1
0
Fork 0
selfhostblocks/modules/blocks/borgbackup.nix

296 lines
9.8 KiB
Nix
Raw Normal View History

2023-12-08 10:44:47 -08:00
{ config, pkgs, lib, utils, ... }:
2023-06-22 21:22:34 -07:00
let
2024-08-20 07:09:10 +02:00
cfg = config.shb.borgbackup;
2023-06-22 21:22:34 -07:00
instanceOptions = {
2024-08-20 07:09:10 +02:00
enable = lib.mkEnableOption "shb borgbackup";
2023-06-22 21:22:34 -07:00
keySopsFile = lib.mkOption {
2024-08-20 07:09:10 +02:00
description = "Sops file that holds this instance's repository key and passphrase.";
2023-06-22 21:22:34 -07:00
type = lib.types.path;
example = "secrets/backup.yaml";
};
2024-08-20 07:09:10 +02:00
encryptionKeyFile = lib.mkOption {
description = "Encryption key for the backup.";
type = lib.types.path;
};
encryption_passcommand = "cat /run/secrets/borgmatic/passphrases/${if isNull instance.secretName then name else instance.secretName}";
borg_keys_directory = "/run/secrets/borgmatic/keys";
2023-06-22 21:22:34 -07:00
sourceDirectories = lib.mkOption {
2024-08-20 07:09:10 +02:00
description = "Source directories.";
2023-06-22 21:22:34 -07:00
type = lib.types.nonEmptyListOf lib.types.str;
};
excludePatterns = lib.mkOption {
2024-08-20 07:09:10 +02:00
description = "Exclude patterns.";
2023-06-22 21:22:34 -07:00
type = lib.types.listOf lib.types.str;
default = [];
};
2023-09-25 20:27:35 -07:00
secretName = lib.mkOption {
description = "Secret name, if null use the name of the backup instance.";
type = lib.types.nullOr lib.types.str;
default = null;
};
2023-06-22 21:22:34 -07:00
repositories = lib.mkOption {
2023-11-30 12:06:41 -08:00
description = "Repositories to back this instance to.";
2023-12-08 10:44:47 -08:00
type = lib.types.nonEmptyListOf (lib.types.submodule {
options = {
path = lib.mkOption {
type = lib.types.str;
description = "Repository location";
};
timerConfig = lib.mkOption {
type = lib.types.attrsOf utils.systemdUtils.unitOptions.unitOption;
default = {
OnCalendar = "daily";
Persistent = true;
};
description = ''When to run the backup. See {manpage}`systemd.timer(5)` for details.'';
example = {
OnCalendar = "00:05";
RandomizedDelaySec = "5h";
Persistent = true;
};
};
};
});
2023-06-22 21:22:34 -07:00
};
retention = lib.mkOption {
description = "Retention options.";
type = lib.types.attrsOf (lib.types.oneOf [ lib.types.int lib.types.nonEmptyStr ]);
default = {
keep_within = "1d";
keep_hourly = 24;
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 6;
};
};
consistency = lib.mkOption {
2024-08-20 07:09:10 +02:00
description = "Consistency frequency options.";
2023-06-22 21:22:34 -07:00
type = lib.types.attrsOf lib.types.nonEmptyStr;
default = {};
example = {
repository = "2 weeks";
archives = "1 month";
};
};
hooks = lib.mkOption {
2024-08-20 07:09:10 +02:00
description = "Hooks to run before or after the backup.";
2023-06-22 21:22:34 -07:00
default = {};
type = lib.types.submodule {
options = {
before_backup = lib.mkOption {
description = "Hooks to run before backup";
type = lib.types.listOf lib.types.str;
default = [];
};
after_backup = lib.mkOption {
description = "Hooks to run after backup";
type = lib.types.listOf lib.types.str;
