142 lines
3.2 KiB
Nix
142 lines
3.2 KiB
Nix
{
|
|
config,
|
|
hostAddress,
|
|
localAddress,
|
|
subvolumes,
|
|
targetPathSuffix ? "",
|
|
autoStart ? false,
|
|
}:
|
|
let
|
|
passwords = import ../../variables/passwords.crypt.nix;
|
|
subvolumeParentDir = "/var/lib/container-volumes";
|
|
in
|
|
{
|
|
config =
|
|
{ pkgs, ... }:
|
|
{
|
|
system.stateVersion = "20.03"; # Did you read the comment?
|
|
|
|
imports = [ ../profiles/containers/configuration.nix ];
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
btrfs-progs
|
|
btrbk
|
|
];
|
|
|
|
networking.firewall.enable = true;
|
|
|
|
systemd.services."bkp-sync" = {
|
|
enable = true;
|
|
description = "bkp-sync service";
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
};
|
|
|
|
after = [ "bkp-run.service" ];
|
|
|
|
requires = [ "bkp-run.service" ];
|
|
|
|
path = with pkgs; [ utillinux ];
|
|
script = ''
|
|
set -x
|
|
true
|
|
'';
|
|
};
|
|
|
|
systemd.services."bkp-run" = {
|
|
enable = true;
|
|
description = "bkp-run";
|
|
|
|
serviceConfig = {
|
|
Type = "oneshot";
|
|
};
|
|
|
|
partOf = [ "bkp-sync.service" ];
|
|
|
|
path = with pkgs; [
|
|
btrfs-progs
|
|
btrbk
|
|
coreutils
|
|
];
|
|
|
|
script =
|
|
let
|
|
btrbkConf = pkgs.writeText "cfg" ''
|
|
timestamp_format long
|
|
ssh_identity ${passwords.storage.backupTarget.keyPath}
|
|
ssh_user ${passwords.storage.backupTarget.user}
|
|
ssh_compression no
|
|
backend_remote btrfs-progs-sudo
|
|
compat_remote busybox
|
|
btrfs_commit_delete each
|
|
snapshot_create onchange
|
|
snapshot_preserve_min latest
|
|
snapshot_preserve 7d 4w
|
|
target_preserve_min latest
|
|
target_preserve 7d 4w 12m *y
|
|
|
|
volume ${subvolumeParentDir}
|
|
target ${passwords.storage.backupTarget.target}/container-volumes/${targetPathSuffix}
|
|
${builtins.foldl' (sum: elem: sum + " subvolume " + elem + "\n") "" subvolumes}
|
|
'';
|
|
in
|
|
''
|
|
#! ${pkgs.bash}/bin/bash
|
|
set -Eeuxo pipefail
|
|
|
|
btrbk -c ${btrbkConf} --progress ''${@:-run}
|
|
'';
|
|
};
|
|
|
|
systemd.timers."bkp" = {
|
|
description = "Timer to trigger bkp periodically";
|
|
enable = true;
|
|
wantedBy = [
|
|
"timer.target"
|
|
"multi-user.target"
|
|
];
|
|
timerConfig = {
|
|
# Obtained using `systemd-analyze calendar "Wed 23:00"`
|
|
# OnCalendar = "Wed *-*-* 23:00:00";
|
|
OnStartupSec = "1m";
|
|
Unit = "bkp-sync.service";
|
|
OnUnitInactiveSec = "2h";
|
|
Persistent = "true";
|
|
};
|
|
};
|
|
};
|
|
|
|
inherit autoStart;
|
|
|
|
bindMounts = {
|
|
"${subvolumeParentDir}" = {
|
|
hostPath = subvolumeParentDir;
|
|
isReadOnly = false;
|
|
};
|
|
|
|
"/etc/secrets/" = {
|
|
hostPath = "/var/lib/container-volumes/backup/etc-secrets";
|
|
isReadOnly = true;
|
|
};
|
|
|
|
"/dev/fuse" = {
|
|
hostPath = "/dev/fuse";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
|
|
allowedDevices = [
|
|
{
|
|
node = "/dev/fuse";
|
|
modifier = "rw";
|
|
}
|
|
];
|
|
|
|
extraFlags = [ "--resolv-conf=bind-host" ];
|
|
|
|
privateNetwork = true;
|
|
forwardPorts = [ ];
|
|
|
|
inherit hostAddress localAddress;
|
|
}
|