nixos-config/modules/restic/system.nix

{ pkgs, config, lib, ... }:
let
  cfg = config.sbruder.restic.system;

  sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
  sftpPort = 23;
  repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
  excludes = [
    # Caches
    "/home/*/Downloads/"
    "/home/*/.cache/"
    "/home/*/**/cache/"
    "/home/*/.local/share/Trash" # some gui applications use it
    "/root/.cache"
    "/data/cache/"
    "/var/cache/"

    # Rust
    "/home/*/.rustup/toolchains/"
    "/home/*/.cargo"

    # Misc
    "/home/*/mount"
    "/home/*/mounts"

    # Docker (state should be kept somewhere else)
    "/var/lib/docker/"

    # Static configuration (generated from this repository)
    "/etc/static/"
  ] ++ cfg.extraExcludes;
  excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);

  # script to use restic as user without dealing with authentication
  authScript = pkgs.writeShellScriptBin "restic-auth" ''
    ${pkgs.restic}/bin/restic \
      --password-command="pass data/backup/restic-nixos" \
      --repo "${repository}" \
      $@
  '';

  # HACK: NixOS’ nftables implementation runs nft -c inside the build sandbox,
  # where the target host’s cgroups are not available,
  # and therefore fails.
  # This is there to allow my home router to put backup traffic into the right qdisc,
  # as the ip address and port are also used for other things.
  # This is somewhat of an abuse of the DSCP mark.
  qosRules = pkgs.writeText "restic-qos.nft" ''
    table inet restic
    delete table inet restic

    table inet restic {
      chain output {
        type filter hook output priority mangle
        ip version 4 socket cgroupv2 level 1 "restic.slice" ip dscp set af12 return
        ip6 version 6 socket cgroupv2 level 1 "restic.slice" ip6 dscp set af12 return
      }
    }
  '';
in
{
  options.sbruder.restic.system = {
    enable = lib.mkEnableOption "restic";
    timerConfig = lib.mkOption {
      type = with lib.types; attrsOf str;
      default = {
        OnCalendar = "18:00";
        RandomizedDelaySec = "2h";
      };
    };
    extraPaths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "/data" ];
    };
    extraExcludes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
    };
    uploadLimit = lib.mkOption {
      type = lib.types.nullOr lib.types.int;
      default = null;
    };
    qos = (lib.mkEnableOption "QoS marking (DSCP AF12) of outgoing packets") // { default = !(lib.isNull cfg.uploadLimit); };
    prune = lib.mkEnableOption "pruning";
  };

  config = lib.mkIf cfg.enable {
    sops.secrets = {
      restic-password = { };
      restic-repository = { };
    } // lib.optionalAttrs cfg.prune {
      restic-ssh-key = {
        sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
      };
    };

    services.restic.backups.system = {
      inherit (cfg) timerConfig;
      repositoryFile = config.sops.secrets.restic-repository.path;
      passwordFile = config.sops.secrets.restic-password.path;
      paths = [
        "/etc"
        "/home"
        "/root"
        "/srv"
        "/var"
      ] ++ cfg.extraPaths;
      extraBackupArgs = [
        "--compression auto"
        "--exclude-caches"
        "--exclude-file=${excludesFile}"
        "--tag system"
        "--verbose"
      ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
      backupPrepareCommand = ''
        ${pkgs.nftables}/bin/nft -f ${qosRules}
      '';
      backupCleanupCommand = ''
        ${pkgs.nftables}/bin/nft delete table inet restic
      '';
    };

    systemd.services."restic-backups-system".serviceConfig = {
      "Nice" = 10;
      "IOSchedulingClass" = "best-effort";
      "IOSchedulingPriority" = 7;
      Slice = "restic.slice";
    };

    services.restic.backups.system-prune = lib.mkIf cfg.prune {
      inherit repository;
      passwordFile = config.sops.secrets.restic-password.path;
      timerConfig = {
        OnCalendar = "*-1/2-07 03:00:00";
        RandomizedDelaySec = "4h";
      };
      paths = [ ];
      extraOptions = [
        "-o"
        "sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
      ];
      pruneOpts = [
        "--compression auto"
        "--keep-daily 7"
        "--keep-monthly 12"
        "--keep-weekly 5"
        "--keep-yearly 10"
        "--tag system"
        "--verbose"
      ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
    };

    environment.systemPackages = [
      authScript
    ];
  };
}
-												restic: Simplify timerConfig

The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.

