feat: set up restic backups for 'andromache' and 'astyanax'

hosts/andromache/default.nix

@@ -26,6 +26,7 @@ in
       device = "/dev/nvme1n1";
     })
     ../../modules/desktops/niri
+    ../../modules/backups
     ../../modules/bluetooth
     ../../modules/keyboard
     (import ../../modules/networking { inherit hostName; })

hosts/astyanax/default.nix

@@ -26,6 +26,7 @@ in
       device = "/dev/nvme0n1";
     })
     ../../modules/desktops/niri
+    ../../modules/backups
     ../../modules/bluetooth
     ../../modules/keyboard
     (import ../../modules/networking { inherit hostName; })

modules/backups/default.nix

@@ -0,0 +1,63 @@
+{
+  lib,
+  config,
+  ...
+}:
+
+let
+  cfg = config.restic-backup;
+in
+{
+  options = {
+    restic-backup = {
+      repository = lib.mkOption {
+        type = lib.types.str;
+        default = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+      };
+
+      passwordFile = lib.mkOption {
+        type = lib.types.str;
+        default = config.sops.secrets."restic_password".path;
+      };
+
+      paths = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ "/home" ];
+      };
+    };
+  };
+
+  config = {
+    sops.secrets.b2_bucket_name = { };
+
+    sops.templates."restic/repo-${config.networking.hostName}" = {
+      content = "b2:${config.sops.placeholder."b2_bucket_name"}:${config.networking.hostName}";
+    };
+
+    sops.templates."restic/b2-env-${config.networking.hostName}" = {
+      content = ''
+        B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+        B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+      '';
+    };
+
+    services.restic.backups.home = {
+      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
+      passwordFile = cfg.passwordFile;
+      paths = cfg.paths;
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+      initialize = true;
+      extraBackupArgs = [ "--one-file-system" ];
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+        "--keep-monthly 6"
+        "--keep-yearly 1"
+      ];
+      environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
+    };
+  };
+}

modules/secrets/default.nix

@@ -32,6 +32,15 @@ in
         "nix_signing_key_astyanax" = { };
         "nix_signing_key_andromache" = { };
         "opencode_api_key".owner = config.users.users.${cfg.username}.name;
+        # TODO: using shared secrets for now, but would be better to to per-host secrets
+        # To add per-host secrets:
+        # "restic_password_${config.networking.hostName}" = { };
+        # "restic_b2_account_id_${config.networking.hostName}" = { };
+        # "restic_b2_account_key_${config.networking.hostName}" = { };
+        "restic_password" = { };
+        "b2_bucket_name" = { };
+        "b2_account_id" = { };
+        "b2_account_key" = { };
       };
 
       templates = {
@@ -86,6 +95,13 @@ in
             }
           '';
         };
+
+        "restic/b2-env" = {
+          content = ''
+            B2_ACCOUNT_ID=${config.sops.placeholder."b2_account_id"}
+            B2_ACCOUNT_KEY=${config.sops.placeholder."b2_account_key"}
+          '';
+        };
       };
     };
   };