clan-core/clanModules/borgbackup/default.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let
  cfg = config.clan.borgbackup;
  preBackupScript = ''
    declare -A preCommandErrors

    ${lib.concatMapStringsSep "\n" (
      state:
      lib.optionalString (state.preBackupCommand != null) ''
        echo "Running pre-backup command for ${state.name}"
        if ! /run/current-system/sw/bin/${state.preBackupCommand}; then
          preCommandErrors["${state.name}"]=1
        fi
      ''
    ) (lib.attrValues config.clan.core.state)}

    if [[ ''${#preCommandErrors[@]} -gt 0 ]]; then
      echo "pre-backup commands failed for the following services:"
      for state in "''${!preCommandErrors[@]}"; do
        echo "  $state"
      done
      exit 1
    fi
  '';
in
{
  options.clan.borgbackup.destinations = lib.mkOption {
    type = lib.types.attrsOf (
      lib.types.submodule (
        { name, ... }:
        {
          options = {
            name = lib.mkOption {
              type = lib.types.strMatching "^[a-zA-Z0-9._-]+$";
              default = name;
              description = "the name of the backup job";
            };
            repo = lib.mkOption {
              type = lib.types.str;
              description = "the borgbackup repository to backup to";
            };
            rsh = lib.mkOption {
              type = lib.types.str;
              default = "ssh -i ${
                config.clan.core.facts.services.borgbackup.secret."borgbackup.ssh".path
              } -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=Yes";
              defaultText = "ssh -i \${config.clan.core.facts.services.borgbackup.secret.\"borgbackup.ssh\".path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";
              description = "the rsh to use for the backup";
            };
          };
        }
      )
    );
    default = { };
    description = ''
      destinations where the machine should be backuped to
    '';
  };

  imports = [
    (lib.mkRemovedOptionModule [
      "clan"
      "borgbackup"
      "enable"
    ] "Just define clan.borgbackup.destinations to enable it")
  ];

  config = lib.mkIf (cfg.destinations != { }) {
    systemd.services = lib.mapAttrs' (
      _: dest:
      lib.nameValuePair "borgbackup-job-${dest.name}" {
        # since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.
        serviceConfig.ExecStartPre = [
          (''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}'')
        ];
      }
    ) cfg.destinations;

    services.borgbackup.jobs = lib.mapAttrs (_: dest: {
      paths = lib.unique (
        lib.flatten (map (state: state.folders) (lib.attrValues config.clan.core.state))
      );
      exclude = [ "*.pyc" ];
      repo = dest.repo;
      environment.BORG_RSH = dest.rsh;
      compression = "auto,zstd";
      startAt = "*-*-* 01:00:00";
      persistentTimer = true;

      encryption = {
        mode = "repokey";
        passCommand = "cat ${config.clan.core.facts.services.borgbackup.secret."borgbackup.repokey".path}";
      };

      prune.keep = {
        within = "1d"; # Keep all archives from the last day
        daily = 7;
        weekly = 4;
        monthly = 0;
      };
    }) cfg.destinations;

    clan.core.facts.services.borgbackup = {
      public."borgbackup.ssh.pub" = { };
      secret."borgbackup.ssh" = { };
      secret."borgbackup.repokey" = { };
      generator.path = [
        pkgs.openssh
        pkgs.coreutils
        pkgs.xkcdpass
      ];
      generator.script = ''
        ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh
        mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub
        xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey
      '';
    };

    environment.systemPackages = [
      (pkgs.writeShellScriptBin "borgbackup-create" ''
        set -efu -o pipefail
        ${lib.concatMapStringsSep "\n" (dest: ''
          systemctl start borgbackup-job-${dest.name}
        '') (lib.attrValues cfg.destinations)}
      '')
      (pkgs.writeShellScriptBin "borgbackup-list" ''
        set -efu
        (${
          lib.concatMapStringsSep "\n" (
            dest:
            # we need yes here to skip the changed url verification
            ''yes y | borg-job-${dest.name} list --json | jq '[.archives[] | {"name": ("${dest.name}::${dest.repo}::" + .name)}]' ''
          ) (lib.attrValues cfg.destinations)
        }) | ${pkgs.jq}/bin/jq -s 'add'
      '')
      (pkgs.writeShellScriptBin "borgbackup-restore" ''
        set -efux
        cd /
        IFS=':' read -ra FOLDER <<< "$FOLDERS"
        job_name=$(echo "$NAME" | ${pkgs.gawk}/bin/awk -F'::' '{print $1}')
        backup_name=''${NAME#"$job_name"::}
        if ! command -v borg-job-"$job_name" &> /dev/null; then
          echo "borg-job-$job_name not found: Backup name is invalid" >&2
          exit 1
        fi
        yes y | borg-job-"$job_name" extract --list "$backup_name" "''${FOLDER[@]}"
      '')
    ];

    clan.core.backups.providers.borgbackup = {
      list = "borgbackup-list";
      create = "borgbackup-create";
      restore = "borgbackup-restore";
    };
  };
}
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
backups: add clanCore backup & clan borgbackup module 2023-11-23 14:43:25 +00:00			`let`
			`cfg = config.clan.borgbackup;`
borgbackup: move preBackupScript to a different systemd context 2024-06-10 12:54:01 +00:00			`preBackupScript = ''`
			`declare -A preCommandErrors`

