feat: restic

2026-03-16 18:21:07 +01:00 · 2022-01-18 21:29:30 +01:00
parent 9a2205121b
commit 1b7e0f903d
4 changed files with 44 additions and 0 deletions
--- a/configs/backup.nix
+++ b/configs/backup.nix
@@ -0,0 +1,11 @@
+{
+  services.restic.backups.niveum = {
+    initialize = true;
+    repository = "rest:http://zaatar.r:3571/";
+    timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
+    passwordFile = toString <secrets/restic/password>;
+    paths = [
+      "/home/kfm/work"
+    ];
+  };
+}
--- a/configs/default.nix
+++ b/configs/default.nix
@@ -194,6 +194,7 @@ in {
      }) localAddresses;
    }
    ./alacritty.nix
+    ./backup.nix
    ./bash.nix
    ./beets.nix
    ./bluetooth.nix
--- a/systems/zaatar/backup.nix
+++ b/systems/zaatar/backup.nix
@@ -0,0 +1,31 @@
+{ lib, ... }:
+let
+  resticPort = 3571;
+  niveumLib = import <niveum/lib>;
+  inherit (niveumLib) retiolumAddresses;
+  firewall = niveumLib.firewall lib;
+in
+{
+  services.restic.server = {
+    enable = true;
+    appendOnly = true;
+    dataDir = "/backup/restic";
+    prometheus = true;
+    extraFlags = [ "--no-auth" "--prometheus-no-auth" ]; # auth is done via firewall
+    listenAddress = ":${toString resticPort}";
+  };
+
+  networking.firewall =
+  let
+    dport = resticPort;
+    protocol = "tcp";
+    rules = [
+      (firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })
+      (firewall.accept { inherit dport protocol; source = retiolumAddresses.manakish.ipv4; })
+      (firewall.accept { inherit dport protocol; source = retiolumAddresses.makanek.ipv4; })
+    ];
+  in {
+    extraCommands = firewall.addRules rules;
+    extraStopCommands = firewall.removeRules rules;
+  };
+}
--- a/systems/zaatar/configuration.nix
+++ b/systems/zaatar/configuration.nix
@@ -4,6 +4,7 @@ let
 in
 {
  imports = [
+    ./backup.nix
    ./gaslight.nix
    ./hardware-configuration.nix
    ./kiosk.nix