users/foo-dogsquared/services/backup: init

YAY! A proper modularized backup system.
2025-01-30 22:57:55 +00:00 · 2024-09-07 22:11:51 +08:00 · 2024-09-07 22:11:51 +08:00 · 7995d92fda
commit 7995d92fda
parent afd189ab81
4 changed files with 147 additions and 0 deletions
--- a/configs/home-manager/foo-dogsquared/default.nix
+++ b/configs/home-manager/foo-dogsquared/default.nix
@ -54,6 +54,8 @@ in
      };
    };

+    services.backup.enable = true;
+
    setups = {
      desktop.enable = true;
      development.enable = true;
--- a/configs/home-manager/foo-dogsquared/modules/default.nix
+++ b/configs/home-manager/foo-dogsquared/modules/default.nix
@ -15,6 +15,7 @@
    ./programs/shell.nix
    ./programs/terminal-multiplexer.nix
    ./programs/vs-code.nix
+    ./services/backup

    ./setups/desktop.nix
    ./setups/development.nix
--- a/configs/home-manager/foo-dogsquared/modules/services/backup/default.nix
+++ b/configs/home-manager/foo-dogsquared/modules/services/backup/default.nix
@ -0,0 +1,117 @@
+{ config, lib, foodogsquaredLib, ... }@attrs:
+
+let
+  userCfg = config.users.foo-dogsquared;
+  cfg = userCfg.services.backup;
+
+  pathPrefix = "borg-backup";
+  getPath = path:
+    config.sops.secrets."${pathPrefix}/${path}".path;
+  isFilesystemSet = setupName:
+    attrs.nixosConfig.suites.filesystem.setups.${setupName}.enable or false;
+
+  hetznerBoxesUser = "u332477";
+  hetznerBoxesServer = "${hetznerBoxesUser}.your-storagebox.de";
+
+  borgmaticCommonConfig = module: lib.mkMerge [
+    module
+
+    {
+      archive_name_format = lib.mkDefault "{fqdn}-home-manager-personal-{now}";
+      patterns = lib.mkBefore [
+        "R ${config.home.homeDirectory}"
+        "! ${config.xdg.dataHome}"
+        "! ${config.xdg.cacheHome}"
+        "- ${config.xdg.configHome}"
+        "- ${config.xdg.userDirs.download}"
+        "+ ${config.xdg.userDirs.extraConfig.XDG_PROJECTS_DIR}"
+        "+ ${config.xdg.userDirs.documents}"
+        "+ ${config.xdg.userDirs.music}"
+        "+ ${config.xdg.userDirs.pictures}"
+        "+ ${config.xdg.userDirs.templates}"
+        "+ ${config.xdg.userDirs.videos}"
+      ];
+      exclude_if_present = [
+        ".nobackup"
+        ".exclude.bak"
+      ];
+      exclude_patterns = [
+        "node_modules/"
+        "*.pyc"
+        "result*/"
+        "*/.vim*.tmp"
+        "target/"
+      ];
+
+      store_config_files = true;
+
+      # Most of these retention settings are meant to have overlaps in the
+      # periodic backups.
+      keep_hourly = 48;
+      keep_daily = 14;
+      keep_weekly = 8;
+      keep_monthly = 12;
+      keep_yearly = 4;
+
+      check_last = 4;
+    }
+  ];
+in
+{
+  options.users.foo-dogsquared.services.backup.enable =
+    lib.mkEnableOption "preferred backup service";
+
+  config = lib.mkIf cfg.enable {
+    sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml (
+      foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
+        "repos/remote-hetzner-boxes-personal/password" = { };
+        "repos/local-external-hdd-personal/password" = { };
+        "repos/local-archive-personal/password" = { };
+      });
+
+    programs.borgmatic.enable = true;
+    programs.borgmatic.backups = lib.mkMerge [
+      {
+        remote-hetzner-boxes-personal = {
