feat(borgbackup): replace borgmatic

2026-03-09 14:03:47 +11:00 · 2026-03-09 14:03:47 +11:00 · a2d43c4dd9
commit a2d43c4dd9
parent d26b436626
18 changed files with 117 additions and 96 deletions
--- a/modules/nixos/features/borgbackup.nix
+++ b/modules/nixos/features/borgbackup.nix
@ -0,0 +1,57 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  jobConfig = {
+    compression = "auto,zlib";
+    doInit = false;
+    preHook = ''
+      /run/wrappers/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dumpall > /srv/backup/database/postgres/dump.sql
+    '';
+    postHook = ''
+      rm /srv/backup/database/postgres/dump.sql
+    '';
+    prune.keep = {
+      daily = 7;
+      weekly = 4;
+      monthly = 6;
+      yearly = 1;
+    };
+    readWritePaths = [
+      "/srv/backup"
+    ];
+    startAt = "*-*-* 03:00:00";
+    extraCreateArgs = [ "-v" ];
+  };
+in
+{
+  services.borgbackup = {
+    jobs = {
+      onsite = {
+        encryption = {
+          passCommand = "cat ${config.age.secrets.borgbackup-onsite.path}";
+          mode = "repokey-blake2";
+        };
+        removableDevice = true;
+        repo = "/mnt/external/backup/take2";
+      }
+      // jobConfig;
+      offsite = {
+        encryption = {
+          passCommand = "cat ${config.age.secrets.borgbackup-offsite.path}";
+          mode = "repokey-blake2";
+        };
+        environment.BORG_RSH = "ssh -i /home/srv/.ssh/id_ed25519";
+        repo = "ssh://vuc5c3xq@vuc5c3xq.repo.borgbase.com/./repo";
+      }
+      // jobConfig;
+    };
+  };
+
+  age.secrets = {
+    borgbackup-onsite.file = ../../../secrets/borgbackup-onsite.age;
+    borgbackup-offsite.file = ../../../secrets/borgbackup-offsite.age;
+  };
+}
--- a/modules/nixos/features/borgmatic.nix
+++ b/modules/nixos/features/borgmatic.nix
@ -42,12 +42,10 @@
        {
          path = "/mnt/external/backup/repo";
          label = "onsite";
-          # encryption = "repokey-blake2";
        }
        {
          path = "ssh://vuc5c3xq@vuc5c3xq.repo.borgbase.com/./repo";
          label = "offsite";
-          # encryption = "repokey-blake2";
        }
      ];
      retries = 3;
@ -75,8 +73,6 @@
    "borgmatic-pg:${config.age.secrets.borgmatic-pg.path}"
  ];

-  # onsite drive
-
  # secrets
  age.secrets = {
    "borgmatic".file = ../../../secrets/borgmatic.age;
--- a/modules/nixos/features/firefly.nix
+++ b/modules/nixos/features/firefly.nix
@ -24,13 +24,6 @@ in
      };
    };

-    borgmatic.settings.sqlite_databases = [
-      {
-        name = "firefly";
-        path = "/srv/firefly/storage/database/database.sqlite";
-      }
-    ];
-
    caddy.virtualHosts."firefly.fi33.buzz".extraConfig = ''
      root * ${config.services.firefly-iii.package}/public
      php_fastcgi unix//${config.services.phpfpm.pools.firefly-iii.socket}
--- a/modules/nixos/features/immich.nix
+++ b/modules/nixos/features/immich.nix
@ -27,15 +27,6 @@ in
      }
    ];

-    borgmatic.settings.postgresql_databases = [
-      {
-        name = "immich";
-        hostname = "localhost";
-        username = "root";
-        password = "{credential systemd borgmatic-pg}";
-      }
-    ];
-
    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {
--- a/modules/nixos/features/mealie.nix
+++ b/modules/nixos/features/mealie.nix
@ -1,5 +1,5 @@
 {
-  config,
+  pkgs,
  ...
 }:
 let
@ -34,17 +34,14 @@ in
      }
    ];

