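# SPDX-FileCopyrightText: 2020-2024 Simon Bruder
#
# SPDX-License-Identifier: AGPL-3.0-or-later

# Restic module for this host: fixes the SFTP repository location, offers an
# optional user-facing `restic-auth` wrapper, and an optional prune job
# (`services.restic.backups.system-prune`).
{ config, lib, pkgs, ... }:

let
  cfg = config.sbruder.restic;

  # Remote SFTP endpoint of the repository. Only the location is fixed here;
  # the repository password and SSH key are sops secrets, not store paths.
  sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
  sftpPort = 23;
  repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";

  # Builds one `services.restic.backups.<name>` value for the given `tag`
  # and systemd `timerConfig`, with no backup paths (pruning only).
  mkPruneConfig = { tag, timerConfig }: {
    inherit repository timerConfig;
    # Repository password is read from the sops-managed file at runtime.
    passwordFile = config.sops.secrets.restic-password.path;
    # No paths: this job is meant to prune, not to create snapshots
    # (the module's handling of an empty list should be confirmed when
    # upgrading nixpkgs).
    paths = [ ];
    extraOptions = [
      # NOTE(review): the NixOS restic module already prefixes each
      # extraOptions entry with `-o`, so this bare "-o" entry is probably
      # redundant — confirm against the generated unit's ExecStart.
      "-o"
      # SSH to the storage box with the per-machine sops-managed key.
      "sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
    ];
    # Retention policy applied to snapshots carrying `tag`.
    pruneOpts = [
      "--compression auto"
      "--keep-daily 7"
      "--keep-monthly 12"
      "--keep-weekly 5"
      "--keep-yearly 10"
      "--tag ${tag}"
      "--verbose"
    ];
  };
in
{
  imports = [ ./system.nix ];

  options.sbruder.restic = {
    enable = lib.mkEnableOption "restic";
    # Defaults to on when both restic and the GUI profile are enabled.
    authScript.enable = (lib.mkEnableOption "script to use restic as user without dealing with authentication") // {
      default = cfg.enable && config.sbruder.gui.enable;
    };
    prune.enable = lib.mkEnableOption "pruning";
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      sops.secrets = {
        restic-password = { };
        # Declared here although this module hard-codes `repository` above.
        restic-repository = { };
      };
    }

    (lib.mkIf cfg.authScript.enable {
      environment.systemPackages = [
        # Wrapper that supplies the repository and the password (via `pass`,
        # resolved from the caller's PATH) so the user only passes restic
        # subcommands and flags.
        (pkgs.writeShellScriptBin "restic-auth" ''
          ${pkgs.restic}/bin/restic \
            --password-command="pass data/backup/restic-nixos" \
            --repo "${repository}" \
            "$@"
        '')
      ];
    })

    (lib.mkIf cfg.prune.enable {
      # The SSH key is specific to each machine, so it comes from that
      # machine's secrets file.
      sops.secrets.restic-ssh-key = {
        sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
      };

      services.restic.backups = {
        system-prune = mkPruneConfig {
          tag = "system";
          timerConfig = {
            # 03:00 on the 7th of every other month (starting January),
            # jittered by up to 4 hours.
            OnCalendar = "*-1/2-07 03:00:00";
            RandomizedDelaySec = "4h";
          };
        };
      };
    })
  ]);
}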