											
										
										
											2021-02-28 12:07:18 +01:00
+								{ pkgs, config, lib, ... }:
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								let
-												restic/system: Constantly use system for naming

In the future I may create add other backup jobs, so it should be clear,
that this only backs up the system.

											
										
										
											2021-02-28 12:21:04 +01:00
+								  cfg = config.sbruder.restic.system;
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
-												restic: Use storage box and restic-rest-server

While this setup complicates things, it also should protect me against
(malicious) deletion of old backups.

											
										
										
											2022-08-25 17:18:43 +02:00
+								  sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
 								  sftpPort = 23;
 								  repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								  excludes = [
-												restic: Clean up excludes

											
										
										
											2020-12-21 13:08:22 +01:00
+								    # Caches
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								    "/home/*/Downloads/"
 								    "/home/*/.cache/"
 								    "/home/*/**/cache/"
-												restic: Clean up excludes

											
										
										
											2020-12-21 13:08:22 +01:00
+								    "/home/*/.local/share/Trash" # some gui applications use it
-												restic/system: Ignore /root/.cache

											
										
										
											2022-04-23 21:10:55 +02:00
+								    "/root/.cache"
-												restic: Clean up excludes

											
										
										
											2020-12-21 13:08:22 +01:00
+								    "/data/cache/"
-												restic/system: Exclude /var/cache

											
										
										
											2022-06-27 14:19:06 +02:00
+								    "/var/cache/"
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
 								    # Rust
 								    "/home/*/.rustup/toolchains/"
 								    "/home/*/.cargo"
-												restic: Clean up excludes

											
										
										
											2020-12-21 13:08:22 +01:00
+								    # Misc
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								    "/home/*/mount"
-												restic/system: Exclude mounts

											
										
										
											2022-05-15 11:14:34 +02:00
+								    "/home/*/mounts"
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
-												restic: Clean up excludes

											
										
										
											2020-12-21 13:08:22 +01:00
+								    # Docker (state should be kept somewhere else)
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								    "/var/lib/docker/"
-												restic/system: Include /root and /etc

											
										
										
											2021-04-06 10:47:05 +02:00
 								    # Static configuration (generated from this repository)
 								    "/etc/static/"
-												restic: Parameterise extra paths and excludes

											
										
										
											2020-12-21 13:09:25 +01:00
+								  ] ++ cfg.extraExcludes;
-												restic: Fix typo in excludes filename

											
										
										
											2021-02-28 11:55:58 +01:00
+								  excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);
-												restic: Add restic-auth authentication wrapper

											
										
										
											2020-12-21 12:54:33 +01:00
 								  # script to use restic as user without dealing with authentication
 								  authScript = pkgs.writeShellScriptBin "restic-auth" ''
 								    ${pkgs.restic}/bin/restic \
-												restic: Fix restic-auth script

Since I migrated to sops, the password store structure changed.

											
										
										
											2021-05-27 14:38:33 +02:00
+								      --password-command="pass data/backup/restic-nixos" \
-												restic: Add restic-auth authentication wrapper

											
										
										
											2020-12-21 12:54:33 +01:00
+								      --repo "${repository}" \
 								      $@
 								  '';
-												restic: Use QoS instead of uploadLimit

This implements a crude mechanism for signalling my router to add the
packets to its own qdisc.

The way in which this is implemented with nftables is hacky because of
NixOS’ limitations on build-time checking (which obviously can’t know
about the existence of cgroups on the target).

											
										
										
											2023-10-07 22:32:10 +02:00
 								  # HACK: NixOS’ nftables implementation runs nft -c inside the build sandbox,
 								  # where the target host’s cgroups are not available,
 								  # and therefore fails.
 								  # This is there to allow my home router to put backup traffic into the right qdisc,
 								  # as the ip address and port are also used for other things.
 								  # This is somewhat of an abuse of the DSCP mark.
 								  qosRules = pkgs.writeText "restic-qos.nft" ''
 								    table inet restic
 								    delete table inet restic
 								    table inet restic {
 								      chain output {
 								        type filter hook output priority mangle
 								        ip version 4 socket cgroupv2 level 1 "restic.slice" ip dscp set af12 return
 								        ip6 version 6 socket cgroupv2 level 1 "restic.slice" ip6 dscp set af12 return
 								      }
 								    }
 								  '';
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								in
 								{
-												restic/system: Constantly use system for naming

In the future I may create add other backup jobs, so it should be clear,
that this only backs up the system.

