nixConfig/nixos/modules/borgbackup.nix
2024-08-19 13:14:45 +02:00

172 lines
6.3 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
config,
lib,
pkgs,
...
}: let
inherit
(lib)
mkIf
mkEnableOption
;
cfg = config.services.mathebau-borgbackup;
in {
imports = [];
options.services.mathebau-borgbackup = {
enable = mkEnableOption "mathebau borgbackup service";
};
config = mkIf cfg.enable {
services.borgbackup = {
# repos are made available at ssh://borg@hostname and served according to the presented ssh-key
# If you think about adding keys of nix machines:
# Congratulations, you are the first person to make backups from a nixos machine.
# Your won the task of automatizing this endeavor, so in future we don't need to hand copy any
# ssh keys anymore.
repos = {
aphoom-zhah = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8pI6uinXezAMH4vG2yEbu/yOYU5vXcsZN74tYgV+Wj Aphoom-Zhah Backup"
];
path = "/var/lib/backups/aphoom-zhah";
# subrepos are allowed because each vm creates at least one repo below this filepath and yibb-tstll even more
allowSubRepos = true;
};
azathoth = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGBEwllQ77ktoirXX6dJ6ET8TfK4lzq0aaq+X4rrX2Vk Azathoth Backup"
];
path = "/var/lib/backups/azathoth";
allowSubRepos = true;
};
cthulhu = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSJl1MvabUADTdOCgufsBzn1tIIpxMq4iDcYZsaW1lV Cthulhu Backup"
];
path = "/var/lib/backups/cthulhu";
allowSubRepos = true;
};
dagon = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaTBennwqT9eB43gVD1nM1os3dMPZ8RWwIKPEjqMK5V Dagon Backup"
];
path = "/var/lib/backups/dagon";
allowSubRepos = true;
};
eihort = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLoDxtY4Tp6NKxLt9oHmWT6w4UpU6eA1TnPU2Ut83BN Eihort Backup"
];
path = "/var/lib/backups/eihort";
allowSubRepos = true;
};
fsaccount = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+Y7fQTYdIWHehrKdk92CaJ0AisEux4OrS4nIyMstU4 FS Account Backup"
];
path = "/var/lib/backups/fsaccount";
allowSubRepos = true;
};
hastur = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILeDvTyOUdIPARatX0PPhHgrV1gjERWLt2Twa8E2GETb Hastur Backupsystem"
];
path = "/var/lib/backups/hastur";
allowSubRepos = true;
};
ithaqua = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJmBf8cz3FTDdeuxWbp1MO2yPT5rvH8ZIGUzfogjpXi Ithaqua Backup"
];
path = "/var/lib/backups/ithaqua";
allowSubRepos = true;
};
lobon = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEptjf1UWRlo6DG9alAIRwkSDUAVHwDKkHC6/DeYKzi Lobon Backup"
];
path = "/var/lib/backups/lobon";
allowSubRepos = true;
};
sanctamariamaterdei = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9Le5OI4ympQ0mQKYHmxgxGF598rzpD5VVpWK1mGfd8 Sanctamariamaterdei Backupsystem"
];
path = "/var/lib/backups/sanctamariamaterdei";
allowSubRepos = true;
};
tsathoggua = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKS9/1lFOhv+3sNuGcysM3TYh2xRrjMeAZX3K7CBx0QW Tsathoggua Backup"
];
path = "/var/lib/backups/tsathoggua";
allowSubRepos = true;
};
uvhash = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB8DjIqgFgmYhQnTLpbqL0r7xBPb8TPy6SO5RhQ31OGj Uvhash Backup"
];
path = "/var/lib/backups/uvhash";
allowSubRepos = true;
};
yibb-tstll = {
authorizedKeysAppendOnly = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINlnGOV58Ks9lu+WTI4F7QAHtDrJq2jY8ZocITZG8K0+ Yibb-Tstll Backup"
];
path = "/var/lib/backups/yibb-tstll";
allowSubRepos = true;
};
};
# Configure backup of files on the department's fs account:
# This job first copies the files to the local account 'fsaccount' in tmpfs
# and then takes a regular backup of the mirrored folder.
# See also https://borgbackup.readthedocs.io/en/stable/deployment/pull-backup.html
# which does not work due to missing permissions.
jobs.fsaccount = {
preHook = ''
mkdir -p /home/fsaccount/sicherung # Create if it does not exist
${pkgs.rsync}/bin/rsync --rsh='ssh -i /run/secrets/backupKey' --recursive --delete fachschaft@gw1.mathematik.tu-darmstadt.de:/home/fachschaft/* /home/fsaccount/sicherung
'';
paths = "/home/fsaccount/sicherung";
encryption.mode = "none"; # Otherwise the key is next to the backup or we have human interaction.
environment = {
BORG_RSH = "ssh -i /run/secrets/backupKey";
# “Borg ensures that backups are not created on random drives that just happen to contain a Borg repository.”
# https://borgbackup.readthedocs.io/en/stable/deployment/automated-local.html
# We don't want this in order to not need to persist borg cache and simplify new deployments.
BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK = "yes";
};
repo = "borg@localhost:fsaccount";
startAt = "daily";
user = "fsaccount";
group = "users";
readWritePaths = ["/home/fsaccount"];
};
};
# Extra user for FS account backup
users.users = {
fsaccount = {
description = "FS Account backup";
isSystemUser = true;
home = "/home/fsaccount";
createHome = true;
group = "users";
};
};
environment.persistence.${config.impermanence.name} = {
users.fsaccount.files = [
{
file = ".ssh/known_hosts";
parentDirectory = {
mode = "u=rwx,g=,o=";
user = "fsaccount";
group = "users";
};
}
];
};
};
}