init

modules/borg_hetzner_nixos.nix

@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+let
+  name = "hetzner_nixos";
+  hostname = config.networking.hostName;
+  remotehost = "u555679-sub2@u555679-sub2.your-storagebox.de";
+  backuppath = "/backup/snapshot";
+  borgHook = toString /etc/nixos/scripts/borgHook.sh;
+in
+{
+
+  sops.secrets."borg/hetzner/mcserver/${hostname}" = {};
+
+  services.borgbackup.jobs."${name}" = {
+    paths = [
+      "${backuppath}/etc"
+      "${backuppath}/home"
+      "${backuppath}/root"
+      "${backuppath}/var"
+    ];
+    exclude = [
+      "${backuppath}*/.cache"
+      "${backuppath}/home/*/build"
+      "${backuppath}/var/log"
+      "${backuppath}/var/lib/nextcloud/data/appdata_ocnc33s4dl6i/preview"
+      "${backuppath}/var/lib/postgresql/*/"
+      "${backuppath}/var/lib/mysql/*"
+      "${backuppath}/var/lib/containers"
+      "${backuppath}/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots"
+    ];
+    #repo = "borg@nasty:.";
+    repo = "ssh://${remotehost}:23/./${hostname}";
+    compression = "zstd,10";
+    encryption.mode = "repokey";
+    encryption.passCommand = "cat /run/secrets/borg/hetzner/mcserver/${hostname}";
+    environment.BORG_RSH = "ssh -i /root/.ssh/id_hetzner_nixos";
+    extraCreateArgs = "--verbose --stats";
+    extraArgs = [ "--remote-path=borg-1.4" ];
+    startAt = "00:10";
+    preHook = "${borgHook} pre ${backuppath}"; #create snapshot for consistent filesystem
+    postCreate = "${borgHook} post ${backuppath}"; #delete snapshot again
+  };
+
+  systemd.services."borgbackup-job-${name}" = {
+    environment = {
+      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+    };
+    path = [ pkgs.btrfs-progs pkgs.mount pkgs.umount pkgs.lvm2 pkgs.bash ];
+    serviceConfig = {
+      ReadWritePaths = [ "/backup" "/var/lock/lvm" "/etc/lvm" ];
+    };
+  };
+}
+
+# vim: set et ts=2 sw=2 ai: