radish: add borgbackup

2025-02-18 15:42:55 +02:00
parent 83f9e00416
commit 41bd91deb1
6 changed files with 78 additions and 1 deletions
--- a/hosts/radish/default.nix
+++ b/hosts/radish/default.nix
@@ -13,6 +13,7 @@ in
    ./containers.nix
    ./desktop.nix
    ./users.nix
+    ./secrets.nix
    lanzaboote.nixosModules.lanzaboote
    nixos-hardware.nixosModules.framework-13-7040-amd
    auto-cpufreq.nixosModules.default
--- a/hosts/radish/packages.nix
+++ b/hosts/radish/packages.nix
@@ -1,4 +1,7 @@
-{ pkgs, lib, inputs, ... }:
+{ pkgs, lib, inputs, config, ... }:
+let
+  secrets = config.age.secrets;
+in
 {
  nixpkgs.config.allowUnfree = true;
  nixpkgs.overlays = [ (import ../../custom-pkgs { inherit lib inputs; }) ];
@@ -41,8 +44,62 @@
        HSA_OVERRIDE_GFX_VERSION = "11.0.3";
      };
    };
+
+    borgbackup.jobs.root = {
+      paths = "/";
+      exclude = [
+        "/nix"
+        "/var/cache"
+        "/run"
+        "/sys"
+        "/etc"
+        "/swap"
+        "/proc"
+        "**/node_modules"
+        "**/.cargo"
+        "**/ruby/*/gems"
+        "**/.cache"
+        "**/.meteor"
+        "**/.next"
+        "**/.local/share/containers/cache"
+        "**/.local/share/containers/storage/overlay"
+        "**/.local/share/docker/overlay2"
+        "**/log/*.log"
+        "**/.local/share/Trash"
+      ];
+      environment = {
+        BORG_RSH = "ssh -i /root/.ssh/id_ed25519.borg";
+      };
+      repo = "ssh://u324815-sub2@u324815.your-storagebox.de:23/./backup";
+      encryption = {
+        mode = "repokey";
+        passphrase = "will be overridden from environment file";
+      };
+      extraCreateArgs = [ "--stats" "--progress" ];
+      compression = "auto,zstd";
+      startAt = "daily";
+      persistentTimer = true;
+      preHook = with pkgs; ''
+        ${coreutils}/bin/timeout 60 ${bash}/bin/sh -c '
+          until ${iputils}/bin/ping -c1 your-storagebox.de; do
+            sleep 1
+          done
+        '
+      '';
+      postCreate = with pkgs; ''
+        ${curl}/bin/curl "https://status.freun.dev/api/push/''${UPTIME_KUMA_TOKEN}?status=up&msg=OK&ping="
+      '';
+      prune.keep = {
+        within = "3d";
+        daily = 14;
+        weekly = 8;
+        monthly = -1;
+      };
+    };
  };

+  systemd.services.borgbackup-job-root.serviceConfig.EnvironmentFile = secrets.borgbackup-radish.path;
+
  programs = {
    zsh.enable = true;
    _1password-gui = {
--- a/hosts/radish/secrets.nix
+++ b/hosts/radish/secrets.nix
@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  age.secrets = lib.listToAttrs
+    (
+      map (secret: { name = secret; value = { file = ../../secrets/${secret}.age; }; }) [
+        "borgbackup-radish"
+      ]
+    );
+}
--- a/secrets/borgbackup-radish.age
+++ b/secrets/borgbackup-radish.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -21,4 +21,5 @@ in
  "dnote.age".publicKeys = users ++ [ freun-dev ];
  "octodns.age".publicKeys = users ++ [ freun-dev ];
  "mealie.age".publicKeys = users ++ [ freun-dev ];
+  "borgbackup-radish.age".publicKeys = users ++ [ radish ];
 }
--- a/secrets/uptime-kuma-borg-token.age
+++ b/secrets/uptime-kuma-borg-token.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA nk3tPnHuA6Ozpahwot8YpakJXsloy3N9XCg4pZsUkGg
+EMQszNhC3Hzt/MwpxUrjCTuofWkNB883EKlNUEUVbbs
+-> ssh-ed25519 DFiohQ dsyS7ANYPPgBTHyq6n8gRhDSfOZ2k8dy9EgB0lQgdRw
+K4h6JZ4W38zQdff7ZY92ka2q58444EL+nvlJvmxKT2w
+-> ssh-ed25519 hRPDBg 53NZD4bMhGYZ8dkoP4T+LjzFh+3u9WnhMnUTktUFeU4
+U3GYIVhGgV6nCk9P+Fo+CHjBlSEQiiO3nTnJlGklui4
+--- uqnbehYLZuAdETE2fTMaKder1g3P1CCQPVhQqP01sKM
+xŠŸ´:&Ö½Qí<51>FL0$Å§¬QØŒ>b«[ÁŽ¬®°z!