Enable restic backups

2023-12-26 11:02:49 +01:00 · 2023-12-26 11:02:49 +01:00 · 106a9c3630
commit 106a9c3630
parent 31056ba23a
27 changed files with 396 additions and 304 deletions
--- a/modules/ccr/default.nix
+++ b/modules/ccr/default.nix
@ -61,6 +61,11 @@ in {
      type = types.listOf types.deferredModule;
      default = [];
    };
+
+    backupPaths = lib.mkOption {
+      type = types.listOf types.str;
+      default = [];
+    };
  };

  config = lib.mkIf cfg.enable {
@ -68,6 +73,8 @@ in {
    ccr.extraGroups = ["wheel" "fuse" "video" "dialout" "systemd-journal" "camera"];
    ccr.modules = ["shell" "git" "nix-index"];

+    backup.paths = cfg.backupPaths;
+
    users.users.${cfg.username} = {
      inherit (config.ccr) hashedPassword extraGroups description;
      uid = 1000;
--- a/modules/home-assistant/default.nix
+++ b/modules/home-assistant/default.nix
@ -159,6 +159,10 @@ in {
    };
  };

+  backup.paths = [
+    "/var/lib/hass"
+  ];
+
  # virtualisation.oci-containers = {
  #   backend = "podman";
  #   containers.homeassistant = {
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@ -0,0 +1,45 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options.backup = {
+    paths = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [];
+    };
+  };
+  config.services.restic = {
+    backups = {
+      hetzner = {
+        paths = config.backup.paths;
+        passwordFile = config.age.secrets.restic-hetzner-password.path;
+        extraOptions = [
+          # Use the host ssh key, for authorizing new hosts:
+          # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de install-ssh-key
+          "sftp.command='ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de -i /etc/ssh/ssh_host_ed25519_key -s sftp'"
+        ];
+        repository = "sftp://u382036-sub1@u382036-sub1.your-storagebox.de:23/";
+        initialize = true;
+        timerConfig.OnCalendar = "daily";
+        timerConfig.RandomizedDelaySec = "1h";
+      };
+    };
+  };
+
+  config.environment.systemPackages = builtins.map (path:
+    pkgs.writeShellApplication {
+      name = "restic-restore-${builtins.replaceStrings ["/"] ["-"] path}";
+      runtimeInputs = with pkgs; [restic];
+      text = ''
+        restic -r ${config.services.restic.backups.hetzner.repository} \
+          ${lib.concatMapStringsSep ''\'' (option: "-o ${option}") config.services.restic.backups.hetzner.extraOptions} \
+          --password-file ${config.services.restic.backups.hetzner.passwordFile} \
+          restore latest \
+          --path "${path}"\
+          --target "$1"
+      '';
+    })
+  config.services.restic.backups.hetzner.paths;
+}