blake/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: blake:f2c320d9ee80c2c8f3973903b82f8ef4b5ddcf2a
Branches Tags
blake:trunk
...
compare: blake:c8e7d0ac7f78365cd9981fc2d58d9cfebaaaf4c2
Branches Tags
blake:trunk

4 Commits
f2c320d9ee ... c8e7d0ac7f

Author SHA1 Message Date
blake
c8e7d0ac7f touch up mc backups 2025-10-18 18:09:36 -05:00
blake
4991af44c3 fin backups 2025-10-18 17:58:05 -05:00
blake
7fd8610476 fin backups 2025-10-18 17:57:38 -05:00
blake
3eb9c9b402 backups shenanagians 2025-10-18 17:06:33 -05:00
27 changed files with 228 additions and 506 deletions
Expand all files Collapse all files

99
bin/borg_lf.sh Executable file
View File

@@ -0,0 +1,99 @@
#!/usr/bin/env bash
set -euo pipefail
# --- SUDO CHECK ---
if [ "$EUID" -ne 0 ]; then
echo "This script requires root privileges. Re-running with sudo..."
exec sudo "$0" "$@"
fi
# --- HANDLE OPTIONS ---
BORG_PASSPHRASE=""
SHOW_FOLDERS_ONLY=false
SHOW_FILES=false # Default to showing files and directories
while getopts "k:fp" opt; do
case "$opt" in
k)
BORG_PASSPHRASE=$(<"$OPTARG")
if [ -z "$BORG_PASSPHRASE" ]; then
echo "Error: The key file is empty."
exit 1
fi
echo "Using passphrase from key file: $OPTARG"
;;
f)
SHOW_FOLDERS_ONLY=true
echo "Only directories will be shown in fzf by default."
SHOW_FILES=false
;;
p)
SHOW_FILES=true
echo "Both files and directories will be shown in fzf."
;;
*)
echo "Usage: $0 [-k passphrase_file] [-f] [-p] <repo>"
exit 1
;;
esac
done
shift $((OPTIND - 1))
# --- FALLBACK TO /run/secrets/borg_passwd IF NO KEY FILE ---
if [ -z "$BORG_PASSPHRASE" ]; then
if [ $# -eq 0 ]; then
BORG_PASSPHRASE=$(<"/run/secrets/borg_passwd")
echo "Using passphrase from /run/secrets/borg_passwd"
else
# Prompt user for passphrase if neither -k nor /run/secrets/borg_passwd is available
read -s -p "Enter Borg repository passphrase: " BORG_PASSPHRASE
echo
fi
fi
export BORG_PASSPHRASE
# --- DEFAULT REPO ---
REPO="${1:-/holocron/archives/servers/snowbelle}"
# --- CHECK REQUIRED COMMANDS ---
for cmd in borg fzf find tree cp mkdir; do
command -v "$cmd" >/dev/null || { echo "Error: '$cmd' is required but not installed."; exit 1; }
done
# --- LIST ARCHIVES (sorted, newest last) ---
mapfile -t archives < <(borg list --format="{archive}{NL}" "$REPO" | sort -r)
if [ ${#archives[@]} -eq 0 ]; then
echo "No archives found in $REPO"
exit 1
fi
# --- FZF ARCHIVE SELECT ---
selected=$(printf '%s\n' "${archives[@]}" | fzf --prompt="Select archive: " --height=40% --border)
if [ -z "$selected" ]; then
echo "No archive selected."
exit 1
fi
echo "Selected archive: $selected"
# --- GENERATE A UNIQUE, SHORTER MOUNT POINT ---
MOUNT_POINT="/tmp/$(uuidgen | sha256sum | head -c 2)-restore-${selected}"
mkdir -p "$MOUNT_POINT"
# --- MOUNT ARCHIVE ---
echo "Mounting '$selected' to $MOUNT_POINT..."
borg mount "$REPO::$selected" "$MOUNT_POINT"
cleanup() {
echo "Unmounting archive..."
borg umount "$MOUNT_POINT" >/dev/null 2>&1 || true
rmdir "$MOUNT_POINT" >/dev/null 2>&1 || true
}
trap cleanup EXIT INT TERM
if [ ! -d "$MOUNT_POINT" ]; then
echo "Error: mount failed."
exit 1
fi
lf $MOUNT_POINT

