services: setup restic backups service

2021-08-09 19:34:23 +02:00 · 2021-08-09 19:34:23 +02:00 · a763e0549f
parent 1a0f0da28d
commit a763e0549f
6 changed files with 91 additions and 2 deletions
--- a/hosts/poseidon/default.nix
+++ b/hosts/poseidon/default.nix
@ -66,9 +66,9 @@ in
      websocketPort = 3012;
    };

-    borg-backup = {
+    restic-backup = {
      enable = true;
-      repo = secrets.borg-backup.poseidon-repo;
+      repo = secrets.restic-backup.poseidon-repo;
    };

    fail2ban = {
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -17,6 +17,7 @@ with lib;
    gandiKey = lib.fileContents ./gandi-api-key.secret;

    borg-backup = import ./borg-backup { inherit lib; };
+    restic-backup = import ./restic-backup { inherit lib; };

    matrixEmailConfig = import ./matrix-email-config.nix;
  };
--- a/secrets/restic-backup/default.nix
+++ b/secrets/restic-backup/default.nix
@ -0,0 +1,4 @@
+{ lib }:
+{
+  poseidon-repo = lib.fileContents ./poseidon-repo.secret;
+}
--- a/secrets/restic-backup/poseidon-repo.secret
+++ b/secrets/restic-backup/poseidon-repo.secret
--- a/services/default.nix
+++ b/services/default.nix
@ -20,6 +20,7 @@
    ./pipewire.nix
    ./postgresql-backup.nix
    ./postgresql.nix
+    ./restic-backup.nix
    ./tailscale.nix
    ./tgv.nix
    ./transmission.nix
--- a/services/restic-backup.nix
+++ b/services/restic-backup.nix
@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.my.services.restic-backup;
+  secrets = config.my.secrets;
+  excludeArg = with builtins; with pkgs;
+    "--exclude-file=" + (writeText "excludes.txt" (concatStringsSep "\n" cfg.exclude));
+  makePruneOpts = pruneOpts:
+    attrsets.mapAttrsToList (name: value: "--keep-${name} ${toString value}") pruneOpts;
+in {
+  options.my.services.restic-backup = {
+    enable = mkEnableOption "Enable Restic backups for this host";
+
+    repo = mkOption {
+      type = types.str;
+      default = null;
+      example = "/mnt/hdd";
+      description = "Restic backup repo";
+
+    };
+
+    paths = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [
+        "/var/lib"
+        "/home"
+      ];
+      description = "Paths to backup";
+    };
+
+    exclude = mkOption {
+      type = with types; listOf str;
+      default = [ ];
+      example = [
+        # very large paths
+        "/var/lib/docker"
+        "/var/lib/systemd"
+        "/var/lib/libvirt"
+
+        # temporary files created by `cargo` and `go build`
+        "**/target"
+        "/home/*/go/bin"
+        "/home/*/go/pkg"
+      ];
+      description = "Paths to exclude from backup";
+    };
+
+    prune = mkOption {
+      type = types.attrs;
+      default = {
+        daily = 7;
+        weekly = 4;
+        monthly = 6;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.restic ];
+
+    services.restic.backups.backblaze = {
+      initialize = true;
+
+      paths = cfg.paths;
+
+      repository = cfg.repo;
+      passwordFile = "/root/restic/password";
+      s3CredentialsFile = "/root/restic/creds";
+
+      extraBackupArgs = [ ]
+        ++ optional (builtins.length cfg.exclude != 0) excludeArg;
+
+      timerConfig = {
+        OnCalendar = "daily";
+      };
+
+      pruneOpts = makePruneOpts cfg.prune;
+    };
+  };
+}