VSinerva/nixos-conf
1
0
Fork 0
Code Activity Actions

Move lithium to Borg over syncthing

Browse source
This commit is contained in:
Vili Sinervä 2025-07-20 01:25:42 +03:00
parent 3b97d19579
commit 118fc4ef47
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
8 changed files with 98 additions and 80 deletions
Download patch file Download diff file Expand all files Collapse all files

75
disko/zfs-impermanence-backup.nix
View file

@ -1,75 +0,0 @@
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
name = "boot";
type = "EF00";
size = "512M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
swap = {
size = "4G";
content = {
type = "swap";
discardPolicy = "both";
randomEncryption = true;
};
};
zfs_root = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
rootFsOptions = {
canmount = "off";
compression = "zstd";
};
datasets = {
nix = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
persist = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"com.sun:auto-snapshot" = "true";
};
mountpoint = "/persist";
};
root = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
postCreateHook = "zfs snapshot zroot/root@blank";
};
backups = {
type = "zfs_fs";
options.mountpoint = "legacy";
};
};
};
};
};
}

20
hosts/x86_64-linux/borg.nix Normal file
View file

@ -0,0 +1,20 @@
{ ... }:
{
imports = [ ../../disko/zfs-impermanence.nix ];
custom = {
platform = {
impermanence.enable = true;
vm.enable = true;
};
services = {
borgServer.enable = true;
nixCacheClient = {
enable = true;
remoteBuilds.exclusive = true;
};
};
};
networking.hostId = "ef235cc6";
system.stateVersion = "25.05";
}

1
hosts/x86_64-linux/lithium.nix
View file

@ -23,6 +23,7 @@
};
hardware.intelLaptop.enable = true;
services = {
borgClient.enable = true;
nixCacheClient = {
enable = true;
remoteBuilds.additional = true;

1
modules/networking/ssh-keys.nix
View file

@ -5,6 +5,7 @@
type = with lib.types; attrsOf str;
default = {
vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
borg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUn+LhJzM1JMXBrlsxhMUmz5dyo+RHYe9IZVnO5oZUa";
cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
cache = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA"; # Duplicate

35
modules/services/borg-client.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, lib, ... }:
let
cfg = config.custom.services.borgClient;
host = config.networking.hostName;
in
{
options.custom.services.borgClient.enable = lib.mkEnableOption "the BorgBackup client";
config = lib.mkIf cfg.enable {
sops.secrets.borg-passphrase = {
sopsFile = ../../secrets/${host}/borg.yaml;
};
services.borgbackup.jobs.persist = {
compression = "auto,zstd,16";
encryption = {
mode = "repokey";
passCommand = "cat ${config.sops.secrets.borg-passphrase.path}";
};
environment = {
BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
};
paths = "/persist";
persistentTimer = true;
prune.keep = {
within = "1d";
daily = 7;
weekly = 4;
monthly = 12;
};
repo = "borg@borg.vsinerva.fi:/persist/borg/${host}";
startAt = "*-*-* *:00/10:00";
};
};
}

16
modules/services/borg-server.nix Normal file
View file

@ -0,0 +1,16 @@
{ config, lib, ... }:
let
cfg = config.custom.services.borgServer;
in
{
options.custom.services.borgServer.enable = lib.mkEnableOption "the BorgBackup server";
config = lib.mkIf cfg.enable {
services.borgbackup.repos = {
lithium = {
path = "/persist/borg/lithium";
authorizedKeys = [ config.custom.sshKeys.lithium ];
};
};
};
}

5
modules/services/syncthing.nix
View file

@ -41,10 +41,6 @@ in
id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
addresses = [ "tcp://helium.vsinerva.fi:22000" ];
};
"lithium" = {
id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA";
addresses = [ "tcp://lithium.vsinerva.fi:22000" ];
};
})
];
@ -55,7 +51,6 @@ in
[ "syncthing" ]
(lib.mkIf (config.networking.hostName == "syncthing") [
"helium"
"lithium"
])
];
versioning = {

25
secrets/lithium/borg.yaml Normal file
View file

@ -0,0 +1,25 @@
borg-passphrase: ENC[AES256_GCM,data:K79Gdgv9o7jKQPpCS4LE2GHpItID82FAHg==,iv:qEVoiN77dRJxWmYWYXBfjpaafeKCxcsC8r0dV7wvqhY=,tag:n1QJ9t/qJ1cmjeDeWfjLgQ==,type:str]
sops:
age:
- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZFJVOVFqaDNaYm9hSDZ1
TVNCQS82aERCdWJUcDVpam53OXFHcEpOZjFVCjVWcEw5UW1wTmJySXJ4dXpQWENQ
b1p6QTlqVHY0WW5pa3d2d1B0dTkrNm8KLS0tIC9BeWtrR1V4SEFPL3RLMEdnUVd3
TVViNzJqQlhEL1p6N1dKVDlrdUZ5ZzgKCyDfeVIp20EMnf9Brmx3DvDoOCDIY+et
zrXQmLpWxrmpx8kHix/OpUKcOI6Q8xVU9TBMVLmeOhGbKZrVLayxeA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMXA0VWRkREhXZnhqUloy
dHRyYVFhMXFVZm1QVHVabGI2ZW40YTdpNmp3CkFQZll4NEcyZzRDNFg1UFhYVUdT
QldLRlNQbk5HdFBzQ3lvSnNIMXowQVUKLS0tIGg5dmduZXJhbDBzMnNKYUxwYW1x
dmNpQmZvNVFWb0pqSHRqQ2xacS94ckkKGmZtKUn8HBYOpEWEHr4a/m2rFc98p6r2
phggYGtk1C4oMR6Qgnnx6JAbjDO85gFQQlL965xV+E4UcgpC2mxh7A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-19T20:47:22Z"
mac: ENC[AES256_GCM,data:UVUQhbb3jpkeGIj6Tngi9P0ZXT5tqA6ORO+MxXQtKXZKbBHsw2u0rChuxZfxxz0D7MfLr6p//sHxEH10H9knfeidWM9KBkqSHzyZXgMoAcygMt2NhL0buUDI8JZ8FKOJgBuKbl9P+V6ak3Ky8hgSKxaGY6TBQmX91MEVbtCeNQM=,iv:fELBdkmFmiBUU9V0uGLqOvWQFAwX9awMuOOs+dsTfhg=,tag:sw56wMkWj27p2A/0ib5EuQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2