feat: replace borgbackup and bespoke backup function with borgmatic

2025-10-01 00:18:12 +10:00 · 2025-10-01 00:18:12 +10:00 · 3a679356ad
commit 3a679356ad
parent 89a68cc0df
9 changed files with 113 additions and 127 deletions
--- a/modules/nixos/backup.nix
+++ b/modules/nixos/backup.nix
@ -1,75 +0,0 @@
-service: servicecfg:
-{
-  # keep-sorted start
-  pkgs,
-  config,
-  lib,
-# keep-sorted end
-}:
-let
-  notify =
-    {
-      tag,
-      msg,
-      location,
-    }:
-    ''
-      ${pkgs.curl}/bin/curl \
-        -H "X-Tags: ${tag},BorgBackup,Server,${location}" \
-        -d "${msg}" \
-        ${config.services.ntfy-sh.settings.base-url}/backups
-    '';
-  notifySuccess =
-    context:
-    notify {
-      tag = "tada";
-      msg = "Backup succeeded";
-      location = "${context}/${service}";
-    };
-  notifyFailure =
-    context:
-    notify {
-      tag = "rotating_light";
-      msg = "Backup failed, check logs";
-      location = "${context}/${service}";
-    };
-  job =
-    context: contextcfg:
-    lib.nameValuePair "${context}-${service}" (
-      {
-        compression = "auto,zstd";
-        startAt = "*-*-* 04:00:00 Australia/Melbourne";
-        prune.keep = {
-          daily = 7;
-          weekly = 4;
-          monthly = 6;
-        };
-        postHook = ''
-          if [ $exitStatus -eq 0 ]; then
-            ${notifySuccess context}
-          else 
-            ${notifyFailure context}
-          fi
-        '';
-      }
-      // contextcfg
-      // servicecfg
-    );
-in
-builtins.listToAttrs [
-  (job "onsite" {
-    repo = "/backup/repo";
-    encryption = {
-      mode = "repokey-blake2";
-      passCommand = "cat ${config.age.secrets.borgbackup-server-onsite.path}";
-    };
-  })
-  (job "offsite" {
-    repo = "vuc5c3xq@vuc5c3xq.repo.borgbase.com:repo";
-    encryption = {
-      mode = "repokey-blake2";
-      passCommand = "cat ${config.age.secrets.borgbackup-server-offsite.path}";
-    };
-    environment.BORG_RSH = "ssh -i /home/srv/.ssh/id_ed25519";
-  })
-]
--- a/modules/nixos/features/borgbackup-srv.nix
+++ b/modules/nixos/features/borgbackup-srv.nix
@ -1,31 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-let
-  feature = "borgbackup-srv";
-in
-{
-  config = lib.mkIf config.${feature}.enable {
-    # onsite drive
-    services.udisks2.enable = true;
-
-    fileSystems."/backup" = {
-      device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
-      fsType = "ext4";
-    };
-
-    # secrets
-    age.secrets = {
-      "borgbackup-server-onsite" = {
-        file = ../../../secrets/borgbackup-server-onsite.age;
-      };
-      "borgbackup-server-offsite" = {
-        file = ../../../secrets/borgbackup-server-offsite.age;
-      };
-    };
-  };
-
-  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
-}
--- a/modules/nixos/features/borgmatic.nix
+++ b/modules/nixos/features/borgmatic.nix
@ -0,0 +1,92 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  feature = "borgmatic";
+in
+{
+  config = lib.mkIf config.${feature}.enable {
+    # service
+    services.borgmatic = {
+      enable = true;
+      settings = {
+        # keep-sorted start block=yes
+        compression = "auto,zlib";
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+        keep_yearly = 1;
+        repositories = [
+          {
+            path = "/backup/repo";
+            label = "onsite";
+            # encryption = "repokey-blake2";
+          }
+          {
+            path = "ssh://vuc5c3xq@vuc5c3xq.repo.borgbase.com/./repo";
+            label = "offsite";
+            # encryption = "repokey-blake2";
+          }
+        ];
+        encryption_passcommand = "cat ${config.age.secrets.borgmatic.path}";
+        ssh_command = "ssh -i /home/srv/.ssh/id_ed25519";
+        ntfy = {
+          topic = "backups";
+          server = config.services.ntfy-sh.settings.base-url;
+          finish = {
+            title = "Ping!";
+            message = "Your backups have succeeded :)";
+            tags = "tada,BorgBackup,Server";
+          };
+          fail = {
+            title = "Ping!";
+            message = "Your backups have failed :(";
+            tags = "rotating_light,BorgBackup,Server";
+          };
+          states = [
+            "finish"
+            "fail"
+          ];
+        };
+        retries = 3;
+        retry_wait = 10;
+        # keep-sorted end
+      };
+    };
+
+    # postgres
+    services.postgresql.ensureUsers = [
+      {
+        name = "root";
+      }
+    ];
+    systemd.services.postgresql.postStart = lib.mkAfter ''
+      /run/current-system/sw/bin/psql postgres -c "GRANT pg_read_all_data TO root"
+    '';
+    systemd.services.borgmatic.path = [
+      config.services.postgresql.package
+    ];
+
+    # credentials
+    systemd.services.borgmatic.serviceConfig.LoadCredential = [
+      "borgmatic-pg:${config.age.secrets.borgmatic-pg.path}"
+    ];
+
+    # onsite drive
+    services.udisks2.enable = true;
+    fileSystems."/backup" = {
+      device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
+      fsType = "ext4";
+    };
+
+    # secrets
+    age.secrets = {
+      "borgmatic".file = ../../../secrets/borgmatic.age;
+      "borgmatic-pg".file = ../../../secrets/borgmatic-pg.age;
+    };
+  };
+
+  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
+}