yanlin/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

remove gotify and borg integrety check

Browse source
This commit is contained in:
Yan Lin 2025-10-10 01:24:22 +02:00
parent 4e4294d334
commit 397e97561c
11 changed files with 18 additions and 986 deletions
Download patch file Download diff file Expand all files Collapse all files

192
modules/borg-client.nix
View file

@ -139,56 +139,6 @@ in
example = "echo 'Backup completed.'";
description = "Commands to run after successful backup";
};
enableNotifications = mkOption {
type = types.bool;
default = false;
description = "Enable Gotify notifications for backup status";
};
gotifyUrl = mkOption {
type = types.str;
default = "";
example = "https://notify.yanlincs.com";
description = "Gotify server URL for notifications";
};
gotifyToken = mkOption {
type = types.str;
default = "";
example = "Ac9qKFH5cA.7Yly";
description = "Gotify API token for notifications";
};
enableIntegrityCheck = mkOption {
type = types.bool;
default = false;
description = "Enable regular integrity checks of the Borg repository";
};
integrityCheckFrequency = mkOption {
type = types.str;
default = "weekly";
example = "Sun *-*-* 04:00:00";
description = "Systemd timer frequency for integrity checks (OnCalendar format)";
};
integrityCheckDepth = mkOption {
type = types.enum [ "repository" "archives" "data" ];
default = "archives";
description = ''
Depth of integrity check:
- repository: Check repository consistency only (fastest)
- archives: Check repository and archive metadata (recommended)
- data: Full data verification including content (slowest)
'';
};
integrityCheckLastArchives = mkOption {
type = types.int;
default = 3;
description = "Number of most recent archives to check when using data verification";
};
};
config = mkIf cfg.enable {
@ -244,36 +194,8 @@ in
"--keep-yearly ${toString keepYearly}"
];
in ''
# Error handling function for notifications
send_error_notification() {
local error_msg="$1"
echo "ERROR: $error_msg" >&2
if [ "${toString cfg.enableNotifications}" = "1" ] && [ -n "${cfg.gotifyUrl}" ] && [ -n "${cfg.gotifyToken}" ]; then
/home/yanlin/.config/nix/scripts/gotify-notify.sh \
"${cfg.gotifyUrl}" \
"${cfg.gotifyToken}" \
"high" \
"Backup Failed" \
"$error_msg" || echo "Failed to send error notification" >&2
fi
}
# Helper function for safe notifications (non-blocking)
send_success_notification() {
local message="$1"
echo "INFO: $message"
if [ "${toString cfg.enableNotifications}" = "1" ] && [ -n "${cfg.gotifyUrl}" ] && [ -n "${cfg.gotifyToken}" ]; then
/home/yanlin/.config/nix/scripts/gotify-notify.sh \
"${cfg.gotifyUrl}" \
"${cfg.gotifyToken}" \
"normal" \
"Backup Completed" \
"$message" || echo "Failed to send success notification (non-critical)" >&2
fi
}
# Only trap critical failures - not notification or parsing failures
trap 'send_error_notification "Critical backup failure with exit code $? at line $LINENO"; exit 1' ERR
# Error handling
trap 'echo "ERROR: Critical backup failure with exit code $? at line $LINENO" >&2; exit 1' ERR
set -e
# Set SSH command for remote repositories
@ -394,15 +316,12 @@ in
# Add basic success info
BACKUP_STATS="Backup completed successfully. ''$BACKUP_STATS"
echo "Backup statistics: ''$BACKUP_STATS"
# Send notification (non-blocking)
send_success_notification "''$BACKUP_STATS"
} || {
echo "WARNING: Statistics extraction or notification failed, but backup succeeded" >&2
send_success_notification "Backup completed successfully for ${config.networking.hostName}"
echo "WARNING: Statistics extraction failed, but backup succeeded" >&2
