nixos-config/configs/nixos/ni/modules/services/backup/default.nix

# It's a setup for my backup.
{ config, lib, pkgs, foodogsquaredLib, ... }:

let
  hostCfg = config.hosts.ni;
  cfg = hostCfg.services.backup;

  borgJobCommonSetting = { patterns ? [ ], passCommand, ... }@args:
    let args' = lib.attrsets.removeAttrs args [ "patterns" "passCommand" ];
    in {
      compression = "zstd,12";
      dateFormat = "+%F-%H-%M-%S-%z";
      doInit = false;
      encryption = {
        inherit passCommand;
        mode = "repokey-blake2";
      };
      extraCreateArgs = lib.concatStringsSep " "
        (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
      extraInitArgs = "--make-parent-dirs";

      # We're emptying them since we're specifying them all through the patterns file.
      paths = lib.mkForce [ ];

      persistentTimer = true;
      preHook = ''
        extraCreateArgs="$extraCreateArgs --exclude-if-present .nobackup"
        extraCreateArgs="$extraCreateArgs --stats"
      '';
      prune = {
        keep = {
          within = "1d";
          hourly = 8;
          daily = 30;
          weekly = 4;
          monthly = 6;
          yearly = 3;
        };
      };
    } // args';

  hetzner-boxes-user = "u332477";
  hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";

  pathPrefix = "borg-backup";
in {
  options.hosts.ni.services.backup.enable =
    lib.mkEnableOption "backup setup with BorgBackup and Snapper";

  config = lib.mkIf cfg.enable {
    sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml
      (foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
        "patterns/home" = { };
        "patterns/root" = { };
        "patterns/keys" = { };
        "repos/archives/password" = { };
        "repos/external-hdd/password" = { };
        "repos/hetzner-box/password" = { };
        "repos/hetzner-box/ssh-key" = { };
      });

    suites.filesystem.setups = { laptop-ssd.enable = true; };

    services.borgbackup.jobs = {
      local-external-storage = borgJobCommonSetting {
        patterns = with config.sops; [
          secrets."${pathPrefix}/patterns/root".path
          secrets."${pathPrefix}/patterns/keys".path
        ];
        passCommand = "cat ${
            config.sops.secrets."${pathPrefix}/repos/external-hdd/password".path
          }";
        removableDevice = true;
        doInit = true;
        repo = "${config.state.paths.laptop-ssd}/Backups";
      };

      remote-backup-hetzner-box = borgJobCommonSetting {
        patterns = with config.sops;
          [ secrets."${pathPrefix}/patterns/home".path ];
        passCommand = "cat ${
            config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path
          }";
        doInit = true;
        repo =
          "ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";
        startAt = "04:30";
        environment.BORG_RSH = "ssh -i ${
            config.sops.secrets."${pathPrefix}/repos/hetzner-box/ssh-key".path
          }";
      };
    };

    # The filesystem snapshots.
    services.snapper = {
      snapshotInterval = "hourly";
      persistentTimer = true;

      configs = {
        root = {
          SUBVOLUME = "/";
          SPACE_LIMIT = "0.25";
          FREE_LIMIT = "0.25";
          BACKGROUND_COMPARISION = "yes";
          NUMBER_CLEANUP = true;
          TIMELINE_CREATE = true;
          TIMELINE_CLEANUP = true;
          TIMELINE_LIMIT_HOURLY = 48;
          TIMELINE_LIMIT_DAILY = 30;
          TIMELINE_LIMIT_WEEKLY = 8;
          TIMELINE_LIMIT_MONTHLY = 24;
          TIMELINE_LIMIT_QUARTERLY = 10;
          TIMELINE_LIMIT_YEARLY = 8;
        };

