Move all nixos-modules out of qois subfolder

2025-03-21 19:20:28 +02:00 · 2025-03-21 19:20:28 +02:00 · 97d1a30329
commit 97d1a30329
parent d49f58265f
22 changed files with 3 additions and 14 deletions
--- a/nixos-modules/backup-client/README.md
+++ b/nixos-modules/backup-client/README.md
@ -0,0 +1,6 @@
+# Backup Module
+
+This module creates a host-based backup job `system-${target-hostname}` (currently with borg).
+The module has sensible defaults for a whole system, note however that individual services/paths must be included or excluded added manually.
+
+Target hosts should use the [Backup Server Module](../backup-server).
--- a/nixos-modules/backup-client/default.nix
+++ b/nixos-modules/backup-client/default.nix
@ -0,0 +1,103 @@
+{
+  config,
+  lib,
+  options,
+  pkgs,
+  self,
+  ...
+}:
+
+let
+  cfg = config.qois.backup-client;
+  defaultIncludePaths = [
+    "/etc"
+    "/home"
+    "/root"
+  ];
+  defaultExcludePaths = [
+    "/root/.cache"
+    "/root/.config/borg"
+  ];
+  defaultSopsPasswordFile = "system/backup/password";
+in
+with lib;
+{
+  options.qois.backup-client =
+    let
+      pathsType = with types; listOf str;
+    in
+    {
+      enable = mkEnableOption "Enable this host to execute backups.";
+
+      targets = mkOption {
+        type = with types; listOf (enum (attrNames config.qois.meta.hosts));
+        default = [
+          "cyprianspitz"
+        ];
+        description = "Target hosts to make backups to. Must be configured to receive backups in the backplane network.";
+      };
+
+      includePaths = mkOption {
+        type = pathsType;
+        default = [ ];
+        description = "Paths that are included in backup. The backup module always includes: ${concatStringsSep ", " defaultIncludePaths}";
+      };
+
+      excludePaths = mkOption {
+        type = pathsType;
+        default = [ ];
+        description = "Paths that are excluded in backup. The backup module always excludes: ${concatStringsSep ", " defaultExcludePaths}";
+      };
+
+      passwordFile = mkOption {
+        type = with types; nullOr str;
+        default = null;
+        example = "config.sops.secrets.${defaultSopsPasswordFile}.path";
+        description = "Path to password file. Taken from sops host secret ${defaultSopsPasswordFile} by default, must be randomly generated per host.";
+      };
+
+      networkName = mkOption {
+        type = types.enum (attrNames config.qois.meta.network.virtual);
+        default = "backplane";
+        description = "Name of virtual network through which the backups should be done";
+      };
+    };
+
+  config.services.borgbackup.jobs = mkIf cfg.enable (
+    builtins.listToAttrs (
+      map (backupHost: {
+        name = "system-${backupHost}";
+        value = {
+          repo = "borg@${config.qois.meta.network.virtual.${cfg.networkName}.hosts.${backupHost}.v4.ip}:.";
+          environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+
+          paths = defaultIncludePaths ++ cfg.includePaths;
+          exclude = defaultExcludePaths ++ cfg.excludePaths;
+
+          doInit = true;
+          encryption = {
+            mode = "repokey";
+            passCommand =
+              let
+                passFile =
+                  if cfg.passwordFile != null then
+                    cfg.passwordFile
+                  else
+                    config.sops.secrets.${defaultSopsPasswordFile}.path;
+              in
+              "cat ${passFile}";
+          };
+
+          startAt = "07:06";
+          persistentTimer = true;
+        };
+      }) cfg.targets
+    )
+  );
+
+  config.sops.secrets = mkIf (cfg.enable && cfg.passwordFile == null) {
+    ${defaultSopsPasswordFile} = {
+      restartUnits = map (target: "borgbackup-job-system-${target}.service") cfg.targets;
+    };
+  };
+}