feat(backups): add local harddrive backup service and docs

rubenhoenle · Nov 10, 2024 · 8245d91 · 8245d91
1 parent 4d7afa3
commit 8245d91
Show file tree

Hide file tree

Showing 5 changed files with 73 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -17,6 +17,8 @@ _Don't forget to specify root as username when connecting to the initrd ssh sess
 
 ## Backups
 
+### Offsite backup
+
 ```bash
 # start
 systemctl start restic-backups-fullbackup
@@ -34,6 +36,30 @@ restic-fullbackup ls latest /var/lib/
 /run/current-system/sw/bin/restic-fullbackup restore --target / latest
 ```
 
+### Local harddrive backup
+
+```bash
+# IMPORTANT: the mount/unmount pkgs are only available for the root user
+
+# mount the HDD backup drive
+hdd-mount
+
+# starting the HDD backup
+systemctl start restic-backups-hdd
+
+# showing the status of the HDD backup
+systemctl status restic-backups-hdd
+
+# unmount the HDD backup drive
+hdd-unmount
+
+# showing the snapshots of the HDD backup
+restic-hdd snapshots
+
+# restoring the backup from the HDD
+restic-hdd restore latest --target /
+```
+
 ## Podman containers
 
 To view the logs of the podman containers specified in the nix config, use the following command:

diff --git a/modules/users.nix b/modules/users.nix
@@ -1,4 +1,8 @@
 { pkgs, ... }:
+let
+  hddMountScript = import ../pkgs/hdd-mount.nix { inherit pkgs; };
+  hddUnmountScript = import ../pkgs/hdd-unmount.nix { inherit pkgs; };
+in
 {
   users.users.ruben = {
     isNormalUser = true;
@@ -16,4 +20,6 @@
 
   /* group which provides access to restic agenix secrets */
   users.groups.backup = { };
+
+  users.users.root.packages = [ hddMountScript hddUnmountScript ];
 }
diff --git a/pkgs/hdd-mount.nix b/pkgs/hdd-mount.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }: pkgs.writeShellApplication {
+  name = "hdd-mount";
+  text = ''
+    mkdir -p /mnt/SAMSUNG
+    mount LABEL=SAMSUNG /mnt/SAMSUNG
+  '';
+}
diff --git a/pkgs/hdd-unmount.nix b/pkgs/hdd-unmount.nix
@@ -0,0 +1,6 @@
+{ pkgs, ... }: pkgs.writeShellApplication {
+  name = "hdd-unmount";
+  text = ''
+    umount LABEL=SAMSUNG
+  '';
+}
diff --git a/services/backup.nix b/services/backup.nix
@@ -11,6 +11,12 @@ let
       cfg.paperless.backupPrepareCommandExport
     ]
   ));
+  backupPrepareScriptHdd = pkgs.writeText "backup-hdd-prepare-script.sh" (pkgs.lib.strings.concatLines (
+    [ ] ++ pkgs.lib.ifEnable cfg.paperless.enable [
+      cfg.paperless.backupPrepareCommandDatabase
+      cfg.paperless.backupPrepareCommandExport
+    ]
+  ));
 
   excludeFile = pkgs.writeText "restic-excludes.txt"
     ''
@@ -32,24 +38,27 @@ let
       /home/ruben/.zsh_history
       /home/ruben/.zshrc
     '';
+  restic-common = {
+    paths = [ "/home/ruben" ]
+      ++ pkgs.lib.ifEnable cfg.gitserver.enable [ cfg.gitserver.path ]
+      ++ pkgs.lib.ifEnable cfg.fileserver.enable [ cfg.fileserver.path ]
+      ++ pkgs.lib.ifEnable cfg.phone-backup.enable [ cfg.phone-backup.path ]
+      ++ pkgs.lib.ifEnable cfg.paperless.enable [ cfg.paperless.path cfg.paperless.backup-path ];
+  };
 in
 {
   options.ruben.fullbackup.enable = lib.mkEnableOption "full backup";
 
   config = lib.mkIf (cfg.fullbackup.enable)
     {
-      /* backup service */
+      /* automated backup service */
       services.restic.backups.fullbackup = {
         user = "root";
         initialize = true;
         passwordFile = config.age.secrets.resticPassword.path;
         repository = "s3:https://s3.eu-central-003.backblazeb2.com/nixos-server-restic-backup/system-backup/${hostname}";
         environmentFile = config.age.secrets.backblazeB2ResticS3EnvironmentSecrets.path;
-        paths = [ "/home/ruben" ]
-          ++ pkgs.lib.ifEnable cfg.gitserver.enable [ cfg.gitserver.path ]
-          ++ pkgs.lib.ifEnable cfg.fileserver.enable [ cfg.fileserver.path ]
-          ++ pkgs.lib.ifEnable cfg.phone-backup.enable [ cfg.phone-backup.path ]
-          ++ pkgs.lib.ifEnable cfg.paperless.enable [ cfg.paperless.path cfg.paperless.backup-path ];
+        paths = restic-common.paths;
         backupPrepareCommand = "${pkgs.bash}/bin/bash ${backupPrepareScript}";
         pruneOpts = [
           "--keep-hourly 48"
@@ -66,11 +75,11 @@ in
         };
       };
 
+      /* monitoring for automated backup */
       systemd.services."restic-backups-fullbackup" = {
         onSuccess = [ "[email protected]" ];
         onFailure = [ "[email protected]" ];
       };
-
       systemd.services."restic-notify-fullbackup@" =
         let
           script = pkgs.writeText "restic-notify-fullbackup.sh"
@@ -85,5 +94,17 @@ in
             ExecStart = "${pkgs.bash}/bin/bash ${script}";
           };
         };
+
+      /* restic backup service to a local drive */
+      services.restic.backups.hdd = {
+        user = "root";
+        initialize = true;
+        passwordFile = config.age.secrets.resticPassword.path;
+        repository = "/mnt/SAMSUNG/restic-nixos-server";
+        paths = restic-common.paths;
+        backupPrepareCommand = "${pkgs.bash}/bin/bash ${backupPrepareScriptHdd}";
+        extraBackupArgs = [ "--exclude-caches" "--exclude-file=${excludeFile}" ];
+        timerConfig = null;
+      };
     };
 }