mkRestic modifications, will add mkBorg later and use that instead.

This commit is contained in:
Joseph Hanson 2025-02-09 19:26:53 -06:00
parent 4a4cce4e94
commit f02407bfca
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o


@ -3,44 +3,43 @@
config, config,
pkgs, pkgs,
... ...
}: }: {
{
# container builder # container builder
lib.mySystem.mkContainer = lib.mySystem.mkContainer = options: (
options: let
( containerExtraOptions =
let lib.optionals (lib.attrsets.attrByPath ["caps" "privileged"] false options) ["--privileged"]
containerExtraOptions = ++ lib.optionals (lib.attrsets.attrByPath ["caps" "readOnly"] false options) ["--read-only"]
lib.optionals (lib.attrsets.attrByPath [ "caps" "privileged" ] false options) [ "--privileged" ] ++ lib.optionals (lib.attrsets.attrByPath ["caps" "tmpfs"] false options) (
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "readOnly" ] false options) [ "--read-only" ] map (folders: "--tmpfs=${folders}") options.caps.tmpfsFolders
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "tmpfs" ] false options) ( )
map (folders: "--tmpfs=${folders}") options.caps.tmpfsFolders ++ lib.optionals (lib.attrsets.attrByPath ["caps" "noNewPrivileges"] false options) [
) "--security-opt=no-new-privileges"
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "noNewPrivileges" ] false options) [ ]
"--security-opt=no-new-privileges" ++ lib.optionals (lib.attrsets.attrByPath ["caps" "dropAll"] false options) ["--cap-drop=ALL"];
] in {
++ lib.optionals (lib.attrsets.attrByPath [ "caps" "dropAll" ] false options) [ "--cap-drop=ALL" ]; ${options.app} = {
in image = "${options.image}";
{ user = "${options.user}:${options.group}";
${options.app} = { environment =
image = "${options.image}"; {
user = "${options.user}:${options.group}";
environment = {
TZ = config.time.timeZone; TZ = config.time.timeZone;
} // lib.attrsets.attrByPath [ "env" ] { } options; }
dependsOn = lib.attrsets.attrByPath [ "dependsOn" ] [ ] options; // lib.attrsets.attrByPath ["env"] {} options;
entrypoint = lib.attrsets.attrByPath [ "entrypoint" ] null options; dependsOn = lib.attrsets.attrByPath ["dependsOn"] [] options;
cmd = lib.attrsets.attrByPath [ "cmd" ] [ ] options; entrypoint = lib.attrsets.attrByPath ["entrypoint"] null options;
environmentFiles = lib.attrsets.attrByPath [ "envFiles" ] [ ] options; cmd = lib.attrsets.attrByPath ["cmd"] [] options;
volumes = [ environmentFiles = lib.attrsets.attrByPath ["envFiles"] [] options;
volumes =
[
"/etc/localtime:/etc/localtime:ro" "/etc/localtime:/etc/localtime:ro"
] ++ lib.attrsets.attrByPath [ "volumes" ] [ ] options; ]
ports = lib.attrsets.attrByPath [ "ports" ] [ ] options; ++ lib.attrsets.attrByPath ["volumes"] [] options;
extraOptions = containerExtraOptions; ports = lib.attrsets.attrByPath ["ports"] [] options;
}; extraOptions = containerExtraOptions;
} };
); }
);
## Creates a standardized restic backup configuration for both local and remote backups per app. ## Creates a standardized restic backup configuration for both local and remote backups per app.
# One S3 bucket per server. Each app has its own repository in the bucket. # One S3 bucket per server. Each app has its own repository in the bucket.
@ -76,73 +75,79 @@
# This creates two backup jobs: # This creates two backup jobs:
# - nextcloud-local: backs up to local storage # - nextcloud-local: backs up to local storage
# - nextcloud-remote: backs up to remote storage (e.g. S3) # - nextcloud-remote: backs up to remote storage (e.g. S3)
lib.mySystem.mkRestic = lib.mySystem.mkRestic = options: let
options: # excludePaths is optional
let excludePaths =
# excludePaths is optional if builtins.hasAttr "excludePaths" options
excludePaths = if builtins.hasAttr "excludePaths" options then options.excludePaths else [ ]; then options.excludePaths
# Decide which mutually exclusive options to use else [];
remoteResticTemplateFile = # Decide which mutually exclusive options to use
if builtins.hasAttr "remoteResticTemplateFile" options then remoteResticTemplateFile =
options.remoteResticTemplateFile if builtins.hasAttr "remoteResticTemplateFile" options
else then options.remoteResticTemplateFile
null; else null;
remoteResticTemplate = remoteResticTemplate =
if builtins.hasAttr "remoteResticTemplate" options then options.remoteResticTemplate else null; if builtins.hasAttr "remoteResticTemplate" options
# 2:05 daily backup with 3h random delay then options.remoteResticTemplate
timerConfig = { else null;
OnCalendar = "06:05"; # night snap is taken at 02:10 # 2:05 daily backup with 3h random delay
Persistent = true; timerConfig = null;
RandomizedDelaySec = "30m"; #{
}; #OnCalendar = "00:20"; # night snap is taken at 02:10
# 7 daily, 5 weekly, 12 monthly backups #Persistent = true;
pruneOpts = [ #RandomizedDelaySec = "30m";
"--keep-daily 7" #};
"--keep-weekly 5" # 7 daily, 5 weekly, 12 monthly backups
]; pruneOpts = [
# Initialize the repository if it doesn't exist "--keep-daily 7"
initialize = true; "--keep-weekly 5"
# Only one backup is ever running at a time it's safe to say that we can remove stale locks ];
backupPrepareCommand = '' # Initialize the repository if it doesn't exist
# remove stale locks - this avoids some occasional annoyance initialize = true;
# # Only one backup is ever running at a time it's safe to say that we can remove stale locks
${pkgs.restic}/bin/restic unlock --remove-all || true backupPrepareCommand = ''
''; # remove stale locks - this avoids some occasional annoyance
in #
{ ${pkgs.restic}/bin/restic unlock --remove-all || true
# local backup '';
"${options.app}-local" = { in {
inherit # local backup
pruneOpts "${options.app}-local" = {
timerConfig inherit
initialize pruneOpts
backupPrepareCommand timerConfig
; initialize
inherit (options) user passwordFile environmentFile; backupPrepareCommand
# Move the path to the zfs snapshot path ;
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths; inherit (options) user passwordFile environmentFile;
exclude = map ( # Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
exclude =
map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}" x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
) options.excludePaths; )
repository = "${options.localResticTemplate}"; options.excludePaths;
}; repository = "${options.localResticTemplate}";
# remote backup
"${options.app}-remote" = {
inherit
pruneOpts
timerConfig
initialize
backupPrepareCommand
;
inherit (options) user passwordFile environmentFile;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
repository = remoteResticTemplate;
repositoryFile = remoteResticTemplateFile;
exclude = map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
) options.excludePaths;
};
}; };
# remote backup
"${options.app}-remote" = {
inherit
pruneOpts
timerConfig
initialize
backupPrepareCommand
;
inherit (options) user passwordFile environmentFile;
# Move the path to the zfs snapshot path
paths = map (x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}") options.paths;
repository = remoteResticTemplate;
repositoryFile = remoteResticTemplateFile;
exclude =
map (
x: "${config.mySystem.services.zfs-nightly-snap.mountPath}/${x}"
)
options.excludePaths;
};
};
} }
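Review bot: `timerConfig = null;` is inherited into both the `${options.app}-local` and `${options.app}-remote` jobs, so as far as the NixOS restic module is concerned no timer unit is generated and no backup runs unless something invokes the service by hand, yet the comment directly above it still says `# 2:05 daily backup with 3h random delay`, which matches neither the commented-out `00:20`/`30m` block nor the null. If manual-only is the intent until mkBorg lands, replace that stale comment with something a future reader can act on: `# Timer intentionally disabled pending the mkBorg migration; backups do not run automatically until timerConfig is restored.` Separately, both `exclude = map (...) options.excludePaths` expressions bypass the `excludePaths` local that defaults to `[]`, so an app that omits `excludePaths` fails evaluation despite the "excludePaths is optional" comment; using `excludePaths` instead of `options.excludePaths` in both places would honour the default. The `backupPrepareCommand` comment's "only one backup is ever running at a time" justification for `restic unlock --remove-all` is worth re-checking once scheduling is reinstated, since the local and remote jobs share that command.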