nixos-config/modules/restic/system.nix

98 lines
2.5 KiB
Nix
Raw Normal View History

{ pkgs, config, lib, ... }:
2020-08-22 17:44:39 +02:00
let
cfg = config.sbruder.restic.system;
2020-12-05 14:19:34 +01:00
repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
2020-08-22 17:44:39 +02:00
excludes = [
2020-12-21 13:08:22 +01:00
# Caches
2020-08-22 17:44:39 +02:00
"/home/*/Downloads/"
"/home/*/.cache/"
"/home/*/**/cache/"
2020-12-21 13:08:22 +01:00
"/home/*/.local/share/Trash" # some gui applications use it
"/data/cache/"
2020-08-22 17:44:39 +02:00
# Rust
"/home/*/**/target/debug/"
"/home/*/**/target/doc/"
"/home/*/**/target/release/"
"/home/*/**/target/rls/"
"/home/*/**/target/tarpaulin/"
"/home/*/**/target/wasm32-unknown-unknown/"
"/home/*/.rustup/toolchains/"
"/home/*/.cargo"
2020-12-21 13:08:22 +01:00
# Misc
2020-08-22 17:44:39 +02:00
"/home/*/mount"
2020-12-21 13:08:22 +01:00
# Docker (state should be kept somewhere else)
2020-08-22 17:44:39 +02:00
"/var/lib/docker/"
] ++ cfg.extraExcludes;
2021-02-28 11:55:58 +01:00
excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);
# script to use restic as user without dealing with authentication
authScript = pkgs.writeShellScriptBin "restic-auth" ''
. <(pass nixos/machines/${config.networking.hostName}/restic-s3 | sed 's/^/export /')
${pkgs.restic}/bin/restic \
--password-command="pass nixos/machines/${config.networking.hostName}/restic-password" \
--repo "${repository}" \
$@
'';
2020-08-22 17:44:39 +02:00
in
{
options.sbruder.restic.system = {
2020-12-05 14:19:34 +01:00
enable = lib.mkEnableOption "restic";
timerConfig = lib.mkOption {
type = with lib.types; attrsOf str;
default = {
OnCalendar = "20:00";
RandomizedDelaySec = "2h";
2020-12-21 12:33:46 +01:00
};
};
extraPaths = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = [ "/data" ];
};
extraExcludes = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
};
2020-08-22 17:44:39 +02:00
};
2020-10-17 09:58:44 +02:00
2020-12-05 14:19:34 +01:00
config = lib.mkIf cfg.enable {
2021-01-06 13:09:29 +01:00
krops.secrets = {
restic-password = { };
restic-s3 = { };
};
services.restic.backups.system = {
inherit repository;
inherit (cfg) timerConfig;
2021-01-06 13:09:29 +01:00
passwordFile = config.krops.secrets.restic-password.path;
s3CredentialsFile = config.krops.secrets.restic-s3.path;
paths = [
"/home"
"/srv"
"/var"
] ++ cfg.extraPaths;
2020-12-05 14:19:34 +01:00
initialize = true;
extraBackupArgs = [
"--exclude-caches"
"--exclude-file=${excludesFile}"
"--tag system"
2020-12-05 14:19:34 +01:00
"--verbose"
];
};
systemd.services."restic-backups-system".serviceConfig = {
2020-12-05 14:19:34 +01:00
"Nice" = 10;
"IOSchedulingClass" = "best-effort";
"IOSchedulingPriority" = 7;
};
environment.systemPackages = [
authScript
];
2020-10-17 09:58:44 +02:00
};
2020-08-22 17:44:39 +02:00
}