dotfiles/modules/nixos/services/backups.nix

# This is my setup for backing up SQLite databases and other systems to S3 or
# S3-equivalent services (like Backblaze B2).
{ config, lib, ... }:
{
# Option declarations for the S3 backup target. Every option is a nullable
# string defaulting to null.
options =
  let
    # Builds a `nullOr str` option with a null default and the given description.
    nullableStr =
      description:
      lib.mkOption {
        type = lib.types.nullOr lib.types.str;
        inherit description;
        default = null;
      };
  in
  {
    backup.s3 = {
      endpoint = nullableStr "S3 endpoint for backups";
      bucket = nullableStr "S3 bucket for backups";
      # Only the key *ID* belongs here: option values are evaluated into the
      # world-readable Nix store. The secret access key must stay in the
      # age-encrypted files under private/.
      accessKeyId = nullableStr "S3 access key ID for backups";
      glacierBucket = nullableStr "S3 bucket for glacier backups";
    };
  };
# Backup services and their secrets. Nothing below is applied unless
# backup.s3.endpoint is set.
config =
  let
    s3 = config.backup.s3;
    secretsDir = config.secretsDirectory;
    # Unit litestream waits on; it is not defined in this file (presumably
    # generated by the secrets module for `secrets.backup` — confirm).
    secretUnit = [ "backup-secret.service" ];
  in
  lib.mkIf (s3.endpoint != null) {
    users = {
      groups.backup = { };
      # litestream joins the backup group so it can read the 0440 secret below.
      users.litestream.extraGroups = [ "backup" ];
    };

    secrets = {
      # Environment file for litestream: readable by its owner and the backup
      # group only.
      backup = {
        source = ../../../private/backup.age;
        dest = "${secretsDir}/backup";
        group = "backup";
        permissions = "0440";
      };
      # NOTE(review): unlike `backup`, the next two secrets set no group or
      # permissions, so their owner and mode come from the secrets module's
      # defaults, which are not visible here. Confirm those defaults are
      # owner-only: these files hold the S3 credentials and the restic
      # repository password.
      s3-glacier = {
        source = ../../../private/s3-glacier.age;
        dest = "${secretsDir}/s3-glacier";
      };
      restic = {
        source = ../../../private/restic.age;
        dest = "${secretsDir}/restic";
      };
    };

    services.litestream = {
      enable = true;
      environmentFile = config.secrets.backup.dest;
      # Empty here; presumably other modules contribute the databases to
      # replicate — TODO confirm.
      settings = { };
    };

    # Broken on 2024-08-23
    # https://github.com/NixOS/nixpkgs/commit/0875d0ce1c778f344cd2377a5337a45385d6ffa0
    # NOTE(review): `insecurePackages` is not declared in this file (presumably
    # a repo-local allow-list for packages nixpkgs marks insecure). The entry
    # pins an exact version, so it stops matching after an upgrade; remove it
    # once a fixed litestream is packaged rather than bumping the version.
    insecurePackages = [ "litestream-0.3.13" ];

    # Wait for secret to exist
    systemd.services.litestream = {
      after = secretUnit;
      requires = secretUnit;
      # The key ID is passed as a plain unit environment value, so it is
      # visible in the generated unit. The matching secret key is presumably
      # supplied through the environment file above — confirm.
      environment.AWS_ACCESS_KEY_ID = s3.accessKeyId;
    };

    # # Backup library to object storage
    # services.restic.backups.calibre = {
    #   user = "calibre-web";
    #   repository =
    #     "s3://${config.backup.s3.endpoint}/${config.backup.s3.bucket}/calibre";
    #   paths = [
    #     "/var/books"
    #     "/var/lib/calibre-web/app.db"
    #     "/var/lib/calibre-web/gdrive.db"
    #   ];
    #   initialize = true;
    #   timerConfig = { OnCalendar = "00:05:00"; };
    #   environmentFile = backup.s3File;
    # };

    # The restic job is defined only when a glacier bucket is configured.
    services.restic.backups = lib.mkIf (s3.glacierBucket != null) {
      default = {
        # The endpoint is hard-coded to us-east-1; backup.s3.endpoint is not
        # used here.
        repository = "s3:s3.us-east-1.amazonaws.com/${s3.glacierBucket}/restic";
        # Empty here; presumably extended by other modules — TODO confirm.
        paths = [ ];
        environmentFile = config.secrets.s3-glacier.dest;
        passwordFile = config.secrets.restic.dest;
        # NOTE(review): pruning means the credentials on this host need delete
        # rights on the bucket, so a compromise of the host can also remove
        # backup history. Bucket versioning or Object Lock on the S3 side
        # would limit that.
        pruneOpts = [
          "--keep-daily 14"
          "--keep-weekly 6"
          "--keep-monthly 12"
          "--keep-yearly 100"
        ];
      };
    };
  };
}