nixos/base/borg-config.nix


# Module: base/borg-config
# This module serves as a wrapper for my backup infrastructure.
# There are two primary backup targets: local and remote.
# Local is a different VM running on the same server, while remote
# is an off-site backup so that I follow the 3-2-1 principle.
#
# Archive retention policy:
# - 7 daily
# - 4 weekly
# - 12 monthly
# - 3 yearly
# Module arguments.
# NOTE(review): `pkgs` and `inputs` are accepted but not referenced in the
# lines shown here.
{
config,
lib,
pkgs,
pkgsUnstable,
inputs,
...
}:
with lib;
let
# Shorthand for the values set under the `borg-config` options.
cfg = config.borg-config;
# Passed as borgmatic's `remote_path` for the off-site target only.
# Presumably the name of the borg executable on that host -- confirm.
remotePath = "borg14";
# Both backup targets authenticate with the machine's SSH *host* private key.
# NOTE(review): this makes one key serve two roles (identifying this machine
# as an SSH server and authorising it against the backup repositories), so
# rotating or losing it affects both. A dedicated backup key, restricted on
# the repository side in authorized_keys (forced `borg serve` with
# --restrict-to-repository and, where it fits, --append-only), narrows what
# a compromise of this host can do to existing archives.
sshCommand = "ssh -i /etc/ssh/ssh_host_ed25519_key";
in
{
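options.borg-config = {
  # mkEnableOption prefixes its argument with "Whether to enable ", so the
  # text is a noun phrase; starting it with "Enable" renders as
  # "Whether to enable Enable ...".
  enable = mkEnableOption "Eric's borgbackup/borgmatic configuration";

  # Label used for the repository entry of both the local and remote target.
  backupLabel = mkOption {
    type = types.str;
    default = "backup";
    description = "Label to give to the backup archives";
    example = "syncthing";
  };

  # Repository locations. Both default to the empty string, and both
  # borgmatic configurations are generated whenever the module is enabled,
  # so a host that enables the module is expected to set both.
  localRepoPath = mkOption {
    type = types.str;
    default = "";
    description = "Path of local borg repository to send to";
    example = "ssh://user@host.domain.com/./";
  };
  remoteRepoPath = mkOption {
    type = types.str;
    default = "";
    description = "Path of remote borg repository to send to";
    example = "ssh://user@host.domain.com/./";
  };

  sourceDirectories = mkOption {
    type = types.listOf types.str;
    default = [ ];
    description = "List of paths to include in the archives";
    example = [
      "/mnt/data"
      "/opt"
    ];
  };

  # Healthchecks ping URLs. Knowing the URL is enough to report a status for
  # the check, so treat it like a credential. A value set here is passed
  # verbatim into the generated borgmatic configuration.
  hcPingUrlLocal = mkOption {
    type = types.str;
    default = "";
    description = "URL of HealthChecks endpoint to send local backup status";
  };
  hcPingUrlRemote = mkOption {
    type = types.str;
    default = "";
    description = "URL of HealthChecks endpoint to send remote backup status";
  };

  # Database dump hooks. Everything set here, `password` included, is copied
  # as-is into the borgmatic configuration that NixOS generates, and that
  # file lives in the world-readable Nix store. Prefer a value borgmatic
  # resolves at run time (environment-variable interpolation, or a
  # credential reference in recent borgmatic releases) over a literal
  # password; the literals in the examples only illustrate the shape.
  mariadbDatabases = mkOption {
    type = types.listOf types.attrs;
    default = [ ];
    description = "List of attribute sets that describe MariaDB databases";
    # literalExpression makes the manual render this as Nix code instead of
    # as a quoted string.
    example = literalExpression ''
      [
        {
          name = "test";
          username = "user";
          password = "password";
        }
      ];
    '';
  };
  postgresqlDatabases = mkOption {
    type = types.listOf types.attrs;
    default = [ ];
    description = "List of attribute sets that describe PostgreSQL databases";
    example = literalExpression ''
      [
        {
          name = "test";
          user = "user";
          password = "password";
          hostname = "localhost";
        }
      ];
    '';
  };

  # Command hooks are executed by borgmatic itself, so they run with the
  # privileges of the backup job; only feed this from trusted configuration.
  commands = mkOption {
    type = types.listOf types.attrs;
    default = [ ];
    description = "Configuration for command hooks";
  };
};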
config = mkIf cfg.enable (
  let
    # Builds one borgmatic configuration. The two backup targets differ only
    # in repository path, passphrase file and Healthchecks URL; everything
    # else (sources, retention 7/4/12/3, compression, hooks) is shared.
    mkTarget =
      { repoPath, passphraseFile, pingUrl }:
      {
        source_directories = cfg.sourceDirectories;
        repositories = [
          {
            label = cfg.backupLabel;
            path = repoPath;
          }
        ];
        # Only the path of the sops-managed secret is written into the
        # configuration; the passphrase itself is read when borgmatic runs.
        encryption_passcommand = ''cat ${passphraseFile}'';
        compression = "zstd";
        keep_daily = 7;
        keep_weekly = 4;
        keep_monthly = 12;
        keep_yearly = 3;
        # Do not bypass Borg's refusal of a previously unknown unencrypted
        # repository.
        unknown_unencrypted_repo_access_is_ok = false;
        ssh_command = sshCommand;
        # Passed through verbatim: any literal password in these lists ends
        # up in the generated configuration file.
        mariadb_databases = cfg.mariadbDatabases;
        postgresql_databases = cfg.postgresqlDatabases;
        commands = cfg.commands;
        healthchecks = {
          ping_url = pingUrl;
        };
      };
  in
  {
    # One repository passphrase per target, provisioned through sops.
    sops.secrets."borgmatic_pass/local" = { };
    sops.secrets."borgmatic_pass/remote" = { };

    # NOTE(review): the CLI tools come from pkgsUnstable while
    # services.borgmatic sets no package here, so the interactive and the
    # scheduled borgmatic may be different versions -- confirm.
    environment.systemPackages = with pkgsUnstable; [
      borgbackup
      borgmatic
    ];

    services.borgmatic = {
      enable = true;
      enableConfigCheck = true;
      configurations = {
        local = mkTarget {
          repoPath = cfg.localRepoPath;
          passphraseFile = config.sops.secrets."borgmatic_pass/local".path;
          pingUrl = cfg.hcPingUrlLocal;
        };
        # The off-site target additionally names the borg executable to use
        # on the remote side.
        remote =
          (mkTarget {
            repoPath = cfg.remoteRepoPath;
            passphraseFile = config.sops.secrets."borgmatic_pass/remote".path;
            pingUrl = cfg.hcPingUrlRemote;
          })
          // {
            remote_path = remotePath;
          };
      };
    };
  }
);
}