2021-02-28 12:07:18 +01:00
|
|
|
{ pkgs, config, lib, ... }:
|
2020-08-22 17:44:39 +02:00
|
|
|
let
|
2021-02-28 12:21:04 +01:00
|
|
|
cfg = config.sbruder.restic.system;
|
2020-12-05 14:19:34 +01:00
|
|
|
|
2020-12-21 12:50:30 +01:00
|
|
|
repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";
|
2020-08-22 17:44:39 +02:00
|
|
|
excludes = [
|
2020-12-21 13:08:22 +01:00
|
|
|
# Caches
|
2020-08-22 17:44:39 +02:00
|
|
|
"/home/*/Downloads/"
|
|
|
|
"/home/*/.cache/"
|
|
|
|
"/home/*/**/cache/"
|
2020-12-21 13:08:22 +01:00
|
|
|
"/home/*/.local/share/Trash" # some gui applications use it
|
|
|
|
"/data/cache/"
|
2020-08-22 17:44:39 +02:00
|
|
|
|
|
|
|
# Rust
|
|
|
|
"/home/*/**/target/debug/"
|
|
|
|
"/home/*/**/target/doc/"
|
|
|
|
"/home/*/**/target/release/"
|
|
|
|
"/home/*/**/target/rls/"
|
|
|
|
"/home/*/**/target/tarpaulin/"
|
|
|
|
"/home/*/**/target/wasm32-unknown-unknown/"
|
|
|
|
"/home/*/.rustup/toolchains/"
|
|
|
|
"/home/*/.cargo"
|
|
|
|
|
2020-12-21 13:08:22 +01:00
|
|
|
# Misc
|
2020-08-22 17:44:39 +02:00
|
|
|
"/home/*/mount"
|
|
|
|
|
2020-12-21 13:08:22 +01:00
|
|
|
# Docker (state should be kept somewhere else)
|
2020-08-22 17:44:39 +02:00
|
|
|
"/var/lib/docker/"
|
2020-12-21 13:09:25 +01:00
|
|
|
] ++ cfg.extraExcludes;
|
2021-02-28 11:55:58 +01:00
|
|
|
excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);
|
2020-12-21 12:54:33 +01:00
|
|
|
|
|
|
|
# script to use restic as user without dealing with authentication
|
|
|
|
authScript = pkgs.writeShellScriptBin "restic-auth" ''
|
|
|
|
. <(pass nixos/machines/${config.networking.hostName}/restic-s3 | sed 's/^/export /')
|
|
|
|
${pkgs.restic}/bin/restic \
|
|
|
|
--password-command="pass nixos/machines/${config.networking.hostName}/restic-password" \
|
|
|
|
--repo "${repository}" \
|
|
|
|
$@
|
|
|
|
'';
|
2020-08-22 17:44:39 +02:00
|
|
|
in
|
|
|
|
{
|
2021-02-28 12:21:04 +01:00
|
|
|
options.sbruder.restic.system = {
|
2020-12-05 14:19:34 +01:00
|
|
|
enable = lib.mkEnableOption "restic";
|
2021-02-28 12:07:18 +01:00
|
|
|
timerConfig = lib.mkOption {
|
|
|
|
type = with lib.types; attrsOf str;
|
|
|
|
default = {
|
|
|
|
OnCalendar = "20:00";
|
|
|
|
RandomizedDelaySec = "2h";
|
2020-12-21 12:33:46 +01:00
|
|
|
};
|
2021-02-28 12:07:18 +01:00
|
|
|
};
|
2020-12-21 13:09:25 +01:00
|
|
|
extraPaths = lib.mkOption {
|
|
|
|
type = lib.types.listOf lib.types.str;
|
|
|
|
default = [ ];
|
|
|
|
example = [ "/data" ];
|
|
|
|
};
|
|
|
|
extraExcludes = lib.mkOption {
|
|
|
|
type = lib.types.listOf lib.types.str;
|
|
|
|
default = [ ];
|
|
|
|
};
|
2020-08-22 17:44:39 +02:00
|
|
|
};
|
2020-10-17 09:58:44 +02:00
|
|
|
|
2020-12-05 14:19:34 +01:00
|
|
|
config = lib.mkIf cfg.enable {
|
2021-01-06 13:09:29 +01:00
|
|
|
krops.secrets = {
|
|
|
|
restic-password = { };
|
|
|
|
restic-s3 = { };
|
|
|
|
};
|
|
|
|
|
2021-01-08 21:33:45 +01:00
|
|
|
services.restic.backups.system = {
|
2020-12-21 12:50:30 +01:00
|
|
|
inherit repository;
|
2021-02-28 12:07:18 +01:00
|
|
|
inherit (cfg) timerConfig;
|
2021-01-06 13:09:29 +01:00
|
|
|
passwordFile = config.krops.secrets.restic-password.path;
|
|
|
|
s3CredentialsFile = config.krops.secrets.restic-s3.path;
|
2020-12-21 13:09:25 +01:00
|
|
|
paths = [
|
|
|
|
"/home"
|
|
|
|
"/srv"
|
|
|
|
"/var"
|
|
|
|
] ++ cfg.extraPaths;
|
2020-12-05 14:19:34 +01:00
|
|
|
initialize = true;
|
|
|
|
extraBackupArgs = [
|
|
|
|
"--exclude-caches"
|
|
|
|
"--exclude-file=${excludesFile}"
|
2021-02-28 12:21:04 +01:00
|
|
|
"--tag system"
|
2020-12-05 14:19:34 +01:00
|
|
|
"--verbose"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
2021-01-08 21:33:45 +01:00
|
|
|
systemd.services."restic-backups-system".serviceConfig = {
|
2020-12-05 14:19:34 +01:00
|
|
|
"Nice" = 10;
|
|
|
|
"IOSchedulingClass" = "best-effort";
|
|
|
|
"IOSchedulingPriority" = 7;
|
|
|
|
};
|
2020-12-21 12:54:33 +01:00
|
|
|
|
|
|
|
environment.systemPackages = [
|
|
|
|
authScript
|
|
|
|
];
|
2020-10-17 09:58:44 +02:00
|
|
|
};
|
2020-08-22 17:44:39 +02:00
|
|
|
}
|