											
										
										
											2021-02-28 12:21:04 +01:00
+								  options.sbruder.restic.system = {
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								    enable = lib.mkEnableOption "restic";
-												restic: Simplify timerConfig

The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.

											
										
										
											2021-02-28 12:07:18 +01:00
+								    timerConfig = lib.mkOption {
 								      type = with lib.types; attrsOf str;
 								      default = {
-												restic/system: Start earlier

This avoids the backup failing due to clients being suspended during the
backup.

											
										
										
											2022-01-22 10:32:51 +01:00
+								        OnCalendar = "18:00";
-												restic: Simplify timerConfig

The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.

											
										
										
											2021-02-28 12:07:18 +01:00
+								        RandomizedDelaySec = "2h";
-												Reformat restic module

											
										
										
											2020-12-21 12:33:46 +01:00
+								      };
-												restic: Simplify timerConfig

The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.

											
										
										
											2021-02-28 12:07:18 +01:00
+								    };
-												restic: Parameterise extra paths and excludes

											
										
										
											2020-12-21 13:09:25 +01:00
+								    extraPaths = lib.mkOption {
 								      type = lib.types.listOf lib.types.str;
 								      default = [ ];
 								      example = [ "/data" ];
 								    };
 								    extraExcludes = lib.mkOption {
 								      type = lib.types.listOf lib.types.str;
 								      default = [ ];
 								    };
-												restic/system: Limit upload to 1.5M by default

											
										
										
											2021-03-08 18:43:48 +01:00
+								    uploadLimit = lib.mkOption {
 								      type = lib.types.nullOr lib.types.int;
-												restic: Do not limit upload by default

This allows servers that have a fast internet connection to complete
their backup in seconds instead of minutes.

											
										
										
											2022-08-25 23:21:35 +02:00
+								      default = null;
-												restic/system: Limit upload to 1.5M by default

											
										
										
											2021-03-08 18:43:48 +01:00
+								    };
-												restic: Use QoS instead of uploadLimit

This implements a crude mechanism for signalling my router to add the
packets to its own qdisc.

The way in which this is implemented with nftables is hacky because of
NixOS’ limitations on build-time checking (which obviously can’t know
about the existence of cgroups on the target).

											
										
										
											2023-10-07 22:32:10 +02:00
+								    qos = (lib.mkEnableOption "QoS marking (DSCP AF12) of outgoing packets") // { default = !(lib.isNull cfg.uploadLimit); };
-												restic: Make restic prune regularily on fuuko

Closes #41.

											
										
										
											2021-05-28 14:54:45 +02:00
+								    prune = lib.mkEnableOption "pruning";
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								  };
-												restic: Set nice and ionice

											
										
										
											2020-10-17 09:58:44 +02:00
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								  config = lib.mkIf cfg.enable {
-												Use sops for secrets

Since I currently do not have access to sayuri, sayuri’s migration is
not done yet. The host keys and wg-home-private-key secret still have to
be added.

											
										
										
											2021-03-01 15:27:18 +01:00
+								    sops.secrets = {
-												Overhaul secrets management

											
										
										
											2021-01-06 13:09:29 +01:00
+								      restic-password = { };
-												restic: Use storage box and restic-rest-server

While this setup complicates things, it also should protect me against
(malicious) deletion of old backups.

											
										
										
											2022-08-25 17:18:43 +02:00
+								      restic-repository = { };
 								    } // lib.optionalAttrs cfg.prune {
 								      restic-ssh-key = {
 								        sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
 								      };
-												Overhaul secrets management

											
										
										
											2021-01-06 13:09:29 +01:00
+								    };
-												restic: Remove hostname from service name

											
										
										
											2021-01-08 21:33:45 +01:00
+								    services.restic.backups.system = {
-												restic: Simplify timerConfig

The upstream restic module validates the types anyway, so I can drop the
ugly expression to copy the option.

											
										
										
											2021-02-28 12:07:18 +01:00
+								      inherit (cfg) timerConfig;
-												restic: Use storage box and restic-rest-server

While this setup complicates things, it also should protect me against
(malicious) deletion of old backups.

											
										
										
											2022-08-25 17:18:43 +02:00
+								      repositoryFile = config.sops.secrets.restic-repository.path;
-												Use sops for secrets

Since I currently do not have access to sayuri, sayuri’s migration is
not done yet. The host keys and wg-home-private-key secret still have to
be added.

