From 118fc4ef47d388b4e31f50507dba8d0b6ae400d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vili=20Sinerv=C3=A4?=
Date: Sun, 20 Jul 2025 01:25:42 +0300
Subject: [PATCH] Move lithium to Borg over syncthing

---
 disko/zfs-impermanence-backup.nix | 75 -------------------------------
 hosts/x86_64-linux/borg.nix | 20 +++++++++
 hosts/x86_64-linux/lithium.nix | 1 +
 modules/networking/ssh-keys.nix | 1 +
 modules/services/borg-client.nix | 35 +++++++++++++++
 modules/services/borg-server.nix | 16 +++++++
 modules/services/syncthing.nix | 5 ---
 secrets/lithium/borg.yaml | 25 +++++++++++
 8 files changed, 98 insertions(+), 80 deletions(-)
 delete mode 100644 disko/zfs-impermanence-backup.nix
 create mode 100644 hosts/x86_64-linux/borg.nix
 create mode 100644 modules/services/borg-client.nix
 create mode 100644 modules/services/borg-server.nix
 create mode 100644 secrets/lithium/borg.yaml

diff --git a/disko/zfs-impermanence-backup.nix b/disko/zfs-impermanence-backup.nix
deleted file mode 100644
index 65fa4c6..0000000
--- a/disko/zfs-impermanence-backup.nix
+++ /dev/null
@@ -1,75 +0,0 @@
-{
- disko.devices = {
- disk = {
- main = {
- device = "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- ESP = {
- name = "boot";
- type = "EF00";
- size = "512M";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- mountOptions = [ "umask=0077" ];
- };
- };
- swap = {
- size = "4G";
- content = {
- type = "swap";
- discardPolicy = "both";
- randomEncryption = true;
- };
- };
- zfs_root = {
- size = "100%";
- content = {
- type = "zfs";
- pool = "zroot";
- };
- };
- };
- };
- };
- };
- zpool = {
- zroot = {
- type = "zpool";
- rootFsOptions = {
- canmount = "off";
- compression = "zstd";
- };
- datasets = {
- nix = {
- type = "zfs_fs";
- mountpoint = "/nix";
- options.mountpoint = "legacy";
- };
- persist = {
- type = "zfs_fs";
- options = {
- mountpoint = "legacy";
- "com.sun:auto-snapshot" = "true";
- };
- mountpoint = "/persist";
- };
- root = {
- type = "zfs_fs";
- mountpoint = "/";
- options.mountpoint = "legacy";
- postCreateHook = "zfs snapshot zroot/root@blank";
- };
- backups = {
- type = "zfs_fs";
- options.mountpoint = "legacy";
- };
- };
- };
- };
- };
-}
diff --git a/hosts/x86_64-linux/borg.nix b/hosts/x86_64-linux/borg.nix
new file mode 100644
index 0000000..925d4e3
--- /dev/null
+++ b/hosts/x86_64-linux/borg.nix
@@ -0,0 +1,20 @@
+{ ... }:
+{
+ imports = [ ../../disko/zfs-impermanence.nix ];
+
+ custom = {
+ platform = {
+ impermanence.enable = true;
+ vm.enable = true;
+ };
+ services = {
+ borgServer.enable = true;
+ nixCacheClient = {
+ enable = true;
+ remoteBuilds.exclusive = true;
+ };
+ };
+ };
+ networking.hostId = "ef235cc6";
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/x86_64-linux/lithium.nix b/hosts/x86_64-linux/lithium.nix
index 66ff9b3..69cedaf 100644
--- a/hosts/x86_64-linux/lithium.nix
+++ b/hosts/x86_64-linux/lithium.nix
@@ -23,6 +23,7 @@
 };
 hardware.intelLaptop.enable = true;
 services = {
+ borgClient.enable = true;
 nixCacheClient = {
 enable = true;
 remoteBuilds.additional = true;
diff --git a/modules/networking/ssh-keys.nix b/modules/networking/ssh-keys.nix
index e382b94..c2925cd 100644
--- a/modules/networking/ssh-keys.nix
+++ b/modules/networking/ssh-keys.nix
@@ -5,6 +5,7 @@
 type = with lib.types; attrsOf str;
 default = {
 vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
+ borg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUn+LhJzM1JMXBrlsxhMUmz5dyo+RHYe9IZVnO5oZUa";
 cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
 ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
 cache = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA"; # Duplicate
diff --git a/modules/services/borg-client.nix b/modules/services/borg-client.nix
new file mode 100644
index 0000000..a43fa95
--- /dev/null
+++ b/modules/services/borg-client.nix
@@ -0,0 +1,35 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.services.borgClient;
+ host = config.networking.hostName;
+in
+{
+ options.custom.services.borgClient.enable = lib.mkEnableOption "the BorgBackup client";
+
+ config = lib.mkIf cfg.enable {
+ sops.secrets.borg-passphrase = {
+ sopsFile = ../../secrets/${host}/borg.yaml;
+ };
+
+ services.borgbackup.jobs.persist = {
+ compression = "auto,zstd,16";
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat ${config.sops.secrets.borg-passphrase.path}";
+ };
+ environment = {
+ BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+ };
+ paths = "/persist";
+ persistentTimer = true;
+ prune.keep = {
+ within = "1d";
+ daily = 7;
+ weekly = 4;
+ monthly = 12;
+ };
+ repo = "borg@borg.vsinerva.fi:/persist/borg/${host}";
+ startAt = "*-*-* *:00/10:00";
+ };
+ };
+}
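Review bot: `BORG_RSH` in the borg-client.nix hunk selects the client identity but says nothing about verifying the server's host key; the ssh-keys.nix hunk adds the `borg` public key to `custom.sshKeys`, yet nothing in this commit shows that set feeding `programs.ssh.knownHosts`, so whether the unattended root job pins the server or trusts the first key it sees depends on configuration outside the diff. I would make the pin explicit in the job itself, `BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key -o StrictHostKeyChecking=yes";`, so a changed or spoofed server key fails the backup loudly rather than shipping `/persist` to an impostor. `mode = "repokey"` stores the repository key inside the repo on the server, so the sops passphrase is the only secret standing between anyone holding the repo and the plaintext; that deserves a comment above the `encryption` block such as `# repokey: the key lives in the repo on the server and the sops passphrase alone protects it; losing the passphrase loses the backups`. Reusing the host key as the backup identity also means the server's authorized key must change whenever the host key is rotated; a dedicated backup key would decouple the two, though that is a trade-off rather than a defect.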
diff --git a/modules/services/borg-server.nix b/modules/services/borg-server.nix
new file mode 100644
index 0000000..bfc3642
--- /dev/null
+++ b/modules/services/borg-server.nix
@@ -0,0 +1,16 @@
+{ config, lib, ... }:
+let
+ cfg = config.custom.services.borgServer;
+in
+{
+ options.custom.services.borgServer.enable = lib.mkEnableOption "the BorgBackup server";
+
+ config = lib.mkIf cfg.enable {
+ services.borgbackup.repos = {
+ lithium = {
+ path = "/persist/borg/lithium";
+ authorizedKeys = [ config.custom.sshKeys.lithium ];
+ };
+ };
+ };
+}
diff --git a/modules/services/syncthing.nix b/modules/services/syncthing.nix
index 62f08d6..f6b348d 100644
--- a/modules/services/syncthing.nix
+++ b/modules/services/syncthing.nix
@@ -41,10 +41,6 @@ in
 id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
 addresses = [ "tcp://helium.vsinerva.fi:22000" ];
 };
- "lithium" = {
- id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA";
- addresses = [ "tcp://lithium.vsinerva.fi:22000" ];
- };
 })
 ];
@@ -55,7 +51,6 @@ in
 [ "syncthing" ]
 (lib.mkIf (config.networking.hostName == "syncthing") [
 "helium"
- "lithium"
 ])
 ];
 versioning = {
diff --git a/secrets/lithium/borg.yaml b/secrets/lithium/borg.yaml
new file mode 100644
index 0000000..37380e0
--- /dev/null
+++ b/secrets/lithium/borg.yaml
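Review bot: `authorizedKeys = [ config.custom.sshKeys.lithium ];` in the borg-server.nix hunk grants lithium full rights on its own repository, including delete and prune, so a compromised client can destroy its backup history with the very credentials it backs up with. The NixOS module also offers `authorizedKeysAppendOnly`, which serves the key with `--append-only`; switching to `authorizedKeysAppendOnly = [ config.custom.sshKeys.lithium ];` keeps client-initiated deletions from taking effect, at the cost that the client-side `prune.keep` in borg-client.nix no longer frees space and retention would have to run from the server or through a separate non-append-only key. The repository name and path are also hard-coded to `lithium` while the client derives its repo from `${host}`, so every additional client means editing this module; an attrset option mapping client names to `config.custom.sshKeys` entries would keep the two modules in step.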
@@ -0,0 +1,25 @@
+borg-passphrase: ENC[AES256_GCM,data:K79Gdgv9o7jKQPpCS4LE2GHpItID82FAHg==,iv:qEVoiN77dRJxWmYWYXBfjpaafeKCxcsC8r0dV7wvqhY=,tag:n1QJ9t/qJ1cmjeDeWfjLgQ==,type:str]
+sops:
+ age:
+ - recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZFJVOVFqaDNaYm9hSDZ1
+ TVNCQS82aERCdWJUcDVpam53OXFHcEpOZjFVCjVWcEw5UW1wTmJySXJ4dXpQWENQ
+ b1p6QTlqVHY0WW5pa3d2d1B0dTkrNm8KLS0tIC9BeWtrR1V4SEFPL3RLMEdnUVd3
+ TVViNzJqQlhEL1p6N1dKVDlrdUZ5ZzgKCyDfeVIp20EMnf9Brmx3DvDoOCDIY+et
+ zrXQmLpWxrmpx8kHix/OpUKcOI6Q8xVU9TBMVLmeOhGbKZrVLayxeA==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMXA0VWRkREhXZnhqUloy
+ dHRyYVFhMXFVZm1QVHVabGI2ZW40YTdpNmp3CkFQZll4NEcyZzRDNFg1UFhYVUdT
+ QldLRlNQbk5HdFBzQ3lvSnNIMXowQVUKLS0tIGg5dmduZXJhbDBzMnNKYUxwYW1x
+ dmNpQmZvNVFWb0pqSHRqQ2xacS94ckkKGmZtKUn8HBYOpEWEHr4a/m2rFc98p6r2
+ phggYGtk1C4oMR6Qgnnx6JAbjDO85gFQQlL965xV+E4UcgpC2mxh7A==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-07-19T20:47:22Z"
+ mac: ENC[AES256_GCM,data:UVUQhbb3jpkeGIj6Tngi9P0ZXT5tqA6ORO+MxXQtKXZKbBHsw2u0rChuxZfxxz0D7MfLr6p//sHxEH10H9knfeidWM9KBkqSHzyZXgMoAcygMt2NhL0buUDI8JZ8FKOJgBuKbl9P+V6ak3Ky8hgSKxaGY6TBQmX91MEVbtCeNQM=,iv:fELBdkmFmiBUU9V0uGLqOvWQFAwX9awMuOOs+dsTfhg=,tag:sw56wMkWj27p2A/0ib5EuQ==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2