fix(viridian): resolve backup system initialization issues
Fix snapper and borgbackup jobs to work with ephemeral-btrfs setup: Snapper fixes: - Remove global /.snapshots mount (use nested subvolumes instead) - Remove unused hostname variable - Snapshots now stored in .snapshots subvolumes within each service Borgbackup fixes: - Add systemd.tmpfiles.rules to create staging directories at boot - Add readWritePaths for staging directories (systemd sandboxing) - Staging directories survive ephemeral root wipes Architecture notes: - Nested .snapshots subvolumes don't require separate mounts - systemd tmpfiles ensures directories exist before services start - ProtectSystem=strict requires explicit ReadWritePaths allowlist
This commit is contained in:
parent
c05598d9e0
commit
7833d89d86
3 changed files with 18 additions and 13 deletions
@ -8,7 +8,15 @@
|
||||||
rekeyFile = ./passphrase.age;
|
rekeyFile = ./passphrase.age;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Create staging directory before borg service starts
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /.staging-offsite 0755 root root -"
|
||||||
|
];
|
||||||
|
|
||||||
services.borgbackup.jobs."offsite" = {
|
services.borgbackup.jobs."offsite" = {
|
||||||
|
# Allow writing to staging directory
|
||||||
|
readWritePaths = [ "/.staging-offsite" ];
|
||||||
|
|
||||||
# Create staging snapshots before backup (independent from onsite)
|
# Create staging snapshots before backup (independent from onsite)
|
||||||
preHook = ''
|
preHook = ''
|
||||||
# Create read-only staging snapshots for each service
|
# Create read-only staging snapshots for each service
|
||||||
|
|
|
||||||
|
|
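Review bot: The staging directory is created with mode `0755`, which lets any local account traverse into the read-only per-service snapshots that, per the hunk's own comment, the preHook places there; since only the root-owned borg job needs the directory, `"d /.staging-offsite 0700 root root -"` is the safer rule. The same applies to the `/.staging-onsite` rule in the onsite job's hunk. The tmpfiles rule only guarantees the directory exists at boot; it does not clear snapshots left behind by a run that failed between the preHook and its cleanup, so whether that case is handled depends on the preHook and postHook bodies, which lie outside this hunk. The `preHook` string begins in this hunk and continues past it.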
@ -15,7 +15,15 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Create staging directory before borg service starts
|
||||||
|
systemd.tmpfiles.rules = [
|
||||||
|
"d /.staging-onsite 0755 root root -"
|
||||||
|
];
|
||||||
|
|
||||||
services.borgbackup.jobs."onsite" = {
|
services.borgbackup.jobs."onsite" = {
|
||||||
|
# Allow writing to staging directory
|
||||||
|
readWritePaths = [ "/.staging-onsite" ];
|
||||||
|
|
||||||
# Create staging snapshots before backup (independent from offsite)
|
# Create staging snapshots before backup (independent from offsite)
|
||||||
preHook = ''
|
preHook = ''
|
||||||
# Create read-only staging snapshots for each service
|
# Create read-only staging snapshots for each service
|
||||||
|
|
|
||||||
|
|
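Review bot: The path `/.staging-onsite` is spelled out twice in this hunk, once in the tmpfiles rule and once in `readWritePaths`, so a later rename can silently leave the sandbox allowlist and the directory that gets created out of step. The hunk header shows the module already has a `let … in` block, so binding it there once, e.g. `staging = "/.staging-onsite";`, and referring to `staging` in both places keeps them in sync. The `preHook` string starts in this hunk and continues outside it.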
@ -1,17 +1,6 @@
|
||||||
{config, ...}: let
|
{...}: {
|
||||||
hostname = config.networking.hostName;
|
|
||||||
in {
|
|
||||||
# Mount snapshots subvolume at /.snapshots for snapshot storage
|
|
||||||
fileSystems."/.snapshots" = {
|
|
||||||
device = "/dev/disk/by-label/${hostname}";
|
|
||||||
fsType = "btrfs";
|
|
||||||
options = [
|
|
||||||
"subvol=snapshots"
|
|
||||||
"compress=zstd"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
# Configure snapper for automated snapshots
|
# Configure snapper for automated snapshots
|
||||||
|
# Snapshots stored in nested .snapshots subvolumes within each service
|
||||||
services.snapper = {
|
services.snapper = {
|
||||||
# Enable snapper globally
|
# Enable snapper globally
|
||||||
configs = {
|
configs = {
|
||||||
|
|
|
||||||
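Review bot: Dropping the `fileSystems."/.snapshots"` entry stops mounting the top-level `snapshots` subvolume, but nothing in this change removes it or the snapshots it already holds, so that data presumably stays on the labelled disk, still consuming space and still readable by anyone who mounts the subvolume. A line next to the new `# Snapshots stored in nested .snapshots subvolumes within each service` comment recording that the old `snapshots` subvolume is now orphaned and must be migrated or deleted by hand would make the leftover visible to whoever administers the host. Whether each snapper config actually points its subvolume at the nested layout cannot be checked here, because the `configs = {` attribute set continues past the hunk.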