Add Restic configuration

nixos/amon/configuration.nix

@@ -5,6 +5,7 @@
     [
       ./hardware-configuration.nix
       ../modules/server/docker.nix
+      ../modules/restic.nix
     ];
     
   boot.loader.grub.enable = true;

nixos/kevin-pc/configuration.nix

@@ -15,6 +15,7 @@
       ../modules/gaming/steam.nix
       ../modules/gaming/helpers.nix
       ../modules/barrier.nix
+      ../modules/restic.nix
     ];
 
   boot.loader.systemd-boot.enable = true;

nixos/kevin-tp/configuration.nix

@@ -16,6 +16,7 @@
       ../modules/gaming/steam.nix
       ../modules/gaming/helpers.nix
       ../modules/barrier.nix
+      ../modules/restic.nix
       #../modules/mullvad.nix
     ];
 

nixos/modules/restic.nix

@@ -0,0 +1,58 @@
+{ pkgs, lib, config, ... }: {
+  environment.systemPackages = with pkgs; [
+    restic
+  ];
+
+  users.users.restic = {
+    isNormalUser = true;
+    extraGroups = [ config.users.groups.keys.name ];
+  };
+
+  security.wrappers.restic = {
+    source = "${pkgs.restic.out}/bin/restic";
+    owner = config.users.users.restic.name;
+    group = config.users.users.restic.group;
+    permissions = "u=rwx,g=,o=";
+    capabilities = "cap_dac_read_search=+ep";
+  };
+
+
+  environment.etc = {
+    "restic/backup-exclude.list" = {
+        source = "../../restic/backup-exclude.list";
+    };
+    "restic/backup-iexclude.list" = {
+        source = "../../restic/backup-iexclude.list";
+    };
+    "restic/backup.list" = {
+        source = "../../restic/backup.list";
+    };
+    "restic/backup.sh" = {
+        source = "../../restic/backup.sh";
+    };
+  };
+
+  sops.secrets."restic/password" = {
+    sopsFile = ../shared/secrets/restic.yaml;
+    owner = config.users.users.restic.name;
+    mode = "0400";
+  };
+
+  sops.secrets."restic/repository" = {
+    sopsFile = ../shared/secrets/restic.yaml;
+    owner = config.users.users.restic.name;
+    mode = "0400";
+  };
+
+  sops.secrets."restic/aws_id" = {
+    sopsFile = ../shared/secrets/restic.yaml;
+    owner = config.users.users.restic.name;
+    mode = "0400";
+  };
+
+  sops.secrets."restic/aws_secret" = {
+    sopsFile = ../shared/secrets/restic.yaml;
+    owner = config.users.users.restic.name;
+    mode = "0400";
+  };
+}

