feat(viridian): implement comprehensive 3-2-1 backup strategy

Add automated snapshot and backup system with three independent tiers: Snapper (hourly local snapshots): - Configure snapper for all srv-* subvolumes - Tiered retention: 24 hourly, 7 daily, 4 weekly, 12 monthly - Snapshots stored at /.snapshots on viridian drive - Provides fast operational rollback for user errors Borgbackup onsite (hourly local backups): - Independent staging snapshots at /.staging-onsite - Repository on data drive at /srv/borg-repo - Unencrypted (physical security assumed) - Matches snapper retention policy - Fast local disaster recovery Borgbackup offsite (daily remote backups): - Independent staging snapshots at /.staging-offsite - Encrypted backups to borgbase repository - Retention: 7 daily, 4 weekly, 12 monthly - Remote disaster recovery with prune policy Architecture decisions: - Separate staging directories prevent job conflicts - Staging snapshots decouple borg jobs from snapper - Consistent zstd,9 compression across both borg jobs - Special case handling for containers subvolume path
2025-10-06 20:59:26 +08:00 · 2025-10-06 20:59:26 +08:00 · c05598d9e0
commit c05598d9e0
parent b0bfb37d3c
5 changed files with 231 additions and 36 deletions
--- a/nixos/viridian/services/borgbackup/default.nix
+++ b/nixos/viridian/services/borgbackup/default.nix
@ -1,38 +1,6 @@
-{config, ...}: {
-  age.secrets.borgbackup = {
-    rekeyFile = ./passphrase.age;
-  };
-
-  services.borgbackup.jobs."borgbase" = {
-    paths = [
-      # Websites
-      "/srv/lighttpd/sajenim.dev"
-      # Services
-      "/var/lib/crowdsec"
-      "/var/lib/forgejo"
-      "/var/lib/opengist"
-      "/var/lib/traefik"
-      "/srv/minecraft"
-      # Multimedia
-      "/srv/multimedia/containers/jellyfin"
-      "/srv/multimedia/containers/lidarr"
-      "/srv/multimedia/containers/prowlarr"
-      "/srv/multimedia/containers/qbittorrent"
-      "/srv/multimedia/containers/radarr"
-      "/srv/multimedia/containers/sonarr"
-    ];
-
-    repo = "r7ag7x1w@r7ag7x1w.repo.borgbase.com:repo";
-    encryption = {
-      mode = "repokey-blake2";
-      passCommand = "cat ${config.age.secrets.borgbackup.path}";
-    };
-    environment.BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
-    compression = "auto,lzma";
-    startAt = "daily";
-  };
-
-  programs.ssh.knownHostsFiles = [
-    ./borgbase_hosts
+{...}: {
+  imports = [
+    ./offsite.nix
+    ./onsite.nix
  ];
 }