nixos-config/hosts/x86_64-linux/beleth/borg.nix

{
config,
lib,
pkgs,
...
}: {
#
# BACKUP
# Check via nix-shell -p borgbackup --run "borg info --rsh 'ssh -p 23 -i /home/moe/.ssh/storagebox_nextcloud_data' u410986-sub1@u410986-sub1.your-storagebox.de:nx-data"
# 0. Add subaccount on storagebox
# 1. ssh-keygen -t ed25519 -f ~/.ssh/storagebox_nextcloud_data
# 2. pwgen 128
# 3. Add private key as secret
# 4. add passphrase as secret
# 5. add ssh public key to subaccount on storagebox!
# ssh -p 23 u410986-sub1@u410986-sub1.your-storagebox.de
# 6. set permissions
# .ssh 0700
# .ssh/authorized_keys 0600
#
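# Pinned SSH host keys for the storagebox endpoints used by the borg jobs.
# Retrieve via 'ssh-keyscan -p 23 u410986-sub1.your-storagebox.de' and compare
# the result with fingerprints obtained out of band before pinning: a scan
# only records whatever key the network path presented at that moment.
#
# One entry per key type. programs.ssh.knownHosts emits each entry as a single
# "<hostNames> <publicKey>" line, so a multi-line publicKey leaves every key
# after the first without a host pattern, i.e. effectively unpinned.
programs.ssh.knownHosts = let
  # Both subaccounts are reached on port 23, hence the bracketed host:port form.
  storageboxHosts = [
    "[u410986-sub1.your-storagebox.de]:23"
    "[u410986-sub2.your-storagebox.de]:23"
  ];
in {
  # Keeps the original attribute name for the key that was listed first.
  "storagebox" = {
    hostNames = storageboxHosts;
    publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA5EB5p/5Hp3hGW1oHok+PIOH9Pbn7cnUiGmUEBrCVjnAw+HrKyN8bYVV0dIGllswYXwkG/+bgiBlE6IVIBAq+JwVWu1Sss3KarHY3OvFJUXZoZyRRg/Gc/+LRCE7lyKpwWQ70dbelGRyyJFH36eNv6ySXoUYtGkwlU5IVaHPApOxe4LHPZa/qhSRbPo2hwoh0orCtgejRebNtW5nlx00DNFgsvn8Svz2cIYLxsPVzKgUxs8Zxsxgn+Q/UvR7uq4AbAhyBMLxv7DjJ1pc7PJocuTno2Rw9uMZi1gkjbnmiOh6TTXIEWbnroyIhwc8555uto9melEUmWNQ+C+PwAK+MPw==";
  };
  "storagebox-ecdsa" = {
    hostNames = storageboxHosts;
    publicKey = "ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAGK0po6usux4Qv2d8zKZN1dDvbWjxKkGsx7XwFdSUCnF19Q8psHEUWR7C/LtSQ5crU/g+tQVRBtSgoUcE8T+FWp5wBxKvWG2X9gD+s9/4zRmDeSJR77W6gSA/+hpOZoSE+4KgNdnbYSNtbZH/dN74EG7GLb/gcIpbUUzPNXpfKl7mQitw==";
  };
  "storagebox-ed25519" = {
    hostNames = storageboxHosts;
    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
  };
};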
# Weekly borg backups of Nextcloud to two storagebox subaccounts: one job for
# the data directory, one for a PostgreSQL dump. Each job puts Nextcloud into
# maintenance mode in its preHook and takes it out again in its postHook.
#
# NOTE(review): the jobs start an hour apart and toggle maintenance mode
# independently, so the file backup and the database dump are not taken at the
# same point in time; if the data job is still running at 01:00, the database
# job's postHook would presumably switch maintenance mode off under it — confirm
# typical run times.
# NOTE(review): both jobs run as "nextcloud", so the sops secrets referenced
# below must be readable by that user and nobody else — verify owner/mode in
# the sops declarations (not in this file).
services.borgbackup.jobs = let
  occ = "${config.services.nextcloud.occ}/bin/nextcloud-occ";

  # Settings that are identical for both jobs.
  sharedSettings = {
    user = "nextcloud";
    group = "nextcloud";
    preHook = ''
      ${occ} maintenance:mode --on
    '';
    postHook = ''
      ${occ} maintenance:mode --off
    '';
    compression = "auto,lzma";
  };
in {
  # File data: archives the Nextcloud data directory.
  nextcloud_data =
    sharedSettings
    // {
      paths = ["${config.services.nextcloud.datadir}"];
      repo = "u410986-sub1@u410986-sub1.your-storagebox.de:nx-data";
      # repokey mode: the key lives in the repository, protected by the
      # passphrase that passCommand reads from the sops-managed secret file.
      encryption = {
        mode = "repokey-blake2";
        passCommand = "cat ${config.sops.secrets.backup_nextcloud_data_passphrase.path}";
      };
      # Dedicated SSH identity for this subaccount; the storagebox listens on port 23.
      environment = {
        BORG_RSH = "ssh -p 23 -i ${config.sops.secrets.backup_nextcloud_data_ssh.path}";
      };
      startAt = "Mon *-*-* 00:00:00"; # Monday at 00:00; Storagebox does a snapshot Fridays at 00:00
    };

  # Database: archives the output of pg_dump instead of a path.
  nextcloud_database =
    sharedSettings
    // {
      # --no-password makes pg_dump fail rather than prompt if the server asks for one.
      dumpCommand = pkgs.writeShellScript "builder.sh" ''
        ${config.services.postgresql.package}/bin/pg_dump nextcloud -U nextcloud --no-password
      '';
      repo = "u410986-sub2@u410986-sub2.your-storagebox.de:nx-db";
      encryption = {
        mode = "repokey-blake2";
        passCommand = "cat ${config.sops.secrets.backup_nextcloud_database_passphrase.path}";
      };
      environment = {
        BORG_RSH = "ssh -p 23 -i ${config.sops.secrets.backup_nextcloud_database_ssh.path}";
      };
      startAt = "Mon *-*-* 01:00:00"; # Monday at 01:00; Storagebox does a snapshot Fridays at 00:00
    };
};
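# E-mail notification after every run (success or failure) of the data backup job.
# This unit is not a template instance, and systemd documents %i as empty for
# non-instantiated units, so "notify-email@%i.service" named the bare template
# and the notification could not be resolved. %n expands to this unit's full
# name, which gives the template a concrete instance.
# NOTE(review): notify-email@.service is defined outside this file — confirm it
# accepts a full unit name as its instance.
systemd.services."borgbackup-job-nextcloud_data" = let
  notifyUnits = ["notify-email@%n.service"];
in {
  onFailure = notifyUnits;
  onSuccess = notifyUnits;
};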
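# E-mail notification after every run (success or failure) of the database backup job.
# This unit is not a template instance, and systemd documents %i as empty for
# non-instantiated units, so "notify-email@%i.service" named the bare template
# and the notification could not be resolved. %n expands to this unit's full
# name, which gives the template a concrete instance.
# NOTE(review): notify-email@.service is defined outside this file — confirm it
# accepts a full unit name as its instance.
systemd.services."borgbackup-job-nextcloud_database" = let
  notifyUnits = ["notify-email@%n.service"];
in {
  onFailure = notifyUnits;
  onSuccess = notifyUnits;
};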
}