authorsils <sils@sils.li>2024-01-06 20:55:56 +0100
committersils <sils@sils.li>2024-01-07 23:18:04 +0100
commitbba959118a19dad0a062f837f0dcad76fb497ec2 (patch)
tree9b684fede90ffa00f21b805485e07dbe72b8d33c
parentfeat(system/secrets): rename .tix files to .age (diff)
downloadnixos-server-bba959118a19dad0a062f837f0dcad76fb497ec2.tar.gz
nixos-server-bba959118a19dad0a062f837f0dcad76fb497ec2.zip
feat(system): add restic
-rw-r--r--system/secrets/backup/backuppass.age16
-rw-r--r--system/secrets/backup/backupssh.age22
-rw-r--r--system/secrets/default.nix12
-rw-r--r--system/secrets/secrets.nix2
-rw-r--r--system/services/restic/default.nix25
5 files changed, 77 insertions, 0 deletions
diff --git a/system/secrets/backup/backuppass.age b/system/secrets/backup/backuppass.age
new file mode 100644
index 0000000..1931226
--- /dev/null
+++ b/system/secrets/backup/backuppass.age
@@ -0,0 +1,16 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/backup/backupssh.age b/system/secrets/backup/backupssh.age
new file mode 100644
index 0000000..ba04931
--- /dev/null
+++ b/system/secrets/backup/backupssh.age
@@ -0,0 +1,22 @@
+-----BEGIN AGE ENCRYPTED FILE-----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+-----END AGE ENCRYPTED FILE-----
diff --git a/system/secrets/default.nix b/system/secrets/default.nix
index 41e4eeb..624f530 100644
--- a/system/secrets/default.nix
+++ b/system/secrets/default.nix
@@ -43,6 +43,18 @@
         owner = "etebase-server";
         group = "etebase-server";
       };
+      resticssh = {
+        file = ./backup/backupssh.age;
+        mode = "0700";
+        owner = "root";
+        group = "root";
+      };
+      resticpass = {
+        file = ./backup/backuppass.age;
+        mode = "0700";
+        owner = "root";
+        group = "root";
+      };
     };
   };
 }
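Review bot: Both new secrets are declared with `mode = "0700"`, which sets the execute bit on a repository password file and an SSH private key that are only ever read. `mode = "0400"` on `resticssh` and `resticpass` would be the tighter setting. The `owner = "root"` and `group = "root"` lines already restrict access to root, so this is a least-privilege clean-up rather than an exposure. The enclosing attribute set begins outside the hunk.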
diff --git a/system/secrets/secrets.nix b/system/secrets/secrets.nix
index f066fa1..e5dc418 100644
--- a/system/secrets/secrets.nix
+++ b/system/secrets/secrets.nix
@@ -18,4 +18,6 @@ in {
   "mastodon/mail.age".publicKeys = allSecrets;
   "taskserver/ca.age".publicKeys = allSecrets;
   "etebase-server/passwd.age".publicKeys = allSecrets;
+  "backup/backupssh.age".publicKeys = allSecrets;
+  "backup/backuppass.age".publicKeys = allSecrets;
 }
diff --git a/system/services/restic/default.nix b/system/services/restic/default.nix
new file mode 100644
index 0000000..3620540
--- /dev/null
+++ b/system/services/restic/default.nix
@@ -0,0 +1,25 @@
+{config, ...}: {
+  services.restic.backups = let
+    srvDir = "/srv";
+    boxUser = "u384702-sub2";
+  in {
+    storagebox = {
+      initialize = true;
+      paths = [
+        srvDir
+      ];
+      exclude = [
+        ".snapshots"
+      ];
+      extraBackupArgs = [
+        "--exclude-if-present .nobackup" # Don't backup directory if it contains a file called ".nobackup"
+        "--verbose" # Spam log
+      ];
+      passwordFile = config.age.secrets.resticpass.path;
+      extraOptions = [
+        "rclone.program='ssh -p 23 ${boxUser}@${boxUser}.your-storagebox.de -i ${config.age.secrets.resticssh.path}'"
+      ];
+      repository = "rclone: "; # There is only one repository served
+    };
+  };
+}
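Review bot: The `ssh` command in `rclone.program` relies on whatever host-key state the service user already has, and nothing in this commit pins the storage box's host key. For an unattended backup job it is worth declaring the key in the configuration, e.g. `programs.ssh.knownHosts.storagebox = { hostNames = [ "[<box-host>]:23" ]; publicKey = "<host-public-key>"; };`, so that a first run on a fresh machine neither fails verification nor trusts an unverified endpoint with the backup data. Separately, `repository = "rclone: "` has a trailing space after the colon. If the remote ignores the path, as the comment suggests, a short comment saying the space is intentional (or dropping it) would stop a later reader from "fixing" it.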