											
										
										
											2021-03-01 15:27:18 +01:00
+								      passwordFile = config.sops.secrets.restic-password.path;
-												restic: Parameterise extra paths and excludes

											
										
										
											2020-12-21 13:09:25 +01:00
+								      paths = [
-												restic/system: Include /root and /etc

											
										
										
											2021-04-06 10:47:05 +02:00
+								        "/etc"
-												restic: Parameterise extra paths and excludes

											
										
										
											2020-12-21 13:09:25 +01:00
+								        "/home"
-												restic/system: Include /root and /etc

											
										
										
											2021-04-06 10:47:05 +02:00
+								        "/root"
-												restic: Parameterise extra paths and excludes

											
										
										
											2020-12-21 13:09:25 +01:00
+								        "/srv"
 								        "/var"
 								      ] ++ cfg.extraPaths;
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								      extraBackupArgs = [
-												restic/system: Enable compression

Fixes #66.

											
										
										
											2022-12-13 09:59:31 +01:00
+								        "--compression auto"
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								        "--exclude-caches"
 								        "--exclude-file=${excludesFile}"
-												restic/system: Constantly use system for naming

In the future I may create add other backup jobs, so it should be clear,
that this only backs up the system.

											
										
										
											2021-02-28 12:21:04 +01:00
+								        "--tag system"
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								        "--verbose"
-												restic/system: Limit upload to 1.5M by default

											
										
										
											2021-03-08 18:43:48 +01:00
+								      ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
-												Upgrade to 23.11

Flake lock file updates:

• Updated input 'bang-evaluator':
    'git+https://git.sbruder.de/simon/bangs?ref=refs/heads/master&rev=7fc3d5019c907566abbad8f84ba9555a5786bd01' (2021-08-01)
  → 'git+https://git.sbruder.de/simon/bangs?ref=refs/heads/master&rev=a06c68c44862f74757a203e2df41ea83c33722d9' (2023-12-02)
• Updated input 'home-manager':
    'github:nix-community/home-manager/04bac349d585c9df38d78e0285b780a140dc74a4' (2023-11-12)
  → 'github:nix-community/home-manager/aeb2232d7a32530d3448318790534d196bf9427a' (2023-11-24)
• Updated input 'home-manager-unstable':
    'github:nix-community/home-manager/9a4725afa67db35cdf7be89f30527d745194cafa' (2023-11-19)
  → 'github:nix-community/home-manager/4a8545f5e737a6338814a4676dc8e18c7f43fc57' (2023-12-01)
• Updated input 'nix-pre-commit-hooks':
    'github:cachix/pre-commit-hooks.nix/e558068cba67b23b4fbc5537173dbb43748a17e8' (2023-11-15)
  → 'github:cachix/pre-commit-hooks.nix/e5ee5c5f3844550c01d2131096c7271cec5e9b78' (2023-11-25)
• Updated input 'nixos-hardware':
    'github:nixos/nixos-hardware/1721da31f9b30cbf4460c4ec5068b3b6174a4694' (2023-11-18)
  → 'github:nixos/nixos-hardware/8772491ed75f150f02552c60694e1beff9f46013' (2023-11-29)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/9fb122519e9cd465d532f736a98c1e1eb541ef6f' (2023-11-16)
  → 'github:nixos/nixpkgs/5de0b32be6e85dc1a9404c75131316e4ffbc634c' (2023-12-01)
• Updated input 'nixpkgs-overlay':
    'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=c8a17806a75733dec2ecdd8f0021c70d1f9dfc43' (2023-10-04)
  → 'git+https://git.sbruder.de/simon/nixpkgs-overlay?ref=refs/heads/master&rev=37f80d1593ab856372cc0da199f49565f3b05c71' (2023-12-02)
• Updated input 'nixpkgs-overlay/poetry2nix':
    'github:nix-community/poetry2nix/093383b3d7fdd36846a7d84e128ca11865800538' (2023-09-22)
  → 'github:nix-community/poetry2nix/7acb78166a659d6afe9b043bb6fe5cb5e86bb75e' (2023-12-01)
• Updated input 'nixpkgs-overlay/poetry2nix/nix-github-actions':
    'github:nix-community/nix-github-actions/165b1650b753316aa7f1787f3005a8d2da0f5301' (2023-07-09)
  → 'github:nix-community/nix-github-actions/4bb5e752616262457bc7ca5882192a564c0472d2' (2023-11-03)
• Added input 'nixpkgs-overlay/poetry2nix/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Added input 'nixpkgs-overlay/poetry2nix/treefmt-nix':
    'github:numtide/treefmt-nix/e82f32aa7f06bbbd56d7b12186d555223dc399d1' (2023-11-12)
• Added input 'nixpkgs-overlay/poetry2nix/treefmt-nix/nixpkgs':
    follows 'nixpkgs-overlay/poetry2nix/nixpkgs'
• Updated input 'nixpkgs-unstable':
    'github:nixos/nixpkgs/c757e9bd77b16ca2e03c89bf8bc9ecb28e0c06ad' (2023-11-17)
  → 'github:nixos/nixpkgs/e92039b55bcd58469325ded85d4f58dd5a4eaf58' (2023-11-29)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/49a87c6c827ccd21c225531e30745a9a6464775c' (2023-11-19)
  → 'github:Mic92/sops-nix/e19071f9958c8da4f4347d3d78790d97e98ba22f' (2023-12-02)
• Updated input 'sops-nix/nixpkgs-stable':
    'github:NixOS/nixpkgs/decdf666c833a325cb4417041a90681499e06a41' (2023-11-18)
  → 'github:NixOS/nixpkgs/dfb95385d21475da10b63da74ae96d89ab352431' (2023-11-25)