nixos/shared/secrets/restic.yaml

@@ -0,0 +1,52 @@
+restic:
+    password: ENC[AES256_GCM,data:RuvqX5tcbd9MS0Q5lEh5B2Q2MDOdrDfjfnFFnUivig==,iv:i6vINaClC3fWOIRKu4KhOQ4tx6iBeNMkaUqrka80hGI=,tag:7TIObzHeLGz75VUETbc9eQ==,type:str]
+    repository: ENC[AES256_GCM,data:PQ8fBWEwbWn5H6oIeXVSe4SwU49/V8Dosa8O5ps5oVVeujkd2aLxdCQTU5CiIZO1,iv:ggmKLGueXIU0pCC2b63CS+qgUH0/170WEVLeJABpNF0=,tag:931MhmxAKlULilDI9bsiOQ==,type:str]
+    aws_id: ENC[AES256_GCM,data:Ar12kzmfeGZVBXHOraSy9U4vBICGFYbEYw==,iv:6Ygk7QOuf5RE9XOJWhmOnuMb5bSO9zhLeHEEGS+4aKk=,tag:x0FYeSEVl/BlIOleWPhCjw==,type:str]
+    aws_secret: ENC[AES256_GCM,data:3wvOQicZjIA9R1VYbnRLerTvt6hXXDmxuxCB+SA5Vw==,iv:I1vTUfwHmFhz7XotmG9qYshLP7ijiBQatJxvI4smJ2s=,tag:qFcEtKmXWeFnd1/RG7uWfQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1tyq4g2hfuy7ffl8lycl3yj6saxyk56z4xlmtz7krlq7djx6l7f9snd56q6
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSjVNNWM3ejdzV1ZqenE5
+            bW9vdEQvMHpXblRFbzF2a0ZUWWI1S1VIQmtnCjNHcVl3cXloamFmZWtJcGRzMW9E
+            cEg0WE41TGdHV28xQzB2MG4wN0lraVEKLS0tIDJRKzJBVUlPZUhYc1p6NUFaK09F
+            RHdtNzVVT2xpSUV4WWYxc2YvdDY1QWsKN0rcBiAKtJfQgizDW42XePPp1Jr5Y1/h
+            WaXYOSeE0IT0vfTUKAaB0ot2LMJjq+2tp9UAhUh6n6PqergfGZG1Kg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age17963wrexn2ahn0j39sg6h00wc7q7p4spt64yexg5tzk48x7vyv4sz47c0s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByMTZoKzQ3VWZER1B5S3FR
+            bUc2eXRYaDFxSU5PL0R2RDVyZDV0VVBVT0JVCmVOZlo2OUE1UnBUWjk0TlV6dlVu
+            d2J0dWxUYnB2eDVPbWxaemcxVVF1MTQKLS0tIDNTWjhIWHFJd1ZuaUpxTWVxd1lw
+            UVRjdDc4VVRpaE9ZbzBhSEhoMXRmSmMKmebeDZH2faA/qc3PtU3kLZuGiGHNQR1r
+            K2q1J1z0xWM93YzRq6+tyKqUJC1Ssk1X3I3DTx6XxHA4fhrgt0MXpw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age18zsr2dzd23g4x4dsqw5jzn64x7tsezqs72vj2d4hg7r9kxqxuyts69a7zj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhemxpZklGZy80MW5yZnJv
+            MmFoc2hYY2Fjek1YcmJ3NEprcW5nVVFVMG0wCmp6NlhLcTFiZ1ppT3cxSnZLVG9K
+            N0prcVRMRG5WWHJMSUJkSE9oYU9weE0KLS0tIGluVFdLMWNrdlJway82MUd0RU81
+            eVh5b0dJRFAvNDgreDFJazUvVXN3cGcKoyX7pVZH72SUXGrubs0Xf+SkKGo5XoiD
+            6SY01U/araI6OMU5ih9vRgpP/SXB8Kwxuj2gkcLMrArANc610hxoDQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1jxzgv6z7emkv2rqztuuzzeq3qjq9jluu6vg0vljcltyvxps5lv3smltd2t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDR0JZdHlNaXRkRlZndXU1
+            Q2R4U2RRUjk1T3lwUmprQ0FOMjRsSUVkZ0JnClExeGpjVytWV3hPQkhWU1lWQWJ2
+            OVBtajQzN0VFMVVJblJmMG92VlJPa28KLS0tIEs5ZW16Z29JODRXdElUOXVqM0gz
+            K0JMMEowTG1FVTVPSm14KzRsRHlKVkkKCTjPapX/wHp7GPQszyMXBVAv8K1ptdTx
+            iNSBYBzPREr9LzEx9AEAxTvq97RpjngK9mMBVmqPsInELo+WEVHHzg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-05-25T13:00:05Z"
+    mac: ENC[AES256_GCM,data:s3aKKATWor0Hl2YDiLfRwkSBWorKU8byC933m0lGhUzBZzCrbBm7+hHKPK5/wBZsf3pTgP5UXsHGEiASff1xbF6zkePi8axriigP6owiRHfVxzhhLuuF0eLeYKSX8M5llsBod5SH765MhusdGvv9HBiWGnPZCKiOgUaxbhiD6GM=,iv:wdv6LWLawEKVl/k9kQ70mrH1aBhsDO+ElqS7YObEk7Y=,tag:S3DaoLfLNneen6LQP35B0Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

restic/backup-iexclude.list

@@ -0,0 +1,65 @@
+# Caches
+.cache
+cache2
+cache
+cached
+cachestorage
+cacheddata
+ledger-db
+.compose-cache
+
+# Logs
+logs
+log
+*.log
+
+# Package Managers
+.npm/_cacache
+node_modules
+bower_components
+vendor
+.conan
+.local/lib/python*
+
+# Remakeables
+built
+build
+rendered
+
+# Downloads
+download
+downloads
+
+# Virtual Folders
+resticMnt
+bupmnt
+
+# Apps
+/home/*/go
+/home/linuxbrew
+.itch
+.steam
+.local/share/Steam
+.config/itch/apps
+.jdks
+.minecraft/versions
+.minecraft/assets
+.minecraft/launcher
+.minecraft/libraries
+.minecraft/runtime
+.minecraft/mods
+
+# Unimportant configs
+.config/discord
+.config/Element
+
+# Backed up elsewhere
+.config/code
+/home/*/Nextcloud
+/home/kevin/Sync
+/home/kevin/Syncbox
+/home/kevin/tmp
+/home/kevin/tmp*
+
+# ???
+.m2

restic/backup.list

@@ -0,0 +1,21 @@
+# Personal Files
+/home
+/root
+
+# Essential System Files
+/var/lib/nixos
+/etc/ssh/ssh_host_ed25519_key
+/etc/ssh/ssh_host_ed25519_key.pub
+/etc/ssh/ssh_host_rsa_key
+/etc/ssh/ssh_host_rsa_key.pub
+/etc/machine-id
+
+# Services
+/srv
+/var/backup
+
+# Configurations
+/var/lib/bluetooth
+/var/lib/NetworkManager
+/var/lib/colord
+/var/lib/cups

restic/backup.sh

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# We expect our files to be mounted here
+pushd /etc/restic
+
+export RESTIC_REPOSITORY_FILE=/var/run/secrets/restic/repository
+export RESTIC_PASSWORD_FILE=/var/run/secrets/restic/password
+export AWS_ACCESS_KEY_ID="$(cat /var/run/secrets/restic/aws_id)"
+export AWS_SECRET_ACCESS_KEY="$(cat /var/run/secrets/restic/aws_secret)"
+
+restic backup --iexclude-file ./backup-iexclude.list --exclude-file ./backup-exclude.list --files-from ./backup.list --exclude-if-present ".nobackup" --exclude-if-present ".git" --exclude-if-present ".nextcloudsync.log" --exclude-if-present ".owncloudsync.log" --tag nixos
+restic forget --prune --keep-last 10 --keep-daily 14 --keep-weekly 10 --keep-monthly 24 --keep-yearly 100
+
+popd