ad-nix/nixos/services/restic.nix

{ config, pkgs, userSettings, ... }:
{

  sops.secrets.restic_password = {
    owner = config.users.users.${userSettings.userName}.name;
    mode = "0440";
  };

  environment.systemPackages = with pkgs; [
    restic
    (pkgs.writeShellScriptBin "restic-backup" "sudo systemctl start restic-backups-localBackup.service")
    (pkgs.writeShellScriptBin "restic-backup-check" "sudo journalctl -b -u restic-backups-localBackup.service")
  ];

  environment.variables = {
    RESTIC_REPOSITORY = "/mnt/restic/appdaemon";
    RESTIC_PASSWORD = "${builtins.readFile config.sops.secrets."restic_password".path}";
  };

  services.restic.backups = {
    localBackup = {
      repository = "/mnt/restic/appdaemon";
      passwordFile = config.sops.secrets."restic_password".path;
      initialize = true;
      timerConfig = {
        OnCalendar = "03:00";
        RandomizedDelaySec = "2h";
        Persistent = true;
      };
      paths = [
        "/home"
        "/conf"
        "/etc/nixos"
        "/etc/ssh"  # necessary for SOPS nix to have the same keys
      ];
      exclude = [
        ".cache"
        ".vscode*"
        ".devenv"
        ".venv"
        "build"
        "dist"
        "__pycache__"
        "*.egg-info"
        "namespaces"
      ];
    };
  };
}