+          initService.enable = true;
+          initService.startAt = "04:30";
+          settings = borgmaticCommonConfig {
+            encryption_passcommand = "cat ${getPath "repos/remote-hetzner-boxes-personal/password"}";
+            repositories = lib.singleton {
+              path = "ssh://${hetznerBoxesUser}@${hetznerBoxesServer}:23/./borg/users/${config.home.username}";
+              label = "remote-hetzner-boxes";
+            };
+          };
+        };
+      }
+
+      (lib.mkIf (isFilesystemSet "external-hdd") {
+        local-external-hdd-personal = {
+          initService.enable = true;
+          initService.startAt = "04:30";
+          settings = borgmaticCommonConfig {
+            encryption_passcommand = "cat ${getPath "repos/local-external-hdd-personal/password"}";
+            repositories = lib.singleton {
+              path = attrs.nixosConfig.state.paths.external-hdd;
+              label = "local-external-hdd";
+            };
+          };
+        };
+      })
+
+      (lib.mkIf (isFilesystemSet "archive") {
+        local-archive-personal = {
+          initService.enable = true;
+          initService.startAt = "04:30";
+          settings = borgmaticCommonConfig {
+            encryption_passcommand = "cat ${getPath "repos/local-archive-personal/password"}";
+            repositories = lib.singleton {
+              path = attrs.nixosConfig.state.paths.archive;
+              label = "local-archive";
+            };
+          };
+        };
+      })
+    ];
+  };
+}
--- a/configs/home-manager/foo-dogsquared/modules/services/backup/secrets.yaml
+++ b/configs/home-manager/foo-dogsquared/modules/services/backup/secrets.yaml
@ -0,0 +1,27 @@
+repos:
+    remote-hetzner-boxes-personal:
+        password: ENC[AES256_GCM,data:VAwukJ6oP0ZuYQGEdS3JVyGHIIUKhcK3Z3bSfoLdwWVP+SU1078YLjusWg==,iv:wMiWIEZknA0c+OFdI+3+yw0Y9WXkqTWOpkn0FnXjYxI=,tag:VKFvr8Ik+eVaMajJPbn09g==,type:str]
+    local-external-hdd-personal:
+        password: ENC[AES256_GCM,data:o5zV5Q+Bg+hXVtb7w+IE6mMSFG0GKbsl9Y5GZR2yiHTmUdvH2r7p3CoDFJAV1Us=,iv:HxtXlYOyV1kDhzBPBjNDGwH1ciYbQtcnTZzrgwiSjLw=,tag:ApoenU3Tmg1nltJgNCTlkg==,type:str]
+    local-archive-personal:
+        password: ENC[AES256_GCM,data:01UTj28FJegt2USisJ7YPk8zjzUcVhg6VdWzmNJrbJHqzKwA90B1eH6hL4Q2BPQC1tRks2MxPQ==,iv:ScV3wpC2pp3ZCRqmVhPy4R3QMpOd4yEl3h9DwimKi1I=,tag:y8XuQ5vBM0rzmDMD/NKjZw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17he74we2sm7q7ufv6x26n83hs42v6gkj984m6kwf9xtjduyccqmqtpv37q
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCOTB1YzlhMWdXNnl2L0l6
+            dllncG9uN0lzNUtJdmh3SjdzSEhZd001Q0FnCkFDZ2lYb2ZWZi9vTG5OditUOE50
+            U08yZGZCaEkzU0pNcFI1WDEwNTlqdHcKLS0tIHRWdEVuM2VqaGYrclllMHJFazls
+            dGgwbzdJd0xCOHh1eFBTMTkwbnFIOTAKBUjwZqUsUM8qRvRtg0KHm8VNddGPRwJG
+            4EwQfN16XVASb44X03c1wKlP4Pdch3Vkxvxo/UzawuZS92TRbZkQVA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-07T06:24:59Z"
+    mac: ENC[AES256_GCM,data:Yf1vU6+oQR1Ao+1haKxKvLmYkjPFr9RnzlOk8wrMs+bHwkpO979rz/PsOhvVGoJMas4fHiIsnpsx3efSf9Kg5UrGb40pJ/uZTWGr9LpeMczD7WyqK/3l9XSbIWAzRqZ6lp5JEBqLqmbwPHOVBI64bakHmQLNklNIGMYVd+hk5gw=,iv:rh3qSSbc2Sv6VottndPLr/bqAnEc+tjxVvQ7MEu0IqI=,tag:nSrREELrPM8mgar5A7tBpA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0