73
bin/lf_borg.sh
View File

@@ -1,73 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
# --- Configuration ---
DEFAULT_REPO="/holocron/archives/homelab"
SECRET_PATH="/run/secrets/borg_passwd"
# --- Usage ---
# ./browse-borg-root.sh [optional-path-to-repo]
REPO="${1:-$DEFAULT_REPO}"
# --- Always escalate to root at start ---
if [[ $EUID -ne 0 ]]; then
exec sudo --preserve-env=BORG_PASSPHRASE,BORG_REPO "$0" "$@"
fi
# --- Determine passphrase ---
if [[ -z "${BORG_PASSPHRASE:-}" ]]; then
if [[ "$REPO" == /holocron* && -f "$SECRET_PATH" ]]; then
echo "Using default Borg passphrase from $SECRET_PATH"
BORG_PASSPHRASE=$(<"$SECRET_PATH")
else
read -rsp "Enter Borg passphrase: " BORG_PASSPHRASE
echo
fi
fi
export BORG_PASSPHRASE
# --- Check dependencies ---
for cmd in borg fzf lf; do
if ! command -v "$cmd" &>/dev/null; then
echo "Error: '$cmd' is required but not installed." >&2
exit 1
fi
done
# --- Verify repo exists ---
if [[ ! -d "$REPO" ]]; then
echo "Error: repository path '$REPO' not found."
exit 1
fi
# --- List archives (newest on bottom) ---
archives=$(borg list --format "{archive} {time}\n" "$REPO" \
| sort -k2 \
| awk '{print $1}')
if [[ -z "$archives" ]]; then
echo "No archives found in $REPO"
exit 0
fi
# --- Select archive with fzf ---
archive=$(echo "$archives" | fzf --reverse --prompt="Select archive: ")
if [[ -z "$archive" ]]; then
echo "No archive selected."
exit 0
fi
# --- Mount ---
MOUNT_DIR=$(mktemp -d -t borg-mnt-XXXXXX)
echo "Mounting archive '$archive' at $MOUNT_DIR..."
cleanup() {
echo "Unmounting archive..."
borg umount "$MOUNT_DIR" >/dev/null 2>&1 || true
rmdir "$MOUNT_DIR" >/dev/null 2>&1 || true
}
trap cleanup EXIT INT TERM
borg mount "$REPO::$archive" "$MOUNT_DIR"
lf "$MOUNT_DIR"

3
hosts/nixos/snowbelle/configuration.nix
View File

@@ -18,8 +18,6 @@ in
system = {
ssh.enable = true;
backups.enable = true;
backups.repo = "/holocron/archives/servers/snowbelle";
sops.enable = true;
podman.enable = true;
yubikey.enable = true;
@@ -36,6 +34,7 @@ in
};
homelab = {
enable = true;
backups.enable = true;
motd.enable = true;
gitea.enable = true;
glance.enable = true;

2
modules/holocron/copyparty/default.nix
View File

@@ -151,7 +151,7 @@ in {
};
# add to backups
system.backups.baks = {
homelab.backups.baks = {
${service} = {
paths = [cfg.data_dir];
};

2
modules/homelab/arr/bazarr/default.nix
View File

@@ -92,7 +92,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/arr/prowlarr/default.nix
View File

@@ -94,7 +94,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/arr/radarr/default.nix
View File

@@ -97,7 +97,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/arr/sonarr/default.nix
View File

@@ -95,7 +95,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/audiobookshelf/default.nix
View File

