mirror of
https://github.com/foo-dogsquared/nixos-config.git
synced 2025-01-31 22:57:55 +00:00
90 lines
3.1 KiB
Nix
90 lines
3.1 KiB
Nix
# This is my external hard drive.
|
|
{ config, options, lib, pkgs, ... }:
|
|
|
|
# TODO: Make this a generic service.
|
|
# There are multiple external storage drives now.
|
|
let cfg = config.modules.hardware-setup.backup-archive;
|
|
in {
|
|
options.modules.hardware-setup.backup-archive.enable = lib.mkEnableOption
|
|
"external hard drive and automated backup service with BorgBackup";
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
assertions = [{
|
|
assertion = config.modules.agenix.enable;
|
|
message = "Agenix module is not enabled.";
|
|
}];
|
|
|
|
age.secrets.external-backup-borgmatic-settings.file =
|
|
lib.getSecret "archive/borgmatic.json";
|
|
fileSystems."/mnt/external-storage" = {
|
|
device = "/dev/disk/by-uuid/665A391C5A38EB07";
|
|
fsType = "ntfs";
|
|
noCheck = true;
|
|
options = [
|
|
"nofail"
|
|
"noauto"
|
|
"user"
|
|
|
|
# See systemd.mount.5 and systemd.automount.5 manual page for more
|
|
# details.
|
|
"x-systemd.automount"
|
|
"x-systemd.device-timeout=2"
|
|
"x-systemd.idle-timeout=2"
|
|
];
|
|
};
|
|
|
|
systemd.services.borgmatic-external-archive = {
|
|
unitConfig = {
|
|
Description = "Backup with Borgmatic";
|
|
Wants = [ "network-online.target" ];
|
|
After = [ "network-online.target" ];
|
|
};
|
|
|
|
startAt = "04/2:00:00";
|
|
serviceConfig = {
|
|
# Delay start to prevent backups running during boot. Note that systemd-inhibit requires dbus and
|
|
# dbus-user-session to be installed.
|
|
ExecStartPre = "${pkgs.coreutils}/bin/sleep 1m";
|
|
ExecStart = ''
|
|
${pkgs.systemd}/bin/systemd-inhibit --who="borgmatic" --why="Prevent interrupting scheduled backup" ${pkgs.borgmatic}/bin/borgmatic --verbosity -1 --syslog-verbosity 1 --config ${config.age.secrets.external-backup-borgmatic-settings.path}
|
|
'';
|
|
|
|
# Set security-related stuff.
|
|
LockPersonality = "true";
|
|
ProtectSystem = "full";
|
|
MemoryDenyWriteExecute = "no";
|
|
NoNewPrivileges = "yes";
|
|
PrivateDevices = "yes";
|
|
PrivateTmp = "yes";
|
|
ProtectClock = "yes";
|
|
ProtectControlGroups = "yes";
|
|
ProtectHostname = "yes";
|
|
ProtectKernelLogs = "yes";
|
|
ProtectKernelModules = "yes";
|
|
ProtectKernelTunables = "yes";
|
|
RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
|
|
RestrictNamespaces = "yes";
|
|
RestrictRealtime = "yes";
|
|
RestrictSUIDSGID = "yes";
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = "@system-service";
|
|
SystemCallErrorNumber = "EPERM";
|
|
CapabilityBoundingSet = "CAP_DAC_READ_SEARCH CAP_NET_RAW";
|
|
|
|
# Lower CPU and I/O priority.
|
|
Nice = 19;
|
|
CPUSchedulingPolicy = "batch";
|
|
IOSchedulingClass = "best-effort";
|
|
IOSchedulingPriority = 7;
|
|
IOWeight = 100;
|
|
|
|
Restart = "no";
|
|
|
|
# Prevent rate limiting of borgmatic log events. If you are using an older version of systemd that
|
|
# doesn't support this (pre-240 or so), you may have to remove this option.
|
|
LogRateLimitIntervalSec = "0";
|
|
};
|
|
};
|
|
};
|
|
}
|