2025-10-01 00:22:04 +10:00
9 changed files with 113 additions and 127 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@ -12,7 +12,7 @@
  # reusable modules
  # keep-sorted start
-  borgbackup-srv.enable = true;
+  borgmatic.enable = true;
  intel-gpu.enable = true;
  server.enable = true;
  # keep-sorted end
--- a/modules/nixos/backup.nix
+++ b/modules/nixos/backup.nix
@ -1,75 +0,0 @@
 service: servicecfg:
 {
  # keep-sorted start
  pkgs,
  config,
  lib,
 # keep-sorted end
 }:
 let
  notify =
    {
      tag,
      msg,
      location,
    }:
    ''
      ${pkgs.curl}/bin/curl \
        -H "X-Tags: ${tag},BorgBackup,Server,${location}" \
        -d "${msg}" \
        ${config.services.ntfy-sh.settings.base-url}/backups
    '';
  notifySuccess =
    context:
    notify {
      tag = "tada";
      msg = "Backup succeeded";
      location = "${context}/${service}";
    };
  notifyFailure =
    context:
    notify {
      tag = "rotating_light";
      msg = "Backup failed, check logs";
      location = "${context}/${service}";
    };
  job =
    context: contextcfg:
    lib.nameValuePair "${context}-${service}" (
      {
        compression = "auto,zstd";
        startAt = "*-*-* 04:00:00 Australia/Melbourne";
        prune.keep = {
          daily = 7;
          weekly = 4;
          monthly = 6;
        };
        postHook = ''
          if [ $exitStatus -eq 0 ]; then
            ${notifySuccess context}
          else 
            ${notifyFailure context}
          fi
        '';
      }
      // contextcfg
      // servicecfg
    );
 in
 builtins.listToAttrs [
  (job "onsite" {
    repo = "/backup/repo";
    encryption = {
      mode = "repokey-blake2";
      passCommand = "cat ${config.age.secrets.borgbackup-server-onsite.path}";
    };
  })
  (job "offsite" {
    repo = "vuc5c3xq@vuc5c3xq.repo.borgbase.com:repo";
    encryption = {
      mode = "repokey-blake2";
      passCommand = "cat ${config.age.secrets.borgbackup-server-offsite.path}";
    };
    environment.BORG_RSH = "ssh -i /home/srv/.ssh/id_ed25519";
  })
 ]
--- a/modules/nixos/features/borgbackup-srv.nix
+++ b/modules/nixos/features/borgbackup-srv.nix
@ -1,31 +0,0 @@
 {
  config,
  lib,
  ...
 }:
 let
  feature = "borgbackup-srv";
 in
 {
  config = lib.mkIf config.${feature}.enable {
    # onsite drive
    services.udisks2.enable = true;
    fileSystems."/backup" = {
      device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
      fsType = "ext4";
    };
    # secrets
    age.secrets = {
      "borgbackup-server-onsite" = {
        file = ../../../secrets/borgbackup-server-onsite.age;
      };
      "borgbackup-server-offsite" = {
        file = ../../../secrets/borgbackup-server-offsite.age;
      };
    };
  };
  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
 }
--- a/modules/nixos/features/borgmatic.nix
+++ b/modules/nixos/features/borgmatic.nix
@ -0,0 +1,92 @@
 {
  config,
  lib,
  ...
 }:
 let
  feature = "borgmatic";
 in
 {
  config = lib.mkIf config.${feature}.enable {
    # service
    services.borgmatic = {
      enable = true;
      settings = {
        # keep-sorted start block=yes
        compression = "auto,zlib";
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 6;
        keep_yearly = 1;
        repositories = [
          {
            path = "/backup/repo";
            label = "onsite";
            # encryption = "repokey-blake2";
          }
          {
            path = "ssh://vuc5c3xq@vuc5c3xq.repo.borgbase.com/./repo";
            label = "offsite";
            # encryption = "repokey-blake2";
          }
        ];
        encryption_passcommand = "cat ${config.age.secrets.borgmatic.path}";
        ssh_command = "ssh -i /home/srv/.ssh/id_ed25519";
        ntfy = {
          topic = "backups";
          server = config.services.ntfy-sh.settings.base-url;
          finish = {
            title = "Ping!";
            message = "Your backups have succeeded :)";
            tags = "tada,BorgBackup,Server";
