nixos-config/modules/restic/system.nix

120 lines
3.1 KiB
Nix
Raw Normal View History

{ pkgs, config, lib, ... }:
2020-08-22 17:44:39 +02:00
let
cfg = config.sbruder.restic.system;
2020-12-05 14:19:34 +01:00
repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
2020-08-22 17:44:39 +02:00
excludes = [
2020-12-21 13:08:22 +01:00
# Caches
2020-08-22 17:44:39 +02:00
"/home/*/Downloads/"
"/home/*/.cache/"
"/home/*/**/cache/"
2020-12-21 13:08:22 +01:00
"/home/*/.local/share/Trash" # some gui applications use it
"/data/cache/"
2020-08-22 17:44:39 +02:00
# Rust
"/home/*/.rustup/toolchains/"
"/home/*/.cargo"
2020-12-21 13:08:22 +01:00
# Misc
2020-08-22 17:44:39 +02:00
"/home/*/mount"
2020-12-21 13:08:22 +01:00
# Docker (state should be kept somewhere else)
2020-08-22 17:44:39 +02:00
"/var/lib/docker/"
2021-04-06 10:47:05 +02:00
# Static configuration (generated from this repository)
"/etc/static/"
] ++ cfg.extraExcludes;
2021-02-28 11:55:58 +01:00
excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);
# script to use restic as user without dealing with authentication
authScript = pkgs.writeShellScriptBin "restic-auth" ''
. <(pass data/wasabi/restic-nixos | sed 's/^/export /')
${pkgs.restic}/bin/restic \
--password-command="pass data/backup/restic-nixos" \
--repo "${repository}" \
$@
'';
2020-08-22 17:44:39 +02:00
in
{
options.sbruder.restic.system = {
2020-12-05 14:19:34 +01:00
enable = lib.mkEnableOption "restic";
timerConfig = lib.mkOption {
type = with lib.types; attrsOf str;
default = {
OnCalendar = "18:00";
RandomizedDelaySec = "2h";
2020-12-21 12:33:46 +01:00
};
};
extraPaths = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "/data" ];
};
extraExcludes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
uploadLimit = lib.mkOption {
type = lib.types.nullOr lib.types.int;
default = 1500;
};
prune = lib.mkEnableOption "pruning";
2020-08-22 17:44:39 +02:00
};
2020-10-17 09:58:44 +02:00
2020-12-05 14:19:34 +01:00
config = lib.mkIf cfg.enable {
sops.secrets = {
2021-01-06 13:09:29 +01:00
restic-password = { };
restic-s3 = { };
};
services.restic.backups.system = {
inherit repository;
inherit (cfg) timerConfig;
passwordFile = config.sops.secrets.restic-password.path;
environmentFile = config.sops.secrets.restic-s3.path;
paths = [
2021-04-06 10:47:05 +02:00
"/etc"
"/home"
2021-04-06 10:47:05 +02:00
"/root"
"/srv"
"/var"
] ++ cfg.extraPaths;
2020-12-05 14:19:34 +01:00
extraBackupArgs = [
"--exclude-caches"
"--exclude-file=${excludesFile}"
"--tag system"
2020-12-05 14:19:34 +01:00
"--verbose"
] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
2020-12-05 14:19:34 +01:00
};
systemd.services."restic-backups-system".serviceConfig = {
2020-12-05 14:19:34 +01:00
"Nice" = 10;
"IOSchedulingClass" = "best-effort";
"IOSchedulingPriority" = 7;
};
services.restic.backups.system-prune = lib.mkIf cfg.prune {
inherit repository;
passwordFile = config.sops.secrets.restic-password.path;
environmentFile = config.sops.secrets.restic-s3.path;
timerConfig = {
OnCalendar = "*-1/2-07 03:00:00";
RandomizedDelaySec = "4h";
};
paths = [ ];
pruneOpts = [
"--keep-daily 7"
"--keep-monthly 12"
"--keep-weekly 5"
"--keep-yearly 10"
"--tag system"
"--verbose"
] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
};
environment.systemPackages = [
authScript
];
2020-10-17 09:58:44 +02:00
};
2020-08-22 17:44:39 +02:00
}