default = [];
};
};
};
};
environmentFile = lib.mkOption {
type = lib.types.bool;
description = "Add environment file to be read by the systemd service.";
default = false;
example = true;
};
};
2023-09-25 20:27:35 -07:00
repoSlugName = name: builtins.replaceStrings ["/" ":"] ["_" "_"] (lib.strings.removePrefix "/" name);
2023-06-22 21:22:34 -07:00
in
{
2024-08-20 07:09:10 +02:00
options.shb.borgbackup = {
2023-06-22 21:22:34 -07:00
user = lib.mkOption {
2023-11-30 12:06:41 -08:00
description = "Unix user doing the backups.";
2023-06-22 21:22:34 -07:00
type = lib.types.str;
default = "backup";
};
group = lib.mkOption {
2023-11-30 12:06:41 -08:00
description = "Unix group doing the backups.";
2023-06-22 21:22:34 -07:00
type = lib.types.str;
default = "backup";
};
instances = lib.mkOption {
2023-11-30 12:06:41 -08:00
description = "Each instance is a backup setting";
2023-06-22 21:22:34 -07:00
default = {};
type = lib.types.attrsOf (lib.types.submodule {
options = instanceOptions;
});
};
borgServer = lib.mkOption {
2023-11-30 12:06:41 -08:00
description = "Add borgbackup package so external backups can use this server as a remote.";
2023-06-22 21:22:34 -07:00
default = false;
example = true;
type = lib.types.bool;
};
# Taken from https://github.com/HubbeKing/restic-kubernetes/blob/73bfbdb0ba76939a4c52173fa2dbd52070710008/README.md?plain=1#L23
performance = lib.mkOption {
description = "Reduce performance impact of backup jobs.";
default = {};
type = lib.types.submodule {
options = {
niceness = lib.mkOption {
type = lib.types.ints.between (-20) 19;
description = "nice priority adjustment, defaults to 15 for ~20% CPU time of normal-priority process";
default = 15;
};
ioSchedulingClass = lib.mkOption {
type = lib.types.enum [ "idle" "best-effort" "realtime" ];
2024-08-20 07:09:10 +02:00
description = "ionice scheduling class, defaults to best-effort IO.";
default = "best-effort";
};
ioPriority = lib.mkOption {
type = lib.types.nullOr (lib.types.ints.between 0 7);
2024-08-20 07:09:10 +02:00
description = "ionice priority, defaults to 7 for lowest priority IO.";
default = 7;
};
};
};
};
2023-06-22 21:22:34 -07:00
};
config = lib.mkIf (cfg.instances != {}) (
let
2023-10-21 21:41:17 -07:00
enabledInstances = lib.attrsets.filterAttrs (k: i: i.enable) cfg.instances;
in lib.mkMerge [
# Secrets configuration
2023-06-22 21:22:34 -07:00
{
users.users = {
${cfg.user} = {
name = cfg.user;
group = cfg.group;
home = "/var/lib/backup";
createHome = true;
isSystemUser = true;
2023-09-25 20:27:35 -07:00
extraGroups = [ "keys" ];
2023-06-22 21:22:34 -07:00
};
};
users.groups = {
${cfg.group} = {
name = cfg.group;
};
};
sops.secrets =
let
mkSopsSecret = name: instance: (
[
{
2023-09-25 20:27:35 -07:00
"${instance.backend}/passphrases/${if isNull instance.secretName then name else instance.secretName}" = {
2023-06-22 21:22:34 -07:00
sopsFile = instance.keySopsFile;
mode = "0440";
owner = cfg.user;
group = cfg.group;
};
}
2023-12-08 10:44:47 -08:00
] ++ lib.optional ((lib.filter ({path, ...}: lib.strings.hasPrefix "s3" path) instance.repositories) != []) {
2023-09-25 20:27:35 -07:00
