first steps with backup

2019-06-15 10:27:05 +02:00 · 2019-06-15 10:27:05 +02:00 · 67af66939c
parent b4dee75932
commit 67af66939c
2 changed files with 42 additions and 0 deletions
--- a/borgbackup.nix
+++ b/borgbackup.nix
@ -0,0 +1,41 @@
+{ pkgs, stdenv, ... }:
+
+let
+  borgPassCommand = pkgs.writeScript "borgPassCommand" ''
+    #!${stdenv.shell}
+    set -euo pipefail
+    # Make sure everything but the password ends up on stderr
+    exec 3>&1 >&2
+    mkdir -p /var/lib/borgbackup
+    chown root:root /var/lib/borgbackup
+    chmod 700 /var/lib/borgbackup
+    if [ ! -s /var/lib/borgbackup/sshkey ]; then
+      ${pkgs.openssh}/bin/ssh-keygen -t rsa -b 4096 -N "" -f /var/lib/borgbackup/sshkey
+    fi
+    if [ ! -s /var/lib/borgbackup/repokey ]; then
+      head -c 1024 /dev/urandom | base64 > /var/lib/borgbackup/repokey
+      chmod 400 /var/lib/borgbackup/repokey
+    fi
+    # Password needs to go into fd 3 as that is the real stdout
+    cat /var/lib/borgbackup/repokey >&3
+    '';
+in
+{
+  services.borgbackup.jobs.postfixadmin = {
+    readWritePaths = [ "/var/lib/borgbackup" ];
+    paths = "/var/lib/postfixadmin";
+    exclude = [  ];
+    repo = "mail2@host01.hamburg.freifunk.net:backup/postfixadmin";
+    prune.keep = {
+      within = "2d";
+      daily = 7;
+      weekly = 2;
+    };
+    encryption = {
+      mode = "repokey";
+      passCommand = borgPassCommand;
+    };
+    compression = "auto,lz4";
+    startAt = "hourly";
+    };
+}
--- a/configuration.nix
+++ b/configuration.nix
@ -11,6 +11,7 @@
      ./sshusers.nix
      ./variables.nix
      ./mailserver.nix
+      ./borgbackup.nix
    ];

  # Configuration options for the mailserver