nixos-config/modules/nixos/tasks/backup-archive/default.nix

# This is my external hard drive with the backup setup with borg.
{ config, options, lib, pkgs, ... }:

let
  cfg = config.tasks.backup-archive;

  borgJobCommonSetting = { patterns ? [ ] }: {
    compression = "zstd,9";
    dateFormat = "+%F-%H-%M-%S-%z";
    doInit = true;
    encryption = {
      mode = "repokey-blake2";
      passCommand = "cat ${config.age.secrets.borg-password.path}";
    };
    extraCreateArgs = lib.concatStringsSep " "
      (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
    extraInitArgs = "--make-parent-dirs";

    # We're emptying them since we're specifying them all through the patterns file.
    paths = [ ];

    persistentTimer = true;
    preHook = ''
      extraCreateArgs="$extraCreateArgs --exclude-if-present .nobackup"
      extraCreateArgs="$extraCreateArgs --stats"
    '';
    prune = {
      keep = {
        within = "1d";
        hourly = 8;
        daily = 30;
        weekly = 4;
        monthly = 6;
        yearly = 3;
      };
    };
  };

in {
  options.tasks.backup-archive.enable =
    lib.mkEnableOption "backup setup with BorgBackup";

  config = lib.mkIf cfg.enable {
    assertions = [{
      assertion = config.profiles.agenix.enable;
      message = ''
        Agenix module is not enabled. This is for the borgmatic configuration
        we're using.
      '';
    }];

    age.secrets.borg-password.file = lib.getSecret "archive/password";
    age.secrets.borg-patterns.file = lib.getSecret "archive/borg-patterns";
    age.secrets.borg-patterns-local.file =
      lib.getSecret "archive/borg-patterns-local";
    age.secrets.borg-ssh-key.file = lib.getSecret "archive/borg-ssh-key";

    fileSystems."/mnt/external-storage" = {
      device = "/dev/disk/by-uuid/665A391C5A38EB07";
      fsType = "ntfs";
      noCheck = true;
      options = [
        "nofail"
        "noauto"
        "user"

        # See systemd.mount.5 and systemd.automount.5 manual page for more
        # details.
        "x-systemd.automount"
        "x-systemd.device-timeout=2"
        "x-systemd.idle-timeout=2"
      ];
    };

    services.borgbackup.jobs = {
      local = borgJobCommonSetting {
        patterns = [
          config.age.secrets.borg-patterns-local.path
          config.age.secrets.borg-patterns.path
        ];
      } // {
        doInit = true;
        repo = "/archives/backups";
        startAt = "04/5:00:00";
      };

      local-archive = borgJobCommonSetting {
        patterns = [
          config.age.secrets.borg-patterns-local.path
          config.age.secrets.borg-patterns.path
        ];
      } // {
        doInit = false;
        removableDevice = true;
        repo = "/mnt/external-storage/backups";
        startAt = "daily";
      };

      remote-borgbase = borgJobCommonSetting {
        patterns = [ config.age.secrets.borg-patterns.path ];
      } // {
        doInit = false;
        repo = "m9s7d92s@m9s7d92s.repo.borgbase.com:repo";
        startAt = "daily";
        environment.BORG_RSH = "ssh -i ${config.age.secrets.borg-ssh-key.path}";
      };
    };

    programs.ssh.extraConfig = ''
      Host *.repo.borgbase.com
       IdentityFile ${config.age.secrets.borg-ssh-key.path}
    '';
  };
}
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`# This is my external hard drive with the backup setup with borg.`
			`{ config, options, lib, pkgs, ... }:`

			`let`
rename `hardware-setup` to `tasks` It isn't really hardware-specific anymore and it is better to put them all under in one basket. This is similar to my Ansible playbooks setup. 2022-03-31 05:59:54 +00:00			`cfg = config.tasks.backup-archive;`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00
			`borgJobCommonSetting = { patterns ? [ ] }: {`
			`compression = "zstd,9";`
			`dateFormat = "+%F-%H-%M-%S-%z";`
			`doInit = true;`
			`encryption = {`
			`mode = "repokey-blake2";`
			`passCommand = "cat ${config.age.secrets.borg-password.path}";`
			`};`
			`extraCreateArgs = lib.concatStringsSep " "`
			`(builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);`
			`extraInitArgs = "--make-parent-dirs";`