        home = {
          SUBVOLUME = "/home";
          ALLOW_USERS = [ "foo-dogsquared" ];
          TIMELINE_CREATE = true;
          TIMELINE_CLEANUP = true;
          TIMELINE_MIN_AGE = 300;
          TIMELINE_LIMIT_HOURLY = 24;
          TIMELINE_LIMIT_DAILY = 30;
          TIMELINE_LIMIT_WEEKLY = 12;
        };
      };
    };
  };
}
tasks/backup-archive: update to new repo and description 2022-07-05 22:43:09 +00:00			`# It's a setup for my backup.`
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`{ config, lib, pkgs, foodogsquaredLib, ... }:`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
			`let`
tasks/backup-archive: migrate as ni's host-specific module In practice, this is only used by it. 2023-12-15 06:14:15 +00:00			`hostCfg = config.hosts.ni;`
			`cfg = hostCfg.services.backup;`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
hosts/ni/services/backup: update backup service 2024-03-11 00:51:02 +00:00			`borgJobCommonSetting = { patterns ? [ ], passCommand, ... }@args:`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`let args' = lib.attrsets.removeAttrs args [ "patterns" "passCommand" ];`
			`in {`
			`compression = "zstd,12";`
			`dateFormat = "+%F-%H-%M-%S-%z";`
			`doInit = false;`
			`encryption = {`
			`inherit passCommand;`
			`mode = "repokey-blake2";`
			`};`
			`extraCreateArgs = lib.concatStringsSep " "`
			`(builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);`
			`extraInitArgs = "--make-parent-dirs";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`# We're emptying them since we're specifying them all through the patterns file.`
			`paths = lib.mkForce [ ];`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`persistentTimer = true;`
			`preHook = ''`
			`extraCreateArgs="$extraCreateArgs --exclude-if-present .nobackup"`
			`extraCreateArgs="$extraCreateArgs --stats"`
			`'';`
			`prune = {`
			`keep = {`
			`within = "1d";`
			`hourly = 8;`
			`daily = 30;`
			`weekly = 4;`
			`monthly = 6;`
			`yearly = 3;`
			`};`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`} // args';`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
config: replace Borgbase with Hetzner storage box for Borg repos 2023-01-07 02:51:49 +00:00			`hetzner-boxes-user = "u332477";`
			`hetzner-boxes-server = "${hetzner-boxes-user}.your-storagebox.de";`
tasks: refactor with path prefix 2023-07-05 05:14:38 +00:00
			`pathPrefix = "borg-backup";`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`in {`
tasks/backup-archive: migrate as ni's host-specific module In practice, this is only used by it. 2023-12-15 06:14:15 +00:00			`options.hosts.ni.services.backup.enable =`
hosts/ni/services/backup: add Snapper service 2025-02-08 02:10:16 +00:00			`lib.mkEnableOption "backup setup with BorgBackup and Snapper";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
			`config = lib.mkIf cfg.enable {`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml`
flake-parts/setups: set separate namespace for custom library This at least allows us to make custom environment-specific library sets. 2024-02-11 07:16:25 +00:00			`(foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {`
tasks: add prefix for sops secrets key path 2023-07-05 05:04:52 +00:00			`"patterns/home" = { };`
hosts/ni/services/backup: update backup service 2024-03-11 00:51:02 +00:00			`"patterns/root" = { };`
tasks: add prefix for sops secrets key path 2023-07-05 05:04:52 +00:00			`"patterns/keys" = { };`
hosts/ni/services/backup: update backup service 2024-03-11 00:51:02 +00:00			`"repos/archives/password" = { };`
			`"repos/external-hdd/password" = { };`
tasks: add prefix for sops secrets key path 2023-07-05 05:04:52 +00:00			`"repos/hetzner-box/password" = { };`
hosts/ni/services/backup: update backup service 2024-03-11 00:51:02 +00:00			`"repos/hetzner-box/ssh-key" = { };`
tasks: add prefix for sops secrets key path 2023-07-05 05:04:52 +00:00			`});`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`suites.filesystem.setups = { laptop-ssd.enable = true; };`
tasks/backup-archive: use no local archive anymore It is no more than a safety net and an expensive one at that. A dedicated external storage media would be better. Ideally, hosts should have a snapshotting system with btrfs or similar but it is what it is for now. 2022-07-09 21:43:32 +00:00
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`services.borgbackup.jobs = {`
hosts/ni/services/backup: remove local external storage backup job Much of the backup occurs on the user-level anyways and we have already made that. 2024-12-03 04:42:22 +00:00			`local-external-storage = borgJobCommonSetting {`
hosts/ni/services/backup: refactor code 2024-03-06 09:03:12 +00:00			`patterns = with config.sops; [`
			`secrets."${pathPrefix}/patterns/root".path`
			`secrets."${pathPrefix}/patterns/keys".path`
			`];`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`passCommand = "cat ${`
			`config.sops.secrets."${pathPrefix}/repos/external-hdd/password".path`
			`}";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`removableDevice = true;`
hosts/ni/services/backup: update backup service 2024-03-11 00:51:02 +00:00			`doInit = true;`
hosts/ni/services/backup: remove local external storage backup job Much of the backup occurs on the user-level anyways and we have already made that. 2024-12-03 04:42:22 +00:00			`repo = "${config.state.paths.laptop-ssd}/Backups";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`

