calcite: add restic

2023-12-01 22:22:43 +08:00 · 2023-12-01 22:22:43 +08:00 · 9bec6270ef
commit 9bec6270ef
parent 28bb623cc1
5 changed files with 97 additions and 6 deletions
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@ -7,6 +7,7 @@
      ./hardware-configuration.nix
      ./network.nix
      ../sops.nix
+      ../restic.nix
    ];

  # Bootloader.
@ -174,9 +175,9 @@
    android-studio

    # Gnome tweaks
-    gnomeExtensions.dash-to-dock
-    gnomeExtensions.tray-icons-reloaded
    gnomeExtensions.paperwm
+    gnomeExtensions.search-light
+    gnomeExtensions.tray-icons-reloaded
    gnome.gnome-tweaks
    gthumb

@ -235,11 +236,20 @@
  nix.extraOptions = ''
    !include "${config.sops.secrets.github_public_token.path}"
  '';
-  sops = {
-    secrets.github_public_token = {
+
+  sops.secrets = {
+    restic_repo_calcite_password = {
      owner = "xin";
+      sopsFile = ./secrets.yaml;
+    };
+    restic_repo_calcite = {
+      owner = "xin";
+      sopsFile = ./secrets.yaml;
    };
  };
+  custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
+  custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
+

  # MTP support
  services.gvfs.enable = true;
--- a/machines/calcite/secrets.yaml
+++ b/machines/calcite/secrets.yaml
@ -0,0 +1,31 @@
+restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
+restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMDdkc2RUVlR5aEFtZ01l
+            d3EzaG9RNFd1QTVrNFIrZlJmOXNVWG1jRFJNCnFqL2VrUFljdGdGMW02RnJkNGxm
+            dmhUS0pMOURyWWkyVlp1UDQ5ZG11U2cKLS0tIDBiNnI0Qm5QN04zQ3NpTVMzNGpY
+            eFlOKzdGa0FRZ0R5Um12bUE2T0ZzbHMK62B0QniOnaUKLGrrRV934PqbCbUKtK3u
+            hN+53kRiitkL1gmaGqRbfu4FMns9VPKdoyfECcJ39HyScl9ZEj8mMw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBycTBkMWlWMncybUFraS9R
+            ZWFjOGdDRlFLV2RlZHVFSEhMdExaekJWMFQwCk5hbFJhQ3cvbG9qdERnbFhLTnFs
+            NXQvcndjNHBMdk1XOTYydVlDMzk0Y0UKLS0tIGpLM20zTnREdllxRlc1SnJEVFBZ
+            WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
+            FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-30T16:43:19Z"
+    mac: ENC[AES256_GCM,data:U3TilLQvxM01gwIkBM4vT53JRBiE4VBOC0T6dxLjZ9btVMEhGp3MNQMRK0I06JP/vm532/oOTh/No/AwdzOpXxlfNY/hxxij03v83cZraSy8eT53uFV2TfU9HELVmmItqV2rJ96jBvCIzZJ+uif1OwIefcU+ii/MC333sW5DL1A=,iv:9pKUp08MPtECxUE3gxud/4220RsJ/d+xOFljntOdxfo=,tag:vvFpZRDoIz4NGll5XxRhAg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/machines/restic.nix
+++ b/machines/restic.nix
@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.custom.restic;
+in
+{
+  options = {
+    custom.restic = {
+      repositoryFile = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+      };
+        passwordFile = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+      };
+    };
+  };
+  config = {
+    services.restic.backups = {
+      remotebackup = {
+        repositoryFile = cfg.repositoryFile;
+        passwordFile = cfg.passwordFile;
+        paths = [
+          "/home"
+          "/var/lib"
+        ];
+        exclude = [
+          "/home/*/.cache"
+          "/home/*/.cargo"
+          "/home/*/.local/share/Steam"
+          "/home/*/.local/share/flatpak"
+        ];
+        timerConfig = {
+          OnCalendar = "00:05";
+          RandomizedDelaySec = "5h";
+        };
+        pruneOpts = [
+          "--keep-daily 7"
+          "--keep-weekly 5"
+          "--keep-monthly 12"
+          "--keep-yearly 75"
+        ];
+      };
+    };
+  };
+}
+
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@ -49,8 +49,8 @@ sops:
            TGJVMUhjTEZ5YjZvM29QaWZ2UnBLcWcKmswAHhND9LlMaAXQYRQCx0BT7QE2Tmnb
            naiZyFNCcwnEjcEvEC0V/D1WnkLKtKqFa2pXZyIVBia4tafbxW4Yig==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-11-25T11:52:08Z"
-    mac: ENC[AES256_GCM,data:Qfz/3UP6ZDOZZupdkass7+Lv2ssgXwMW5mZ3w1mGpmo4Fq+8yQbNnQTLi78+R79bn+ntonexf51WUo0uwfYGtt+9YbbDSYxO7iaFhJ/e3sroo2tVO5gbkKByEMSYx/zkz8SYpg9fwGvjLl/8YurSnuyrI1mppkcu4AY75jeo9Iw=,iv:iPKUHm1Ui9MIhtrddskBX9pMna0y1w5gASbtsOY0LKc=,tag:03M0N7mWD6zSG2tSh7jffQ==,type:str]
+    lastmodified: "2023-11-30T16:23:27Z"
+    mac: ENC[AES256_GCM,data:TMy8toui6/DbFpyc+K7r+DN6Q21W9XKNxZeB44hJ+Sw3i+z46/m+lNJYbFVn/l/g7KykWMCi0UP8bgQtRrf6ARqyZkgXX/2H3FRyC1WXY9IJFXib05TtvXQQCkqscyWjEjkGBR8VREkVGCKEZAKdHqXFve70FrlxiWZgDv6QrIM=,iv:ukv1Mo6bwrTjsLnKzOesZiT1z5k6nvg7F8dk4fUsDUI=,tag:JM/iCdj+broRn1AxD2tQTg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/machines/sops.nix
+++ b/machines/sops.nix
@ -6,6 +6,9 @@
    # TODO: How to generate this key when bootstrap?
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
    secrets = {
+      github_public_token = {
+        owner = "xin";
+      };
      clash_subscription_link = { 
        owner = "root";
      };