calcite: add restic

xinyangli 2023-12-01 22:22:43 +08:00
parent 28bb623cc1
commit 9bec6270ef
5 changed files with 97 additions and 6 deletions


@ -7,6 +7,7 @@
./hardware-configuration.nix ./hardware-configuration.nix
./network.nix ./network.nix
../sops.nix ../sops.nix
../restic.nix
]; ];
# Bootloader. # Bootloader.
@ -174,9 +175,9 @@
android-studio android-studio
# Gnome tweaks # Gnome tweaks
gnomeExtensions.dash-to-dock
gnomeExtensions.tray-icons-reloaded
gnomeExtensions.paperwm gnomeExtensions.paperwm
gnomeExtensions.search-light
gnomeExtensions.tray-icons-reloaded
gnome.gnome-tweaks gnome.gnome-tweaks
gthumb gthumb
@ -235,11 +236,20 @@
nix.extraOptions = '' nix.extraOptions = ''
!include "${config.sops.secrets.github_public_token.path}" !include "${config.sops.secrets.github_public_token.path}"
''; '';
sops = {
secrets.github_public_token = { sops.secrets = {
restic_repo_calcite_password = {
owner = "xin"; owner = "xin";
sopsFile = ./secrets.yaml;
};
restic_repo_calcite = {
owner = "xin";
sopsFile = ./secrets.yaml;
}; };
}; };
custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
# MTP support # MTP support
services.gvfs.enable = true; services.gvfs.enable = true;
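Review bot: In the third hunk both restic secrets are declared with `owner = "xin";`, which makes the repository password and the repository location file readable by every process running as the desktop user. The NixOS restic backup unit runs as root unless `user` is set, and machines/restic.nix in this commit does not set it, so the job itself should not need that ownership; dropping the two `owner = "xin";` lines would leave the decrypted files root-only. If manual `restic` runs as xin are intended, a comment such as `# readable by xin for manual restores` would document the trade-off. The enclosing attribute set starts and ends outside the hunks shown.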


@ -0,0 +1,31 @@
restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMDdkc2RUVlR5aEFtZ01l
d3EzaG9RNFd1QTVrNFIrZlJmOXNVWG1jRFJNCnFqL2VrUFljdGdGMW02RnJkNGxm
dmhUS0pMOURyWWkyVlp1UDQ5ZG11U2cKLS0tIDBiNnI0Qm5QN04zQ3NpTVMzNGpY
eFlOKzdGa0FRZ0R5Um12bUE2T0ZzbHMK62B0QniOnaUKLGrrRV934PqbCbUKtK3u
hN+53kRiitkL1gmaGqRbfu4FMns9VPKdoyfECcJ39HyScl9ZEj8mMw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycTBkMWlWMncybUFraS9R
ZWFjOGdDRlFLV2RlZHVFSEhMdExaekJWMFQwCk5hbFJhQ3cvbG9qdERnbFhLTnFs
NXQvcndjNHBMdk1XOTYydVlDMzk0Y0UKLS0tIGpLM20zTnREdllxRlc1SnJEVFBZ
WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-30T16:43:19Z"
mac: ENC[AES256_GCM,data:U3TilLQvxM01gwIkBM4vT53JRBiE4VBOC0T6dxLjZ9btVMEhGp3MNQMRK0I06JP/vm532/oOTh/No/AwdzOpXxlfNY/hxxij03v83cZraSy8eT53uFV2TfU9HELVmmItqV2rJ96jBvCIzZJ+uif1OwIefcU+ii/MC333sW5DL1A=,iv:9pKUp08MPtECxUE3gxud/4220RsJ/d+xOFljntOdxfo=,tag:vvFpZRDoIz4NGll5XxRhAg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

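--- a/machines/restic.nix
+++ b/machines/restic.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+let
+cfg = config.custom.restic;
+in
+{
+options = {
+custom.restic = {
+repositoryFile = lib.mkOption {
+type = lib.types.str;
+default = "";
+};
+passwordFile = lib.mkOption {
+type = lib.types.str;
+default = "";
+};
+};
+};
+config = {
+services.restic.backups = {
+remotebackup = {
+repositoryFile = cfg.repositoryFile;
+passwordFile = cfg.passwordFile;
+paths = [
+"/home"
+"/var/lib"
+];
+exclude = [
+"/home/*/.cache"
+"/home/*/.cargo"
+"/home/*/.local/share/Steam"
+"/home/*/.local/share/flatpak"
+];
+timerConfig = {
+OnCalendar = "00:05";
+RandomizedDelaySec = "5h";
+};
+pruneOpts = [
+"--keep-daily 7"
+"--keep-weekly 5"
+"--keep-monthly 12"
+"--keep-yearly 75"
+];
+};
+};
+};
+}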
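Review bot: Both options default to `""` and the `config` block is unconditional, so a host that imports this module without setting `custom.restic.*` still gets a `remotebackup` job configured with empty paths; whether that is caught at evaluation or only when the unit runs depends on the upstream option types. Removing the two `default = "";` lines makes a missing definition an evaluation error that names `custom.restic`, and `lib.types.path` would describe these values more precisely than `lib.types.str`. Separately, setting `pruneOpts` means the credentials stored on this host are able to delete snapshots, so a compromise of the machine could also remove backup history; where the backend supports it, an append-only repository with pruning done from a separate trusted host is the usual mitigation. `pkgs` is unused in the argument set.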


@ -49,8 +49,8 @@ sops:
TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb
naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig== naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-25T11:52:08Z" lastmodified: "2023-11-30T16:23:27Z"
mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str] mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1


@ -6,6 +6,9 @@
# TODO: How to generate this key when bootstrap? # TODO: How to generate this key when bootstrap?
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
secrets = { secrets = {
github_public_token = {
owner = "xin";
};
clash_subscription_link = { clash_subscription_link = {
owner = "root"; owner = "root";
}; };
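Review bot: The added `github_public_token` entry hard-codes `owner = "xin";` in what appears to be a secrets module shared between machines (the host configuration imports it as `../sops.nix`), so every host that imports it would need a user `xin`; on a host without that user, secret installation will presumably fail at activation. If only some hosts have that account, keeping the owner override in the host configuration, as it was before this commit, avoids the coupling. The `secrets` attribute set starts above the hunk and continues below it.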