			`# We're emptying them since we're specifying them all through the patterns file.`
			`paths = [ ];`

			`persistentTimer = true;`
			`preHook = ''`
			`extraCreateArgs="$extraCreateArgs --exclude-if-present .nobackup"`
			`extraCreateArgs="$extraCreateArgs --stats"`
			`'';`
			`prune = {`
			`keep = {`
			`within = "1d";`
			`hourly = 8;`
			`daily = 30;`
			`weekly = 4;`
			`monthly = 6;`
			`yearly = 3;`
			`};`
			`};`
			`};`

			`in {`
rename `hardware-setup` to `tasks` It isn't really hardware-specific anymore and it is better to put them all under in one basket. This is similar to my Ansible playbooks setup. 2022-03-31 05:59:54 +00:00			`options.tasks.backup-archive.enable =`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`lib.mkEnableOption "backup setup with BorgBackup";`

			`config = lib.mkIf cfg.enable {`
			`assertions = [{`
			`assertion = config.profiles.agenix.enable;`
			`message = ''`
			`Agenix module is not enabled. This is for the borgmatic configuration`
			`we're using.`
			`'';`
			`}];`

			`age.secrets.borg-password.file = lib.getSecret "archive/password";`
			`age.secrets.borg-patterns.file = lib.getSecret "archive/borg-patterns";`
			`age.secrets.borg-patterns-local.file =`
			`lib.getSecret "archive/borg-patterns-local";`
			`age.secrets.borg-ssh-key.file = lib.getSecret "archive/borg-ssh-key";`

			`fileSystems."/mnt/external-storage" = {`
			`device = "/dev/disk/by-uuid/665A391C5A38EB07";`
			`fsType = "ntfs";`
			`noCheck = true;`
			`options = [`
			`"nofail"`
			`"noauto"`
			`"user"`

			`# See systemd.mount.5 and systemd.automount.5 manual page for more`
			`# details.`
			`"x-systemd.automount"`
			`"x-systemd.device-timeout=2"`
			`"x-systemd.idle-timeout=2"`
			`];`
			`};`

			`services.borgbackup.jobs = {`
			`local = borgJobCommonSetting {`
			`patterns = [`
			`config.age.secrets.borg-patterns-local.path`
			`config.age.secrets.borg-patterns.path`
			`];`
			`} // {`
			`doInit = true;`
rename `hardware-setup` to `tasks` It isn't really hardware-specific anymore and it is better to put them all under in one basket. This is similar to my Ansible playbooks setup. 2022-03-31 05:59:54 +00:00			`repo = "/archives/backups";`
backup-archive: switch to NixOS borg module While Borgmatic is great, the NixOS module does have easier configuration for various use cases such as backups in removable devices. To make this possible in Borgmatic, you have to go through some loops. Borgmatic does have easier way of indicating paths. However, in recent versions of Borg, they have the experimental feature of indicate both include and exclude through patterns which is close enough. Also, because of this, we'll be deprecating the custom borgmatic service at this point. It'll be removed once all of my NixOS-related backup setups are not using it. 2022-02-19 08:58:08 +00:00			`startAt = "04/5:00:00";`
			`};`

			`local-archive = borgJobCommonSetting {`
			`patterns = [`
			`config.age.secrets.borg-patterns-local.path`
			`config.age.secrets.borg-patterns.path`
			`];`
			`} // {`
			`doInit = false;`
			`removableDevice = true;`
			`repo = "/mnt/external-storage/backups";`
			`startAt = "daily";`
			`};`

			`remote-borgbase = borgJobCommonSetting {`
			`patterns = [ config.age.secrets.borg-patterns.path ];`
			`} // {`
			`doInit = false;`
			`repo = "m9s7d92s@m9s7d92s.repo.borgbase.com:repo";`
			`startAt = "daily";`
			`environment.BORG_RSH = "ssh -i ${config.age.secrets.borg-ssh-key.path}";`
			`};`
			`};`

			`programs.ssh.extraConfig = ''`
			`Host *.repo.borgbase.com`
			`IdentityFile ${config.age.secrets.borg-ssh-key.path}`
			`'';`
			`};`
			`}`