1
0
Fork 0
forked from emily/nixfiles
nixfiles-emily/modules/restic/default.nix
2024-11-09 17:40:43 +01:00

65 lines
2 KiB
Nix

{ config, lib, pkgs, ... }: let
cfg = config.kyouma.restic;
in {
options.kyouma.restic = let
inherit (lib) mkOption types;
in {
enable = lib.mkEnableOption "Enable restic backup";
paths = mkOption {
description = "paths to backup";
type = with types; listOf path;
default = [];
};
pruneOpts = mkOption {
description = "paths to backup";
type = with types; listOf str;
default = [
"--keep-hourly 24"
"--keep-daily 14"
"--keep-weekly 8"
"--keep-monthly 12"
];
};
remote = mkOption {
description = "restic remote to use";
type = types.nonEmptyStr;
default = "zh3485.rsync.net";
};
remoteUser = mkOption {
description = "remote ssh user";
type = types.nonEmptyStr;
default = "";
};
user = mkOption {
description = "user who runs the backup job";
type = types.nonEmptyStr;
default = "root";
};
repo = mkOption {
description = "restic repo";
type = types.nonEmptyStr;
default = "${config.networking.hostName}-backup";
};
};
config = lib.mkIf cfg.enable {
sops.secrets."restic/${cfg.remoteUser}/password" = {
sopsFile = ../../secrets/restic/${cfg.remoteUser}.yaml;
};
sops.secrets."restic/${cfg.remoteUser}/id_ed25519" = {
sopsFile = ../../secrets/restic/${cfg.remoteUser}.yaml;
};
services.restic.backups."${config.networking.hostName}-${cfg.remote}" = {
inherit (cfg) paths user pruneOpts;
initialize = true;
repository = "sftp:${cfg.remoteUser}@${cfg.remote}:${cfg.repo}";
passwordFile = config.sops.secrets."restic/${cfg.remoteUser}/password".path;
extraOptions = let
knownHost = pkgs.writeText "${cfg.remote}-known-host" (builtins.readFile ./${cfg.remote}/ssh_host_ed25519_key.pub);
sshKey = config.sops.secrets."restic/${cfg.remoteUser}/id_ed25519".path;
in [
"sftp.command='ssh ${cfg.remoteUser}@${cfg.remote} -i ${sshKey} -o UserKnownHostsFile=${knownHost} -s sftp'"
];
};
};
}