@@ -98,7 +98,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

75
modules/homelab/backups/default.nix Normal file
View File

@@ -0,0 +1,75 @@
{
config,
lib,
pkgs,
...
}:
/**/
let
cfg = config.homelab.backups;
sec = config.sops.secrets;
in {
options.homelab.backups = {
enable = lib.mkEnableOption "enables borg backups for state files and db backup services";
baks = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
default = {};
description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
};
backup_repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/homelab";
description = "path to take daily backups to with borg!";
};
};
config = lib.mkIf cfg.enable {
# backups homelab with borg
services.borgbackup.jobs.homelab = lib.mkIf (cfg.baks != {}) {
archiveBaseName = "homelab";
repo = cfg.backup_repo;
paths = lib.flatten (lib.attrsets.mapAttrsToList (_: arg: arg.paths) cfg.baks);
compression = "auto,zstd";
startAt = "daily";
group = "archives";
encryption.mode = "repokey-blake2";
encryption.passCommand = "cat ${sec."borg_passwd".path}";
extraArgs = ["--verbose" "--show-rc" "--umask" "0007"];
extraCreateArgs = ["--list" "--stats" "--filter" "AME"];
prune.keep = {
within = "1d"; # Keep all archives from the last day
daily = 7;
weekly = 12;
monthly = -1; # Keep at least one archive for each month
};
};
# mysql backups currently minecraft_recpro is the only thing using this
services.mysqlBackup = lib.mkIf config.services.mysql.enable {
enable = true;
location = "/var/backup/mysql";
user = "root";
calendar = "*-*-* *:59:45"; # goes fast, included in back up with server dirs at **:00
compressionAlg = "zstd";
databases = config.services.mysql.ensureDatabases; # set to all databases defined in esure databases
};
# postgresql backups currently immich is the only user
services.postgresqlBackup = lib.mkIf config.services.postgresql.enable {
enable = true;
location = "/var/backup/postgresql";
compression = "zstd"; # optional: "xz", "zstd", "none"
startAt = "03:59"; # the dump is included in a backup taken at 4:00
databases = config.services.postgresql.ensureDatabases; # set to all databases defined in esure databases
};
# helpful and for scripts
environment.systemPackages = with pkgs; [borgbackup tree];
sops.secrets = {
"borg_passwd" = {
owner = "root";
group = "root";
};
};
};
}

2
modules/homelab/caddy/default.nix
View File

@@ -95,7 +95,7 @@ in
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

37
modules/homelab/default.nix
View File

@@ -37,21 +37,12 @@ in
type = lib.types.str;
description = "base domain used for reverse proxy";
};
baks = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
default = {};
description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
};
backup_repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/homelab";
description = "path to take daily backups to with borg!";
};
};
# the order determines the order in glance :3
imports = [
./motd
./backups
./glance
./caddy
./home/zigbee2mqtt
@@ -84,31 +75,5 @@ in
};
};
# backups homelab with borg
services.borgbackup.jobs.homelab = {
archiveBaseName = "homelab";
repo = cfg.backup_repo;
paths = lib.flatten (lib.attrsets.mapAttrsToList (_: arg: arg.paths) config.system.backups.baks);
compression = "auto,zstd";
startAt = "daily";
group = "archives";
encryption.mode = "repokey-blake2";
encryption.passCommand = "cat ${config.sops.secrets."borg_passwd".path}";
extraArgs = ["--verbose" "--show-rc" "--umask" "0007"];
extraCreateArgs = ["--list" "--stats" "--filter" "AME"];
prune.keep = {
within = "1d"; # Keep all archives from the last day
daily = 7;
weekly = 12;
monthly = -1; # Keep at least one archive for each month
};
};
sops.secrets = {
"borg_passwd" = {
owner = "root";
group = "root";
};
};
};
}

2
modules/homelab/gitea/default.nix
View File

@@ -125,7 +125,7 @@ in
};
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/glance/default.nix
View File

@@ -313,7 +313,7 @@ in
};
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = {
paths = [ cfg.data_dir ];
};

2
modules/homelab/home/homeassistant/default.nix
View File

@@ -109,7 +109,7 @@ in
icon = "di:${nixservice}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/home/mosquitto/default.nix
View File

@@ -92,7 +92,7 @@ in
};
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/home/zigbee2mqtt/default.nix
View File

@@ -123,7 +123,7 @@ in
};
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

14
modules/homelab/immich/default.nix
View File

@@ -5,7 +5,14 @@
inputs,
unstable_pkgs,
...
}: let
}:
/*
to restore database ensure it exists
sudo -u postgres psql -c "DROP DATABASE IF EXISTS immich; CREATE DATABASE immich;"
zstd -dc <path_to_backup> | sudo -u postgres psql -d immich
*/
let
service = "immich";
cfg = config.homelab.${service};
sec = config.sops.secrets;
@@ -107,8 +114,11 @@ in {
}
];
# add postgresql database that is automatically created to the backup list
services.postgresqlBackup.databases = ["immich"]; # set to all databases defined in esure databases
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = {paths = [cfg.data_dir "/var/lib/redis-immich" "/var/backup/postgresql/immich.sql.zstd"];};
};
};

