From c7106f2bb833c331f003aa6fbc6d12eb0f37cc26 Mon Sep 17 00:00:00 2001
From: prescientmoon
Date: Thu, 30 May 2024 02:35:16 +0200
Subject: [PATCH] Set up restic
---
.../optional/services/restic/default.nix | 67 +++++++++++++++++++
.../common/optional/services/restic/url.txt | 1 +
hosts/nixos/common/secrets.example.yaml | 1 +
hosts/nixos/common/secrets.yaml | 5 +-
hosts/nixos/lapetus/default.nix | 1 +
hosts/nixos/tethys/default.nix | 3 +-
scripts/setup-rsync-ssh.sh | 2 +
7 files changed, 77 insertions(+), 3 deletions(-)
create mode 100644 hosts/nixos/common/optional/services/restic/default.nix
create mode 100644 hosts/nixos/common/optional/services/restic/url.txt
create mode 100644 scripts/setup-rsync-ssh.sh
diff --git a/hosts/nixos/common/optional/services/restic/default.nix b/hosts/nixos/common/optional/services/restic/default.nix
new file mode 100644
index 0000000..e1f46db
--- /dev/null
+++ b/hosts/nixos/common/optional/services/restic/default.nix
@@ -0,0 +1,67 @@
+{ config, lib, ... }:
+let
+ backupUrl = lib.removeSuffix "\n" (builtins.readFile ./url.txt);
+
+ # {{{ Backup helper
+ createBackup = { name, paths, exclude, pruneOpts }: {
+ inherit pruneOpts paths;
+
+ initialize = true;
+ repository = "sftp:${backupUrl}:backups/${config.networking.hostName}/${name}";
+ passwordFile = config.sops.secrets.backup_password.path;
+ extraOptions = [ "sftp.args='-i ${config.users.users.pilot.home}/.ssh/id_ed25519'" ];
+
+ exclude = [
+ # Syncthing / direnv / git stuff
+ ".direnv"
+ ".git"
+ ".stfolder"
+ ".stversions"
+ ] ++ exclude;
+ };
+ # }}}
+in
+{
+ sops.secrets.backup_password.sopsFile = ../../../secrets.yaml;
+
+ services.restic.backups = {
+ # {{{ Data
+ data = createBackup {
+ name = "data";
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 12"
+ "--keep-yearly 0"
+ ];
+
+ paths = [ "/persist/data" ];
+ exclude = [
+ # Projects are available on github and in my own forge already
+ "/persist/data${config.users.users.pilot.home}/projects"
+ ];
+ };
+ # }}}
+ # {{{ State
+ state = createBackup {
+ name = "state";
+ pruneOpts = [
+ "--keep-daily 3"
+ "--keep-weekly 1"
+ "--keep-monthly 1"
+ "--keep-yearly 0"
+ ];
+
+ paths = [ "/persist/state" ];
+ exclude =
+ let home = "/persist/state/${config.users.users.pilot.home}";
+ in
+ [
+ "${home}/discord" # There's lots of cache stored in here
+ "${home}/steam" # Games can be quite big
+ ];
+ };
+ # }}}
+ };
+}
+
diff --git a/hosts/nixos/common/optional/services/restic/url.txt b/hosts/nixos/common/optional/services/restic/url.txt
new file mode 100644
index 0000000..e18c513
--- /dev/null
+++ b/hosts/nixos/common/optional/services/restic/url.txt
@@ -0,0 +1 @@
+zh4347@zh4347.rsync.net
diff --git a/hosts/nixos/common/secrets.example.yaml b/hosts/nixos/common/secrets.example.yaml
index b54ae4a..ef574c5 100644
--- a/hosts/nixos/common/secrets.example.yaml
+++ b/hosts/nixos/common/secrets.example.yaml
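Review bot: The sftp repository built at `repository = "sftp:${backupUrl}:backups/..."` is reached over ssh from a non-interactive systemd unit, but nothing in this hunk provisions the server's host key for the account that unit runs under, so the first `restic backup` run can fail on an unknown host rather than prompt. If the unit runs as root (the `services.restic.backups` default, as far as I recall), the host-key lookup uses root's known_hosts while the `-i` in `extraOptions` borrows pilot's private key, so the two halves of the ssh trust live in different homes. Pinning the server key with `programs.ssh.knownHosts` in this same module would make the backup unit fail closed on a key change instead of depending on whatever an interactive ssh session once accepted. A comment on `extraOptions` such as `# ssh runs as the backup unit's user; only the key path is borrowed from pilot's home` would also save the next reader a trip to the module source.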
@@ -4,3 +4,4 @@ wireless: |
 ...
 pilot_password: ...
 cloudflare_dns_api_token: ...
+backup_password: ...
diff --git a/hosts/nixos/common/secrets.yaml b/hosts/nixos/common/secrets.yaml
index 903d901..291e79a 100644
--- a/hosts/nixos/common/secrets.yaml
+++ b/hosts/nixos/common/secrets.yaml
@@ -1,6 +1,7 @@
 wireless: ENC[AES256_GCM,data:Ib0PdBd2r/DPyE6Ah9NffT8Tw8c2y+seGFrE0e9GkyRaStdYMiiIlWCiaBO0u1HHaVV+2MQ33MnMdqyCGRlqGk45kl0GIwVR5iAiSYnobj/6wcse+kx/+5mzNOHXD1kJRGJBm5+SN9ntiGABNkQXJdn/Qoc/ukY1uaGe2nBeFKmGdD9JL7KfgdI5jYjQYyDbCL9JUszxkXNcplIRBAAy8JDaBVeo9HgI0QDIZToPKwuEeQoA9XzdimrjbCazlZy3ZvjAuoQXmrc1nIRHF5GabSRGTFTnTfcBeW2fGpUxmIhLyucn2DIQBXLm+RDdMLWoqcGbKiLVqKyUXck3ZZyoHMf2b9N52xMUwcS7,iv:ozkDwWmurWTD8TZHGvWL9Yh8cOrP1PzSBkz+1bBZybo=,tag:iGPjRaOoGRcOWJMweTL2yA==,type:str]
 pilot_password: ENC[AES256_GCM,data:PiKJCv5x68O9HFM4UvqLnsSPtqFslBLeAg67OkvFAbw7WaqbXh/p5SQblhPHcJ7jQDc4kI3XesOxruZrfJ0aZNDV1g7MWecgKg==,iv:EVs/m83Zfx2NRQMO52cF6pCe1ETpYfaR6lmXg2Na/DI=,tag:dl2x1aTsaTgtHEZYdW2lmg==,type:str]
 cloudflare_dns_api_token: ENC[AES256_GCM,data:SAIMCvKOpGb5g9s03Xapc08KpOgLI+qlT5oiH/uNGxV+9JFSX3nvmQ==,iv:HFKcmHRG4EEOuJ8gRD0ZWsE18SLaZjewMSLznboLUeI=,tag:z21GURSxvNmZ4qkbri9mDQ==,type:str]
+backup_password: ENC[AES256_GCM,data:Tu7ODTALfQLX7Mbo/BqiM6gaErGv07urwN1iHwGgurKWDuuE1h5NMV5J0cJqW6orTIloVtoZTJgSJ2lZlMcfUQ==,iv:78ha833ZzgEDChIuGjCMVA89U4qY9lWqUmfPCiiQeQM=,tag:u8KWw/060UVP+OOoPhbjRA==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -34,8 +35,8 @@ sops:
 WFd4ZFNHWG5Cakw5cU9MRE9HWHQ4THMKr/S7v1Oj3zQziMtI/NuFVm6AaJF5JV5U
 sEr2nEptYFz4G6YL5psQGXHaKzQKBg+crgKRbYL4akhqT7pfYPC0bQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-20T18:01:20Z"
- mac: ENC[AES256_GCM,data:6B+Oo7R2QhfD/1Nv+RMafWvoOTyC6qefFrdgfVu5DjSoAjucWV+8d0l5KgFude3ju4WWDi+Jv4boN/0pGEmgqaztTiSuLStzSoVcqYSUxHxSLjl2XJycqptcFN37GUCqCpyRpN6me1sylaTqbCUtd2acd+v/9Z12bXiGGvNY+Qc=,iv:6VGZmHbMFlCjkKIN8gvkJYQjQsIF0gQZQ1WNpn01UHk=,tag:3uvqMXaG/A/qqq9LRlR27w==,type:str]
+ lastmodified: "2024-05-29T22:07:18Z"
+ mac: ENC[AES256_GCM,data:HQJU1hZs8S4b8LAPdAg1/IuIX3VETXHrE/lKzODjCb/ndWV8Qh5v8OKg4X8xFw13PJpEeQqIznh6qplxMHJYGcYnUK/TSTP+399BZ3M0NLGWyF0vfFn1JIKu7zg8iHpi491/T+I6TDy5hp9+Y6V0sjpZ4pEzhZTwPW9t+NieSbQ=,iv:lNu0aLUO2P+2Mq7kVDGt6llshu5wgb++3VMX91w1a+8=,tag:WSoUh4XnRenvhb+vwLUpRg==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1
diff --git a/hosts/nixos/lapetus/default.nix b/hosts/nixos/lapetus/default.nix
index 377f52b..33c4666 100644
--- a/hosts/nixos/lapetus/default.nix
+++ b/hosts/nixos/lapetus/default.nix
@@ -3,6 +3,7 @@
 ../common/global
 ../common/users/pilot.nix
 ../common/optional/services/kanata.nix
+ ../common/optional/services/restic
 ./services/syncthing.nix
 ./services/whoogle.nix
diff --git a/hosts/nixos/tethys/default.nix b/hosts/nixos/tethys/default.nix
index 2968ea8..2167fde 100644
--- a/hosts/nixos/tethys/default.nix
+++ b/hosts/nixos/tethys/default.nix
@@ -9,9 +9,10 @@
 ../common/optional/greetd.nix
 ../common/optional/quietboot.nix
 ../common/optional/desktop/steam.nix
- ../common/optional/services/kanata.nix
 ../common/optional/desktop/xdg-portal.nix
 ../common/optional/wayland/hyprland.nix
+ ../common/optional/services/kanata.nix
+ ../common/optional/services/restic
 ./hardware
 ./boot.nix
diff --git a/scripts/setup-rsync-ssh.sh b/scripts/setup-rsync-ssh.sh
new file mode 100644
index 0000000..2f7b547
--- /dev/null
+++ b/scripts/setup-rsync-ssh.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+scp ~/.ssh/id_ed25519.pub $(cat ../hosts/nixos/common/optional/services/restic/url.txt):.ssh/authorized_keys
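Review bot: The `scp ... :.ssh/authorized_keys` on the second line replaces the remote authorized_keys wholesale, so running it from a second machine (this commit enables restic on both lapetus and tethys) silently locks the first machine's key out until the script is re-run there. The `$(cat ../hosts/...)` expansion is also unquoted and resolved against the caller's working directory, so the script only works when started from `scripts/`. I would resolve the path from the script's own location and quote the expansion: `set -euo pipefail`, `url=$(cat "$(dirname "$0")/../hosts/nixos/common/optional/services/restic/url.txt")`, `scp ~/.ssh/id_ed25519.pub "$url":.ssh/authorized_keys`, with a header comment stating that the upload overwrites and every host's public key must be merged into one file first. If the remote account accepts it, `ssh-copy-id -i ~/.ssh/id_ed25519.pub "$url"` would append instead of replace and remove that footgun entirely.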