From 0f0f038f5a06088e77d0e1da8680dc977fb62134 Mon Sep 17 00:00:00 2001
From: hektor
Date: Tue, 3 Feb 2026 17:35:29 +0100
Subject: [PATCH] feat: set up restic backups for 'andromache' and 'astyanax'
---
 hosts/andromache/default.nix | 1 +
 hosts/astyanax/default.nix | 1 +
 modules/backups/default.nix | 63 ++++++++++++++++++++++++++++++++++++
 modules/secrets/default.nix | 16 +++++++++
 4 files changed, 81 insertions(+)
 create mode 100644 modules/backups/default.nix
diff --git a/hosts/andromache/default.nix b/hosts/andromache/default.nix
index afd758c..41ffbb8 100644
--- a/hosts/andromache/default.nix
+++ b/hosts/andromache/default.nix
@@ -26,6 +26,7 @@ in
 device = "/dev/nvme1n1";
 })
 ../../modules/desktops/niri
+ ../../modules/backups
 ../../modules/bluetooth
 ../../modules/keyboard
 (import ../../modules/networking { inherit hostName; })
diff --git a/hosts/astyanax/default.nix b/hosts/astyanax/default.nix
index 93490d8..1bd6f22 100644
--- a/hosts/astyanax/default.nix
+++ b/hosts/astyanax/default.nix
@@ -26,6 +26,7 @@ in
 device = "/dev/nvme0n1";
 })
 ../../modules/desktops/niri
+ ../../modules/backups
 ../../modules/bluetooth
 ../../modules/keyboard
 (import ../../modules/networking { inherit hostName; })
diff --git a/modules/backups/default.nix b/modules/backups/default.nix
new file mode 100644
index 0000000..dbcb339
--- /dev/null
+++ b/modules/backups/default.nix
@@ -0,0 +1,63 @@
+{
+ lib,
+ config,
+ ...
+}:
+
+let
+ cfg = config.restic-backup;
+in
+{
+ options = {
+ restic-backup = {
+ repository = lib.mkOption {
+ type = lib.types.str;
+ default = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+ };
+
+ passwordFile = lib.mkOption {
+ type = lib.types.str;
+ default = config.sops.secrets."restic_password".path;
+ };
+
+ paths = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ default = [ "/home" ];
+ };
+ };
+ };
+
+ config = {
+ sops.secrets.b2_bucket_name = { };
+
+ sops.templates."restic/repo-${config.networking.hostName}" = {
+ content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+ };
+
+ sops.templates."restic/b2-env-${config.networking.hostName}" = {
+ content = ''
+ B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+ B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+ '';
+ };
+
+ services.restic.backups.home = {
+ repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
+ passwordFile = cfg.passwordFile;
+ paths = cfg.paths;
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+ initialize = true;
+ extraBackupArgs = [ "--one-file-system" ];
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 6"
+ "--keep-yearly 1"
+ ];
+ environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
+ };
+ };
+}
diff --git a/modules/secrets/default.nix b/modules/secrets/default.nix
index 7943ee7..02ff5df 100644
--- a/modules/secrets/default.nix
+++ b/modules/secrets/default.nix
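Review bot: The `restic-backup.repository` option is declared with a default but nothing reads it — `services.restic.backups.home` takes `repositoryFile` from the `restic/repo-…` template, whose `content` re-spells the same string, so a host that overrides `restic-backup.repository` silently keeps the default. Replace the template body with `content = cfg.repository;` so the option is the single source of truth; the `b2_bucket_name` placeholder is still resolved because the value passes through the sops template. Separately, if the NixOS module runs `restic forget --prune` after each backup as `pruneOpts` implies, the B2 key written to the `b2-env` template must be allowed to delete objects, which means a compromised host can also wipe its own history; scoping that key to this one bucket and, where B2 offers it, pairing it with object lock or a retention policy that this key cannot override is worth doing alongside this commit. A short comment above `pruneOpts` such as `# forget --prune runs after every backup; the B2 key therefore needs delete capability` would save the next reader a trip to the module docs.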
@@ -32,6 +32,15 @@ in
 "nix_signing_key_astyanax" = { };
 "nix_signing_key_andromache" = { };
 "opencode_api_key".owner = config.users.users.${cfg.username}.name;
+ # TODO: using shared secrets for now, but would be better to to per-host secrets
+ # To add per-host secrets:
+ # "restic_password_${config.networking.hostName}" = { };
+ # "restic_b2_account_id_${config.networking.hostName}" = { };
+ # "restic_b2_account_key_${config.networking.hostName}" = { };
+ "restic_password" = { };
+ "b2_bucket_name" = { };
+ "b2_account_id" = { };
+ "b2_account_key" = { };
 };
 templates = {
@@ -86,6 +95,13 @@ in
 }
 '';
 };
+
+ "restic/b2-env" = {
+ content = ''
+ B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+ B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+ '';
+ };
 };
 };
 };
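Review bot: The `restic/b2-env` template added in the second hunk is referenced nowhere in this commit — the backups module renders its own `restic/b2-env-${config.networking.hostName}` template with identical content and passes that path as `environmentFile` — so this one only writes the B2 account key into a second rendered file that nothing reads. Keep one of the two; if it should live here, the backups module can use `config.sops.templates."restic/b2-env".path` instead of defining its own. In the first hunk the TODO would be more useful if it said why per-host secrets matter: with a single shared `b2_account_key` and `restic_password`, either host can read or delete the other's repository, since the two are only separated by a hostname suffix inside the same bucket. Something like `# TODO: shared secrets for now; per-host B2 keys and restic passwords would stop one compromised host from reaching the other's repo` states the risk and also fixes the `to to` typo.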