From 715e31fa88060d84b0680c878512a1efa8a07cd8 Mon Sep 17 00:00:00 2001 From: Antoine Martin Date: Tue, 26 Sep 2023 17:39:47 +0200 Subject: [PATCH] hephaestus: setup restic backups --- hosts/hephaestus/default.nix | 43 +++++++++++++++++++ hosts/hephaestus/secrets.nix | 3 ++ .../restic-backup/hephaestus-credentials.age | 9 ++++ .../restic-backup/hephaestus-password.age | 9 ++++ modules/secrets/secrets.nix | 2 + 5 files changed, 66 insertions(+) create mode 100644 modules/secrets/restic-backup/hephaestus-credentials.age create mode 100644 modules/secrets/restic-backup/hephaestus-password.age diff --git a/hosts/hephaestus/default.nix b/hosts/hephaestus/default.nix index fdf8125..e03ea08 100644 --- a/hosts/hephaestus/default.nix +++ b/hosts/hephaestus/default.nix @@ -45,6 +45,49 @@ my.services = { tailscale.enable = true; pipewire.enable = true; + + restic-backup = { + enable = true; + repo = "b2:hephaestus-backup"; + passwordFile = config.age.secrets."restic-backup/hephaestus-password".path; + environmentFile = config.age.secrets."restic-backup/hephaestus-credentials".path; + + timerConfig = { + OnCalendar = "*-*-* 13:00:00"; # laptop only gets used during the day + }; + + paths = [ + "/home/alarsyo" + ]; + exclude = [ + "/home/alarsyo/Downloads" + + # Rust builds using half my storage capacity + "/home/alarsyo/**/target" + "/home/alarsyo/work/rust/build" + + # don't backup nixpkgs + "/home/alarsyo/work/nixpkgs" + + "/home/alarsyo/go" + + # C build crap + "*.a" + "*.o" + "*.so" + + ".direnv" + + # test vms + "*.qcow2" + + # secrets stay offline + "/home/alarsyo/**/secrets" + + # ignore all dotfiles as .config and .cache can become quite big + "/home/alarsyo/.*" + ]; + }; }; virtualisation.docker.enable = true; diff --git a/hosts/hephaestus/secrets.nix b/hosts/hephaestus/secrets.nix index 3fbc379..dc35e6d 100644 --- a/hosts/hephaestus/secrets.nix +++ b/hosts/hephaestus/secrets.nix 
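Review bot: The only explicit rule keeping key material out of the B2 repository is `"/home/alarsyo/**/secrets"`, which matches paths named exactly `secrets`; directories such as `~/.ssh` or `~/.gnupg` are kept out only by the `"/home/alarsyo/.*"` rule, whose comment gives size as its sole reason. I would extend that comment to something like `# ignore all dotfiles: .config and .cache get big, and .ssh/.gnupg must stay offline`, so that later narrowing the pattern to the large directories does not silently start uploading keys. Separately, `OnCalendar = "*-*-* 13:00:00"` on a laptop misses the run whenever the machine is powered off at 13:00. Unless the `my.services.restic-backup` module (not visible in this patch) already sets it, adding `Persistent = true;` to `timerConfig` lets systemd run the missed backup at the next start.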
@@ -13,6 +13,9 @@ // attrs; in lib.mapAttrs toSecret { + "restic-backup/hephaestus-credentials" = {}; + "restic-backup/hephaestus-password" = {}; + "users/alarsyo-hashed-password" = {}; "users/root-hashed-password" = {}; }; diff --git a/modules/secrets/restic-backup/hephaestus-credentials.age b/modules/secrets/restic-backup/hephaestus-credentials.age new file mode 100644 index 0000000..77a80ed --- /dev/null +++ b/modules/secrets/restic-backup/hephaestus-credentials.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 k2gHjw tTdHZJpSocTHlznYH9eRzeZkrYBbsdT4F8jV1FKw/yk +xKIkYhL/A8wTy6LqDkTuUvm4rhDI6+DXwjzl43PcR8E +-> ssh-ed25519 SYm+hA vzQCZWYdgG0yxUEyGJ4Q8EAh1Kzw5CutDa6q6XSaels +Y7VqpvLfrUvWZcXqGeulRld9kff03kgzz22UBW77AOw +-> j-c8-grease +WeQ +--- KHLA1KlfWM432GDbPIiKInzZeqVRJZ2YCKtF3qClfgs +85|Qx_5': A?ڡ ؊oAx)rd!(Ѩ5~\Ld"^ZZ^V/5˕ݦa诲ḷo]O/Eue \ No newline at end of file diff --git a/modules/secrets/restic-backup/hephaestus-password.age b/modules/secrets/restic-backup/hephaestus-password.age new file mode 100644 index 0000000..3ed4290 --- /dev/null +++ b/modules/secrets/restic-backup/hephaestus-password.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 k2gHjw 2/spllcr7Fo+1sQ4VJW/MywBVUcpKEbicv4vZQyre0c +Vc2Wugxc5M4i73UKMFXWA2PeHgUOm/+HekoeYt9ycro +-> ssh-ed25519 SYm+hA KFjo2JVxpdOey8A7GAKeZci+ezE0RYBRKR8vNtloU3M +SAzpTjF/RGOgjawT2Sk5H7TNnk/SdbksuAcZZqakJOs +-> !!6BS-grease GsH7hĩے2cH^X_zv'!Zkš_0}Yoje<.^[q4pP \ No newline at end of file diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix index 0accd18..9f9fc38 100644 --- a/modules/secrets/secrets.nix +++ b/modules/secrets/secrets.nix 
@@ -31,6 +31,8 @@ in {
 "restic-backup/boreal-credentials.age".publicKeys = [alarsyo boreal];
 "restic-backup/hades-password.age".publicKeys = [alarsyo hades];
 "restic-backup/hades-credentials.age".publicKeys = [alarsyo hades];
+ "restic-backup/hephaestus-password.age".publicKeys = [alarsyo hephaestus];
+ "restic-backup/hephaestus-credentials.age".publicKeys = [alarsyo hephaestus];
 "restic-backup/poseidon-password.age".publicKeys = [alarsyo poseidon];
 "restic-backup/poseidon-credentials.age".publicKeys = [alarsyo poseidon];
 "restic-backup/zephyrus-password.age".publicKeys = [alarsyo zephyrus];