gorgon: set up offsite backup

2023-06-18 14:34:42 +02:00 · 2023-06-18 14:34:42 +02:00 · 57d04d981f
commit 57d04d981f
parent 8dcc5a1f2f
3 changed files with 45 additions and 1 deletions
--- a/nixos/configurations.nix
+++ b/nixos/configurations.nix
@ -47,7 +47,6 @@ in
          ];
          home-manager.users.dadada = import ../home/home;
        })
-      ./modules/profiles/laptop.nix
      ./gorgon/configuration.nix
    ];
  };
--- a/nixos/gorgon/configuration.nix
+++ b/nixos/gorgon/configuration.nix
@ -42,9 +42,17 @@ let
 in
 {
  imports = [
+    ../modules/profiles/laptop.nix
    ./hardware-configuration.nix
  ];

+  dadada.backupClient.backup2 = {
+    enable = true;
+    passphrasePath = config.age.secrets."${config.networking.hostName}-backup-passphrase".path;
+    sshIdentityFile = config.age.secrets."${config.networking.hostName}-backup-ssh-key".path;
+    repo = "u355513-sub1@u355513-sub1.your-storagebox.de:/home/backup";
+  };
+
  nix.extraOptions = ''
    experimental-features = nix-command flakes
    # Prevent garbage collection for nix shell and direnv
--- a/nixos/modules/backup.nix
+++ b/nixos/modules/backup.nix
@ -56,6 +56,24 @@ in
          default = "/var/lib/borgbackup/bs/id_ed25519";
        };
      };
+      backup2 = {
+        enable = mkEnableOption "Enable backup to Hetzner storage box";
+        passphrasePath = mkOption {
+          type = types.str;
+          description = "The path to the passphrase file.";
+          default = "/var/lib/borgbackup/backup2/passphrase";
+        };
+        sshIdentityFile = mkOption {
+          type = types.str;
+          description = "Path to the SSH key that is used to transmit the backup.";
+          default = "/var/lib/borgbackup/backup2/id_ed25519";
+        };
+        repo = mkOption {
+          type = types.str;
+          description = "URL to the repo inside the sub-account.";
+          example = "u355513-sub1@u355513-sub1.your-storagebox.de:borg";
+        };
+      };
    };
  };

@ -119,5 +137,24 @@ in
        BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
      };
    };
+
+    services.borgbackup.jobs.backup2 = mkIf cfg.backup2.enable {
+      paths = "/";
+      exclude = backupExcludes;
+      repo = cfg.backup2.repo;
+      doInit = true;
+      environment = {
+        BORG_RSH = "ssh -6 -p23 -i ${cfg.backup2.sshIdentityFile} -o 'StrictHostKeyChecking accept-new' -o 'TCPKeepAlive=yes'";
+      };
+      encryption = {
+        mode = "repokey";
+        passCommand = "cat ${cfg.backup2.passphrasePath}";
+      };
+      compression = "auto,lz4";
+      startAt = "daily";
+      environment = {
+        BORG_RELOCATED_REPO_ACCESS_IS_OK = "no";
+      };
+    };
  };
 }