From 3997805f5acf89548d9fda6b2865e2c2c592f750 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Sun, 19 Dec 2021 17:37:22 +0800
Subject: [PATCH] Improve backup service
---
 .../nixos/hardware-setup/backup-archive.nix | 90 ++++++++++--------
 secrets/archive/borgmatic.json | Bin 1847 -> 1773 bytes
 2 files changed, 51 insertions(+), 39 deletions(-)
diff --git a/modules/nixos/hardware-setup/backup-archive.nix b/modules/nixos/hardware-setup/backup-archive.nix
index b505a2b9..f8f71c40 100644
--- a/modules/nixos/hardware-setup/backup-archive.nix
+++ b/modules/nixos/hardware-setup/backup-archive.nix
@@ -14,7 +14,7 @@ in {
 message = "Agenix module is not enabled.";
 }];
- age.secrets.archive-password.file = ../../../secrets/archive/password;
+ age.secrets.external-backup-borgmatic-settings.file = lib.getSecret "archive/password";
 fileSystems."/mnt/external-storage" = {
 device = "/dev/disk/by-uuid/665A391C5A38EB07";
 fsType = "ntfs";
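Review bot: The added line binds the `external-backup-borgmatic-settings` secret to `archive/password`, yet the second hunk passes that same secret's path to borgmatic as `--config`, and the commit's other change is to `secrets/archive/borgmatic.json`, so the file reference looks wrong and should presumably read `age.secrets.external-backup-borgmatic-settings.file = lib.getSecret "archive/borgmatic.json";`. `lib.getSecret` is a project helper whose definition is outside this patch, so I am assuming it resolves a path relative to the secrets directory the way the removed `../../../secrets/archive/password` did. With `age.secrets.archive-password` gone, the passphrase the old `passCommand` read has to come from inside that config file, which is consistent with the rename but only once the path is corrected.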
@@ -32,46 +32,58 @@ in {
 ];
 };
- services.borgbackup.jobs.external-storage = {
- dateFormat = "+%F-%H-%M-%S-%z";
- doInit = false;
- removableDevice = true;
- paths = [
- "/home/*/.config/environment.d"
- "/home/*/.config/systemd"
- "/home/*/.gnupg"
- "/home/*/.password-store"
- "/home/*/.ssh"
- "/home/*/.thunderbird"
- "/home/*/dotfiles"
- "/home/*/library"
- ];
- exclude = [
- "*/.cache"
- "*.pyc"
- "*/node_modules"
- "*/.next"
- "*/result"
- "projects/software/*/build"
- "projects/software/*/target"
- ];
- repo = "/mnt/external-storage/backups";
- encryption = {
- mode = "repokey";
- passCommand = "cat ${config.age.secrets.archive-password.path}";
+ systemd.services.borgmatic-external-archive = {
+ unitConfig = {
+ Description = "Backup with Borgmatic";
+ Wants = [ "network-online.target" ];
+ After = [ "network-online.target" ];
+ ConditionACPower = true;
 };
- compression = "lz4";
- prune = {
- prefix = "{hostname}-";
- keep = {
- within = "1w"; # Keep all archives from the last week.
- daily = 30;
- weekly = 4;
- monthly = -1; # Keep at least one archive for each month.
- yearly = 3;
- };
+
+ startAt = "04/3:00:00";
+ serviceConfig = {
+ # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
+ # dbus-user-session to be installed.
+ ExecStartPre = "${pkgs.coreutils}/bin/sleep 1m";
+ ExecStart = ''
+ ${pkgs.systemd}/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" ${pkgs.borgmatic}/bin/borgmatic --verbosity -1 --syslog-verbosity 1 --config ${config.age.secrets.external-backup-borgmatic-settings.path}
+ '';
+
+ # Set security-related stuff.
+ LockPersonality = "true";
+ ProtectSystem = "full";
+ MemoryDenyWriteExecute = "no";
+ NoNewPrivileges = "yes";
+ PrivateDevices= "yes";
+ PrivateTmp = "yes";
+ ProtectClock = "yes";
+ ProtectControlGroups = "yes";
+ ProtectHostname = "yes";
+ ProtectKernelLogs = "yes";
+ ProtectKernelModules = "yes";
+ ProtectKernelTunables = "yes";
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+ RestrictNamespaces = "yes";
+ RestrictRealtime = "yes";
+ RestrictSUIDSGID = "yes";
+ SystemCallArchitectures = "native";
+ SystemCallFilter = "@system-service";
+ SystemCallErrorNumber = "EPERM";
+ CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW";
+
+ # Lower CPU and I/O priority.
+ Nice = 19;
+ CPUSchedulingPolicy = "batch";
+ IOSchedulingClass = "best-effort";
+ IOSchedulingPriority = 7;
+ IOWeight = 100;
+
+ Restart = "no";
+
+ # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+ # doesn't support this (pre-240 or so), you may have to remove this option.
+ LogRateLimitIntervalSec = "0";
 };
- startAt = "04/8:00:00"; # Every 8 hours starting at 04:00.
 };
 };
 }
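Review bot: Nothing in the new `borgmatic-external-archive` unit ties it to the external disk: the removed `services.borgbackup` job declared `removableDevice = true`, and the `fileSystems."/mnt/external-storage"` entry stays in the module, so if the repository still lives under that mount point (its path is now inside the encrypted config, so I cannot confirm) a run while the disk is absent would operate on the bare directory of the root filesystem, which `ProtectSystem = "full"` leaves writable; adding `RequiresMountsFor = [ "/mnt/external-storage" ];` to `unitConfig` makes the unit wait for, or fail without, the mount. The hardening block mixes `LockPersonality = "true"` with `"yes"` everywhere else and has `PrivateDevices= "yes"` without the space before `=`; both forms are accepted by systemd but read as typos. The `# Set security-related stuff.` comment would be more useful if it stated why `MemoryDenyWriteExecute` is switched off and why `CAP_NET_RAW` is kept in the bounding set, since neither is obvious for a backup to a local disk. The scheduling comment dropped with `startAt = "04/8:00:00"` is worth restoring on the new value, e.g. `startAt = "04/3:00:00"; # Every 3 hours starting at 04:00.`, assuming that is the intended reading of the calendar expression.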
diff --git a/secrets/archive/borgmatic.json b/secrets/archive/borgmatic.json index 3e15605832b8ff2a4ccbc9c7f4b0bcf0acfb9365..599e6807a89ad48c38737002da33c1c39b7602e7 100644 GIT binary patch delta 1729 zcmV;y20r<>4($z)EPqKxFfe3VXJ;!pL03s=cVbU&RBtmgXj)P^Su;07ZD(mkM=wc3 zYh*Y@I0{W@Mrm?pdNx`$RY+%Sazj!xa&u)vD|TvWHfDM`WlCy7Gca^RLsfZdSqd#a zAaiqQEoEdfH8n9gAW~IYS#VJxLv2`5dS-D(OjlB2WK~U9cScxaX*F<2YH34wNHb+o zYIJy3a#mwUGcQ;)3Tj6|D?xWC!&c4==4 zQEX{MY;ieLQA{^9Qb9OoFKtsqF*Qj|K`>A`T5wQLY*$TVVQEoeF;Q6xEj}PNM{q`5 zUoB^HWnpt=AYgcAP)#^(ZVFH~aCdHYa%V8ENi|V+OhR~4X;pVmLRC*I zZZt+^X)APXL}F-mH%l-xvGGIFK~AX z*2GJHNsW}O@EjpVbkpUDi5<5=q z-6aie82ONmb56F=C`AAUIlSbK z5USc+0vh;_Ysh86zcLrD4TT{$(9BIDFemMQHYX8G3C_2Ad1zT*{sPf83UI?`iQpjo zrm30x@_|FT4vbk-hrF(e@tRfYa?Y0M!g}8+w60XaGp{-Hr*ewZ%^|PMN*p{Gl6$Wu zQ|NOHb`cvJYtnd>(I>B^(5HcAfpXR8S*C|mSD0?}JQ5+*MHxd&?)+sxvDov-8{a*Wj&Kyr-E9lBUL0DgRWg%X(^)&iB*o;25cPxXJ z$o4w-O6$%axOVY$W2T6q8tV`xNX^Xo^%1QYw3%RQezeg7!UP-!KTp3y2FV_HdUI8i zm+_?qUnSjD(h{b61N1d0vkZ{kx{nj^%5+VeLX1l6)!2mkOq;l%;dg=q${dWFDSDr=WoI z!O@!5qrY@ySnrlm7adbFmW7T?4bH|WDHrfS18RzO;q0M-j%@D^eiVm)2BzIr4K5Q% zyU3zuJkN1^+QuSaZgVe6l0xDo0vm0FG$B+%JvS%`Z&L<@S6k*M7;VsGnUO75`Gk&p z(ZxSrXxv);xvBG=h5ytPP-03}0*GE3P6WK=6L6yOp@r2N`zEvk-$(#`g+?JZ>~37X zjI}`jo;A}y-ZYU2%i?i=&T=4QBpaHCVd8p!$t=1lulr3Is-8?!S*~{ht$Sf*t956y z=ziR1*O1;9+TtdeoIA2Pz=)2eX|TXQ-0+h9;`=C?IWmeh894+ncLv3eCjVk@_Zt2D zmQBavd>l|uTr{om_@~)QQzzg$gZ*8xOQoG~wjpLQX2|t!`e$>0O)OjaV4`)Ym{*_L5zJVD+$Qps;D+G&Ql`p=D{4wR;WhDdoPXv5_#!#g!=N_2 z!fB_U4tk{Rs2+!KHDvVyp{SXrB0j9_fs$(y&BPBG9~(CB$V;#0tt+0yfCeJQSc8Oh z#Pdw4-We#)Swyp|@5AE2_^d2zC&kvIA#M&+Jr7wr8PRJKssX}L%)mueRJENH-TbAN XOJXgD_^yVM1gZ6Lx`Eh)clX&^>lQ+-nkD>G(hZBb8ub}~##OgL$6VoXLyK}d0PI978q zGFEa)bxwIfXe(7mFF8$XWO6uDYAb42K~qjcVOU~XQBh-5YYKEZWod0SZ!kw$ZANNq zcWqH*LsLa;P&sFAMrUScH9|LJcSu)xYjg@NEiE8LL`!9MS9WYgR%Bu?by#yoW^Yq9 zD^_cNVntX?Y*AQAT5E4tQ#L|wVPiN7V3l|X1N-WD{Hw={5%G76JEit2o(ex&Ka{fv zND;oFZC}EzQUpfgi>j&I*_qID3%l{C0c7lMo9k6z@gi&`MALqK*wW;xUou9u8ey{MFq(680!59Q2Ttm0mBfB}s3Ux@ 
zpb&nj0*p|#4d3mk-V#<8{AED*loZ&@l$u%36o~;b6~J~SNkG03ez;d@^kl`crg0{J zJlW)Nk2)j63=)3F&wm3;x(Q=UW!&#wsDHNgC8hf3eB$-sBz&pRBREO8CN2wP6p*b2 zV7Y8XGe5!Ml@UYkA~n*p)_k#x#Y^mIG5ylgNEI1CuwM+yd@_bP;Bvc7)0oO=DpHt5 zNG)26X(|74ixH(9-j3LoeICKjCMG3+#VxBJ){9oJYTrUiQOPxa!`p1j{IkTwg?zU~ zlvR<@f(RxCgmCeCRz3FI+8ktd6HfDlw~`Fr^0U&@u+nS_26HC%EJ|*m7E3MPN~tjv zyYQlD6vAvODV^kHGMPQZI#oX&hI;%UbFkx4JaY8%Q(CgD3$6)c_F8UU!gTY0TOcBf zilJR_Lktna+z_ZJ%FA^uFe^+9NZ-vd z!@k7yAd21qH*bFnFGXJHjROh7)ljPJwA@&go zB3hO)ABXel$+Q+lTx83!SNfZOpO}TB+HFlO&7IJTdN6UD&Fkr~O zgvv+JZFSg4*ahT2DS3$l!sqvVe7IkbR_HU#NcMf}H(1NjX|JknXdX*{No{iwW5yq$ z((x?jin@z*DA@E{(03sLZls}Rr|TYXFC+=km*PjSUbuSCv08h=UKOP6e!1TX-LSkw z`Mz@$Vtc;47`hEXB7(oR$2PbZzi?GnD!kvNIRB^ns_2JKd;X^<3Eb5z$o05^Ag#Jy zXPu`G1)EY2xdib=WA@2^qGf^prgur~g5^*(cH+}=TDPrabFxDcS{<$*fh+iDN;LFM z0EUYrPg$=2{z`YT$8Y#XXktKv3}KhdtmsqnGjMyJTaYakm1 zt6T7;%^PJ_X%-C?J3TbBQjW{ODId=_WratB&Z#Zs1S^nLkO;+p2!{|UtHkLHE9f8K zY_660+bHqN7oceif<8W69Oo4s9 z8GwK|n}1jgWp-y6a1)sEUWJ)|&oxKuB%tq=q*bCqfZfOrL3c`=^seH?fDd%Fpe5JP~vhDn6fm~H?Gt? zdAJda>lZju&XH2S6BTgXAc7gkuS&O5_{FcrI=6`s+c*6?Ux9L&ivSfF(xVi