125 lines
3.1 KiB
Nix
125 lines
3.1 KiB
Nix
<<<<<<< HEAD
|
|
{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? "" }:
|
|
=======
|
|
{ config, hostAddress, localAddress, subvolumes, targetPathSuffix ? ""
|
|
, autoStart ? false }:
|
|
>>>>>>> 82ff04b (chore: nixfmt *)
|
|
|
|
let
|
|
passwords = import ../../variables/passwords.crypt.nix;
|
|
subvolumeParentDir = "/var/lib/container-volumes";
|
|
|
|
in {
|
|
config = { pkgs, ... }: {
|
|
system.stateVersion = "20.03"; # Did you read the comment?
|
|
|
|
imports = [ ../profiles/containers/configuration.nix ];
|
|
|
|
environment.systemPackages = with pkgs; [ btrfs-progs btrbk ];
|
|
|
|
networking.firewall.enable = true;
|
|
|
|
systemd.services."bkp-sync" = {
|
|
enable = true;
|
|
description = "bkp-sync service";
|
|
|
|
serviceConfig = { Type = "oneshot"; };
|
|
|
|
after = [ "bkp-run.service" ];
|
|
|
|
requires = [ "bkp-run.service" ];
|
|
|
|
path = with pkgs; [ utillinux ];
|
|
script = ''
|
|
set -x
|
|
true
|
|
'';
|
|
};
|
|
|
|
systemd.services."bkp-run" = {
|
|
enable = true;
|
|
description = "bkp-run";
|
|
|
|
serviceConfig = { Type = "oneshot"; };
|
|
|
|
partOf = [ "bkp-sync.service" ];
|
|
|
|
path = with pkgs; [ btrfs-progs btrbk coreutils ];
|
|
|
|
script = let
|
|
btrbkConf = pkgs.writeText "cfg" ''
|
|
timestamp_format long
|
|
ssh_identity ${passwords.storage.backupTarget.keyPath}
|
|
ssh_user ${passwords.storage.backupTarget.user}
|
|
ssh_compression no
|
|
backend_remote btrfs-progs-sudo
|
|
compat_remote busybox
|
|
btrfs_commit_delete each
|
|
snapshot_create onchange
|
|
snapshot_preserve_min latest
|
|
snapshot_preserve 7d 4w
|
|
target_preserve_min latest
|
|
target_preserve 7d 4w 12m *y
|
|
|
|
volume ${subvolumeParentDir}
|
|
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
|
|
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") ""
|
|
subvolumes}
|
|
'';
|
|
in ''
|
|
#! ${pkgs.bash}/bin/bash
|
|
set -Eeuxo pipefail
|
|
|
|
btrbk -c ${btrbkConf} --progress ''${@:-run}
|
|
'';
|
|
};
|
|
|
|
systemd.timers."bkp" = {
|
|
description = "Timer to trigger bkp periodically";
|
|
enable = true;
|
|
wantedBy = [ "timer.target" "multi-user.target" ];
|
|
timerConfig = {
|
|
# Obtained using `systemd-analyze calendar "Wed 23:00"`
|
|
# OnCalendar = "Wed *-*-* 23:00:00";
|
|
OnStartupSec = "1m";
|
|
Unit = "bkp-sync.service";
|
|
OnUnitInactiveSec = "2h";
|
|
Persistent = "true";
|
|
};
|
|
};
|
|
};
|
|
|
|
autoStart = true;
|
|
|
|
bindMounts = {
|
|
"${subvolumeParentDir}" = {
|
|
hostPath = subvolumeParentDir;
|
|
isReadOnly = false;
|
|
};
|
|
|
|
"/etc/secrets/" = {
|
|
hostPath = "/var/lib/container-volumes/backup/etc-secrets";
|
|
isReadOnly = true;
|
|
};
|
|
|
|
"/dev/fuse" = {
|
|
hostPath = "/dev/fuse";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
|
|
allowedDevices = [{
|
|
node = "/dev/fuse";
|
|
modifier = "rw";
|
|
}];
|
|
|
|
<<<<<<< HEAD
|
|
=======
|
|
extraFlags = [ "--resolv-conf=bind-host" ];
|
|
|
|
>>>>>>> 82ff04b (chore: nixfmt *)
|
|
privateNetwork = true;
|
|
forwardPorts = [ ];
|
|
|
|
inherit hostAddress localAddress;
|
|
}
|