feat: add restic

Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>

.sops.yaml

@@ -11,9 +11,14 @@ creation_rules:
           - *wodan
         pgp:
           - *lander
-  - path_regex: home/lander/global/secrets.yam?l$
+  - path_regex: hosts/common/optional/secrets.yam?l$
     key_groups:
       - age:
           - *wodan
         pgp:
           - *lander
+  - path_regex: home/lander/global/secrets.yam?l$
+    key_groups:
+      - age:
+          - *wodan
+        pgp:

hosts/common/global/secrets.nix

@@ -1,4 +1,5 @@
-{...}: {
+{ ... }:
+{
   sops.secrets.inuits-mail-pass = {
     owner = "lander";
     group = "users";

hosts/common/optional/restic.nix

@@ -0,0 +1,40 @@
+{ pkgs, config, ... }:
+{
+  sops.secrets.restic-environment = {
+    owner = "root";
+    group = "root";
+    sopsFile = ./secrets.yaml;
+  };
+
+  sops.secrets.restic-password = {
+    owner = "root";
+    group = "root";
+    sopsFile = ./secrets.yaml;
+  };
+
+  sops.secrets.restic-repository = {
+    owner = "root";
+    group = "root";
+    sopsFile = ./secrets.yaml;
+  };
+
+  services.restic.backups = {
+    daily = {
+      initialize = true;
+
+      repositoryFile = config.sops.secrets.restic-repository.path;
+      passwordFile = config.sops.secrets.restic-password.path;
+      environmentFile = config.sops.secrets.restic-environment.path;
+
+      paths = [
+        config.users.users.lander.home
+      ];
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 5"
+        "--keep-weekly 12"
+      ];
+    };
+  };
+}

hosts/common/optional/secrets.yaml

@@ -0,0 +1,34 @@
+restic-environment: ENC[AES256_GCM,data:CkgRnXNGAsVlWWPj4pvADpNTPyufafaO745vySUBNqWoZbcnjZyvZUkUuZ2xp/EwbRrtMYL0DQXBgW3BqRVZuSkm6/9go2rMMmmNRYvzuJOkap5ePIiaHa9UrS87eupgeaODxRcj,iv:lOtadnRCC6tZkaHKCdfT1v0hG1wMo/hRAlWKtCvs2vc=,tag:fvI+Vb+stHa9sgrziMjQGQ==,type:str]
+restic-password: ENC[AES256_GCM,data:BsJ7fkoeZHxGbKP7YGuD13s1feYWeVj+hg==,iv:vmpWp/vWBt2bw61p43HTp7fuTKOX4k7io/HGt4yPPo4=,tag:f3pfbcWqccKJ1fI00AyKLA==,type:str]
+restic-repository: ENC[AES256_GCM,data:GAm8+hE96byqeyIb9qQ7QCstBYd0j+WIXp69quZ/f8joH2fUst/Kxb18mOKQozlu6Q==,iv:VQYZmGv+fyyYWUeAQTNiwxhAwR6o0LRw2s6G4lYkkDQ=,tag:P0bAsB3Wp9Vw7YH73XspIg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15m0pdv8mkt4aue8wjay9k4endyymtka5je3gc2t63dgamfzh9vts7774hh
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5Q1BObXBYUFhXdStEbWFa
+            Z29mZXp6NkJZbitZcjhibkl4UGlBazV2MGc4CklZSG82bU9oMUt1WUpUamt2QmpS
+            VDBqWHBQZGl0YUtXOTFSOThOeGk1YmMKLS0tIFJkSlhibVFwVnl0WHl4aUd4ajRm
+            RWRuU0tKTzNQb0hwZHZJYlhjZ2lJYkUK6T9iTfsfgajho1UUgcYTQa3ppT0CaoT7
+            rVLOyhLGHZLoBkmAm0gTJ1SOFHOyYZMbRMvN2saSLgMIiCuvXm4eEg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-13T17:47:53Z"
+    mac: ENC[AES256_GCM,data:qKEbUu0/kt4eM7JXCOl73hJ3IuHr6kr3A7Y0xdXKZ0A/5Ex2F2dgLRTtmFeEMdmm77dYr6PLm8u+eQ+FmpuMb59+q1Y3k/IUpaQXfBJ6qtQCX5lOxJrE9VpR84OIDVQZ7pKclXuNfc6H+MKlGEbmVRnpdJrd6lWxIkpgwmBLBRc=,iv:xh6ywlS7sn/BVpYpej7mmxV/Be33wvQYn/8glbMLnrA=,tag:iIixjf9VZ6OuP5Pgw0w/WA==,type:str]
+    pgp:
+        - created_at: "2025-01-13T15:15:34Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DARdpY4woM6wSAQdAwVc6Y2JuSKZ+CfVXGcZwXGLPxd4qzYEYCXeVw6fUMn0w
+            8nCY3GAdJR2doPeQFtakqulb6sNH+sA2eGSUS1B+MQ7HpxkungLAbWI0wpFYwnfw
+            0lwB5Zz4+rRkhPTqQNudTSBHX018kR5/A6/jLslox6vaKesyPIFSMejJqFp3hmHu
+            3QoK0HNLTCgmUw4OZsYtgPLw00KxDYNbUN6JY9H/MOuBT3Uwe4y8HXlffPXr1w==
+            =Csbt
+            -----END PGP MESSAGE-----
+          fp: 4BE1257015580BAB9F4B9D5FCA5B1C34E649BF92
+    unencrypted_suffix: _unencrypted
+    version: 3.9.2

hosts/wodan/default.nix

@@ -9,6 +9,7 @@
     ../common/optional/fonts.nix
     ../common/optional/yubikey-gpg.nix
     ../common/optional/virt.nix
+    ../common/optional/restic.nix
     ../common/optional/steam.nix
   ];