			`${lib.concatMapStringsSep "\n" (`
			`state:`
			`lib.optionalString (state.preBackupCommand != null) ''`
			`echo "Running pre-backup command for ${state.name}"`
clan.core.state: wrap all commands in shell scripts Otherwise we cannot execute them via ssh and also have nix store dependencies. 2024-06-19 09:42:14 +00:00			`if ! /run/current-system/sw/bin/${state.preBackupCommand}; then`
borgbackup: move preBackupScript to a different systemd context 2024-06-10 12:54:01 +00:00			`preCommandErrors["${state.name}"]=1`
			`fi`
			`''`
refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`) (lib.attrValues config.clan.core.state)}`
borgbackup: move preBackupScript to a different systemd context 2024-06-10 12:54:01 +00:00
			`if [[ ''${#preCommandErrors[@]} -gt 0 ]]; then`
clan.core.state: wrap all commands in shell scripts Otherwise we cannot execute them via ssh and also have nix store dependencies. 2024-06-19 09:42:14 +00:00			`echo "pre-backup commands failed for the following services:"`
borgbackup: move preBackupScript to a different systemd context 2024-06-10 12:54:01 +00:00			`for state in "''${!preCommandErrors[@]}"; do`
			`echo " $state"`
			`done`
			`exit 1`
			`fi`
			`'';`
backups: add clanCore backup & clan borgbackup module 2023-11-23 14:43:25 +00:00			`in`
			`{`
clan.borgbackup: drop enable option 2024-03-08 10:12:34 +00:00			`options.clan.borgbackup.destinations = lib.mkOption {`
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`type = lib.types.attrsOf (`
			`lib.types.submodule (`
			`{ name, ... }:`
			`{`
			`options = {`
			`name = lib.mkOption {`
rework backup interface to no longer need to list backups to restore them 2024-03-20 06:13:01 +00:00			`type = lib.types.strMatching "^[a-zA-Z0-9._-]+$";`
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`default = name;`
			`description = "the name of the backup job";`
			`};`
			`repo = lib.mkOption {`
			`type = lib.types.str;`
			`description = "the borgbackup repository to backup to";`
			`};`
			`rsh = lib.mkOption {`
			`type = lib.types.str;`
			`default = "ssh -i ${`
refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`config.clan.core.facts.services.borgbackup.secret."borgbackup.ssh".path`
borbackup: set `IdentitiesOnly=Yes` Since `borgbackup` is run as root user it might try other ssh keys. 2024-06-09 22:16:38 +00:00			`} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=Yes";`
refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`defaultText = "ssh -i \${config.clan.core.facts.services.borgbackup.secret.\"borgbackup.ssh\".path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null";`
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`description = "the rsh to use for the backup";`
			`};`
			`};`
			`}`
			`)`
			`);`
clan.borgbackup: drop enable option 2024-03-08 10:12:34 +00:00			`default = { };`
			`description = ''`
			`destinations where the machine should be backuped to`
			`'';`
backups: add clanCore backup & clan borgbackup module 2023-11-23 14:43:25 +00:00			`};`
clan.borgbackup: drop enable option 2024-03-08 10:12:34 +00:00
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`imports = [`
			`(lib.mkRemovedOptionModule [`
			`"clan"`
			`"borgbackup"`
			`"enable"`
			`] "Just define clan.borgbackup.destinations to enable it")`
			`];`
clan.borgbackup: drop enable option 2024-03-08 10:12:34 +00:00
fix backup not beeing activated 2024-03-12 12:17:04 +00:00			`config = lib.mkIf (cfg.destinations != { }) {`
borgbackup: move preBackupScript to a different systemd context 2024-06-10 12:54:01 +00:00			`systemd.services = lib.mapAttrs' (`
			`_: dest:`
			`lib.nameValuePair "borgbackup-job-${dest.name}" {`
			`# since borgbackup mounts the system read-only, we need to run in a ExecStartPre script, so we can generate additional files.`
			`serviceConfig.ExecStartPre = [`
			`(''+${pkgs.writeShellScript "borgbackup-job-${dest.name}-pre-backup-commands" preBackupScript}'')`
			`];`
			`}`
			`) cfg.destinations;`

