defiant: Fix nfs-client, replace borg with restic

2025-10-06 04:53:57 +02:00 · 2024-10-05 10:53:54 +02:00
parent 6de16fb116
commit b17ff565c3
5 changed files with 63 additions and 73 deletions
--- a/hosts/defiant/backup.nix
+++ b/hosts/defiant/backup.nix
@@ -1,62 +1,30 @@
 { config, pkgs, lib, ... }:
 {
-  services.borgbackup.jobs =
-    let
-      borgJob = name: {
-        environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
-        environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
-        repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
-        compression = "auto,zstd";
-      };
-    in {
-      postgresDaily = borgJob "postgres::daily" // {
-        paths = "/data/backup/postgresql";
-        startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
-        extraInitArgs = "--storage-quota 10G";
-        encryption = {
-          mode = "repokey-blake2";
-          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
-        };
-      };
-
-      postgresWeekly = borgJob "postgres::weekly" // {
-        paths = "/data/backup/postgresql";
-        startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
-        extraInitArgs = "--storage-quota 10G";
-        encryption = {
-          mode = "repokey-blake2";
-          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
-        };
-      };
-
-      gitea = borgJob "gitea::weekly" // {
-        paths = "/tank/services/gitea";
-        startAt = "Mon *-*-* 05:15:00";
-        extraInitArgs = "--storage-quota 20G";
-        encryption = {
-          mode = "repokey-blake2";
-          passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
-        };
-      };
-
-      minecraft = borgJob "minecraft::weekly" // {
-        paths = "/var/lib/minecraft-wack";
-        startAt = "weekly";
-        extraInitArgs = "--storage-quota 20G";
-        encryption.mode = "none";
-
-        preHook = ''
-          ${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
-        '';
-
-        postHook = ''
-          ${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
-        '';
-      };
-
+  services.restic.backups = let
+    localJob = name: paths: {
+      inherit paths;
+      repository = "/mnt/feal-syn1/backup/defiant/${name}";
+      passwordFile = config.sops.secrets."restic/${name}".path;
+      initialize = true;
+      pruneOpts = [
+        "--keep-daily 3"
+        "--keep-weekly 4"
+        "--keep-monthly 3"
+      ];
+    };
+  in {
+    postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
    };

-  # TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
-  sops.secrets."borg/postgres" = { };
-  sops.secrets."borg/gitea" = { };
+    gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
+    matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
+    vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
+  };
+
+  # TODO: home-assistant, pihole
+  sops.secrets."restic/postgres" = { };
+  sops.secrets."restic/gitea" = { };
+  sops.secrets."restic/matrix-synapse" = { };
+  sops.secrets."restic/vaultwarden" = { };
 }
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -5,6 +5,7 @@
    [
      ../../base.nix
      ../../common/metrics-exporters.nix
+      ./filesystems.nix
      ./hardware-configuration.nix

      # Infrastructure
@@ -44,16 +45,6 @@
  sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;

  environment.variables = { EDITOR = "vim"; };
-  environment.systemPackages = with pkgs; [
-    zfs
-  ];
-
-  boot = {
-    zfs.extraPools = [ "tank" ];
-    supportedFilesystems = [ "zfs" ];
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  };
-  services.prometheus.exporters.zfs.enable = true;

  virtualisation.docker.enable = true;
  virtualisation.oci-containers.backend = "docker";
--- a/hosts/defiant/filesystems.nix
+++ b/hosts/defiant/filesystems.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives are defined in ./hardware-configuration.nix
+
+  boot = {
+    zfs.extraPools = [ "tank" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+  services.prometheus.exporters.zfs.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    cifs-utils
+    zfs
+  ];
+
+  fileSystems = {
+    "/mnt/feal-syn1/backup" = {
+      device = "feal-syn1.home.feal.no:/volume2/backup";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "rw"
+        "nfsvers=3"
+      ];
+    };
+  };
+}
--- a/hosts/defiant/services/postgresql.nix
+++ b/hosts/defiant/services/postgresql.nix
@@ -7,7 +7,7 @@

  services.postgresqlBackup = {
    enable = true;
-    location = "/data/backup/postgresql/";
+    location = "/tank/backup/postgresql";
    startAt = "*-*-* 03:15:00";

    # Each service is registered in its own configuration file