diff --git a/modules/nixos/hardware-setup/backup-archive.nix b/modules/nixos/hardware-setup/backup-archive.nix
index b505a2b9..f8f71c40 100644
--- a/modules/nixos/hardware-setup/backup-archive.nix
+++ b/modules/nixos/hardware-setup/backup-archive.nix
@@ -14,7 +14,7 @@ in {
       message = "Agenix module is not enabled.";
     }];
-    age.secrets.archive-password.file = ../../../secrets/archive/password;
+    age.secrets.external-backup-borgmatic-settings.file = lib.getSecret "archive/password";
     fileSystems."/mnt/external-storage" = {
       device = "/dev/disk/by-uuid/665A391C5A38EB07";
       fsType = "ntfs";
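Review bot: The renamed secret `external-backup-borgmatic-settings` still resolves to `archive/password`, yet its `.path` is what the next hunk hands to `borgmatic --config`, so the unit would be given the old repokey passphrase file where a borgmatic configuration is expected. Given that this same commit changes `secrets/archive/borgmatic.json`, the intended line looks like `age.secrets.external-backup-borgmatic-settings.file = lib.getSecret "archive/borgmatic.json";`, unless `lib.getSecret` performs a mapping that is not visible here. If the passphrase now lives inside the borgmatic settings file, the `archive/password` secret appears to have no remaining consumer and could be retired, which is worth stating in a comment next to the secret declaration. The `in {` attribute set enclosing this hunk begins before it.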
@@ -32,46 +32,58 @@ in {
       ];
     };
-    services.borgbackup.jobs.external-storage = {
-      dateFormat = "+%F-%H-%M-%S-%z";
-      doInit = false;
-      removableDevice = true;
-      paths = [
-        "/home/*/.config/environment.d"
-        "/home/*/.config/systemd"
-        "/home/*/.gnupg"
-        "/home/*/.password-store"
-        "/home/*/.ssh"
-        "/home/*/.thunderbird"
-        "/home/*/dotfiles"
-        "/home/*/library"
-      ];
-      exclude = [
-        "*/.cache"
-        "*.pyc"
-        "*/node_modules"
-        "*/.next"
-        "*/result"
-        "projects/software/*/build"
-        "projects/software/*/target"
-      ];
-      repo = "/mnt/external-storage/backups";
-      encryption = {
-        mode = "repokey";
-        passCommand = "cat ${config.age.secrets.archive-password.path}";
+    systemd.services.borgmatic-external-archive = {
+      unitConfig = {
+        Description = "Backup with Borgmatic";
+        Wants = [ "network-online.target" ];
+        After = [ "network-online.target" ];
+        ConditionACPower = true;
       };
-      compression = "lz4";
-      prune = {
-        prefix = "{hostname}-";
-        keep = {
-          within = "1w"; # Keep all archives from the last week.
-          daily = 30;
-          weekly = 4;
-          monthly = -1; # Keep at least one archive for each month.
-          yearly = 3;
-        };
+
+      startAt = "04/3:00:00";
+      serviceConfig = {
+        # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+        # dbus-user-session to be installed.
+        ExecStartPre = "${pkgs.coreutils}/bin/sleep 1m";
+        ExecStart = ''
+          ${pkgs.systemd}/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" ${pkgs.borgmatic}/bin/borgmatic --verbosity -1 --syslog-verbosity 1 --config ${config.age.secrets.external-backup-borgmatic-settings.path}
+        '';
+
+        # Set security-related stuff.
+        LockPersonality = "true";
+        ProtectSystem = "full";
+        MemoryDenyWriteExecute = "no";
+        NoNewPrivileges = "yes";
+        PrivateDevices= "yes";
+        PrivateTmp = "yes";
+        ProtectClock = "yes";
+        ProtectControlGroups = "yes";
+        ProtectHostname = "yes";
+        ProtectKernelLogs = "yes";
+        ProtectKernelModules = "yes";
+        ProtectKernelTunables = "yes";
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = "yes";
+        RestrictRealtime = "yes";
+        RestrictSUIDSGID = "yes";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        SystemCallErrorNumber = "EPERM";
+        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW";
+
+        # Lower CPU and I/O priority.
+        Nice = 19;
+        CPUSchedulingPolicy = "batch";
+        IOSchedulingClass = "best-effort";
+        IOSchedulingPriority = 7;
+        IOWeight = 100;
+
+        Restart = "no";
+
+        # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+        # doesn't support this (pre-240 or so), you may have to remove this option.
+        LogRateLimitIntervalSec = "0";
       };
-      startAt = "04/8:00:00"; # Every 8 hours starting at 04:00.
     };
   };
}
diff --git a/secrets/archive/borgmatic.json b/secrets/archive/borgmatic.json
index 3e156058..599e6807 100644
Binary files a/secrets/archive/borgmatic.json and b/secrets/archive/borgmatic.json differ
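Review bot: The hardening block under `# Set security-related stuff.` spells booleans three ways — `LockPersonality = "true"`, `NoNewPrivileges = "yes"`, and `ConditionACPower = true` in unitConfig — and `PrivateDevices= "yes"` is missing its space; settle on one form (for example `LockPersonality = true;`, matching `ConditionACPower`) for every line so the sandbox reads as one deliberate policy. `MemoryDenyWriteExecute = "no"` and the `CAP_NET_RAW` entry in `CapabilityBoundingSet` are the two places where the sandbox is loosened, and neither says why; a short comment naming the need, or dropping `CAP_NET_RAW` if no borgmatic hook actually requires raw sockets, keeps the least-privilege intent reviewable. The schedule comment disappeared with the removed `startAt`; the new `startAt = "04/3:00:00";` deserves `# Every 3 hours starting at 04:00.` so the calendar expression is not read as a typo of the old one. The `in {` attribute set enclosing this hunk begins before it.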