backup: Configure borg serve on nuc

My laptop now uses BorgBackup over SSH. This allow me to run backups over my Tailnet even when I'm aways from home.
wagdav · Nov 3, 2024 · 84272b7 · 84272b7
1 parent 0cdaf6f
commit 84272b7
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -32,6 +32,16 @@ My [rcfiles](https://github.com/wagdav/rcfiles) repository completes the
 configuration of my laptop.  Those files live in a separate repository because
 I also use them on my work computer which doesn't run NixOS.
 
+A periodic job backs up my home directory.  The remote connection uses an SSH
+key which I store in `/root/keys`:
+
+```
+sudo ssh-keygen -N '' -t ed25519 -f /root/keys/id_ed25519-borg-x1
+```
+
+The [backup server configuration](./modules/backup.nix) references the public
+part of this key.
+
 ## Servers
 
 The server's configuration is in the `nixosConfigurations` attribute of

diff --git a/host-nuc.nix b/host-nuc.nix
@@ -4,6 +4,7 @@
   imports = [
     ./hardware/nuc.nix
     ./modules/alertmanager.nix
+    ./modules/backup.nix
     ./modules/cachix.nix
     ./modules/consul/server.nix
     ./modules/git.nix

diff --git a/modules/backup.nix b/modules/backup.nix
@@ -0,0 +1,28 @@
+{ config, lib, ... }:
+
+{
+  imports = [
+    ./nas.nix
+  ];
+
+  users.users.borg = {
+    isNormalUser = lib.mkForce true;
+    isSystemUser = lib.mkForce false;
+    uid = 1000;
+    extraGroups = [ "git" ];
+  };
+  users.groups.borg = {
+    gid = 1000;
+  };
+
+  systemd.services.borgbackup-repo-x1.serviceConfig = {
+    User = "borg";
+  };
+
+  services.borgbackup.repos = {
+    x1 = {
+      authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDYh9g6mgiD2ckSeeZ+eXhEYSnFPo1/jNKpmhTX5U5i3 root@x1" ];
+      path = "/mnt/nas/backup/borg/x1";
+    };
+  };
+}
diff --git a/modules/git.nix b/modules/git.nix
@@ -67,11 +67,5 @@ in
     };
   };
 
-  users.users.borg = {
-    isNormalUser = true;
-    uid = 1000;
-    extraGroups = [ "git" ];
-  };
-
   networking.firewall.allowedTCPPorts = [ httpPort ];
 }
diff --git a/x1.nix b/x1.nix
@@ -202,10 +202,10 @@
       "- **/.swp"
       "- **"
     ];
-    repo = "/mnt/nas/backup/borg/x1";
+    repo = "borg@nuc:.";
+    environment = { BORG_RSH = "ssh -i /root/keys/id_ed25519-borg-x1"; };
     encryption.mode = "none";
     doInit = false;
-    user = "dwagner";
     startAt = "daily";
     persistentTimer = true;
     prune.keep = {