-    # borgmatic.settings = {
-    #   source_directories = [ ];
-    #   postgresql_databases = [
-    #     {
-    #       name = "mealie";
-    #       hostname = "localhost";
-    #       username = "root";
-    #       password = "{credential systemd borgmatic-pg}";
-    #     }
-    #   ];
-    # };
+    borgbackup.jobs = {
+      onsite = {
+        paths = [ "/var/lib/mealie" ];
+      };
+      offsite = {
+        paths = [ "/var/lib/mealie" ];
+      };
+    };

    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
--- a/modules/nixos/features/miniflux.nix
+++ b/modules/nixos/features/miniflux.nix
@ -34,15 +34,6 @@ in
      }
    ];

-    borgmatic.settings.postgresql_databases = [
-      {
-        name = "miniflux";
-        hostname = "localhost";
-        username = "root";
-        password = "{credential systemd borgmatic-pg}";
-      }
-    ];
-
    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {
--- a/modules/nixos/features/ntfy-sh.nix
+++ b/modules/nixos/features/ntfy-sh.nix
@ -20,11 +20,9 @@ in
        auth-default-access = "deny-all";
        auth-users = [
          "Debit3885:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:admin"
-          "borgmatic:$2a$12$ZeFimzdifNFSmf0W2oi.vuZfsqae75md9nhC/Q2BcKMyvDO8T.uEK:user"
          "gatus:$2a$12$OswG3sB8oDaB.KpawKM3P.78dID.Tj/0y5qeVD5BE6EH5bpGKe.na:user"
        ];
        auth-access = [
-          "borgmatic:backups:wo"
          "gatus:services:wo"
        ];
      };
@ -44,10 +42,9 @@ in
      }
    ];

-    borgmatic.settings = {
-      source_directories = [
-        "/var/lib/ntfy-sh/user.db"
-      ];
+    borgbackup.jobs = {
+      onsite.paths = [ "/var/lib/ntfy-sh" ];
+      offsite.paths = [ "/var/lib/ntfy-sh" ];
    };

    caddy.virtualHosts.${hostname}.extraConfig = ''
--- a/modules/nixos/features/paperless.nix
+++ b/modules/nixos/features/paperless.nix
@ -36,17 +36,6 @@ in
      }
    ];

-    borgmatic.settings = {
-      postgresql_databases = [
-        {
-          name = "paperless";
-          hostname = "localhost";
-          username = "root";
-          password = "{credential systemd borgmatic-pg}";
-        }
-      ];
-    };
-
    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
      tls ${certloc}/cert.pem ${certloc}/key.pem {
--- a/modules/nixos/features/prowlarr.nix
+++ b/modules/nixos/features/prowlarr.nix
@ -1,3 +1,7 @@
+{
+  pkgs,
+  ...
+}:
 let
  port = 5009;
  certloc = "/var/lib/acme/fi33.buzz";
@ -28,7 +32,14 @@ in
      }
    ];

-    borgmatic.settings.source_directories = [ "/var/lib/prowlarr" ];
+    borgbackup.jobs = {
+      onsite = {
+        paths = [ "/var/lib/prowlarr" ];
+      };
+      offsite = {
+        paths = [ "/var/lib/prowlarr" ];
+      };
+    };

    caddy.virtualHosts.${hostname}.extraConfig = ''
      reverse_proxy localhost:${toString port}
--- a/modules/nixos/features/syncthing.nix
+++ b/modules/nixos/features/syncthing.nix
@ -73,12 +73,16 @@ in
      }
    ];

-    borgmatic.settings =
+    borgbackup.jobs =
      if userName == "srv" then
        {
-          source_directories = [
+          onsite.paths = [
            "/home/srv/.config/syncthing"
-            "/home/srv/Sync"
+            "/home/srv/Sync/"
+          ];
+          offsite.paths = [
+            "/home/srv/.config/syncthing"
+            "/home/srv/Sync/"
          ];
        }
      else