re-format with nixfmt 2024-03-17 18:48:49 +00:00			`services.borgbackup.jobs = lib.mapAttrs (_: dest: {`
add postgresql backup hooks 2024-05-31 14:36:37 +00:00			`paths = lib.unique (`
refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`lib.flatten (map (state: state.folders) (lib.attrValues config.clan.core.state))`
add postgresql backup hooks 2024-05-31 14:36:37 +00:00			`);`
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`exclude = [ "*.pyc" ];`
			`repo = dest.repo;`
			`environment.BORG_RSH = dest.rsh;`
			`compression = "auto,zstd";`
			`startAt = "--* 01:00:00";`
			`persistentTimer = true;`
backups: add clanCore backup & clan borgbackup module 2023-11-23 14:43:25 +00:00
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`encryption = {`
			`mode = "repokey";`
refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`passCommand = "cat ${config.clan.core.facts.services.borgbackup.secret."borgbackup.repokey".path}";`
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`};`
encrypt backups by default 2024-02-22 13:50:07 +00:00
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`prune.keep = {`
			`within = "1d"; # Keep all archives from the last day`
			`daily = 7;`
			`weekly = 4;`
			`monthly = 0;`
			`};`
			`}) cfg.destinations;`
backups: add clanCore backup & clan borgbackup module 2023-11-23 14:43:25 +00:00
refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`clan.core.facts.services.borgbackup = {`
migrate secrets to new api 2024-03-28 09:30:37 +00:00			`public."borgbackup.ssh.pub" = { };`
			`secret."borgbackup.ssh" = { };`
			`secret."borgbackup.repokey" = { };`
re-format with nixfmt 2024-03-17 18:48:49 +00:00			`generator.path = [`
			`pkgs.openssh`
			`pkgs.coreutils`
			`pkgs.xkcdpass`
			`];`
backups: implement list the easy way 2023-12-06 16:12:38 +00:00			`generator.script = ''`
			`ssh-keygen -t ed25519 -N "" -f "$secrets"/borgbackup.ssh`
			`mv "$secrets"/borgbackup.ssh.pub "$facts"/borgbackup.ssh.pub`
encrypt backups by default 2024-02-22 13:50:07 +00:00			`xkcdpass -n 4 -d - > "$secrets"/borgbackup.repokey`
backups: implement list the easy way 2023-12-06 16:12:38 +00:00			`'';`
			`};`

backups: no longer interpret backup interface as bash commands 2024-03-20 06:28:02 +00:00			`environment.systemPackages = [`
			`(pkgs.writeShellScriptBin "borgbackup-create" ''`
			`set -efu -o pipefail`
			`${lib.concatMapStringsSep "\n" (dest: ''`
			`systemctl start borgbackup-job-${dest.name}`
			`'') (lib.attrValues cfg.destinations)}`
			`'')`
			`(pkgs.writeShellScriptBin "borgbackup-list" ''`
make backup provider more generic 2024-03-19 16:25:31 +00:00			`set -efu`
add localbackup provider 2024-03-19 18:23:14 +00:00			`(${`
			`lib.concatMapStringsSep "\n" (`
fix case when we have multiple backup destinations 2024-03-19 17:57:14 +00:00			`dest:`
rework backup interface to no longer need to list backups to restore them 2024-03-20 06:13:01 +00:00			`# we need yes here to skip the changed url verification`
			`''yes y \| borg-job-${dest.name} list --json \| jq '[.archives[] \| {"name": ("${dest.name}::${dest.repo}::" + .name)}]' ''`
fix case when we have multiple backup destinations 2024-03-19 17:57:14 +00:00			`) (lib.attrValues cfg.destinations)`
backups: no longer interpret backup interface as bash commands 2024-03-20 06:28:02 +00:00			`}) \| ${pkgs.jq}/bin/jq -s 'add'`
			`'')`
			`(pkgs.writeShellScriptBin "borgbackup-restore" ''`
			`set -efux`
backups: support services for restore 2023-12-08 17:40:18 +00:00			`cd /`
borgbackup: try to fix 2024-06-04 14:27:53 +00:00			`IFS=':' read -ra FOLDER <<< "$FOLDERS"`
backups: no longer interpret backup interface as bash commands 2024-03-20 06:28:02 +00:00			`job_name=$(echo "$NAME" \| ${pkgs.gawk}/bin/awk -F'::' '{print $1}')`
backups: fix name extraction for borgbackup restore 2024-03-20 06:54:28 +00:00			`backup_name=''${NAME#"$job_name"::}`
backups: no longer interpret backup interface as bash commands 2024-03-20 06:28:02 +00:00			`if ! command -v borg-job-"$job_name" &> /dev/null; then`
			`echo "borg-job-$job_name not found: Backup name is invalid" >&2`
			`exit 1`
			`fi`
backups: fix name extraction for borgbackup restore 2024-03-20 06:54:28 +00:00			`yes y \| borg-job-"$job_name" extract --list "$backup_name" "''${FOLDER[@]}"`
backups: no longer interpret backup interface as bash commands 2024-03-20 06:28:02 +00:00			`'')`
			`];`

refactor: rename clanCore -> clan.core 2024-06-17 10:42:28 +00:00			`clan.core.backups.providers.borgbackup = {`
backups: no longer interpret backup interface as bash commands 2024-03-20 06:28:02 +00:00			`list = "borgbackup-list";`
			`create = "borgbackup-create";`
			`restore = "borgbackup-restore";`
backups: add clanCore backup & clan borgbackup module 2023-11-23 14:43:25 +00:00			`};`
			`};`
			`}`