          };
          fail = {
            title = "Ping!";
            message = "Your backups have failed :(";
            tags = "rotating_light,BorgBackup,Server";
          };
          states = [
            "finish"
            "fail"
          ];
        };
        retries = 3;
        retry_wait = 10;
        # keep-sorted end
      };
    };
    # postgres
    services.postgresql.ensureUsers = [
      {
        name = "root";
      }
    ];
    systemd.services.postgresql.postStart = lib.mkAfter ''
      /run/current-system/sw/bin/psql postgres -c "GRANT pg_read_all_data TO root"
    '';
    systemd.services.borgmatic.path = [
      config.services.postgresql.package
    ];
    # credentials
    systemd.services.borgmatic.serviceConfig.LoadCredential = [
      "borgmatic-pg:${config.age.secrets.borgmatic-pg.path}"
    ];
    # onsite drive
    services.udisks2.enable = true;
    fileSystems."/backup" = {
      device = "/dev/disk/by-uuid/d3b3d7dc-d634-4327-9ea2-9d8daa4ecf4e";
      fsType = "ext4";
    };
    # secrets
    age.secrets = {
      "borgmatic".file = ../../../secrets/borgmatic.age;
      "borgmatic-pg".file = ../../../secrets/borgmatic-pg.age;
    };
  };
  options.${feature}.enable = lib.mkEnableOption "enables ${feature}";
 }
--- a/secrets/borgbackup-server-offsite.age
+++ b/secrets/borgbackup-server-offsite.age
@ -1,9 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 LtK9yQ ffY9sDLotAZPq7WYBhBCo/+CG8hs8oSb+Zc26XQ5Kxs
 7JwKBUAUWfuOyfaf/pVcq1zv58OtrPAh9wGqPcEhlt8
 -> ssh-ed25519 qLT+DQ ulTuZ469zjWcwcuH54SUDaAsaNcpEqXkO0cdGsv2tEE
 jwqDMwd/hyHvT+FQjHj8fziycK9WMGJqM6UZKB1yXrQ
 -> ssh-ed25519 7+xRyQ ZcybG8n14hpc/B9p1KWDzCi9T2UmVzzsTG32LtKtNFY
 81CixZ1eUgAZLS1LDceYeoGbKUPVqqzqjjJ7ACUHCCc
 --- 5eJlsZeXReu93xYN6WLtKfFycFyTZyrt0aMYgERe9ME
 ÝÇ"ôŒº4<14>XêtºQqwáýÁ‹˜Æ(„¾Þ¸ƒ±‚…ò‹èÊ3’.JI¼‹ä6-)ö§áì,˜ó<>ªÕ²ÚqÁI~b®
--- a/secrets/borgbackup-server-onsite.age
+++ b/secrets/borgbackup-server-onsite.age
@ -1,9 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 LtK9yQ klX5fjSXRPWV/ALNcTZ8UIVFEftuS0bMx0oZ0jZDSBQ
 swtF1Mvup7JZszfPgXwZ2363Qrt3oUdP1AWfd0Je8h0
 -> ssh-ed25519 qLT+DQ IN4GfoKDEtcs/lbobggKfdbFn8EdqpBv7KRJqs0nxg8
 X+hti2ZVCqZPHV54QzwZN1nQTdBbU/ZaF7iz1QspIW4
 -> ssh-ed25519 7+xRyQ TFU9KepaxamXUcwNrwDv368JvfmLb0Aq1oeuQoX3A2g
 XQZxEmfduYOcDoXZuL9ywH2UdJmFsM6mQDqX5SBkvko
 --- ud8jMRGHEN6/q5o0GhZdt+Nh38Bhg6nh/ugTPTJFYtI
 ÝuI,ÈÏÖþmîWïJÁzÙP/†.]‡ÇmÝøã¶<C3A3>káb¸há‹+úˆ‚—éîýéJXZ/¡qåX	×Qa.¨¢/ˆ²¿9Á
--- a/secrets/borgmatic-pg.age
+++ b/secrets/borgmatic-pg.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 qLT+DQ C3A3TKOyIWzbW8JupvhTmLKetnr+0uzkPq985NA0DCs
 ahrHVR7WadjOfOXBWOqBAf9L0UdCNeD0Ynk6sKDF7WM
 -> ssh-ed25519 7+xRyQ evZ6zSS3olbORnqiCnEAL68D1FNPgg2oBoJSaquLAAA
 BYoo9AVOHsRsTbXkRQdS/7WN25vBuJOAb0YfnSY+hGQ
 -> ssh-ed25519 LtK9yQ jLIdKPvVhPsRIJevWLmads3P2hM29c0B143OWoINzlY
 ziCUQ1TtB6BUgbNZ/zFXoaOtpxyrbKobsTvXo/dSpSA
 --- Q6JHS+5vuYLIqyIb6x3qCbIJvsjk2++ovL1zkVGs69o
 <EFBFBD>ãì‡½NM1±WBýy•M.ù²ø-Ø|GlºÈ]¡8Z,(5è±²P¶èè!ÿpmp¡¢°Eaû¤;<3B>Ôâ¿Ä(tq!ÊKÕU4×m
--- a/secrets/borgmatic.age
+++ b/secrets/borgmatic.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 qLT+DQ zfLZc8A30KjoMrhUSl4OgTp+Yg11fmVjDioxtIYMqDU
 URhJwUCElaJcSd+k5wBQAXvdC/68ZcCA5WbHGAJTYfY
 -> ssh-ed25519 7+xRyQ mrGrjW0fQIRNMDdw4Hoc9N/xAEm1P0IFukShfeVdKE8
 yLUmj7LBfHQ/i4buBB57ktNUOnHpoC8NYTQUnK5e5y4
 -> ssh-ed25519 LtK9yQ THjOsSIr/DQTulFlwd4r5DYb73VQ0vWgyDHkfJV3NR0
 Dl8FwK1WciiEMs5MdrFcUIOFGmlbZf3APOWzLN6rkOE
 --- 3mjYPT9APy0F5NNbbCIQhzZ0XjKBtB9YGGS3t37eoRU
 ôT^væ—U‹§òÏ{™>[÷õ¦dhé§PC6þZ|é£ûýK|~lÝ<6C>bŒÀD¢ûÖÙt”Î„¨ø]¨’1P$ø10¨¿ïAý±$
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -15,8 +15,8 @@ let
 in
 {
  # keep-sorted start
-  "borgbackup-server-offsite.age".publicKeys = users;
+  "borgmatic.age".publicKeys = users;
-  "borgbackup-server-onsite.age".publicKeys = users;
+  "borgmatic-pg.age".publicKeys = users;
  "copyparty-will.age".publicKeys = users;
  "immich.age".publicKeys = users;
  "jellyfin.age".publicKeys = users;