From 1b7e0f903d3ef51825e184d8832b6d5b244aec58 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kier=C3=A1n=20Meinhardt?=
Date: Tue, 18 Jan 2022 21:29:30 +0100
Subject: [PATCH] feat: restic
---
 configs/backup.nix | 11 +++++++++++
 configs/default.nix | 1 +
 systems/zaatar/backup.nix | 31 +++++++++++++++++++++++++++++++
 systems/zaatar/configuration.nix | 1 +
 4 files changed, 44 insertions(+)
 create mode 100644 configs/backup.nix
 create mode 100644 systems/zaatar/backup.nix
diff --git a/configs/backup.nix b/configs/backup.nix
new file mode 100644
index 0000000..023386f
--- /dev/null
+++ b/configs/backup.nix
@@ -0,0 +1,11 @@
+{
+ services.restic.backups.niveum = {
+ initialize = true;
+ repository = "rest:http://zaatar.r:3571/";
+ timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
+ passwordFile = toString ;
+ paths = [
+ "/home/kfm/work"
+ ];
+ };
+}
diff --git a/configs/default.nix b/configs/default.nix
index c73b29e..82fa671 100644
--- a/configs/default.nix
+++ b/configs/default.nix
@@ -194,6 +194,7 @@ in {
 }) localAddresses;
 }
 ./alacritty.nix
+ ./backup.nix
 ./bash.nix
 ./beets.nix
 ./bluetooth.nix
diff --git a/systems/zaatar/backup.nix b/systems/zaatar/backup.nix
new file mode 100644
index 0000000..e8a8250
--- /dev/null
+++ b/systems/zaatar/backup.nix
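Review bot: The `repository` line in configs/backup.nix points at plain `http` with no credentials, and nothing in the file says where transport protection and access control are supposed to come from. restic encrypts repository contents on the client, but request integrity and the server's identity then rest entirely on the network path, presumably the retiolum overlay behind the `.r` name. I would record that next to the URL, e.g. `# plain HTTP, no credentials: depends on the overlay network for transport security and on zaatar's firewall for access control`. Because the following hunk imports this file from configs/default.nix, every host that pulls in that module gets the timer, while the server side accepts only kabsa, manakish and makanek, so other hosts would fail each night unless the job is gated per host. As rendered here `passwordFile = toString ;` (and `import ;` in systems/zaatar/backup.nix) has no argument, which looks like a path lost in extraction rather than a fault in the commit.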
@@ -0,0 +1,31 @@
+{ lib, ... }:
+let
+ resticPort = 3571;
+ niveumLib = import ;
+ inherit (niveumLib) retiolumAddresses;
+ firewall = niveumLib.firewall lib;
+in
+{
+ services.restic.server = {
+ enable = true;
+ appendOnly = true;
+ dataDir = "/backup/restic";
+ prometheus = true;
+ extraFlags = [ "--no-auth" "--prometheus-no-auth" ]; # auth is done via firewall
+ listenAddress = ":${toString resticPort}";
+ };
+
+ networking.firewall =
+ let
+ dport = resticPort;
+ protocol = "tcp";
+ rules = [
+ (firewall.accept { inherit dport protocol; source = retiolumAddresses.kabsa.ipv4; })
+ (firewall.accept { inherit dport protocol; source = retiolumAddresses.manakish.ipv4; })
+ (firewall.accept { inherit dport protocol; source = retiolumAddresses.makanek.ipv4; })
+ ];
+ in {
+ extraCommands = firewall.addRules rules;
+ extraStopCommands = firewall.removeRules rules;
+ };
+}
diff --git a/systems/zaatar/configuration.nix b/systems/zaatar/configuration.nix
index 5dd6bbe..89eb0e5 100644
--- a/systems/zaatar/configuration.nix
+++ b/systems/zaatar/configuration.nix
@@ -4,6 +4,7 @@ let
 in
 {
 imports = [
+ ./backup.nix
 ./gaslight.nix
 ./hardware-configuration.nix
 ./kiosk.nix
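Review bot: With `--no-auth` in `extraFlags`, the three source-address rules are the only access control, yet `listenAddress = ":${toString resticPort}"` binds every interface and the inline comment does not say what that model leaves open. Every accepted host reaches the same `dataDir` with no per-client separation, so `appendOnly` limits deletion but one client can still read or add to another's repository data if, as the shared client config suggests, they all hold the same password. Binding to the overlay address would narrow exposure, e.g. `listenAddress = "${retiolumAddresses.zaatar.ipv4}:${toString resticPort}";`, assuming `retiolumAddresses` has a zaatar entry. Whether `firewall.accept` also pins each rule to the overlay interface is not visible in this hunk, and only `.ipv4` sources are listed, so a client that resolves `zaatar.r` to an IPv6 address would not match. The comment could read `# no HTTP auth: access limited to the listed retiolum IPv4 sources; all clients share one repository namespace`.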