79 lines
2 KiB
Nix
79 lines
2 KiB
Nix
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
let
|
|
cfg = config.sbruder.restic;
|
|
|
|
sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
|
|
sftpPort = 23;
|
|
repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
|
|
|
|
mkPruneConfig = { tag, timerConfig }: {
|
|
inherit repository timerConfig;
|
|
passwordFile = config.sops.secrets.restic-password.path;
|
|
paths = [ ];
|
|
extraOptions = [
|
|
"-o"
|
|
"sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
|
|
];
|
|
pruneOpts = [
|
|
"--compression auto"
|
|
"--keep-daily 7"
|
|
"--keep-monthly 12"
|
|
"--keep-weekly 5"
|
|
"--keep-yearly 10"
|
|
"--tag ${tag}"
|
|
"--verbose"
|
|
];
|
|
};
|
|
in
|
|
{
|
|
imports = [
|
|
./system.nix
|
|
];
|
|
|
|
options.sbruder.restic = {
|
|
enable = lib.mkEnableOption "restic";
|
|
authScript.enable = (lib.mkEnableOption "script to use restic as user without dealing with authentication") // {
|
|
default = cfg.enable && config.sbruder.gui.enable;
|
|
};
|
|
prune.enable = lib.mkEnableOption "pruning";
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
{
|
|
sops.secrets = {
|
|
restic-password = { };
|
|
restic-repository = { };
|
|
};
|
|
}
|
|
(lib.mkIf cfg.authScript.enable {
|
|
environment.systemPackages = [
|
|
(pkgs.writeShellScriptBin "restic-auth" ''
|
|
${pkgs.restic}/bin/restic \
|
|
--password-command="pass data/backup/restic-nixos" \
|
|
--repo "${repository}" \
|
|
$@
|
|
'')
|
|
];
|
|
})
|
|
(lib.mkIf cfg.prune.enable {
|
|
sops.secrets.restic-ssh-key = {
|
|
sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
|
|
};
|
|
|
|
services.restic.backups = {
|
|
system-prune = mkPruneConfig {
|
|
tag = "system";
|
|
timerConfig = {
|
|
OnCalendar = "*-1/2-07 03:00:00";
|
|
RandomizedDelaySec = "4h";
|
|
};
|
|
};
|
|
};
|
|
})
|
|
]);
|
|
}
|