revisit nix managed backups

Author: debugloop

hosts/common/impermanence.nix

@@ -22,7 +22,6 @@
       "/var/lib/bluetooth" # blueman connections
       "/var/lib/nixos" # uid and gid mappings
       "/var/log" # logs
-      "/var/lib/rancher/k3s" # k3s cluster
       "/var/lib/docker" # docker rootful
     ];
     files = [

hosts/hyperion/default.nix

@@ -8,6 +8,7 @@
     ../services/matrix.nix
     ../services/miniflux.nix
     ../services/prometheus.nix
+    ../services/restic-rest.nix
     inputs.wunschkonzert-install.include
   ];
 }

hosts/services/prometheus.nix

@@ -75,6 +75,19 @@
           }
         ];
       }
+      {
+        job_name = "restic-server";
+        static_configs = [
+          {
+            targets = [
+              "localhost:8000"
+            ];
+            labels = {
+              host = "${hostname}";
+            };
+          }
+        ];
+      }
     ];
   };
 

hosts/services/restic-rest.nix

@@ -0,0 +1,18 @@
+{...}: {
+  services.restic.server = {
+    enable = true;
+    prometheus = true;
+    htpasswd-file = "/var/lib/restic/htpasswd";
+    extraFlags = [
+      "--no-auth"
+    ];
+  };
+
+  # no firewall rule means only accessible on trusted interfaces, i.e. lo and tailscale
+
+  environment.persistence."/nix/persist" = {
+    directories = [
+      "/var/lib/restic"
+    ];
+  };
+}

hosts/simmons/backup.nix

@@ -3,17 +3,18 @@
   pkgs,
   ...
 }: {
-  environment.systemPackages = with pkgs; [
-    restic
-  ];
+  age.secrets.restic_password = {
+    file = ../../secrets/restic_password.age;
+    owner = "danieln";
+  };
 
   services.restic.backups.daily = {
     initialize = true;
-    rcloneConfigFile = config.age.secrets.restic_rclone_config.path;
     passwordFile = config.age.secrets.restic_password.path;
     paths = ["/nix/persist"];
     exclude = [
       "var/log"
+      "home/danieln/go" # golang cache
       "home/danieln/scratch" # random repos
       "home/danieln/downloads" # random crap
       "home/danieln/.local/share/Steam" # steam and its games
@@ -23,8 +24,13 @@
       "home/danieln/.config/Slack" # slack syncs itself
       "home/danieln/.mozilla" # nothing that firefox sync won't cover
       "home/danieln/.config/TeamSpeak" # nothing of value
+      "home/danieln/code/*/.cache" # direnv caches etc
+      # huge repo that I don't care about
+      "home/danieln/code/qmk"
+      "home/danieln/code/qmk_firmware"
+      "home/danieln/code/Garmin"
     ];
-    repository = "rclone:b2:danieln-backups/simmons";
+    repository = "rest:http://hyperion.squirrel-emperor.ts.net:8000/${config.networking.hostName}";
     timerConfig = {
       OnCalendar = "daily";
       Persistent = true;
@@ -35,9 +41,4 @@
       "--keep-yearly 10"
     ];
   };
-
-  systemd.services.restic-backups-daily = {
-    wants = ["network.target"];
-    after = ["network.target"];
-  };
 }

hosts/simmons/default.nix

@@ -1,6 +1,6 @@
 {...}: {
   imports = [
-    #./backup.nix
+    ./backup.nix
     ./boot.nix
     ./steam.nix
   ];

secrets/restic_rclone_config.age

@@ -5,7 +5,6 @@ let
   all = [simmons hyperion lusus];
 in {
   "password.age".publicKeys = all;
-  "restic_rclone_config.age".publicKeys = all;
   "restic_password.age".publicKeys = all;
   "tailscale.age".publicKeys = all;
   "grafana.age".publicKeys = all;