2
modules/homelab/jellyfin/default.nix
View File

@@ -93,7 +93,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

26
modules/homelab/minecraft_recpro/default.nix
View File

@@ -3,14 +3,22 @@
config,
lib,
...
}: let
}:
/*
to restore db make sure it exists with rebuild or command below
then use zstd command to decompress and restore in one go
mysql -u root -p -e "CREATE DATABASE IF NOT EXISTS minecraft_recpro_db;"
zstd -dc <path_to_backup> | mysql -u root -p minecraft_recpro_db
*/
let
service = "minecraft_recpro";
cfg = config.gameservers.${service};
sec = config.sops.secrets;
servers = {
velocity = {
data_dir = "/var/lib/gameservers/minecraft_recpro/velocity";
db_dumb_dir = "/var/backup/mysql/${service}_db.zst";
db_dump = "/var/backup/mysql/${service}_db.zst";
ram = "2G";
};
smp = {
@@ -138,8 +146,20 @@ in {
services.borgbackup.jobs.${service} = {
archiveBaseName = service;
repo = cfg.backup_repo;
paths = lib.flatten (lib.attrValues (lib.mapAttrs (_: srv: [srv.data_dir]) servers));
paths = lib.flatten (
lib.attrValues (
lib.mapAttrs (_: srv:
[srv.data_dir]
++ (
if builtins.hasAttr "db_dump" srv
then [srv.db_dump]
else []
))
servers
)
);
compression = "auto,zstd";
preHook = "systemctl start mysql-backup.service";
startAt = "*-*-* *:00:00";
group = "archives";
encryption.mode = "repokey-blake2";

2
modules/homelab/qbittorrent/default.nix
View File

@@ -131,7 +131,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/uptime-kuma/default.nix
View File

@@ -93,7 +93,7 @@ in
icon = "di:${service}"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/vaultwarden/default.nix
View File

@@ -113,7 +113,7 @@ in
};
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

2
modules/homelab/yacreader/default.nix
View File

@@ -101,7 +101,7 @@ in
icon = "di:yac-reader"; }];
# add to backups
homelab.baks = {
homelab.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};

92
modules/system/backups/default.nix
View File

@@ -1,92 +0,0 @@
{
config,
lib,
pkgs,
...
}:
/*
this module enables a backup script made with borg!
to use import & set the options below
to declare a backup add the following code
to a module and it will backup all listed paths
in a borg archive to the specified repo
| <3yy> |
V V
system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
*/
let
cfg = config.system.backups;
sec = config.sops.secrets;
borg = "${pkgs.borgbackup}/bin/borg";
in {
options.system.backups = {
enable = lib.mkEnableOption "enables backups with borg";
baks = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
default = {};
description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
};
gameserver_baks = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
default = {};
description = "backup jobs for game servers, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
};
repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/devices/snowbelle";
description = "borg repository path";
};
gameserver_repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/gameservers/borg";
description = "borg repository path";
};
passwd_file = lib.mkOption {
type = lib.types.path;
default = sec."borg_passwd".path;
description = "borg repository passphrase file";
};
mode = lib.mkOption {
type = lib.types.str;
default = "split"; # "all"
description = "choice between creating one archive of all paths or one archive per service";
};
};
config = lib.mkIf (cfg.enable && cfg.baks != {}) {
# db backups
services.mysqlBackup = lib.mkIf config.services.mysql.enable {
# mc servers use this
enable = true;
location = "/var/backup/mysql";
user = "root";
calendar = "*-*-* *:59:50";
compressionAlg = "zstd";
databases = config.services.mysql.ensureDatabases; # set to all databases defined in esure databases
};
services.postgresqlBackup = lib.mkIf config.services.postgresql.enable {
# immich uses this
enable = true;
location = "/var/backup/postgresql";
compression = "zstd"; # optional: "xz", "zstd", "none"
startAt = "03:59";
databases = ["immich"]; # set to all databases defined in esure databases
#databases = config.services.postgresql.ensureDatabases; # set to all databases defined in esure databases
};
# helpful
environment.systemPackages = with pkgs; [borgbackup tree];
# declare secret for repo password
sops.secrets = {
"borg_passwd" = {
owner = "root";
group = "root";
};
};
};
}

