefix}/patterns/home".path`
			`secrets."${pathPrefix}/patterns/etc".path`
			`secrets."${pathPrefix}/patterns/keys".path`
tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`];`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00			`passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/external-drive/password".path}";`
tasks/backup-archive: format and refactor 2022-09-01 14:47:22 +00:00			`} // {`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`removableDevice = true;`
			`repo = "/mnt/external-storage/backups";`
tasks/backup-archive: change daily time schedule 2023-09-19 05:01:55 +00:00			`startAt = "04:30";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`

flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`#remote-backup-hetzner-box = borgJobCommonSetting`
			`# {`
			`# patterns = with config.sops; [`
			`# secrets."${pathPrefix}/patterns/remote-backup".path`
			`# ];`
			`# passCommand = "cat ${config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path}";`
			`# } // {`
			`# doInit = true;`
			`# repo = "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";`
			`# startAt = "04:30";`
			`# environment.BORG_RSH = "ssh -i ${config.sops.secrets."${pathPrefix}/ssh-key".path}";`
			`#};`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`

			`programs.ssh.extraConfig = ''`
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`Host ${hetzner-boxes-server}`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00			`IdentityFile ${config.sops.secrets."${pathPrefix}/ssh-key".path}`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`'';`
hosts/ni/services/backup: add btrfs autoscrub 2024-01-25 04:19:29 +00:00
			`services.btrfs.autoScrub = {`
			`enable = true;`
			`fileSystems = [`
			`"/mnt/archives"`
			`];`
			`};`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`
			`}`