defiant: Fix nfs-client, replace borg with restic

hosts/defiant/backup.nix

@@ -1,62 +1,30 @@
 { config, pkgs, lib, ... }:
 {
-  services.borgbackup.jobs =
+  services.restic.backups = let
-    let
+    localJob = name: paths: {
-      borgJob = name: {
+      inherit paths;
-        environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
+      repository = "/mnt/feal-syn1/backup/defiant/${name}";
-        environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
+      passwordFile = config.sops.secrets."restic/${name}".path;
-        repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/defiant/${name}";
+      initialize = true;
-        compression = "auto,zstd";
+      pruneOpts = [
-      };
+        "--keep-daily 3"
-    in {
+        "--keep-weekly 4"
-      postgresDaily = borgJob "postgres::daily" // {
+        "--keep-monthly 3"
-        paths = "/data/backup/postgresql";
+      ];
-        startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
+    };
-        extraInitArgs = "--storage-quota 10G";
+  in {
-        encryption = {
+    postgres = (localJob "postgres" [ "/tank/backup/postgresql" ]) // {
-          mode = "repokey-blake2";
+      timerConfig.OnCalendar = "05:15"; # 2h after postgresqlBackup
-          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
-        };
-      };
-
-      postgresWeekly = borgJob "postgres::weekly" // {
-        paths = "/data/backup/postgresql";
-        startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
-        extraInitArgs = "--storage-quota 10G";
-        encryption = {
-          mode = "repokey-blake2";
-          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
-        };
-      };
-
-      gitea = borgJob "gitea::weekly" // {
-        paths = "/tank/services/gitea";
-        startAt = "Mon *-*-* 05:15:00";
-        extraInitArgs = "--storage-quota 20G";
-        encryption = {
-          mode = "repokey-blake2";
-          passCommand = "cat ${config.sops.secrets."borg/gitea".path}";
-        };
-      };
-
-      minecraft = borgJob "minecraft::weekly" // {
-        paths = "/var/lib/minecraft-wack";
-        startAt = "weekly";
-        extraInitArgs = "--storage-quota 20G";
-        encryption.mode = "none";
-
-        preHook = ''
-          ${pkgs.mcrcon}/bin/mcrcon -p wack "say Starting Backup" "save-off" "save-all"
-        '';
-
-        postHook = ''
-          ${pkgs.mcrcon}/bin/mcrcon -p wack "save-all" "say Completed Backup" "save-on" "save-all"
-        '';
-      };
-
     };
 
-  # TODO: Matrix (keys,media,db), home-assistant, pihole, vaultwarden
+    gitea = (localJob "gitea" [ "/tank/services/gitea" ]);
-  sops.secrets."borg/postgres" = { };
+    matrix-synapse = (localJob "matrix-synapse" [ "/var/lib/matrix-synapse" ]);
-  sops.secrets."borg/gitea" = { };
+    vaultwarden = (localJob "vaultwarden" [ "/var/lib/bitwarden_rs" ]);
+  };
+
+  # TODO: home-assistant, pihole
+  sops.secrets."restic/postgres" = { };
+  sops.secrets."restic/gitea" = { };
+  sops.secrets."restic/matrix-synapse" = { };
+  sops.secrets."restic/vaultwarden" = { };
 }

hosts/defiant/configuration.nix

@@ -5,6 +5,7 @@
     [
       ../../base.nix
       ../../common/metrics-exporters.nix
+      ./filesystems.nix
       ./hardware-configuration.nix
 
       # Infrastructure
@@ -44,16 +45,6 @@
   sops.defaultSopsFile = ../../secrets/defiant/defiant.yaml;
 
   environment.variables = { EDITOR = "vim"; };
-  environment.systemPackages = with pkgs; [
-    zfs
-  ];
-
-  boot = {
-    zfs.extraPools = [ "tank" ];
-    supportedFilesystems = [ "zfs" ];
-    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
-  };
-  services.prometheus.exporters.zfs.enable = true;
 
   virtualisation.docker.enable = true;
   virtualisation.oci-containers.backend = "docker";

hosts/defiant/filesystems.nix

@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+{
+  # Boot drives are defined in ./hardware-configuration.nix
+
+  boot = {
+    zfs.extraPools = [ "tank" ];
+    supportedFilesystems = [ "zfs" ];
+    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  };
+  services.prometheus.exporters.zfs.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    cifs-utils
+    zfs
+  ];
+
+  fileSystems = {
+    "/mnt/feal-syn1/backup" = {
+      device = "feal-syn1.home.feal.no:/volume2/backup";
+      fsType = "nfs";
+      options = [
+        "defaults"
+        "noatime"
+        "rw"
+        "nfsvers=3"
+      ];
+    };
+  };
+}

hosts/defiant/services/postgresql.nix

@@ -7,7 +7,7 @@
 
   services.postgresqlBackup = {
     enable = true;
-    location = "/data/backup/postgresql/";
+    location = "/tank/backup/postgresql";
     startAt = "*-*-* 03:15:00";
 