279
modules/system/backups/default.nix.old
View File

@@ -1,279 +0,0 @@
{
config,
lib,
pkgs,
...
}:
/*
this module enables a backup script made with borg!
to use import & set the options below
to declare a backup add the following code
to a module and it will backup all listed paths
in a borg archive to the specified repo
| <3yy> |
V V
system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
*/
let
cfg = config.system.backups;
sec = config.sops.secrets;
borg = "${pkgs.borgbackup}/bin/borg";
in {
options.system.backups = {
enable = lib.mkEnableOption "enables backups with borg";
baks = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
default = {};
description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
};
gameserver_baks = lib.mkOption {
type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
default = {};
description = "backup jobs for game servers, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
};
repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/devices/snowbelle";
description = "borg repository path";
};
gameserver_repo = lib.mkOption {
type = lib.types.path;
default = "/holocron/archives/gameservers/borg";
description = "borg repository path";
};
passwd_file = lib.mkOption {
type = lib.types.path;
default = sec."borg_passwd".path;
description = "borg repository passphrase file";
};
mode = lib.mkOption {
type = lib.types.str;
default = "split"; # "all"
description = "choice between creating one archive of all paths or one archive per service";
};
};
config = lib.mkIf (cfg.enable && cfg.baks != {}) {
# create and or set perms for repo dirs
systemd.tmpfiles.rules = [
"d ${cfg.repo} 2770 root archives - -"
"d ${cfg.gameserver_repo} 2770 root archives - -"
];
# create servie to backup services
systemd.services.backups = {
description = "backup services with borg!";
path = [pkgs.borgbackup];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "archives"; # make perms shake out
UMask = "0007"; # make perms shake out
# the actual script borg is using
ExecStart = pkgs.writeShellScript "borg-backup" ''
backup() {
set -euo pipefail
export BORG_PASSPHRASE="$(cat ${cfg.passwd_file})"
export BORG_REPO="${cfg.repo}"
timestamp="$(date +'%Y-%m-%d_%H:%M:%S')"
mode=split
# init repo in needed
if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
echo "Initializing Borg repo at $BORG_REPO"
borg init --encryption=repokey "$BORG_REPO"
fi
borg break-lock "$BORG_REPO" || true
echo "starting backup at $timestamp"
if [ "$mode" = "split" ]; then
# loop for each backup
${lib.concatStringsSep "\n\n" (lib.mapAttrsToList (
bak_name: bak_paths: ''
echo "------------ Backing up ${bak_name} ------------"
archive="$timestamp-${bak_name}"
echo "backing up: ${lib.concatStringsSep " " bak_paths.paths} $archive"
borg create \
--verbose \
--filter AME \
--list \
--stats \
--show-rc \
--compression lz4 \
"$BORG_REPO::$archive" \
${lib.concatStringsSep " " bak_paths.paths}
echo "pruning old backups for ${bak_name}..."
borg prune -v --list "$BORG_REPO" \
--glob-archives "*-${bak_name}" \
--keep-daily=7 \
--keep-weekly=52 \
--keep-monthly=-1
echo "backup run complete at \"$BORG_REPO::$archive\""
''
)
cfg.baks)}
exit 0
else
# flatten all paths from cfg.baks into one big list
all_paths="${
lib.concatStringsSep " "
(lib.flatten
(lib.mapAttrsToList (_: bak: bak.paths) cfg.baks))
}"
borg create \
--verbose \
--filter AME \
--list \
--stats \
--show-rc \
--compression lzma,9 \
"$BORG_REPO::$timestamp-${toString config.networking.hostName}" \
$all_paths
echo "pruning old backups for ${toString config.networking.hostName}..."
borg prune -v --list "$BORG_REPO" \
--glob-archives "*-${toString config.networking.hostName}" \
--keep-daily=7 \
--keep-weekly=52 \
--keep-monthly=-1
echo "backup run complete at \"$BORG_REPO::${toString config.networking.hostName}\""
