backup.nix
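# NixOS module: declares `my-nixos.backup.<target>` and, for every enabled
# target, pins the target's SSH host key and registers a
# `services.restic.backups` entry that pushes to `sftp:backup@<target>:repository`.
{ config, lib, ... }:
let
  inherit (lib)
    filterAttrs
    mapAttrs
    mkIf
    mkEnableOption
    mkOption
    types
    ;

  cfg = config.my-nixos.backup;

  # Only targets with `enable = true` produce any configuration.
  # The attribute name is also used as the SSH host name of the target
  # (see `repository`, `extraOptions` and `knownHosts` below).
  eachTarget = filterAttrs (_name: target: target.enable) cfg;

  targetOpts = {
    options = with types; {
      enable = mkEnableOption ''this backup target'';

      paths = mkOption {
        description = ''Paths to backup.'';
        # Strings, not path literals: the option type is `listOf str`, which
        # rejects bare path literals, and quoting also keeps these files from
        # ever being coerced (and copied) into the world-readable Nix store.
        example = [
          "/home/alex/.bash_history"
          "/home/alex/.local/share/qutebrowser/history.sqlite"
        ];
        type = listOf str;
        default = [ ];
      };

      exclude = mkOption {
        description = ''Paths to exclude from backup.'';
        example = [ "/home/alex/.cache" ];
        type = listOf str;
        default = [ ];
      };

      pruneOpts = mkOption {
        description = ''
          A list of options (--keep-\* et al.) for 'restic forget
          --prune', to automatically prune old snapshots. The
          'forget' command is run *after* the 'backup' command, so
          keep that in mind when constructing the --keep-\* options.
        '';
        type = listOf str;
        default = [
          "--keep-daily 7"
          "--keep-weekly 5"
          "--keep-monthly 12"
          "--keep-yearly 75"
        ];
      };

      timerConfig = mkOption {
        description = ''
          When to run the backup. See {manpage}`systemd.timer(5)` for
          details. If null no timer is created and the backup will only
          run when explicitly started.
        '';
        type = anything;
        default = {
          OnCalendar = "01:00";
          Persistent = true;
        };
      };

      privateKeyFile = mkOption {
        description = ''
          Location of the private key file used to connect with target.
          Match with a public key in `my-nixos.users.backup.keys`.
        '';
        type = str;
        default = "/home/backup/.ssh/id_ed25519";
      };
    };
  };
in
{
  options.my-nixos.backup = mkOption {
    type = types.attrsOf (types.submodule targetOpts);
    default = { };
    description = ''Definition of backup targets.'';
  };

  config = mkIf (eachTarget != { }) {
    # Restic repository password, decrypted by agenix for the `backup` user.
    # NOTE(review): the secret name suggests this is the backup user's login
    # password reused as the repository password — confirm; if so, leaking
    # either one exposes both.
    age.secrets."linux-passwd-plain-backup" = {
      file = ../secrets/linux-passwd-plain-backup.age;
      owner = "backup";
      group = "backup";
    };

    # Pin each target's SSH host key so the sftp transport cannot be
    # redirected to an impersonating host. The key file is named after
    # the target attribute name.
    services.openssh.knownHosts = mapAttrs (target: _: {
      publicKeyFile = ../keys/ssh-host-${target}.pub;
    }) eachTarget;

    services.restic.backups = mapAttrs (target: targetCfg: {
      inherit (targetCfg)
        paths
        exclude
        pruneOpts
        timerConfig
        ;
      repository = "sftp:backup@${target}:repository";
      initialize = true;
      # Runs as root (presumably so paths under any user's home are readable);
      # root reads both the password file and the `backup` user's SSH key.
      user = "root";
      passwordFile = config.age.secrets."linux-passwd-plain-backup".path;
      # NOTE(review): privateKeyFile is interpolated unquoted into the ssh
      # command line; a value containing spaces or quotes would break it.
      extraOptions = [ "sftp.command='ssh backup@${target} -i ${targetCfg.privateKeyFile} -s sftp'" ];
    }) eachTarget;
  };
}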