changing to real restic service

2026-03-15 23:08:24 -05:00
parent 621dda40eb
commit 3f743280ee
4 changed files with 150 additions and 20 deletions
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -22,6 +22,7 @@ in
      desktop
      step-ssh-user
      mtls
+      restic
    ];
    targets.genericLinux.enable = true;

@@ -33,7 +34,7 @@ in
    home.packages = with pkgs; [
      nixos-rebuild
      (writeShellScriptBin "test-push" ''
-        nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget}
+        nixos-rebuild switch --flake ${flakeDir}#soteria --target-host root@${testTarget}
      '')
    ];

@@ -76,26 +77,35 @@ in
      };
    };
    sops.secrets."restic_password/john_ubuntu" = {
-      path = "${config.xdg.configHome}/resticprofile/password.txt";
+      path = "${config.xdg.configHome}/restic/password.txt";
+      mode = "0400";
    };
-    programs.resticprofile = {
-      enable= true;
-      profiles = {
-        default = {
-          "inherit" = "base";
-          repository = "rest:https://soteria.john-stream.com/john-ubuntu";
-          cacert = "${CACert}";
-          tls-client-cert = "${mtlsBundle}";
-          backup = {
-            source = [
-              "${config.xdg.userDirs.documents}"
-              "/conf"
-            ];
-            schedule = "*-*-* *:15,30,45:00";
-          };
-        };
-      };
+    restic = {
+      passwordFile = "${config.xdg.configHome}/restic/password.txt";
+      paths = [
+        "${config.xdg.userDirs.documents}"
+        "/conf"
+      ];
    };
+
+    # programs.resticprofile = {
+    #   enable= true;
+    #   profiles = {
+    #     default = {
+    #       "inherit" = "base";
+    #       repository = "rest:https://soteria.john-stream.com/john-ubuntu";
+    #       cacert = "${CACert}";
+    #       tls-client-cert = "${mtlsBundle}";
+    #       backup = {
+    #         source = [
+    #           "${config.xdg.userDirs.documents}"
+    #           "/conf"
+    #         ];
+    #         schedule = "*-*-* *:15,30,45:00";
+    #       };
+    #     };
+    #   };
+    # };
  };

  flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration {
--- a/modules/hosts/soteria.nix
+++ b/modules/hosts/soteria.nix
@@ -0,0 +1,44 @@
+{ inputs, ... }:
+let
+  username = "john";
+  hostname = "soteria";
+  caURL = "https://janus.john-stream.com/";
+in
+{
+  flake.nixosConfigurations."${hostname}" = inputs.nixpkgs.lib.nixosSystem {
+    modules = with inputs.self.modules; [
+      nixos.lxc
+      nixos.sops
+      nixos.step-ssh-host
+      inputs.home-manager.nixosModules.home-manager
+      nixos."${username}"
+      nixos.zsh
+      nixos.login-text
+      nixos.mtls
+      {
+        networking.hostName = hostname;
+        step-ssh-host = {
+          hostname = hostname;
+          caURL = caURL;
+        };
+        mtls = {
+          enable = true;
+          subject = hostname;
+          caURL = caURL;
+          san = [
+            "${hostname}.john-stream.com"
+            # "192.168.1.244"
+          ];
+        };
+
+        home-manager.users."${username}" = {
+          imports = with inputs.self.modules.homeManager; [
+            sops
+            step-ssh-user
+          ];
+          shell.program = "zsh";
+        };
+      }
+    ];
+  };
+}
--- a/modules/services/restic/base-profile.yaml
+++ b/modules/services/restic/base-profile.yaml
@@ -8,7 +8,7 @@ base:
    keep-hourly: '8'
    keep-daily: '14'
    keep-weekly: '8'
-    keep-monthyl: '6'
+    keep-monthly: '6'
  backup:
    verbose: true
    exclude:
--- a/modules/services/restic/restic.nix
+++ b/modules/services/restic/restic.nix
@@ -0,0 +1,76 @@
+{ ... }:
+let
+  resticFactory = repoName: {
+    repository = "rest:https://soteria.john-stream.com/${repoName}";
+    timerConfig = {
+      OnCalendar = "00:05";
+      Persistent = true;
+      RandomizedDelaySec = "5h";
+    };
+    runCheck = true;
+    pruneOpts = [
+      "--keep-last 10"
+      "--keep-hourly 8"
+      "--keep-daily 14"
+      "--keep-weekly 8"
+      "--keep-monthly 12"
+    ];
+    exclude = [
+      ".cache"
+      ".devenv"
+      ".rustup"
+      ".cargo"
+      ".venv"
+      ".pyenv"
+      ".vscode*"
+      "data/postgres"
+      "build"
+      "__pycache__"
+      "*.log"
+      "*.egg-info"
+      "*.csv"
+      "*.m4a"
+      ".local/share/Steam"
+      ".local/share/Trash"
+      "dist"
+      "/home/*/Pictures"
+      "/home/*/Videos"
+      "/home/*/go"
+      "/home/*/snap"
+      "/home/john/john-nas"
+    ];
+  };
+in {
+  flake.modules.homeManager.restic = { config, pkgs, lib, ... }:
+    let
+      cfg = config.restic;
+    in
+    {
+      options.restic = {
+        repoName = lib.mkOption {
+          description = "Name of the restic repo to use";
+          type = lib.types.str;
+          default = "john-ubuntu";
+        };
+        passwordFile = lib.mkOption {
+          description = "String path to the restic password file";
+          type = lib.types.str;
+        };
+        paths = lib.mkOption {
+          description = "List of string paths to include in the backup";
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
+      };
+
+      config = {
+        services.restic = {
+          enable = true;
+          backups.${cfg.repoName} = (resticFactory cfg.repoName) // {
+            passwordFile = cfg.passwordFile;
+            paths = cfg.paths;
+          };
+        };
+      };
+    };
+}