Restic for sisko

2024-07-25 16:43:58 +02:00 · 2024-07-25 16:43:58 +02:00 · 71a3654e9a
commit 71a3654e9a
parent 865274a2df
5 changed files with 59 additions and 35 deletions
--- a/modules/restic/default.nix
+++ b/modules/restic/default.nix
@ -3,43 +3,33 @@
  pkgs,
  lib,
  ...
-}: {
-  options.backup = {
-    paths = lib.mkOption {
-      type = lib.types.listOf lib.types.path;
-      default = [];
+}: let
+  user = "u382036-sub1";
+  host = "u382036.your-storagebox.de";
+  port = "23";
+in {
+  age.secrets = {
+    HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD = {
+      file = ../../secrets/hetzner-storage-box-sisko-ssh-password.age;
+      owner = "root";
    };
-  };
-  config.services.restic = {
-    backups = {
-      hetzner = {
-        paths = config.backup.paths;
-        passwordFile = config.age.secrets.restic-hetzner-password.path;
-        extraOptions = [
-          # Use the host ssh key, for authorizing new hosts:
-          # cat /etc/ssh/ssh_host_ed25519_key.pub | ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de install-ssh-key
-          "sftp.command='ssh -p23 u382036-sub1@u382036-sub1.your-storagebox.de -i /etc/ssh/ssh_host_ed25519_key -s sftp'"
-        ];
-        repository = "sftp://u382036-sub1@u382036-sub1.your-storagebox.de:23/";
-        initialize = true;
-        timerConfig.OnCalendar = "daily";
-        timerConfig.RandomizedDelaySec = "1h";
-      };
+    SISKO_RESTIC_PASSWORD = {
+      file = ../../secrets/sisko-restic-password.age;
+      owner = "root";
    };
  };

-  config.environment.systemPackages = builtins.map (path:
-    pkgs.writeShellApplication {
-      name = "restic-restore-${builtins.replaceStrings ["/"] ["-"] path}";
-      runtimeInputs = with pkgs; [restic];
-      text = ''
-        restic -r ${config.services.restic.backups.hetzner.repository} \
-          ${lib.concatMapStringsSep ''\'' (option: "-o ${option}") config.services.restic.backups.hetzner.extraOptions} \
-          --password-file ${config.services.restic.backups.hetzner.passwordFile} \
-          restore latest \
-          --path "${path}"\
-          --target "$1"
-      '';
-    })
-  config.services.restic.backups.hetzner.paths;
+  services.openssh.knownHosts."${host}".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
+
+  services.restic.backups.sisko = {
+    paths = ["/persist"];
+    passwordFile = config.age.secrets.SISKO_RESTIC_PASSWORD.path;
+    extraOptions = [
+      "sftp.command='${lib.getExe pkgs.sshpass} -f ${config.age.secrets.HETZNER_STORAGE_BOX_SISKO_SSH_PASSWORD.path} ssh -p${port} ${user}@${host} -s sftp'"
+    ];
+    repository = "sftp://${user}@${host}:${port}/";
+    initialize = true;
+    timerConfig.OnCalendar = "daily";
+    timerConfig.RandomizedDelaySec = "1h";
+  };
 }