echo "Backup completed successfully for ${config.networking.hostName}"
}
echo "Backup process completed successfully"
@ -421,97 +340,8 @@ in
};
};
# Enable and start the timers
systemd.targets.multi-user.wants = [ "borg-backup.timer" ]
++ (if cfg.enableIntegrityCheck then [ "borg-integrity-check.timer" ] else []);
# Systemd service for integrity checks
systemd.services.borg-integrity-check = mkIf cfg.enableIntegrityCheck {
description = "Borg Repository Integrity Check";
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
# Add borg and required tools to the service's PATH
path = [ pkgs.borgbackup pkgs.openssh pkgs.curl ];
serviceConfig = {
Type = "oneshot";
User = "root";
Group = "root";
# Security settings
PrivateTmp = true;
ProtectSystem = "strict";
# Disable ProtectHome for SSH repositories to allow SSH key access
ProtectHome = mkIf (!(lib.hasPrefix "ssh://" cfg.repositoryUrl)) "read-only";
# Only add ReadWritePaths for local repositories
ReadWritePaths = mkIf (!(lib.hasPrefix "ssh://" cfg.repositoryUrl)) [ cfg.repositoryUrl ];
# Environment
Environment = [
"BORG_REPO=${cfg.repositoryUrl}"
"BORG_RELOCATED_REPO_ACCESS_IS_OK=yes"
"BORG_UNKNOWN_UNENCRYPTED_REPO_ACCESS_IS_OK=no"
];
EnvironmentFile = mkIf (cfg.passphraseFile != "") cfg.passphraseFile;
};
script = ''
# Set SSH command for remote repositories
export BORG_RSH="${cfg.sshCommand}"
# Load passphrase from environment file
if [ -f "${cfg.passphraseFile}" ]; then
source "${cfg.passphraseFile}"
fi
# Ensure root has access to SSH keys for remote repositories
if [[ "${cfg.repositoryUrl}" == ssh://* ]]; then
mkdir -p /root/.ssh
chmod 700 /root/.ssh
# Copy SSH config if it exists
if [ -f /home/yanlin/.ssh/config ]; then
cp /home/yanlin/.ssh/config /root/.ssh/config
chmod 600 /root/.ssh/config
fi
# Copy necessary SSH keys
if [ -d /home/yanlin/.ssh/keys ]; then
cp -r /home/yanlin/.ssh/keys /root/.ssh/
chmod -R 600 /root/.ssh/keys
fi
# Copy known_hosts to avoid host key verification issues
if [ -f /home/yanlin/.ssh/known_hosts ]; then
cp /home/yanlin/.ssh/known_hosts /root/.ssh/known_hosts
chmod 600 /root/.ssh/known_hosts
fi
fi
# Run the integrity check script
/home/yanlin/.config/nix/scripts/borg-integrity-check.sh \
"${cfg.repositoryUrl}" \
"${cfg.integrityCheckDepth}" \
"${toString cfg.integrityCheckLastArchives}" \
"${toString cfg.enableNotifications}" \
"${cfg.gotifyUrl}" \
"${cfg.gotifyToken}" \
"${config.networking.hostName}"
'';
};
# Systemd timer for scheduled integrity checks
systemd.timers.borg-integrity-check = mkIf cfg.enableIntegrityCheck {
description = "Borg Integrity Check Timer";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = cfg.integrityCheckFrequency;
Persistent = true;
RandomizedDelaySec = "1h"; # Add randomization to avoid load spikes
};
};
# Enable and start the backup timer
systemd.targets.multi-user.wants = [ "borg-backup.timer" ];
# Create a convenience script for manual backups
environment.etc."borg-backup-manual" = {
@ -536,10 +366,6 @@ in
borg-backup-now = "sudo systemctl start borg-backup.service";
borg-list = "BORG_REPO='${cfg.repositoryUrl}' BORG_RSH='${cfg.sshCommand}' borg list";
borg-info = "BORG_REPO='${cfg.repositoryUrl}' BORG_RSH='${cfg.sshCommand}' borg info";
} // (if cfg.enableIntegrityCheck then {
borg-check-now = "sudo systemctl start borg-integrity-check.service";
borg-check-status = "systemctl status borg-integrity-check.service borg-integrity-check.timer";
borg-check-logs = "journalctl -u borg-integrity-check.service -f";
} else {});
};
};
}