hosts/ni/services/backup: refactor code 2024-03-06 09:03:12 +00:00			`remote-backup-hetzner-box = borgJobCommonSetting {`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`patterns = with config.sops;`
			`[ secrets."${pathPrefix}/patterns/home".path ];`
			`passCommand = "cat ${`
			`config.sops.secrets."${pathPrefix}/repos/hetzner-box/password".path`
			`}";`
hosts/ni/services/backup: refactor code 2024-03-06 09:03:12 +00:00			`doInit = true;`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`repo =`
			`"ssh://${hetzner-boxes-user}@${hetzner-boxes-server}:23/./borg/desktop/ni";`
hosts/ni/services/backup: refactor code 2024-03-06 09:03:12 +00:00			`startAt = "04:30";`
chore: reformat codebase 2025-01-29 04:48:19 +00:00			`environment.BORG_RSH = "ssh -i ${`
			`config.sops.secrets."${pathPrefix}/repos/hetzner-box/ssh-key".path`
			`}";`
hosts/ni/services/backup: refactor code 2024-03-06 09:03:12 +00:00			`};`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`
hosts/ni/services/backup: add Snapper service 2025-02-08 02:10:16 +00:00
			`# The filesystem snapshots.`
			`services.snapper = {`
			`snapshotInterval = "hourly";`
			`persistentTimer = true;`

			`configs = {`
			`root = {`
			`SUBVOLUME = "/";`
			`SPACE_LIMIT = "0.25";`
			`FREE_LIMIT = "0.25";`
			`BACKGROUND_COMPARISION = "yes";`
			`NUMBER_CLEANUP = true;`
			`TIMELINE_CREATE = true;`
			`TIMELINE_CLEANUP = true;`
			`TIMELINE_LIMIT_HOURLY = 48;`
			`TIMELINE_LIMIT_DAILY = 30;`
			`TIMELINE_LIMIT_WEEKLY = 8;`
			`TIMELINE_LIMIT_MONTHLY = 24;`
			`TIMELINE_LIMIT_QUARTERLY = 10;`
			`TIMELINE_LIMIT_YEARLY = 8;`
			`};`

			`home = {`
			`SUBVOLUME = "/home";`
			`ALLOW_USERS = [ "foo-dogsquared" ];`
			`TIMELINE_CREATE = true;`
			`TIMELINE_CLEANUP = true;`
			`TIMELINE_MIN_AGE = 300;`
			`TIMELINE_LIMIT_HOURLY = 24;`
			`TIMELINE_LIMIT_DAILY = 30;`
			`TIMELINE_LIMIT_WEEKLY = 12;`
			`};`
			`};`
			`};`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`};`
			`}`