restic: Prepare for additional backups

machines/fuuko/configuration.nix

@@ -19,7 +19,9 @@
     wireguard.home.enable = true;
     nginx.hardening.enable = true;
     printing.server.enable = true;
-    restic.system = {
+    restic = {
+      enable = true;
+      backups.system = {
         enable = true;
         qos = true;
         extraPaths = [
@@ -34,6 +36,7 @@
           "/data/torrent"
         ];
       };
+    };
     unfree.allowSoftware = true;
   };
 

machines/fuuko/services/photoprism.nix

@@ -13,7 +13,7 @@
     };
   };
 
-  sbruder.restic.system.extraExcludes = [
+  sbruder.restic.backups.system.extraExcludes = [
     "/var/lib/private/photoprism"
   ];
 

machines/hiroshi/configuration.nix

@@ -12,7 +12,10 @@
 
   sbruder = {
     full = false;
-    restic.system.enable = true;
+    restic = {
+      enable = true;
+      backups.system.enable = true;
+    };
     wireguard.home.enable = true;
     infovhost.enable = true;
     nginx = {

machines/hitagi/configuration.nix

@@ -19,13 +19,16 @@
     gui.enable = true;
     media-proxy.enable = true;
     podman.enable = true;
-    restic.system = {
+    restic = {
+      enable = true;
+      backups.system = {
         enable = true;
         qos = true;
         extraPaths = [
           "/data"
         ];
       };
+    };
     unfree.allowSoftware = true;
     wireguard.home.enable = true;
   };

machines/koyomi/configuration.nix

@@ -12,7 +12,10 @@
   ];
 
   sbruder = {
-    restic.system.enable = true;
+    restic = {
+      enable = true;
+      backups.system.enable = true;
+    };
     wireguard.home.enable = true;
     podman.enable = true;
   };

machines/mayushii/configuration.nix

@@ -19,10 +19,13 @@
     gui.enable = true;
     media-proxy.enable = true;
     podman.enable = true;
-    restic.system = {
+    restic = {
+      enable = true;
+      backups.system = {
         enable = true;
         qos = true;
       };
+    };
     unfree.allowSoftware = true;
     wireguard.home.enable = true;
   };

machines/nunotaba/configuration.nix

@@ -13,10 +13,13 @@
 
   sbruder = {
     gui.enable = true;
-    restic.system = {
+    restic = {
+      enable = true;
+      backups.system = {
         enable = true;
         qos = true;
       };
+    };
     unfree.allowSoftware = true;
     wireguard.home.enable = true;
   };

machines/renge/configuration.nix

@@ -27,9 +27,10 @@
 
   sbruder = {
     nginx.hardening.enable = true;
-    restic.system = {
+    restic = {
       enable = true;
-      prune = true;
+      backups.system.enable = true;
+      prune.enable = true;
     };
     wireguard.home.enable = true;
     infovhost.enable = true;

machines/vueko/configuration.nix

@@ -17,7 +17,10 @@
 
   sbruder = {
     nginx.hardening.enable = true;
-    restic.system.enable = true;
+    restic = {
+      enable = true;
+      backups.system.enable = true;
+    };
     wireguard.home.enable = true;
     full = false;
     infovhost.enable = true;

