fix(viridian): resolve backup system initialization issues

Fix snapper and borgbackup jobs to work with ephemeral-btrfs setup: Snapper fixes: - Remove global /.snapshots mount (use nested subvolumes instead) - Remove unused hostname variable - Snapshots now stored in .snapshots subvolumes within each service Borgbackup fixes: - Add systemd.tmpfiles.rules to create staging directories at boot - Add readWritePaths for staging directories (systemd sandboxing) - Staging directories survive ephemeral root wipes Architecture notes: - Nested .snapshots subvolumes don't require separate mounts - systemd tmpfiles ensures directories exist before services start - ProtectSystem=strict requires explicit ReadWritePaths allowlist
2025-10-07 09:38:07 +08:00 · 2025-10-07 09:38:07 +08:00 · 7833d89d86
commit 7833d89d86
parent c05598d9e0
3 changed files with 18 additions and 13 deletions
--- a/nixos/viridian/services/borgbackup/offsite.nix
+++ b/nixos/viridian/services/borgbackup/offsite.nix
@ -8,7 +8,15 @@
    rekeyFile = ./passphrase.age;
  };

+  # Create staging directory before borg service starts
+  systemd.tmpfiles.rules = [
+    "d /.staging-offsite 0755 root root -"
+  ];
+
  services.borgbackup.jobs."offsite" = {
+    # Allow writing to staging directory
+    readWritePaths = [ "/.staging-offsite" ];
+
    # Create staging snapshots before backup (independent from onsite)
    preHook = ''
      # Create read-only staging snapshots for each service
--- a/nixos/viridian/services/borgbackup/onsite.nix
+++ b/nixos/viridian/services/borgbackup/onsite.nix
@ -15,7 +15,15 @@ in {
    ];
  };

+  # Create staging directory before borg service starts
+  systemd.tmpfiles.rules = [
+    "d /.staging-onsite 0755 root root -"
+  ];
+
  services.borgbackup.jobs."onsite" = {
+    # Allow writing to staging directory
+    readWritePaths = [ "/.staging-onsite" ];
+
    # Create staging snapshots before backup (independent from offsite)
    preHook = ''
      # Create read-only staging snapshots for each service
--- a/nixos/viridian/services/snapper/default.nix
+++ b/nixos/viridian/services/snapper/default.nix
@ -1,17 +1,6 @@
-{config, ...}: let
-  hostname = config.networking.hostName;
-in {
-  # Mount snapshots subvolume at /.snapshots for snapshot storage
-  fileSystems."/.snapshots" = {
-    device = "/dev/disk/by-label/${hostname}";
-    fsType = "btrfs";
-    options = [
-      "subvol=snapshots"
-      "compress=zstd"
-    ];
-  };
-
+{...}: {
  # Configure snapper for automated snapshots
+  # Snapshots stored in nested .snapshots subvolumes within each service
  services.snapper = {
    # Enable snapper globally
    configs = {