From 579157fbf60eda00c53c86fba40456ca5a2a7e1b Mon Sep 17 00:00:00 2001
From: Gene Liverman
Date: Sat, 6 Apr 2024 21:08:11 -0400
Subject: [PATCH] Setup restic backups
---
 modules/hosts/nixos/nixnuc/audiobookshelf.nix | 3 ++
 modules/hosts/nixos/nixnuc/default.nix | 4 +++
 modules/system/common/linux/restic.nix | 28 +++++++++++++++++++
 modules/system/common/secrets.yaml | 7 +++--
 4 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 modules/system/common/linux/restic.nix
diff --git a/modules/hosts/nixos/nixnuc/audiobookshelf.nix b/modules/hosts/nixos/nixnuc/audiobookshelf.nix
index 7a77670..5730b8c 100644
--- a/modules/hosts/nixos/nixnuc/audiobookshelf.nix
+++ b/modules/hosts/nixos/nixnuc/audiobookshelf.nix
@@ -20,4 +20,7 @@ in {
 ];
 };
 };
+ services.restic.backups.daily.paths = [
+ "/orico/audiobookshelf"
+ ];
 }
diff --git a/modules/hosts/nixos/nixnuc/default.nix b/modules/hosts/nixos/nixnuc/default.nix
index 6101048..e3e4408 100644
--- a/modules/hosts/nixos/nixnuc/default.nix
+++ b/modules/hosts/nixos/nixnuc/default.nix
@@ -3,6 +3,7 @@
 ./hardware-configuration.nix
 ./audiobookshelf.nix
 ./containers/nginx-proxy.nix
+ ../../../system/common/linux/restic.nix
 ];
 system.stateVersion = "23.11";
@@ -132,6 +133,9 @@
 };
 };
 resolved.enable = true;
+ restic.backups.daily.paths = [
+ "/orico/jellyfin/data"
+ ];
 tailscale = {
 enable = true;
 authKeyFile = config.sops.secrets.tailscale_key.path;
diff --git a/modules/system/common/linux/restic.nix b/modules/system/common/linux/restic.nix
new file mode 100644
index 0000000..6f3b1ee
--- /dev/null
+++ b/modules/system/common/linux/restic.nix
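Review bot: The `paths` entries added in audiobookshelf.nix (`/orico/audiobookshelf`) and in the second default.nix hunk (`/orico/jellyfin/data`) are read from live application directories, and nothing in this commit quiesces the services or snapshots the data first, so any database files underneath may be captured mid-write and restore in an inconsistent state. If `/orico` sits on a snapshot-capable filesystem, taking a snapshot in the job's `backupPrepareCommand` and backing up from it would avoid that; I cannot tell from the hunks whether that is the case. Both additions also rely on the module system merging the two lists into the one `daily` job, which deserves a comment at each site, e.g. `# merged into the shared daily job from system/common/linux/restic.nix`. The enclosing attribute sets start outside both hunks.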
@@ -0,0 +1,28 @@
+{ config, pkgs, ... }: {
+ environment.systemPackages = with pkgs; [
+ restic
+ ];
+
+ sops.secrets = {
+ restic_env.sopsFile = ../secrets.yaml;
+ restic_repo.sopsFile = ../secrets.yaml;
+ restic_password.sopsFile = ../secrets.yaml;
+ };
+
+ services.restic.backups = {
+ daily = {
+ initialize = true;
+
+ environmentFile = config.sops.secrets.restic_env.path;
+ repositoryFile = config.sops.secrets.restic_repo.path;
+ passwordFile = config.sops.secrets.restic_password.path;
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 6"
+ ];
+ };
+ };
+}
+
diff --git a/modules/system/common/secrets.yaml b/modules/system/common/secrets.yaml
index 8064289..c5749fb 100644
--- a/modules/system/common/secrets.yaml
+++ b/modules/system/common/secrets.yaml
@@ -1,5 +1,8 @@
 gandi_dns_pat: ENC[AES256_GCM,data:81tlAE6e655+RgKZVJgwYg6V59VtMmuVk5spkGZq1U6AgxYXO3wvsA==,iv:Dp5csrqHIAYloi5XkrBgDMqeIX/W+JFJ1avKbTnEU/Y=,tag:QjhdX4gv9OmWtQp7r06+RA==,type:str]
 gandi_api: ENC[AES256_GCM,data:YsdDMk75miIKO4LkCZjfwJw6gxfrmsTL,iv:BOPRxB661sPJnUH1AUKEALIJfBeyAHZpkWJEDbY+7i8=,tag:TvtW7qhPbOqi9kKDcIe28w==,type:str]
+restic_env: ENC[AES256_GCM,data:FCYR8tkClRwfcjUotcr28D6uRz7sNihn50nw38CaYnqOD/U9+5kU0iAPSvqAbeuw+xUoKKKAPAfMHI12dPTYt17Wz1N7i4a+MRkiIR9pjyv5KZTK59G+,iv:jStc8GMbZUQUgooZiRdImSZskdckYN1cRm2gsKbUyYY=,tag:HpQQIj1j7fjCmxkSeY/k4g==,type:str]
+restic_repo: ENC[AES256_GCM,data:kCoNYVKwB87W4h5doa3IXj4n,iv:jKEw/Hki/tp3RSTsRB4dlg593I5B4pCLBav84ADCh70=,tag:+GFF5vHOVw0r/G8BbhcCjw==,type:str]
+restic_password: ENC[AES256_GCM,data:PfQsxJul1Qpt3WQoUEI941l+yng3lVjhDd8=,iv:U5KjhcVqyksN2ay19RBjNhYIB31tUbfNRIqCEx/+Wbc=,tag:jsoU+B1mjAprPK+M5I0pAQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
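Review bot: The `pruneOpts` on the `daily` job in restic.nix mean this host's repository credentials must be allowed to delete data, so anything that compromises the host, or a misconfigured job, can also remove the snapshot history the backup is meant to protect. Nothing visible here shows which backend `restic_env` and `restic_repo` point at, so this may already be covered by versioning or object lock on the storage side; if it is not, consider giving this host append-only access and running `forget --prune` from a separate trusted machine. At minimum I would record the decision next to the option, e.g. `# prune runs with this host's credentials; backend needs versioning/object-lock to survive host compromise`. A short module header should also say that all three secrets come from the shared `../secrets.yaml`, so every recipient able to decrypt that file can read the whole repository, and that the repository password needs a copy held outside the machines being backed up.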
@@ -69,8 +72,8 @@ sops:
 ZlBVMUJmWml3dkQ3OTN1ZmF1N0hXNHcKnLOSViooQmhU5yE754VHIBYNRVikgptc
 3bXDiOlkjBbxGru3bnn+vUUJ3n+QdZoAnCgdL7D2/Me3HVrAW5M5LA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-05T03:17:40Z"
- mac: ENC[AES256_GCM,data:4u2rpoc20qDv3W6s3lgtYU+35cfaK1tOmMySuji07s7IxqXqmkAn/giynH7y+PQRLACV6XvKnysLwuTPanekmXqQx/cOPOIPPrXOwz4oDLncFILI+7H/ShFuRN3KKUq9+OZElO4lLO0PDL+6flo3Mq6oSbzzeqxqVXUvt5gG8So=,iv:WEoiZzIWxAsxr3+nUY7b/jewYn6YRraU+zIPBhin8JI=,tag:BN5zLe8jdrvvCFU0BbfiaQ==,type:str]
+ lastmodified: "2024-04-07T00:55:24Z"
+ mac: ENC[AES256_GCM,data:5GaItFbHP8Qj8Dev5a0kkI7VFovvW5STaI7MPaZibHWCB2Xvcw50ZjKPRVVx6yqsnjz6zf3H2h/siowq/eAvvKJ5gltbof4NAxcCqjcOrqpUaeFT1ykG2SMznX8OezUyH6K7KmFgSFgYv3F/5JhoQOIClJs4NmQIBxUf7afY9KQ=,iv:oJhBRcyyL5zBc324tyyTYF2i1a0Q+CkOxwg4HbyUXkA=,tag:kK9/bQIO/VioSpmxC7P+XA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1