Guix-native, reproducible backup and disaster-recovery system
guixvault Initial clean slate commit 2026-02-09 21:51:58 -03:00
guixvault-test Initial clean slate commit 2026-02-09 21:51:58 -03:00
cli.scm Initial clean slate commit 2026-02-09 21:51:58 -03:00
example-config.scm Example 2026-02-10 18:45:30 -03:00
README.md Initial clean slate commit 2026-02-09 21:51:58 -03:00
service.scm Initial clean slate commit 2026-02-09 21:51:58 -03:00

GUIX VAULT

Guix-native, reproducible backup and disaster-recovery system
Inspired by tools like Veeam — but designed correctly for GNU/Linux and declarative systems.

GuixVault treats systems as data, not pets.

Core Principles

  • Filesystem snapshots
  • Deduplicated encrypted backups
  • Full GNU Guix system state recovery
  • Agentless orchestration
  • Strong isolation and security primitives
  • No vendor lock-in
  • No opaque binaries
  • No YAML sprawl

Key Features

  • Snapshot-based backups (ZFS, Btrfs, basic LVM support)
  • Deduplicated, encrypted archives via BorgBackup
  • Full system recovery (kernel, services, users, boot configuration)
  • Reproducible disaster recovery
  • Agentless remote orchestration (via SSH)
  • Namespace sandboxing (unshare)
  • Pure Guix-native architecture
  • CLI-first, automation-friendly

Architecture Overview

Filesystem
   ↓
Snapshot (ZFS / Btrfs / LVM)
   ↓
Borg (deduplication + encryption)
   ↓
Guix system state
   ↓
Immutable backup storage

Comparison with Traditional Backup Tools

| Feature             | Traditional Tools   | GuixVault           |
|---------------------|---------------------|---------------------|
| What is backed up   | Files / directories | Entire system state |
| Restore method      | Custom scripts      | Reproducible builds |
| Agent requirement   | Usually required    | Agentless           |
| Configuration style | Imperative          | Declarative         |
| Vendor lock-in      | Common              | None                |
| Ecosystem           | Mixed / proprietary | Pure Guix           |

Project Structure

guix-vault/
├── cli.scm                 # CLI entrypoint
├── service.scm             # Guix Shepherd service
├── example-config.scm      # Declarative config example
├── guixvault/              # Guile modules
│   ├── core.scm
│   ├── snapshot.scm
│   ├── borg.scm
│   ├── system.scm
│   ├── remote.scm
│   └── hardening.scm
└── guixvault-test/
    └── test-config.scm

Requirements

  • GNU Guix
  • Guile
  • BorgBackup
  • Supported filesystem:
    • ZFS or
    • Btrfs or
    • LVM (basic)

Install common dependencies:

guix install borgbackup btrfs-progs

(ZFS requires appropriate kernel modules and system configuration.)

Quick Start (Safe Test)

  1. Enter the project directory
cd ~/guix-vault
  2. Verify module layout
ls guixvault/core.scm
  3. Example test configuration (save as e.g. test-config.scm)
'((fs-type        . btrfs)
  (source         . "data")
  (snapshot-path  . "snapshots")
  (borg-repo      . "repo")
  (system-target  . "system"))
  4. Run GuixVault
GUILE_AUTO_COMPILE=0 guile -L . cli.scm \
  --config guixvault-test/test-config.scm

If Borg commands and/or snapshot operations appear → basic functionality works.

Testing Levels

  • Level 0 — Code/module loading sanity check (no root, no real I/O)
  • Level 1 — Real backups using loopback Btrfs image + Borg (safe, recommended first step)
  • Level 2 — Full system restore testing (VM only; includes guix system reconfigure)
  • Level 3 — Production usage (ZFS datasets, immutable storage, offsite copies)

Backup Workflow

  1. Create filesystem snapshot
  2. Archive snapshot contents with BorgBackup
  3. Prune old archives according to policy
  4. Capture Guix system state:
    • guix describe output
    • System configuration file
    • System derivation

This preserves everything required for bare-metal reproducible recovery.

Restore Workflow

guixvault --config your-config.scm --restore

Actions performed:

  • Restore Guix channels and package versions
  • Re-apply system configuration (guix system reconfigure)
  • Rebuild kernel, services, user accounts, etc.

→ Bit-for-bit reproducible system (given same hardware/drivers)

Security Model

  • Namespace isolation via unshare
  • Fully agentless operation
  • Immutable backup targets preferred
  • Cryptographically verifiable Guix builds
  • Designed to integrate with: AppArmor, Landlock, seccomp

Zero trust assumed for the runtime environment.
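
The backup workflow and the unshare isolation described above, sketched as a dry-run shell plan. This is an added example, not GuixVault's own code: it assumes Borg 1.x syntax, a local Btrfs source and repository, root for unshare --net, a system configuration at /etc/config.scm, and hypothetical function names and retention counts.

```shell
#!/bin/sh
# Added illustration, not GuixVault code. Function names, paths, archive
# naming and retention counts are assumptions. Dry run unless RUN=1.
set -eu

# run CMD...: print the command; execute it only when RUN=1.
run() {
    printf '%s\n' "$*"
    if [ "${RUN:-0}" = 1 ]; then "$@"; fi
}

# run_to FILE CMD...: like run, but stdout is written to FILE.
run_to() {
    _out=$1; shift
    printf '%s > %s\n' "$*" "$_out"
    if [ "${RUN:-0}" = 1 ]; then "$@" > "$_out"; fi
}

# backup_plan SOURCE SNAPDIR REPO STATEDIR [STAMP]
backup_plan() {
    src=$1; snapdir=$2; repo=$3; state=$4
    stamp=${5:-$(date -u +%Y%m%dT%H%M%SZ)}
    snap="$snapdir/$stamp"

    # 1. Read-only snapshot, so the archive sees one consistent point in time.
    run btrfs subvolume snapshot -r "$src" "$snap"

    # 2. Archive the snapshot. The repository is local, so Borg runs in an
    #    empty network namespace (unshare --net needs root) with no network.
    run unshare --net borg create --stats "${repo}::${stamp}" "$snap"

    # 3. Prune old archives (retention counts are assumed values).
    run unshare --net borg prune --keep-daily 7 --keep-weekly 4 "$repo"

    # 4. Capture Guix state: pinned channels, the system configuration file
    #    (assumed at /etc/config.scm) and the current system generation.
    run_to "$state/channels.scm" guix describe --format=channels
    run cp /etc/config.scm "$state/config.scm"
    run_to "$state/system-generation.txt" guix system describe

    # Integrity check of the repository ("verify backup integrity regularly").
    run unshare --net borg check "$repo"
}
```

Calling backup_plan with a source, snapshot directory, repository and state directory prints the seven commands in order; setting RUN=1 executes them instead.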

Philosophy

Backups are not enough. Reproducibility is recovery.

Target audience:

  • Guix / functional deployment users
  • Security-conscious sysadmins
  • Infrastructure-as-code practitioners
  • People frustrated with opaque backup solutions

⚠️ Important Disclaimer

GuixVault is powerful software - use with care.

  • Always test restores in a virtual machine first
  • Understand your filesystem snapshot semantics
  • Never perform the first production restore on bare metal
  • Verify backup integrity regularly

You own your infrastructure. Operate it wisely.