Improve backup service

modules/nixos/hardware-setup/backup-archive.nix

@@ -14,7 +14,7 @@ in {
       message = "Agenix module is not enabled.";
     }];
 
-    age.secrets.archive-password.file = ../../../secrets/archive/password;
+    age.secrets.external-backup-borgmatic-settings.file = lib.getSecret "archive/password";
     fileSystems."/mnt/external-storage" = {
       device = "/dev/disk/by-uuid/665A391C5A38EB07";
       fsType = "ntfs";
@@ -32,46 +32,58 @@ in {
       ];
     };
 
-    services.borgbackup.jobs.external-storage = {
+    systemd.services.borgmatic-external-archive = {
-      dateFormat = "+%F-%H-%M-%S-%z";
+      unitConfig = {
-      doInit = false;
+        Description = "Backup with Borgmatic";
-      removableDevice = true;
+        Wants = [ "network-online.target" ];
-      paths = [
+        After = [ "network-online.target" ];
-        "/home/*/.config/environment.d"
+        ConditionACPower = true;
-        "/home/*/.config/systemd"
-        "/home/*/.gnupg"
-        "/home/*/.password-store"
-        "/home/*/.ssh"
-        "/home/*/.thunderbird"
-        "/home/*/dotfiles"
-        "/home/*/library"
-      ];
-      exclude = [
-        "*/.cache"
-        "*.pyc"
-        "*/node_modules"
-        "*/.next"
-        "*/result"
-        "projects/software/*/build"
-        "projects/software/*/target"
-      ];
-      repo = "/mnt/external-storage/backups";
-      encryption = {
-        mode = "repokey";
-        passCommand = "cat ${config.age.secrets.archive-password.path}";
       };
-      compression = "lz4";
+
-      prune = {
+      startAt = "04/3:00:00";
-        prefix = "{hostname}-";
+      serviceConfig = {
-        keep = {
+        # Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
-          within = "1w"; # Keep all archives from the last week.
+        # dbus-user-session to be installed.
-          daily = 30;
+        ExecStartPre = "${pkgs.coreutils}/bin/sleep 1m";
-          weekly = 4;
+        ExecStart = ''
-          monthly = -1; # Keep at least one archive for each month.
+          ${pkgs.systemd}/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" ${pkgs.borgmatic}/bin/borgmatic --verbosity -1 --syslog-verbosity 1 --config ${config.age.secrets.external-backup-borgmatic-settings.path}
-          yearly = 3;
+        '';
-        };
+
+        # Set security-related stuff.
+        LockPersonality = "true";
+        ProtectSystem = "full";
+        MemoryDenyWriteExecute = "no";
+        NoNewPrivileges = "yes";
+        PrivateDevices= "yes";
+        PrivateTmp = "yes";
+        ProtectClock = "yes";
+        ProtectControlGroups = "yes";
+        ProtectHostname = "yes";
+        ProtectKernelLogs = "yes";
+        ProtectKernelModules = "yes";
+        ProtectKernelTunables = "yes";
+        RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+        RestrictNamespaces = "yes";
+        RestrictRealtime = "yes";
+        RestrictSUIDSGID = "yes";
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        SystemCallErrorNumber = "EPERM";
+        CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW";
+
+        # Lower CPU and I/O priority.
+        Nice = 19;
+        CPUSchedulingPolicy = "batch";
+        IOSchedulingClass = "best-effort";
+        IOSchedulingPriority = 7;
+        IOWeight = 100;
+
+        Restart = "no";
+
+        # Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
+        # doesn't support this (pre-240 or so), you may have to remove this option.
+        LogRateLimitIntervalSec = "0";
       };
-      startAt = "04/8:00:00"; # Every 8 hours starting at 04:00.
     };
   };
 }