modules/restic/default.nix

@@ -1,9 +1,78 @@
-# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
+# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
 #
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sbruder.restic;
+
+  sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
+  sftpPort = 23;
+  repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
+
+  mkPruneConfig = { tag, timerConfig }: {
+    inherit repository timerConfig;
+    passwordFile = config.sops.secrets.restic-password.path;
+    paths = [ ];
+    extraOptions = [
+      "-o"
+      "sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
+    ];
+    pruneOpts = [
+      "--compression auto"
+      "--keep-daily 7"
+      "--keep-monthly 12"
+      "--keep-weekly 5"
+      "--keep-yearly 10"
+      "--tag ${tag}"
+      "--verbose"
+    ];
+  };
+in
 {
   imports = [
     ./system.nix
   ];
+
+  options.sbruder.restic = {
+    enable = lib.mkEnableOption "restic";
+    authScript.enable = (lib.mkEnableOption "script to use restic as user without dealing with authentication") // {
+      default = cfg.enable && config.sbruder.gui.enable;
+    };
+    prune.enable = lib.mkEnableOption "pruning";
+  };
+
+  config = lib.mkIf cfg.enable (lib.mkMerge [
+    {
+      sops.secrets = {
+        restic-password = { };
+        restic-repository = { };
+      };
+    }
+    (lib.mkIf cfg.authScript.enable {
+      environment.systemPackages = [
+        (pkgs.writeShellScriptBin "restic-auth" ''
+          ${pkgs.restic}/bin/restic \
+            --password-command="pass data/backup/restic-nixos" \
+            --repo "${repository}" \
+            $@
+        '')
+      ];
+    })
+    (lib.mkIf cfg.prune.enable {
+      sops.secrets.restic-ssh-key = {
+        sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
+      };
+
+      services.restic.backups = {
+        system-prune = mkPruneConfig {
+          tag = "system";
+          timerConfig = {
+            OnCalendar = "*-1/2-07 03:00:00";
+            RandomizedDelaySec = "4h";
+          };
+        };
+      };
+    })
+  ]);
 }

modules/restic/system.nix

@@ -4,11 +4,8 @@
 
 { pkgs, config, lib, ... }:
 let
-  cfg = config.sbruder.restic.system;
+  cfg = config.sbruder.restic.backups.system;
 
-  sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
-  sftpPort = 23;
-  repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
   excludes = [
     # Caches
     "/home/*/Downloads/"
@@ -37,14 +34,6 @@ let
   ] ++ cfg.extraExcludes;
   excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);
 
-  # script to use restic as user without dealing with authentication
-  authScript = pkgs.writeShellScriptBin "restic-auth" ''
-    ${pkgs.restic}/bin/restic \
-      --password-command="pass data/backup/restic-nixos" \
-      --repo "${repository}" \
-      $@
-  '';
-
   # HACK: NixOS’ nftables implementation runs nft -c inside the build sandbox,
   # where the target host’s cgroups are not available,
   # and therefore fails.
@@ -65,8 +54,8 @@ let
   '';
 in
 {
-  options.sbruder.restic.system = {
+  options.sbruder.restic.backups.system = {
-    enable = lib.mkEnableOption "restic";
+    enable = lib.mkEnableOption "restic system backup";
     timerConfig = lib.mkOption {
       type = with lib.types; attrsOf str;
       default = {
@@ -88,19 +77,9 @@ in
       default = null;
     };
     qos = (lib.mkEnableOption "QoS marking (DSCP AF12) of outgoing packets") // { default = !(isNull cfg.uploadLimit); };
-    prune = lib.mkEnableOption "pruning";
   };
 
   config = lib.mkIf cfg.enable {
-    sops.secrets = {
-      restic-password = { };
-      restic-repository = { };
-    } // lib.optionalAttrs cfg.prune {
-      restic-ssh-key = {
-        sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
-      };
-    };
-
     services.restic.backups.system = {
       inherit (cfg) timerConfig;
       repositoryFile = config.sops.secrets.restic-repository.path;
@@ -134,32 +113,5 @@ in
       "IOSchedulingPriority" = 7;
       Slice = "restic.slice";
     };
-
-    services.restic.backups.system-prune = lib.mkIf cfg.prune {
-      inherit repository;
-      passwordFile = config.sops.secrets.restic-password.path;
-      timerConfig = {
-        OnCalendar = "*-1/2-07 03:00:00";
-        RandomizedDelaySec = "4h";
-      };
-      paths = [ ];
-      extraOptions = [
-        "-o"
-        "sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
-      ];
-      pruneOpts = [
-        "--compression auto"
-        "--keep-daily 7"
-        "--keep-monthly 12"
-        "--keep-weekly 5"
-        "--keep-yearly 10"
-        "--tag system"
-        "--verbose"
-      ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
-    };
-
-    environment.systemPackages = [
-      authScript
-    ];
   };
 }