exit 0
fi
}
start_time=$(date +%s)
backup
end_time=$(date +%s)
exec_time=$((end_time - start_time))
cpu_usage=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1"%"}')
echo ""
echo "backup stats:"
echo "exec time: $exec_time"
echo "cpu usage: $cpu_usage"
'';
};
};
# create timer to run backups daily
systemd.timers.backups = {
description = "daily borg backup timer";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "04:00";
Persistent = true;
};
};
# create servie to backup gameservers (back these up hourly)
systemd.services.gameserver_backups = {
description = "backup services with borg!";
path = [pkgs.borgbackup];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "archives"; # make perms shake out
UMask = "0007"; # make perms shake out
# the actual script borg is using
ExecStart = pkgs.writeShellScript "borg-gameserver_backup" ''
backup() {
set -euo pipefail
export BORG_PASSPHRASE="$(cat ${cfg.passwd_file})"
export BORG_REPO="${cfg.gameserver_repo}"
timestamp="$(date +'%Y-%m-%d_%H:%M:%S')"
# init repo in needed
if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
echo "Initializing Borg repo at $BORG_REPO"
borg init --encryption=repokey "$BORG_REPO"
fi
borg break-lock "$BORG_REPO" || true
echo "starting backup at $timestamp"
# loop for each backup
${lib.concatStringsSep "\n\n" (lib.mapAttrsToList (
bak_name: bak_paths: ''
echo "------------ Backing up ${bak_name} ------------"
archive="$timestamp-${bak_name}"
echo "backing up: ${lib.concatStringsSep " " bak_paths.paths} $archive"
borg create \
--verbose \
--filter AME \
--list \
--stats \
--show-rc \
--compression lz4 \
"$BORG_REPO::$archive" \
${lib.concatStringsSep " " bak_paths.paths}
echo "pruning old backups for ${bak_name}..."
borg prune -v --list "$BORG_REPO" \
--glob-archives "*-${bak_name}" \
--keep-hourly=24 \
--keep-daily=7 \
--keep-weekly=12 \
--keep-monthly=12
echo "backup run complete at \"$BORG_REPO::$archive\""
''
)
cfg.gameserver_baks)}
exit 0
}
start_time=$(date +%s)
backup
end_time=$(date +%s)
exec_time=$((end_time - start_time))
cpu_usage=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1"%"}')
echo ""
echo "backup stats:"
echo "exec time: $exec_time"
echo "cpu usage: $cpu_usage"
'';
};
};
# create timer to run backups daily
systemd.timers.gameserver_backups = {
description = "daily borg backup timer";
wantedBy = ["timers.target"];
timerConfig = {
OnCalendar = "*-*-* *:00:00"; # every hour, at :01 (one min after db dump)
Persistent = true;
};
};
# db backups
services.mysqlBackup = lib.mkIf config.services.mysql.enable {
# mc servers use this
enable = true;
location = "/var/backup/mysql";
user = "root";
calendar = "*-*-* *:59:00";
compressionAlg = "zstd";
databases = config.services.mysql.ensureDatabases; # set to all databases defined in esure databases
};
services.postgresqlBackup = lib.mkIf config.services.postgresql.enable {
# immich uses this
enable = true;
location = "/var/backup/postgresql";
compression = "zstd"; # optional: "xz", "zstd", "none"
startAt = "03:58";
databases = ["immich"]; # set to all databases defined in esure databases
#databases = config.services.postgresql.ensureDatabases; # set to all databases defined in esure databases
};
# install borg binary
environment.systemPackages = with pkgs; [borgbackup tree];
# declare secret for repo password
sops.secrets = {
"borg_passwd" = {
owner = "root";
group = "root";
};
};
};
}

2
modules/system/default.nix
View File

@@ -6,7 +6,6 @@
}: {
imports = [
./ssh
./backups
./sops
./docker
./podman
@@ -19,7 +18,6 @@
];
system.ssh.enable = lib.mkDefault true;
system.backups.enable = lib.mkDefault true;
system.sops.enable = lib.mkDefault true;
system.docker.enable = lib.mkDefault false;
system.tailscale.enable = lib.mkDefault true;