Simon Bruder
e9dc4601ad
It is already initialised, and NixOS’ initialisation always prints all existing snapshots to the journal, which makes it almost impossible to find the logs from the regular backup.
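{ pkgs, config, lib, ... }:

# System-wide restic backup to a Wasabi S3 bucket, driven by the NixOS
# `services.restic.backups` module.  The repository password and the S3
# credentials are read from sops-managed secret files at runtime, so no
# secret ends up in the Nix store.
let
  cfg = config.sbruder.restic.system;

  repository = "s3:https://s3.eu-central-1.wasabisys.com/sbruder-restic";

  # Paths that are never worth backing up.  They are written to a file and
  # handed to restic via --exclude-file, so the list can grow without
  # changing the unit's command line.
  excludes = [
    # Caches
    "/home/*/Downloads/"
    "/home/*/.cache/"
    "/home/*/**/cache/"
    "/home/*/.local/share/Trash" # some gui applications use it
    "/data/cache/"

    # Rust
    "/home/*/**/target/debug/"
    "/home/*/**/target/doc/"
    "/home/*/**/target/release/"
    "/home/*/**/target/rls/"
    "/home/*/**/target/tarpaulin/"
    "/home/*/**/target/wasm32-unknown-unknown/"
    "/home/*/.rustup/toolchains/"
    "/home/*/.cargo"

    # Misc
    "/home/*/mount"

    # Docker (state should be kept somewhere else)
    "/var/lib/docker/"

    # Static configuration (generated from this repository)
    "/etc/static/"
  ] ++ cfg.extraExcludes;

  excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);

  # script to use restic as user without dealing with authentication
  #
  # The S3 key pair is read from `pass` and exported into the environment of
  # this shell (and therefore inherited by restic); the repository password
  # is fetched by restic itself through --password-command.  Arguments are
  # forwarded with "$@" so that paths containing spaces or glob characters
  # reach restic unchanged.
  authScript = pkgs.writeShellScriptBin "restic-auth" ''
    . <(pass data/wasabi/restic-nixos | sed 's/^/export /')
    ${pkgs.restic}/bin/restic \
      --password-command="pass data/backup/restic-nixos" \
      --repo "${repository}" \
      "$@"
  '';
in
{
  options.sbruder.restic.system = {
    enable = lib.mkEnableOption "restic";

    timerConfig = lib.mkOption {
      type = with lib.types; attrsOf str;
      default = {
        OnCalendar = "20:00";
        RandomizedDelaySec = "2h";
      };
      description = "systemd timer settings for the backup unit (passed through to services.restic.backups.system.timerConfig).";
    };

    extraPaths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "/data" ];
      description = "Additional paths to back up on top of the built-in list.";
    };

    extraExcludes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "Additional restic exclude patterns appended to the built-in exclude file.";
    };

    uploadLimit = lib.mkOption {
      type = lib.types.nullOr lib.types.int;
      default = 1500;
      description = "Upload rate limit passed to restic as --limit-upload (KiB/s); null disables the limit.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Declared here so sops-nix provisions the decrypted files; the restic
    # unit only ever sees their paths, never the values.
    sops.secrets = {
      restic-password = { };
      restic-s3 = { };
    };

    services.restic.backups.system = {
      inherit repository;
      inherit (cfg) timerConfig;
      passwordFile = config.sops.secrets.restic-password.path;
      s3CredentialsFile = config.sops.secrets.restic-s3.path;
      paths = [
        "/etc"
        "/home"
        "/root"
        "/srv"
        "/var"
      ] ++ cfg.extraPaths;
      extraBackupArgs = [
        # skip directories that carry a CACHEDIR.TAG marker
        "--exclude-caches"
        "--exclude-file=${excludesFile}"
        # kept as one element: the NixOS module joins extraBackupArgs into a
        # single shell string, so the space is split by the shell (verify
        # against the module if nixpkgs changes how the args are quoted)
        "--tag system"
        "--verbose"
      ] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
    };

    # Run the backup at reduced CPU and I/O priority so it does not compete
    # with interactive use of the machine.
    systemd.services."restic-backups-system".serviceConfig = {
      "Nice" = 10;
      "IOSchedulingClass" = "best-effort";
      "IOSchedulingPriority" = 7;
    };

    environment.systemPackages = [
      authScript
    ];
  };
}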