     # Each service is registered in its own configuration file

secrets/defiant/defiant.yaml

@@ -11,9 +11,11 @@ vaultwarden:
     admintoken: ENC[AES256_GCM,data:sUPOe3goxpJFpe5fBdwcM5Z6+DXNdZr5Xd6HzRUb7LtDk9IUtwL4wtlckwnMRoLF628XvCV3ObrX2UmTqUX/6pWqLkWL/vWb3C8ogq4=,iv:vvO9nEkCjcKvl+ILEMlMorMmvyNM1juRYRnEolwg9sQ=,tag:wFnz9oOA+ZGrb4UqKrtUcA==,type:str]
 microbin:
     secrets: ENC[AES256_GCM,data:B2yOSEXFyge7fgphtKcy8CjaeEiwmHAxgGoiqa4lmQtRtnxy5UuH3dFuCXHvbd3n6YA24zX3ANIQpj6ilT4I96+P+L9TjA==,iv:3mryQf3GdKCqBkLsfyqJk5ZN+/gOEbL/LmEzreINGME=,tag:YD8uvkS23c5B7J9srRrU9w==,type:str]
-borg:
+restic:
-    postgres: ENC[AES256_GCM,data:vwfLF2qkUMl9b/4oYVm+pzfbbw==,iv:+QlTXjowne2d+ufw9YbhgaAIVvYg78LkMS0BqfPwoRI=,tag:JAbR3/DbYp+vRApJteg4zA==,type:str]
+    gitea: ENC[AES256_GCM,data:3RqbDR8h+htdKoThpp2mptB3QuMmNSaFIw6ORGMxpcs=,iv:ZqG4zlsMPh9PmsCZ/deEON6weY+p5rAUN2dEJGzEfOY=,tag:4jN00VnwOpId+Zp8qF5tmQ==,type:str]
-    gitea: ENC[AES256_GCM,data:GIZ/wkzEkm6DUZETv8GpXd8k5w==,iv:MLnVtrev+poT+3D5+o5UV8FBQWpvqlYAkcXMF53bKJw=,tag:89zkLJNZw04ZPyqvpspgsw==,type:str]
+    matrix-synapse: ENC[AES256_GCM,data:wJMtOS8IH6lY8ni2h5hO0zJN6JbJUpfeSp44iTpEcZM=,iv:45BBv5kPCmbW68k59FuuVf22JTrWtDWNEiovPuCOn/M=,tag:sslqD1foO8FeD7Oll8sGFg==,type:str]
+    postgres: ENC[AES256_GCM,data:FsXVw4nd+7bwaX4UL0/ShuQRDbLJEPlAasMaV4LNP88=,iv:/0GLzTyrJB5+DQcsxFJxuDVQpsj87levnKUd+/T6rAw=,tag:ndE3UJpMW/mLot4Ar8xY1A==,type:str]
+    vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str]
 keycloak:
     postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
 sops:
@@ -40,8 +42,8 @@ sops:
             RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
             fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-09-25T17:49:30Z"
+    lastmodified: "2024-10-05T08:43:32Z"
-    mac: ENC[AES256_GCM,data:17W0WL9NkwEi/zofBffNtns4kxykfpOV05ukHDpkNjmlrRKxTJtlpRLdSb0JGaAxPm15f2fdjDmKl7gkDm09SRXMRwxyntix2ZjvMPx9pXgoMfiZfc6Cn3GwGco3Eajvpm8tS7DKaWfToC+XYvxjeHhyFhDbI7xMf7LcB2s+OOI=,iv:v5rAcMz5142AKKx7CQLTRBR3tGMWe1LSM0VHaDI5Nbk=,tag:GxoQjPE8ox45Udx/id+Y/g==,type:str]
+    mac: ENC[AES256_GCM,data:UMaxVqcS9SK/OclUe5k547zScx5BhAJt4f87Sfw2Ctdx6ZJRbju4310TeZUygzge4/OrCywD+9R09FzR65OBvIDxvUIqOblqzrYiHK6xRUSkUtLJEb8gzD7ycsccHaHpLYom0zbSixmMUDSthn2rexQixin9gUGVq+x9I3Z/sPk=,iv:oZAcTHjeFQjxZrNmQmJS3kJiXs1IcDbYJOo44kI3f5Y=,tag:7GINKR+6WMhlDAzeDOyrog==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1