zephyrus: setup restic backup with agenix secrets

2022-01-17 22:00:51 +01:00 · 2022-01-17 22:00:51 +01:00 · c3fcb0154f
parent a0ead30194
commit c3fcb0154f
4 changed files with 51 additions and 0 deletions
--- a/hosts/zephyrus/default.nix
+++ b/hosts/zephyrus/default.nix
@ -43,6 +43,35 @@ in
    tailscale.enable = true;

    pipewire.enable = true;
+
+    restic-backup = {
+      enable = true;
+      repo = "b2:zephyrus-backup";
+      passwordFile = config.age.secrets."restic-backup/zephyrus-password".path;
+      environmentFile = config.age.secrets."restic-backup/zephyrus-credentials".path;
+
+      paths = [
+        "/home/alarsyo"
+      ];
+      exclude = [
+        "/home/alarsyo/Downloads"
+
+        # Rust builds using half my storage capacity
+        "/home/alarsyo/*/target"
+        "/home/alarsyo/work/rust/build"
+
+        # don't backup nixpkgs
+        "/home/alarsyo/work/nixpkgs"
+
+        # C build crap
+        "*.a"
+        "*.o"
+        "*.so"
+
+        # ignore all dotfiles as .config and .cache can become quite big
+        "/home/alarsyo/.*"
+      ];
+    };
  };

  services = {
--- a/modules/secrets/restic-backup/zephyrus-credentials.age
+++ b/modules/secrets/restic-backup/zephyrus-credentials.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZQuVNA KjrRurc5ztGrYO2wx0ToE8E4Yz2sbNwPi4zCGAJUK3k
+U1Ox1U4Z9ssleGchzMJGpQjFaRoqMYSLhKHXj1F2/U
+-> ssh-ed25519 k2gHjw W35K39F0sREO2igYKaa3zr1LKgF6xiU5YtMq3RYqkC4
+YJV8kdjMJSoRX7iLw2bQXET9zOudFuhZeHqPqHkNjuc
+-> (aAM-grease j{6WJ 3C&
+Pfh0krD/ClkQcByosGU3CxPivvPei5tXWZHh6odkWxn29iqsKT6L1ihEgYJDlopA
+8ODR4G4ax6ZY13O+qjc
+--- ugjGDcsxbwlKmTN+4lUyrhD6GJPl0qk4i+4OLS2NRP0
+]#z…ƒã‹p¢¶X7Ó™	¼1mê%wýFÒ
4õÒØ³Äcp+Q2¹ú“<C3BA>×ì¢pmxx>Åˆœ)Eô;~äî<>¢ÔsÆx[S$z¥¨&øžùrBSVÄzÿ÷þ\SXøærdö×\ÜóŠ5Tªfÿ|¿ô
+TÜ
--- a/modules/secrets/restic-backup/zephyrus-password.age
+++ b/modules/secrets/restic-backup/zephyrus-password.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 ZQuVNA H3/RLTRU8T3JY99f+b9xT5oIqPCDyxjRfFbJ7iR3/zE
+CTLpdnGapstc+/epugi1CxIZ3T7JZgE4Ew14B2WuanY
+-> ssh-ed25519 k2gHjw wEnvcV2UApJ1MMyIQgSSkF+zhG+fugEiCieCpPBdJyc
+polPsTGun9e6Bq6rogQBrmT32GQXiixxlKmuRpDDM0c
+-> Jt-grease rX6~
+RL6JmjlIQaG17HQQFY3hTYtTiL12Sr3RX/Scv6gO7gO8
+--- eUEOS9mtYxxW2bqzEpD+ZsyYjhHWCArPd2PiFn6wMF4
+ƒ*@ò-úñæÀ£’¬…9ÂÜpMDŸ¸™I{ázÃ¼ke°K);‰ü+úU¥îñOZâ{ÙBSx’/ÑLI¡”G «9—‰	”þ1É:YÝ½°4x:K—f¹Žq‘ö9ï˜a¥Oº[jNåÇXq¡‘,âÏæZü=*˜'€'t×„ƒÍ	
²ˆö¿!vWòÛ6n›†ÅéG&QwõÚG
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -11,4 +11,6 @@ let
  all = users ++ machines;
 in
 {
+  "restic-backup/zephyrus-password.age".publicKeys = [ alarsyo zephyrus ];
+  "restic-backup/zephyrus-credentials.age".publicKeys = [ alarsyo zephyrus ];
 }