132 lines
2.9 KiB
Nix
132 lines
2.9 KiB
Nix
{ config
|
|
, hostAddress
|
|
, localAddress
|
|
, subvolumes
|
|
, targetPathSuffix ? ""
|
|
}:
|
|
|
|
let
|
|
passwords = import ../../variables/passwords.crypt.nix;
|
|
subvolumeParentDir = "/var/lib/container-volumes";
|
|
|
|
in {
|
|
config = { pkgs, ... }: {
|
|
imports = [
|
|
../profiles/containers/configuration.nix
|
|
];
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
btrfs-progs
|
|
btrbk
|
|
];
|
|
|
|
networking.firewall.enable = true;
|
|
|
|
systemd.services."bkp-sync" = {
|
|
enable = true;
|
|
description = "bkp-sync service";
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
};
|
|
|
|
after = [
|
|
"bkp-run.service"
|
|
];
|
|
|
|
requires = [
|
|
"bkp-run.service"
|
|
];
|
|
|
|
path = with pkgs; [ utillinux ];
|
|
script = ''
|
|
set -x
|
|
true
|
|
'';
|
|
};
|
|
|
|
systemd.services."bkp-run" = {
|
|
enable = true;
|
|
description = "bkp-run";
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
};
|
|
|
|
partOf = [
|
|
"bkp-sync.service"
|
|
];
|
|
|
|
path = with pkgs; [ btrfs-progs btrbk coreutils ];
|
|
|
|
script = let
|
|
btrbkConf = pkgs.writeText "cfg" ''
|
|
timestamp_format long
|
|
ssh_identity ${passwords.storage.homeChBackup.keyPath}
|
|
ssh_user ${passwords.storage.homeChBackup.user}
|
|
ssh_compression no
|
|
backend_remote btrfs-progs-sudo
|
|
compat_remote busybox
|
|
btrfs_commit_delete each
|
|
snapshot_create onchange
|
|
snapshot_preserve_min latest
|
|
snapshot_preserve 7d 4w
|
|
target_preserve_min latest
|
|
target_preserve 7d 4w 12m *y
|
|
|
|
volume ${subvolumeParentDir}
|
|
target ${passwords.storage.homeChBackup.target}/container-volumes/${targetPathSuffix}
|
|
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
|
|
'';
|
|
in ''
|
|
#! ${pkgs.bash}/bin/bash
|
|
set -Eeuxo pipefail
|
|
|
|
btrbk -c ${btrbkConf} --progress ''${@:-run}
|
|
'';
|
|
};
|
|
|
|
systemd.timers."bkp" = {
|
|
description = "Timer to trigger bkp periodically";
|
|
enable = true;
|
|
wantedBy = [ "timer.target" "multi-user.target" ];
|
|
timerConfig = {
|
|
# Obtained using `systemd-analyze calendar "Wed 23:00"`
|
|
# OnCalendar = "Wed *-*-* 23:00:00";
|
|
OnStartupSec="1m";
|
|
Unit = "bkp-sync.service";
|
|
OnUnitInactiveSec="2h";
|
|
Persistent="true";
|
|
};
|
|
};
|
|
};
|
|
|
|
autoStart = true;
|
|
|
|
bindMounts = {
|
|
"${subvolumeParentDir}" = {
|
|
hostPath = subvolumeParentDir;
|
|
isReadOnly = false;
|
|
};
|
|
|
|
"/etc/secrets/" = {
|
|
hostPath = "/var/lib/container-volumes/backup/etc-secrets";
|
|
isReadOnly = true;
|
|
};
|
|
|
|
"/dev/fuse" = {
|
|
hostPath = "/dev/fuse";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
|
|
allowedDevices = [
|
|
{ node = "/dev/fuse"; modifier = "rw"; }
|
|
];
|
|
|
|
privateNetwork = true;
|
|
forwardPorts = [
|
|
];
|
|
|
|
inherit hostAddress localAddress;
|
|
}
|