diff --git a/nixos/amon/configuration.nix b/nixos/amon/configuration.nix
index 5eebdba..0090dcf 100644
--- a/nixos/amon/configuration.nix
+++ b/nixos/amon/configuration.nix
@@ -5,6 +5,7 @@
 [
 ./hardware-configuration.nix
 ../modules/server/docker.nix
+ ../modules/restic.nix
 ];
 
 boot.loader.grub.enable = true;
diff --git a/nixos/kevin-pc/configuration.nix b/nixos/kevin-pc/configuration.nix
index 9dc3932..c174605 100644
--- a/nixos/kevin-pc/configuration.nix
+++ b/nixos/kevin-pc/configuration.nix
@@ -15,6 +15,7 @@
 ../modules/gaming/steam.nix
 ../modules/gaming/helpers.nix
 ../modules/barrier.nix
+ ../modules/restic.nix
 ];
 
 boot.loader.systemd-boot.enable = true;
diff --git a/nixos/kevin-tp/configuration.nix b/nixos/kevin-tp/configuration.nix
index 125e5fa..9a83f7e 100644
--- a/nixos/kevin-tp/configuration.nix
+++ b/nixos/kevin-tp/configuration.nix
@@ -16,6 +16,7 @@
 ../modules/gaming/steam.nix
 ../modules/gaming/helpers.nix
 ../modules/barrier.nix
+ ../modules/restic.nix
 #../modules/mullvad.nix
 ];
 
diff --git a/nixos/modules/restic.nix b/nixos/modules/restic.nix
new file mode 100644
index 0000000..69250a5
--- /dev/null
+++ b/nixos/modules/restic.nix
@@ -0,0 +1,58 @@
+{ pkgs, lib, config, ... }: {
+ environment.systemPackages = with pkgs; [
+ restic
+ ];
+
+ users.users.restic = {
+ isNormalUser = true;
+ extraGroups = [ config.users.groups.keys.name ];
+ };
+
+ security.wrappers.restic = {
+ source = "${pkgs.restic.out}/bin/restic";
+ owner = config.users.users.restic.name;
+ group = config.users.users.restic.group;
+ permissions = "u=rwx,g=,o=";
+ capabilities = "cap_dac_read_search=+ep";
+ };
+
+
+ environment.etc = {
+ "restic/backup-exclude.list" = {
+ source = "../../restic/backup-exclude.list";
+ };
+ "restic/backup-iexclude.list" = {
+ source = "../../restic/backup-iexclude.list";
+ };
+ "restic/backup.list" = {
+ source = "../../restic/backup.list";
+ };
+ "restic/backup.sh" = {
+ source = "../../restic/backup.sh";
+ };
+ };
+
+ sops.secrets."restic/password" = {
+ sopsFile = ../shared/secrets/restic.yaml;
+ owner = config.users.users.restic.name;
+ mode = "0400";
+ };
+
+ sops.secrets."restic/repository" = {
+ sopsFile = ../shared/secrets/restic.yaml;
+ owner = config.users.users.restic.name;
+ mode = "0400";
+ };
+
+ sops.secrets."restic/aws_id" = {
+ sopsFile = ../shared/secrets/restic.yaml;
+ owner = config.users.users.restic.name;
+ mode = "0400";
+ };
+
+ sops.secrets."restic/aws_secret" = {
+ sopsFile = ../shared/secrets/restic.yaml;
+ owner = config.users.users.restic.name;
+ mode = "0400";
+ };
+}
\ No newline at end of file
diff --git a/nixos/shared/secrets/restic.yaml b/nixos/shared/secrets/restic.yaml
new file mode 100644
index 0000000..4b660d9
--- /dev/null
+++ b/nixos/shared/secrets/restic.yaml
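Review bot: The four `environment.etc.*.source` values are quoted strings (`"../../restic/backup.sh"` and the three list files), whereas `sopsFile = ../shared/secrets/restic.yaml;` in the same hunk uses an unquoted path literal; a quoted relative string is neither resolved against the module file nor copied into the store, so the `/etc/restic` entries will most likely fail the option's `path` type check or end up as dangling symlinks. Use path literals for all four, e.g. `source = ../../restic/backup.sh;`. The `cap_dac_read_search` wrapper is well scoped (`u=rwx,g=,o=` on a restic-owned wrapper), but `isNormalUser = true` creates a login-capable account with a home directory for what is a service user; `isSystemUser = true` with an explicit `group` is the usual choice, unless the home directory is intentionally kept for restic's cache. Nothing in this hunk defines a service or timer, so `backup.sh` presumably has to be started by hand as the `restic` user; a comment stating that, e.g. `# no timer is defined here: run /etc/restic/backup.sh manually as the restic user`, would help the next reader.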
@@ -0,0 +1,52 @@ +restic: + password: ENC[AES256_GCM,data:RuvqX5tcbd9MS0Q5lEh5B2Q2MDOdrDfjfnFFnUivig==,iv:i6vINaClC3fWOIRKu4KhOQ4tx6iBeNMkaUqrka80hGI=,tag:7TIObzHeLGz75VUETbc9eQ==,type:str] + repository: ENC[AES256_GCM,data:PQ8fBWEwbWn5H6oIeXVSe4SwU49/V8Dosa8O5ps5oVVeujkd2aLxdCQTU5CiIZO1,iv:ggmKLGueXIU0pCC2b63CS+qgUH0/170WEVLeJABpNF0=,tag:931MhmxAKlULilDI9bsiOQ==,type:str] + aws_id: ENC[AES256_GCM,data:Ar12kzmfeGZVBXHOraSy9U4vBICGFYbEYw==,iv:6Ygk7QOuf5RE9XOJWhmOnuMb5bSO9zhLeHEEGS+4aKk=,tag:x0FYeSEVl/BlIOleWPhCjw==,type:str] + aws_secret: ENC[AES256_GCM,data:3wvOQicZjIA9R1VYbnRLerTvt6hXXDmxuxCB+SA5Vw==,iv:I1vTUfwHmFhz7XotmG9qYshLP7ijiBQatJxvI4smJ2s=,tag:qFcEtKmXWeFnd1/RG7uWfQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSjVNNWM3ejdzV1ZqenE5 + bW9vdEQvMHpXblRFbzF2a0ZUWWI1S1VIQmtnCjNHcVl3cXloamFmZWtJcGRzMW9E + cEg0WE41TGdHV28xQzB2MG4wN0lraVEKLS0tIDJRKzJBVUlPZUhYc1p6NUFaK09F + RHdtNzVVT2xpSUV4WWYxc2YvdDY1QWsKN0rcBiAKtJfQgizDW42XePPp1Jr5Y1/h + WaXYOSeE0IT0vfTUKAaB0ot2LMJjq+2tp9UAhUh6n6PqergfGZG1Kg== + -----END AGE ENCRYPTED FILE----- + - recipient: age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMTZoKzQ3VWZER1B5S3FR + bUc2eXRYaDFxSU5PL0R2RDVyZDV0VVBVT0JVCmVOZlo2OUE1UnBUWjk0TlV6dlVu + d2J0dWxUYnB2eDVPbWxaemcxVVF1MTQKLS0tIDNTWjhIWHFJd1ZuaUpxTWVxd1lw + UVRjdDc4VVRpaE9ZbzBhSEhoMXRmSmMKmebeDZH2faA/qc3PtU3kLZuGiGHNQR1r + K2q1J1z0xWM93YzRq6+tyKqUJC1Ssk1X3I3DTx6XxHA4fhrgt0MXpw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18zsr2dzd23g4x4dsqw5jzn64x7tsezqs72vj2d4hg7r9kxqxuyts69a7zj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhemxpZklGZy80MW5yZnJv + MmFoc2hYY2Fjek1YcmJ3NEprcW5nVVFVMG0wCmp6NlhLcTFiZ1ppT3cxSnZLVG9K + 
N0prcVRMRG5WWHJMSUJkSE9oYU9weE0KLS0tIGluVFdLMWNrdlJway82MUd0RU81 + eVh5b0dJRFAvNDgreDFJazUvVXN3cGcKoyX7pVZH72SUXGrubs0Xf+SkKGo5XoiD + 6SY01U/araI6OMU5ih9vRgpP/SXB8Kwxuj2gkcLMrArANc610hxoDQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1jxzgv6z7emkv2rqztuuzzeq3qjq9jluu6vg0vljcltyvxps5lv3smltd2t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0JZdHlNaXRkRlZndXU1 + Q2R4U2RRUjk1T3lwUmprQ0FOMjRsSUVkZ0JnClExeGpjVytWV3hPQkhWU1lWQWJ2 + OVBtajQzN0VFMVVJblJmMG92VlJPa28KLS0tIEs5ZW16Z29JODRXdElUOXVqM0gz + K0JMMEowTG1FVTVPSm14KzRsRHlKVkkKCTjPapX/wHp7GPQszyMXBVAv8K1ptdTx + iNSBYBzPREr9LzEx9AEAxTvq97RpjngK9mMBVmqPsInELo+WEVHHzg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-25T13:00:05Z" + mac: ENC[AES256_GCM,data:s3aKKATWor0Hl2YDiLfRwkSBWorKU8byC933m0lGhUzBZzCrbBm7+hHKPK5/wBZsf3pTgP5UXsHGEiASff1xbF6zkePi8axriigP6owiRHfVxzhhLuuF0eLeYKSX8M5llsBod5SH765MhusdGvv9HBiWGnPZCKiOgUaxbhiD6GM=,iv:wdv6LWLawEKVl/k9kQ70mrH1aBhsDO+ElqS7YObEk7Y=,tag:S3DaoLfLNneen6LQP35B0Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/restic/backup-exclude.list b/restic/backup-exclude.list new file mode 100644 index 0000000..e69de29 diff --git a/restic/backup-iexclude.list b/restic/backup-iexclude.list new file mode 100644 index 0000000..2392b05 --- /dev/null +++ b/restic/backup-iexclude.list 
@@ -0,0 +1,65 @@
+# Caches
+.cache
+cache2
+cache
+cached
+cachestorage
+cacheddata
+ledger-db
+.compose-cache
+
+# Logs
+logs
+log
+*.log
+
+# Package Managers
+.npm/_cacache
+node_modules
+bower_components
+vendor
+.conan
+.local/lib/python*
+
+# Remakeables
+built
+build
+rendered
+
+# Downloads
+download
+downloads
+
+# Virtual Folders
+resticMnt
+bupmnt
+
+# Apps
+/home/*/go
+/home/linuxbrew
+.itch
+.steam
+.local/share/Steam
+.config/itch/apps
+.jdks
+.minecraft/versions
+.minecraft/assets
+.minecraft/launcher
+.minecraft/libraries
+.minecraft/runtime
+.minecraft/mods
+
+# Unimportant configs
+.config/discord
+.config/Element
+
+# Backed up elsewhere
+.config/code
+/home/*/Nextcloud
+/home/kevin/Sync
+/home/kevin/Syncbox
+/home/kevin/tmp
+/home/kevin/tmp*
+
+# ???
+.m2
diff --git a/restic/backup.list b/restic/backup.list
new file mode 100644
index 0000000..5275446
--- /dev/null
+++ b/restic/backup.list
@@ -0,0 +1,21 @@
+# Personal Files
+/home
+/root
+
+# Essential System Files
+/var/lib/nixos
+/etc/ssh/ssh_host_ed25519_key
+/etc/ssh/ssh_host_ed25519_key.pub
+/etc/ssh/ssh_host_rsa_key
+/etc/ssh/ssh_host_rsa_key.pub
+/etc/machine-id
+
+# Services
+/srv
+/var/backup
+
+# Configurations
+/var/lib/bluetooth
+/var/lib/NetworkManager
+/var/lib/colord
+/var/lib/cups
\ No newline at end of file
diff --git a/restic/backup.sh b/restic/backup.sh
new file mode 100644
index 0000000..37605e9
--- /dev/null
+++ b/restic/backup.sh
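Review bot: The unanchored single-word patterns (`cache`, `log`, `logs`, `build`, `vendor`, `download`) match a path component of that name at any depth, and because the file is passed via `--iexclude-file` in backup.sh the match is case-insensitive, so a project directory such as a source tree's `build` or `log` folder, or a user's `Download` directory, is silently left out of the snapshot. Document that at the top of the file, e.g. `# NOTE: bare names match any path component at any depth, case-insensitively`, or anchor the entries that are meant to be home-relative with a leading `/home/*/` as the `# Apps` section already does.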
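Review bot: The list puts the hosts' private SSH keys (`/etc/ssh/ssh_host_ed25519_key`, `/etc/ssh/ssh_host_rsa_key`) and `/root` into the repository; the `cap_dac_read_search` wrapper in restic.nix is what makes them readable to the `restic` user, so from now on the repository password and the AWS credentials in `restic.yaml` also protect each host's identity. Since amon, kevin-pc and kevin-tp all import the same secrets file, each host can restore the others' host keys as well; that may be intended, but it deserves a comment here, e.g. `# Private host keys: recoverable by anyone holding the shared repo password + AWS credentials`. Entries that presumably exist only on some hosts (`/srv`, `/var/backup`, `/var/lib/cups`) will make restic report missing source paths on the others, which is also worth a comment if it is expected.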
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# We expect our files to be mounted here
+pushd /etc/restic
+
+export RESTIC_REPOSITORY_FILE=/var/run/secrets/restic/repository
+export RESTIC_PASSWORD_FILE=/var/run/secrets/restic/password
+export AWS_ACCESS_KEY_ID="$(cat /var/run/secrets/restic/aws_id)"
+export AWS_SECRET_ACCESS_KEY="$(cat /var/run/secrets/restic/aws_secret)"
+
+restic backup --iexclude-file ./backup-iexclude.list --exclude-file ./backup-exclude.list --files-from ./backup.list --exclude-if-present ".nobackup" --exclude-if-present ".git" --exclude-if-present ".nextcloudsync.log" --exclude-if-present ".owncloudsync.log" --tag nixos
+restic forget --prune --keep-last 10 --keep-daily 14 --keep-weekly 10 --keep-monthly 24 --keep-yearly 100
+
+popd
\ No newline at end of file
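Review bot: The script has no `set -euo pipefail`, so if `pushd /etc/restic` fails or `restic backup` exits non-zero, `restic forget --prune` on the next line still runs and the script's exit status is that of `popd`, which means a failed backup is invisible to whatever invokes it. Add `set -euo pipefail` after the shebang and change the directory change to `pushd /etc/restic >/dev/null` so a failure stops the script before the prune and the directory stack is not echoed. Restic also returns non-zero when some source files could not be read while still writing an incomplete snapshot, which under `set -e` would skip the prune on that run; decide whether that is the wanted behaviour and leave a comment either way. Reading the AWS credentials with `$(cat ...)` into exported variables is acceptable given the secrets are mode `0400` for the `restic` user, though `$(< /var/run/secrets/restic/aws_id)` avoids the subshell.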