infrastructure/nixos-modules/qois/backup-client/default.nix

104 lines
2.9 KiB
Nix
Raw Permalink Normal View History

2024-10-02 15:52:04 +02:00
{
config,
lib,
options,
pkgs,
self,
...
}:
let
cfg = config.qois.backup-client;
defaultIncludePaths = [
"/etc"
"/home"
"/root"
];
defaultExcludePaths = [
"/root/.cache"
"/root/.config/borg"
];
defaultSopsPasswordFile = "system/backup/password";
in
with lib;
{
options.qois.backup-client =
let
pathsType = with types; listOf str;
in
{
enable = mkEnableOption "Enable this host to execute backups.";
targets = mkOption {
type = with types; listOf (enum (attrNames config.qois.meta.hosts));
default = [
"cyprianspitz"
];
description = "Target hosts to make backups to. Must be configured to receive backups in the backplane network.";
};
includePaths = mkOption {
type = pathsType;
default = [ ];
description = "Paths that are included in backup. The backup module always includes: ${concatStringsSep ", " defaultIncludePaths}";
};
excludePaths = mkOption {
type = pathsType;
default = [ ];
description = "Paths that are excluded in backup. The backup module always excludes: ${concatStringsSep ", " defaultExcludePaths}";
};
passwordFile = mkOption {
type = with types; nullOr str;
default = null;
example = "config.sops.secrets.${defaultSopsPasswordFile}.path";
description = "Path to password file. Taken from sops host secret ${defaultSopsPasswordFile} by default, must be randomly generated per host.";
};
networkName = mkOption {
type = types.enum (attrNames config.qois.meta.network.virtual);
default = "backplane";
description = "Name of virtual network through which the backups should be done";
};
};
config.services.borgbackup.jobs = mkIf cfg.enable (
builtins.listToAttrs (
map (backupHost: {
name = "system-${backupHost}";
value = {
repo = "borg@${config.qois.meta.network.virtual.${cfg.networkName}.hosts.${backupHost}.v4.ip}:.";
environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
paths = defaultIncludePaths ++ cfg.includePaths;
exclude = defaultExcludePaths ++ cfg.excludePaths;
doInit = true;
encryption = {
mode = "repokey";
passCommand =
let
passFile =
if cfg.passwordFile != null then
cfg.passwordFile
else
config.sops.secrets.${defaultSopsPasswordFile}.path;
in
"cat ${passFile}";
};
startAt = "07:06";
persistentTimer = true;
};
}) cfg.targets
)
);
config.sops.secrets = mkIf (cfg.enable && cfg.passwordFile == null) {
${defaultSopsPasswordFile} = {
restartUnits = map (target: "borgbackup-job-system-${target}.service") cfg.targets;
};
};
}