WIP: kopia backup script

common/global/backup.nix

@@ -1,6 +1,6 @@
 { pkgs, ... }:
 {
-  environment.systemPackages = [ pkgs.kopia ];
+  environment.systemPackages = [ pkgs.unstable.kopia ];
 
   #  systemd = {
   #    services = {

common/global/kopia-snapshot-backup.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -Eeuxo pipefail
+
+target_path="/persist"
+snapshot_path="$target_path/kopia-backup-snapshot"
+
+if [ -e "$snapshot_path" ] && btrfs subvolume delete "$snapshot_path"; then
+    echo "Deleted leftover old snapshot."
+fi
+
+btrfs subvolume snapshot -r "$target_path" "$snapshot_path"
+
+# --no-send-snapshot-path due to https://github.com/kopia/kopia/issues/4402
+kopia snapshot create --no-send-snapshot-report --override-source "$target_path" "$@" -- "$snapshot_path"
+
+btrfs subvolume delete "$snapshot_path"

common/nomad.nix

@@ -92,8 +92,6 @@ in
     nomad
     wander
     damon
-    # for tiddlypwa
-    deno
   ];
 
   networking.firewall = {

secrets/secrets.yaml

@@ -1,4 +1,6 @@
 ppetru-password: ENC[AES256_GCM,data:ykxGdbwTLNGKGy7PI/6uLyeWzEyfTo6R7d56m8Lb7kyY6rF0ovDzMGv71ruBA3CwznIp5EaCopvKVXf35xIEyptpQJie++ireQ==,iv:ArWScjeDHp/4DurW+id6PLUiwnMVVwk7iD5S9Bzc8lc=,tag:uErsF74I5D1M86Yl78Gqlw==,type:str]
+kopia-c1: ENC[AES256_GCM,data:blR7sTzegbjIN+3WDn8ob9CVrm0=,iv:mkmKuE+1f1mAyxO9day7RLG/aCUWAwNQs5PoDVXlpzg=,tag:Y5UH0w39UQeEg1V51KJj5A==,type:str]
+kopia-zippy: ENC[AES256_GCM,data:UZmeMpQteqX4N6Q0Fto901vQTPQ=,iv:AvZjhd4+RthDLfSQjvmq4KlwKwI0UEKsDWwo6YwXRRc=,tag:ctkBJVdpPLRHOv3np/5/qg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -68,8 +70,8 @@ sops:
             UHZwRmc2NjNDUlJCdWN1V1dhS1RkelEKF1KiZLQvruEAfjwbW8lIyzvcCqeAMReI
             svl1uSaSaxPtCbnc9RA2nfo0vvCoz0a02dhr7CAy3syfQPLLZqRAIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-19T14:26:29Z"
+    lastmodified: "2025-03-10T18:23:09Z"
-    mac: ENC[AES256_GCM,data:/IULS161NWmomr4jkVV2zgPJddcxIazq5AsuY9uNwfIlUDrKBiyhDcFPaQD2Ivih1v//ScphzhmaedMZbIhu88YEiMGSUXHjYtbXU8/Dxs9IvmJIq+e9ao7wgqtB/bc1G2z4aGNKifSwmVm0AClI1xK11e2ik6A9uFwMuYF2i4Y=,iv:MxaXnhyJfXg8qBs1LKl+Qe+oBhlpjaWtWL3JDDcM2ZY=,tag:/4NSLC4ksLNw6HHimS7AHQ==,type:str]
+    mac: ENC[AES256_GCM,data:aI7MI72Iza1fOA69FolDo1eLYB1xw0e7O2EisWi3KJCIyJs8HgcGszwovxAPK2gz6YC2pqu1bvEEw2CcJoaL7zFD+Lkbdw7OpG9gC6+lcDy2CVPoPBbjfG7vUge3qaIw9s9J9hNQm/L7QcpQAu+IksEsHq28tb3pxFr7UX9G9nA=,iv:sz0eVmjG7V0L/85C1wU6dbsCs9fAivbUS6nHmbjyp6M=,tag:KxB2O/2dEysqDUVPp7o8ow==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.4

stateful-commands.txt

@@ -27,3 +27,12 @@ replacing failed / reinstalled gluster volume (c1 in this case). all commands on
   * gluster peer detach c1
   * gluster peer probe 192.168.1.71 (not c1 because switching to IPs to avoid DNS/tailscale issues)
   * gluster volume add-brick compute replica 3 192.168.1.71:/persist/glusterfs/compute/brick1
+
+kopia repository server setup (on a non-NixOS host at the time):
+  * kopia repository create filesystem --path /backup/persist
+  * kopia repository connect filesystem --path=/backup/persist
+  * kopia server user add root@zippy
+    then, add the password to secrets.yaml
+  * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key --tls-generate-cert (first time)
+  * kopia server start --address 0.0.0.0:51515 --tls-cert-file ~/kopia-certs/kopia.cert --tls-key-file ~/kopia-certs/kopia.key (subsequent)
+[TLS is mandatory for this]