Merge pull request #20 from wi11-holdsworth/enhancement/19

enhancement/19
This commit is contained in:
Will 2025-10-01 00:22:04 +10:00 committed by GitHub
commit 219c67cfdb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
14 changed files with 157 additions and 155 deletions


@ -12,7 +12,7 @@
# reusable modules # reusable modules
# keep-sorted start # keep-sorted start
borgbackup-srv.enable = true; borgmatic.enable = true;
intel-gpu.enable = true; intel-gpu.enable = true;
server.enable = true; server.enable = true;
# keep-sorted end # keep-sorted end


@ -1,75 +0,0 @@
service: servicecfg:
{
# keep-sorted start
pkgs,
config,
lib,
# keep-sorted end
}:
let
notify =
{
tag,
msg,
location,
}:
''
${pkgs.curl}/bin/curl \
-H "X-Tags: ${tag},BorgBackup,Server,${location}" \
-d "${msg}" \
${config.services.ntfy-sh.settings.base-url}/backups
'';
notifySuccess =
context:
notify {
tag = "tada";
msg = "Backup succeeded";
location = "${context}/${service}";
};
notifyFailure =
context:
notify {
tag = "rotating_light";
msg = "Backup failed, check logs";
location = "${context}/${service}";
};
job =
context: contextcfg:
lib.nameValuePair "${context}-${service}" (
{
compression = "auto,zstd";
startAt = "*-*-* 04:00:00 Australia/Melbourne";
prune.keep = {
daily = 7;
weekly = 4;
monthly = 6;
};
postHook = ''
if [ $exitStatus -eq 0 ]; then
${notifySuccess context}
else
${notifyFailure context}
fi
'';
}
// contextcfg
// servicecfg
);
in
builtins.listToAttrs [
(job "onsite" {
repo = "/backup/repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.age.secrets.borgbackup-server-onsite.path}";
};
})
(job "offsite" {
repo = "vuc5c3xq@vuc5c3xq.repo.borgbase.com:repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat ${config.age.secrets.borgbackup-server-offsite.path}";
};
environment.BORG_RSH = "ssh -i /home/srv/.ssh/id_ed25519";
})
]


@ -1,7 +1,6 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: }:
let let
@ -32,16 +31,7 @@ in
users.groups.media = { }; users.groups.media = { };
services.borgbackup.jobs = services.borgmatic.settings.source_directories = [ "/srv" ];
import ../backup.nix "srv"
{
paths = [ "/srv" ];
}
{
inherit config;
inherit lib;
inherit pkgs;
};
}; };
imports = [ ]; imports = [ ];


@ -1,31 +0,0 @@
{
config,
lib,
...
}:
let
feature = "borgbackup-srv";
in
{
config = lib.mkIf config.${feature}.enable {
# onsite drive
services.udisks2.enable = true;
fileSystems."/backup" = {
device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
fsType = "ext4";
};
# secrets
age.secrets = {
"borgbackup-server-onsite" = {
file = ../../../secrets/borgbackup-server-onsite.age;
};
"borgbackup-server-offsite" = {
file = ../../../secrets/borgbackup-server-offsite.age;
};
};
};
options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
}


@ -0,0 +1,92 @@
{
config,
lib,
...
}:
let
feature = "borgmatic";
in
{
config = lib.mkIf config.${feature}.enable {
# service
services.borgmatic = {
enable = true;
settings = {
# keep-sorted start block=yes
compression = "auto,zlib";
keep_daily = 7;
keep_weekly = 4;
keep_monthly = 6;
keep_yearly = 1;
repositories = [
{
path = "/backup/repo";
label = "onsite";
# encryption = "repokey-blake2";
}
{
path = "ssh://vuc5c3xq@vuc5c3xq.repo.borgbase.com/./repo";
label = "offsite";
# encryption = "repokey-blake2";
}
];
encryption_passcommand = "cat ${config.age.secrets.borgmatic.path}";
ssh_command = "ssh -i /home/srv/.ssh/id_ed25519";
ntfy = {
topic = "backups";
server = config.services.ntfy-sh.settings.base-url;
finish = {
title = "Ping!";
message = "Your backups have succeeded :)";
tags = "tada,BorgBackup,Server";
};
fail = {
title = "Ping!";
message = "Your backups have failed :(";
tags = "rotating_light,BorgBackup,Server";
};
states = [
"finish"
"fail"
];
};
retries = 3;
retry_wait = 10;
# keep-sorted end
};
};
# postgres
services.postgresql.ensureUsers = [
{
name = "root";
}
];
systemd.services.postgresql.postStart = lib.mkAfter ''
/run/current-system/sw/bin/psql postgres -c "GRANT pg_read_all_data TO root"
'';
systemd.services.borgmatic.path = [
config.services.postgresql.package
];
# credentials
systemd.services.borgmatic.serviceConfig.LoadCredential = [
"borgmatic-pg:${config.age.secrets.borgmatic-pg.path}"
];
# onsite drive
services.udisks2.enable = true;
fileSystems."/backup" = {
device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
fsType = "ext4";
};
# secrets
age.secrets = {
"borgmatic".file = ../../../secrets/borgmatic.age;
"borgmatic-pg".file = ../../../secrets/borgmatic-pg.age;
};
};
options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
}
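Review bot: Both repositories are now unlocked by one passphrase — `encryption_passcommand` reads the single `borgmatic` secret — whereas the deleted backup.nix used a separate secret for onsite and offsite; a leak of the BorgBase-side passphrase therefore also opens the onsite repo, and unless one of the two existing repokeys was re-wrapped with `borg key change-passphrase` the other repository will no longer open at all. The `# encryption = "repokey-blake2";` lines on both repository entries are commented out, so the intended mode is no longer recorded anywhere that is enforced; if the packaged borgmatic or the NixOS settings type rejected that key, say so and give the flag to use on re-creation, e.g. `# repos were created with repokey-blake2; re-create with: borgmatic repo-create --encryption repokey-blake2 --repository <path>`. Keeping one secret per repository (two `age.secrets` entries, as before) would restore the smaller blast radius for the offsite credential.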


@ -16,6 +16,18 @@ in
mediaLocation = "/srv/immich"; mediaLocation = "/srv/immich";
}; };
# database backup
borgmatic.settings = {
postgresql_databases = [
{
name = "immich";
hostname = "localhost";
username = "root";
password = "{credential systemd borgmatic-pg}";
}
];
};
nginx = { nginx = {
clientMaxBodySize = "50000M"; clientMaxBodySize = "50000M";
virtualHosts."${feature}.fi33.buzz" = { virtualHosts."${feature}.fi33.buzz" = {
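Review bot: Nothing in this change sets a password for the Postgres role that `username = "root"` / `password = "{credential systemd borgmatic-pg}"` logs in as: `ensureUsers` in the borgmatic module only creates the role and its `postStart` hook only grants `pg_read_all_data`, so unless the password is set out of band (not visible here) the TCP login to `localhost` will be rejected, and if it is set out of band the host is not reproducible from this repository. Either add an `ALTER ROLE root PASSWORD '...'` fed from the same credential file to that `postStart`, or drop `hostname` so borgmatic (which runs as root) connects over the socket, where NixOS's default `local ... peer` rule presumably maps it to the `root` role with no password at all. Note also that `pg_read_all_data` lets this single credential read every database on the server, not only `immich`; a per-service reader role would limit what a leaked `borgmatic-pg` exposes. The enclosing `services` attrset starts before the hunk.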


@ -20,6 +20,18 @@ in
}; };
}; };
# database backup
borgmatic.settings = {
postgresql_databases = [
{
name = "miniflux";
hostname = "localhost";
username = "root";
password = "{credential systemd borgmatic-pg}";
}
];
};
# reverse proxy # reverse proxy
nginx = { nginx = {
virtualHosts."${feature}.fi33.buzz" = { virtualHosts."${feature}.fi33.buzz" = {
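Review bot: This `postgresql_databases` entry is one of three identical copies (immich, miniflux, paperless) that differ only in `name`, so the connection details — host, role, credential reference — are now maintained in three files. Deriving the list in the borgmatic module keeps one source of truth, e.g. `postgresql_databases = map (name: { inherit name; hostname = "localhost"; username = "root"; password = "{credential systemd borgmatic-pg}"; }) [ "immich" "miniflux" "paperless" ];`, or each service could append only `{ name = "miniflux"; }` to a shared helper that fills in the rest. The enclosing `services` attrset starts before the hunk.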


@ -22,6 +22,18 @@ in
}; };
}; };
# database backup
borgmatic.settings = {
postgresql_databases = [
{
name = "paperless";
hostname = "localhost";
username = "root";
password = "{credential systemd borgmatic-pg}";
}
];
};
# reverse proxy # reverse proxy
nginx = { nginx = {
virtualHosts."${feature}.fi33.buzz" = { virtualHosts."${feature}.fi33.buzz" = {


@ -63,24 +63,14 @@ in
}; };
}; };
# backup borgmatic.settings =
borgbackup.jobs =
# we only need one syncthing host to be backed up
# choose server because borgbackup is the most fleshed out
# on srv currently
if userName == "srv" then if userName == "srv" then
import ../backup.nix feature
{ {
paths = [ source_directories = [
"/home/srv/.config/syncthing" "/home/srv/.config/syncthing"
"/home/srv/Sync" "/home/srv/Sync"
]; ];
} }
{
inherit config;
inherit lib;
inherit pkgs;
}
else else
null; null;
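Review bot: The `else null` branch assigns `null` to `services.borgmatic.settings`; if that option is declared `nullOr` (as the NixOS borgmatic module's `settings` appears to be) the module system refuses to merge a null definition with the attrsets the borgmatic module and the srv host file define, so a non-srv user on a host that also runs borgmatic would break evaluation instead of simply contributing nothing. `borgmatic.settings = lib.mkIf (userName == "srv") { source_directories = [ "/home/srv/.config/syncthing" "/home/srv/Sync" ]; };` expresses the intent without a null. The removed comment explaining that only the srv syncthing instance needs backing up should be carried over, e.g. `# only one syncthing host needs backing up; srv has the borgmatic setup`. The enclosing `services` attrset starts before the hunk.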


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 LtK9yQ ffY9sDLotAZPq7WYBhBCo/+CG8hs8oSb+Zc26XQ5Kxs
7JwKBUAUWfuOyfaf/pVcq1zv58OtrPAh9wGqPcEhlt8
-> ssh-ed25519 qLT+DQ ulTuZ469zjWcwcuH54SUDaAsaNcpEqXkO0cdGsv2tEE
jwqDMwd/hyHvT+FQjHj8fziycK9WMGJqM6UZKB1yXrQ
-> ssh-ed25519 7+xRyQ ZcybG8n14hpc/B9p1KWDzCi9T2UmVzzsTG32LtKtNFY
81CixZ1eUgAZLS1LDceYeoGbKUPVqqzqjjJ7ACUHCCc
--- 5eJlsZeXReu93xYN6WLtKfFycFyTZyrt0aMYgERe9ME
ÝÇ"ôŒº4<14>XêtºQqwáýÁ‹˜Æ(„¾Þ¸­ƒ±‚…ò‹èÊ3.JI¼ä6-)ö§áì,˜ó<>ªÕ²Úq ÁI~b®


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 LtK9yQ klX5fjSXRPWV/ALNcTZ8UIVFEftuS0bMx0oZ0jZDSBQ
swtF1Mvup7JZszfPgXwZ2363Qrt3oUdP1AWfd0Je8h0
-> ssh-ed25519 qLT+DQ IN4GfoKDEtcs/lbobggKfdbFn8EdqpBv7KRJqs0nxg8
X+hti2ZVCqZPHV54QzwZN1nQTdBbU/ZaF7iz1QspIW4
-> ssh-ed25519 7+xRyQ TFU9KepaxamXUcwNrwDv368JvfmLb0Aq1oeuQoX3A2g
XQZxEmfduYOcDoXZuL9ywH2UdJmFsM6mQDqX5SBkvko
--- ud8jMRGHEN6/q5o0GhZdt+Nh38Bhg6nh/ugTPTJFYtI
ÝuI,ÈÏÖþmîWïJÁzÙP/†.]‡ÇmÝøã¶<C3A3>­káb¸ˆ‚—éîýéJXZ/¡qåX ×Qa.¨¢/­ˆ²¿9Á

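--- a/secrets/borgmatic-pg.age
+++ b/secrets/borgmatic-pg.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 qLT+DQ C3A3TKOyIWzbW8JupvhTmLKetnr+0uzkPq985NA0DCs
+ahrHVR7WadjOfOXBWOqBAf9L0UdCNeD0Ynk6sKDF7WM
+-> ssh-ed25519 7+xRyQ evZ6zSS3olbORnqiCnEAL68D1FNPgg2oBoJSaquLAAA
+BYoo9AVOHsRsTbXkRQdS/7WN25vBuJOAb0YfnSY+hGQ
+-> ssh-ed25519 LtK9yQ jLIdKPvVhPsRIJevWLmads3P2hM29c0B143OWoINzlY
+ziCUQ1TtB6BUgbNZ/zFXoaOtpxyrbKobsTvXo/dSpSA
+--- Q6JHS+5vuYLIqyIb6x3qCbIJvsjk2++ovL1zkVGs69o
+<EFBFBD>ã쇽NM1±WBýy•M.ù²ø-Ø|GlºÈ]¡8Z,(5è±²P¶èè!ÿpmp¡¢°Eaû¤;<3B>Ôâ¿Ä(tq!ÊKÕU4×m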

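--- a/secrets/borgmatic.age
+++ b/secrets/borgmatic.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 qLT+DQ zfLZc8A30KjoMrhUSl4OgTp+Yg11fmVjDioxtIYMqDU
+URhJwUCElaJcSd+k5wBQAXvdC/68ZcCA5WbHGAJTYfY
+-> ssh-ed25519 7+xRyQ mrGrjW0fQIRNMDdw4Hoc9N/xAEm1P0IFukShfeVdKE8
+yLUmj7LBfHQ/i4buBB57ktNUOnHpoC8NYTQUnK5e5y4
+-> ssh-ed25519 LtK9yQ THjOsSIr/DQTulFlwd4r5DYb73VQ0vWgyDHkfJV3NR0
+Dl8FwK1WciiEMs5MdrFcUIOFGmlbZf3APOWzLN6rkOE
+--- 3mjYPT9APy0F5NNbbCIQhzZ0XjKBtB9YGGS3t37eoRU
+ôT^væ—U‹§òÏ{™>[÷õ¦dhé§PC6þZ|é£ûýK|~lÝ<6C>bŒÀD¢ûÖÙt”΄¨ø]¨1P$ø10¨ ¿ïAý±$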


@ -15,8 +15,8 @@ let
in in
{ {
# keep-sorted start # keep-sorted start
"borgbackup-server-offsite.age".publicKeys = users; "borgmatic.age".publicKeys = users;
"borgbackup-server-onsite.age".publicKeys = users; "borgmatic-pg.age".publicKeys = users;
"copyparty-will.age".publicKeys = users; "copyparty-will.age".publicKeys = users;
"immich.age".publicKeys = users; "immich.age".publicKeys = users;
"jellyfin.age".publicKeys = users; "jellyfin.age".publicKeys = users;