"${instance.backend}/environmentfiles/${if isNull instance.secretName then name else instance.secretName}" = {
2023-06-22 21:22:34 -07:00
sopsFile = instance.keySopsFile;
mode = "0440";
owner = cfg.user;
group = cfg.group;
};
2023-12-08 10:44:47 -08:00
} ++ lib.optionals (instance.backend == "borgmatic") (lib.flatten (map ({path, ...}: {
"${instance.backend}/keys/${repoSlugName path}" = {
2023-09-25 20:27:35 -07:00
key = "${instance.backend}/keys/${if isNull instance.secretName then name else instance.secretName}";
sopsFile = instance.keySopsFile;
mode = "0440";
owner = cfg.user;
group = cfg.group;
};
}) instance.repositories))
2023-06-22 21:22:34 -07:00
);
in
2023-10-21 21:41:17 -07:00
lib.mkMerge (lib.flatten (lib.attrsets.mapAttrsToList mkSopsSecret enabledInstances));
}
# Borgmatic configuration
{
2024-08-20 07:09:10 +02:00
systemd.timers.borgmatic = lib.mkIf (enabledInstances != {}) {
2023-06-22 21:22:34 -07:00
timerConfig = {
OnCalendar = "hourly";
};
};
2024-08-20 07:09:10 +02:00
systemd.services.borgmatic = lib.mkIf (enabledInstances != {}) {
2023-06-22 21:22:34 -07:00
serviceConfig = {
User = cfg.user;
Group = cfg.group;
2023-09-25 20:27:35 -07:00
ExecStartPre = [ "" ]; # Do not sleep before starting.
2023-06-22 21:22:34 -07:00
ExecStart = [ "" "${pkgs.borgmatic}/bin/borgmatic --verbosity -1 --syslog-verbosity 1" ];
# For borgmatic, since we have only one service, we need to merge all environmentFile
# from all instances.
2023-10-21 21:41:17 -07:00
EnvironmentFile = lib.mapAttrsToList (name: value: value.environmentFile) enabledInstances;
2023-06-22 21:22:34 -07:00
};
};
2024-08-20 07:09:10 +02:00
systemd.packages = lib.mkIf (enabledInstances != {}) [ pkgs.borgmatic ];
2023-06-22 21:22:34 -07:00
environment.systemPackages = (
lib.optionals cfg.borgServer [ pkgs.borgbackup ]
2024-08-20 07:09:10 +02:00
++ lib.optionals (enabledInstances != {}) [ pkgs.borgbackup pkgs.borgmatic ]
2023-06-22 21:22:34 -07:00
);
environment.etc =
let
mkSettings = name: instance: {
"borgmatic.d/${name}.yaml".text = lib.generators.toYAML {} {
location =
{
source_directories = instance.sourceDirectories;
2023-12-08 10:44:47 -08:00
repositories = map ({path, ...}: path) instance.repositories;
2023-06-22 21:22:34 -07:00
}
// (lib.attrsets.optionalAttrs (builtins.length instance.excludePatterns > 0) {
excludePatterns = instance.excludePatterns;
});
storage = {
2024-08-20 07:09:10 +02:00
encryption_passcommand = "cat ${instance.encryptionKeyFile}";
2023-09-25 20:27:35 -07:00
borg_keys_directory = "/run/secrets/borgmatic/keys";
2023-06-22 21:22:34 -07:00
};
retention = instance.retention;
consistency.checks =
let
mkCheck = name: frequency: {
inherit name frequency;
};
in
lib.attrsets.mapAttrsToList mkCheck instance.consistency;
# hooks = lib.mkMerge [
# lib.optionalAttrs (builtins.length instance.hooks.before_backup > 0) {
# inherit (instance.hooks) before_backup;
# }
# lib.optionalAttrs (builtins.length instance.hooks.after_backup > 0) {
# inherit (instance.hooks) after_backup;
# }
# ];
};
};
in
2024-08-20 07:09:10 +02:00
lib.mkMerge (lib.attrsets.mapAttrsToList mkSettings enabledInstances);
}
]);
2023-06-22 21:22:34 -07:00
}