Move lithium to Borg over syncthing

Vili Sinervä 2025-07-20 01:25:42 +03:00
parent 3b97d19579
commit 118fc4ef47
Signed by: Vili Sinervä
SSH key fingerprint: SHA256:FladqYjaE4scJY3Hi+gnShZ6ygnTJgixy0I6BAoHyos
8 changed files with 98 additions and 80 deletions


@ -1,75 +0,0 @@
{
disko.devices = {
disk = {
main = {
device = "/dev/sda";
type = "disk";
content = {
type = "gpt";
partitions = {
ESP = {
name = "boot";
type = "EF00";
size = "512M";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
mountOptions = [ "umask=0077" ];
};
};
swap = {
size = "4G";
content = {
type = "swap";
discardPolicy = "both";
randomEncryption = true;
};
};
zfs_root = {
size = "100%";
content = {
type = "zfs";
pool = "zroot";
};
};
};
};
};
};
zpool = {
zroot = {
type = "zpool";
rootFsOptions = {
canmount = "off";
compression = "zstd";
};
datasets = {
nix = {
type = "zfs_fs";
mountpoint = "/nix";
options.mountpoint = "legacy";
};
persist = {
type = "zfs_fs";
options = {
mountpoint = "legacy";
"com.sun:auto-snapshot" = "true";
};
mountpoint = "/persist";
};
root = {
type = "zfs_fs";
mountpoint = "/";
options.mountpoint = "legacy";
postCreateHook = "zfs snapshot zroot/root@blank";
};
backups = {
type = "zfs_fs";
options.mountpoint = "legacy";
};
};
};
};
};
}


@ -0,0 +1,20 @@
{ ... }:
{
imports = [ ../../disko/zfs-impermanence.nix ];
custom = {
platform = {
impermanence.enable = true;
vm.enable = true;
};
services = {
borgServer.enable = true;
nixCacheClient = {
enable = true;
remoteBuilds.exclusive = true;
};
};
};
networking.hostId = "ef235cc6";
system.stateVersion = "25.05";
}


@ -23,6 +23,7 @@
}; };
hardware.intelLaptop.enable = true; hardware.intelLaptop.enable = true;
services = { services = {
borgClient.enable = true;
nixCacheClient = { nixCacheClient = {
enable = true; enable = true;
remoteBuilds.additional = true; remoteBuilds.additional = true;


@ -5,6 +5,7 @@
type = with lib.types; attrsOf str; type = with lib.types; attrsOf str;
default = { default = {
vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV"; vili-bw-main = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJowj9IJIgYjDwZm5mEttiwvPfu1dd4eVTHfaDnbwcOV";
borg = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIUn+LhJzM1JMXBrlsxhMUmz5dyo+RHYe9IZVnO5oZUa";
cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd"; cert-store = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNhPvGogPY/O6kIqrpbz0EcK4L5QQShvD+vuyk7FxFd";
ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA"; ci = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA";
cache = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA"; # Duplicate cache = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFgT2MGhvvJkWSNCfN0my/lNsTQtTV6+OcTHBSPVlGFA"; # Duplicate


@ -0,0 +1,35 @@
{ config, lib, ... }:
let
cfg = config.custom.services.borgClient;
host = config.networking.hostName;
in
{
options.custom.services.borgClient.enable = lib.mkEnableOption "the BorgBackup client";
config = lib.mkIf cfg.enable {
sops.secrets.borg-passphrase = {
sopsFile = ../../secrets/${host}/borg.yaml;
};
services.borgbackup.jobs.persist = {
compression = "auto,zstd,16";
encryption = {
mode = "repokey";
passCommand = "cat ${config.sops.secrets.borg-passphrase.path}";
};
environment = {
BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
};
paths = "/persist";
persistentTimer = true;
prune.keep = {
within = "1d";
daily = 7;
weekly = 4;
monthly = 12;
};
repo = "borg@borg.vsinerva.fi:/persist/borg/${host}";
startAt = "*-*-* *:00/10:00";
};
};
}
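Review bot: `BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key"` makes the machine's SSH host key double as the backup client credential, so the key that identifies this host to incoming SSH connections also authorises writes to the repository. Rotating either role then forces rotating the other, and anything else derived from the host key (possibly the sops age identity, which this page does not show) shares its exposure. A dedicated client key delivered the same way as the passphrase would separate the two, e.g. `BORG_RSH = "ssh -i ${config.sops.secrets.<borg-ssh-key>.path}";` with `<borg-ssh-key>` as a placeholder secret name, and the server's `authorizedKeys` entry updated to match. If the reuse is deliberate, a comment above the line such as `# Host key doubles as the Borg client identity` would record that.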


@ -0,0 +1,16 @@
{ config, lib, ... }:
let
cfg = config.custom.services.borgServer;
in
{
options.custom.services.borgServer.enable = lib.mkEnableOption "the BorgBackup server";
config = lib.mkIf cfg.enable {
services.borgbackup.repos = {
lithium = {
path = "/persist/borg/lithium";
authorizedKeys = [ config.custom.sshKeys.lithium ];
};
};
};
}
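Review bot: `authorizedKeys` on the `lithium` repo grants the client key full repository access, so a compromised client can delete or prune its own archives as well as write new ones. The client job elsewhere in this commit sets `prune.keep`, which relies on that access. If backups are meant to survive a client compromise, list the key under `authorizedKeysAppendOnly = [ config.custom.sshKeys.lithium ];` instead and run pruning from the server or an admin key; client-side prune then no longer reclaims space. A `quota` on the repo would also bound how much of `/persist` one client can fill.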


@ -41,10 +41,6 @@ in
id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM"; id = "2MRUBSY-NHXYMAW-SY22RHP-CNNMHKR-DPDKMM4-2XV5F6M-6KSNLQI-DD4EOAM";
addresses = [ "tcp://helium.vsinerva.fi:22000" ]; addresses = [ "tcp://helium.vsinerva.fi:22000" ];
}; };
"lithium" = {
id = "S4ZORDV-QBY7QC7-FQHADMZ-NQSKJUA-7B7LQNS-CWJLSMG-JPMN7YJ-OVRDZQA";
addresses = [ "tcp://lithium.vsinerva.fi:22000" ];
};
}) })
]; ];
@ -55,7 +51,6 @@ in
[ "syncthing" ] [ "syncthing" ]
(lib.mkIf (config.networking.hostName == "syncthing") [ (lib.mkIf (config.networking.hostName == "syncthing") [
"helium" "helium"
"lithium"
]) ])
]; ];
versioning = { versioning = {

25
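--- a/secrets/lithium/borg.yaml
+++ b/secrets/lithium/borg.yaml
@@ -0,0 +1,25 @@
+borg-passphrase: ENC[AES256_GCM,data:K79Gdgv9o7jKQPpCS4LE2GHpItID82FAHg==,iv:qEVoiN77dRJxWmYWYXBfjpaafeKCxcsC8r0dV7wvqhY=,tag:n1QJ9t/qJ1cmjeDeWfjLgQ==,type:str]
+sops:
+age:
+- recipient: age1pvkuvcc38pke3euzsjzpgp6s6v3jykug2e69rplytdy7gxntm5jsraxhvp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZFJVOVFqaDNaYm9hSDZ1
+TVNCQS82aERCdWJUcDVpam53OXFHcEpOZjFVCjVWcEw5UW1wTmJySXJ4dXpQWENQ
+b1p6QTlqVHY0WW5pa3d2d1B0dTkrNm8KLS0tIC9BeWtrR1V4SEFPL3RLMEdnUVd3
+TVViNzJqQlhEL1p6N1dKVDlrdUZ5ZzgKCyDfeVIp20EMnf9Brmx3DvDoOCDIY+et
+zrXQmLpWxrmpx8kHix/OpUKcOI6Q8xVU9TBMVLmeOhGbKZrVLayxeA==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1yrfr0q72nqa842t0mzckeemfww28qzcd3wqmrd8mvzwvgpzssvlq9ruzlk
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTMXA0VWRkREhXZnhqUloy
+dHRyYVFhMXFVZm1QVHVabGI2ZW40YTdpNmp3CkFQZll4NEcyZzRDNFg1UFhYVUdT
+QldLRlNQbk5HdFBzQ3lvSnNIMXowQVUKLS0tIGg5dmduZXJhbDBzMnNKYUxwYW1x
+dmNpQmZvNVFWb0pqSHRqQ2xacS94ckkKGmZtKUn8HBYOpEWEHr4a/m2rFc98p6r2
+phggYGtk1C4oMR6Qgnnx6JAbjDO85gFQQlL965xV+E4UcgpC2mxh7A==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2025-07-19T20:47:22Z"
+mac: ENC[AES256_GCM,data:UVUQhbb3jpkeGIj6Tngi9P0ZXT5tqA6ORO+MxXQtKXZKbBHsw2u0rChuxZfxxz0D7MfLr6p//sHxEH10H9knfeidWM9KBkqSHzyZXgMoAcygMt2NhL0buUDI8JZ8FKOJgBuKbl9P+V6ak3Ky8hgSKxaGY6TBQmX91MEVbtCeNQM=,iv:fELBdkmFmiBUU9V0uGLqOvWQFAwX9awMuOOs+dsTfhg=,tag:sw56wMkWj27p2A/0ib5EuQ==,type:str]
+unencrypted_suffix: _unencrypted
+version: 3.10.2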