											
										
										
											2023-12-02 18:54:23 +01:00
+								      backupPrepareCommand = ''
 								        ${pkgs.nftables}/bin/nft -f ${qosRules}
 								      '';
 								      backupCleanupCommand = ''
 								        ${pkgs.nftables}/bin/nft delete table inet restic
 								      '';
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								    };
-												restic: Remove hostname from service name

											
										
										
											2021-01-08 21:33:45 +01:00
+								    systemd.services."restic-backups-system".serviceConfig = {
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								      "Nice" = 10;
 								      "IOSchedulingClass" = "best-effort";
 								      "IOSchedulingPriority" = 7;
-												restic: Use QoS instead of uploadLimit

This implements a crude mechanism for signalling my router to add the
packets to its own qdisc.

The way in which this is implemented with nftables is hacky because of
NixOS’ limitations on build-time checking (which obviously can’t know
about the existence of cgroups on the target).

											
										
										
											2023-10-07 22:32:10 +02:00
+								      Slice = "restic.slice";
-												Parameterise restic

											
										
										
											2020-12-05 14:19:34 +01:00
+								    };
-												restic: Add restic-auth authentication wrapper

											
										
										
											2020-12-21 12:54:33 +01:00
-												restic: Make restic prune regularily on fuuko

Closes #41.

											
										
										
											2021-05-28 14:54:45 +02:00
+								    services.restic.backups.system-prune = lib.mkIf cfg.prune {
 								      inherit repository;
 								      passwordFile = config.sops.secrets.restic-password.path;
 								      timerConfig = {
 								        OnCalendar = "*-1/2-07 03:00:00";
 								        RandomizedDelaySec = "4h";
 								      };
 								      paths = [ ];
-												restic: Use storage box and restic-rest-server

While this setup complicates things, it also should protect me against
(malicious) deletion of old backups.

											
										
										
											2022-08-25 17:18:43 +02:00
+								      extraOptions = [
 								        "-o"
 								        "sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
 								      ];
-												restic: Make restic prune regularily on fuuko

Closes #41.

											
										
										
											2021-05-28 14:54:45 +02:00
+								      pruneOpts = [
-												restic/system: Enable compression

Fixes #66.

											
										
										
											2022-12-13 09:59:31 +01:00
+								        "--compression auto"
-												restic: Make restic prune regularily on fuuko

Closes #41.

											
										
										
											2021-05-28 14:54:45 +02:00
+								        "--keep-daily 7"
 								        "--keep-monthly 12"
 								        "--keep-weekly 5"
 								        "--keep-yearly 10"
 								        "--tag system"
 								        "--verbose"
 								      ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
 								    };
-												restic: Add restic-auth authentication wrapper

											
										
										
											2020-12-21 12:54:33 +01:00
+								    environment.systemPackages = [
 								      authScript
 								    ];
-												restic: Set nice and ionice

											
										
										
											2020-10-17 09:58:44 +02:00
+								  };
-												Initial commit

											
										
										
											2020-08-22 17:44:39 +02:00
+								}