nixos: add restic

.sops.yaml

@@ -17,6 +17,12 @@ creation_rules:
       - age:
           - *guanranwang
           - *tyo0
+  - path_regex: ^nixos/profiles/restic/secrets.yaml$
+    key_groups:
+      - age:
+          - *guanranwang
+          - *dust
+          - *sin0
   - path_regex: ^nixos/profiles/sing-box/secrets.yaml$
     key_groups:
       - age:

hosts/dust/default.nix

@@ -8,6 +8,7 @@
 {
   imports =
     [
+      ../../nixos/profiles/restic
       ../../nixos/profiles/sing-box
       ../../nixos/profiles/wireless
 
@@ -231,4 +232,6 @@
       };
     };
   };
+
+  services.restic.backups.persist.exclude = [ "/persist/home/guanranwang/.local/share/Steam" ];
 }

hosts/vultr/common/default.nix

@@ -12,6 +12,8 @@
 
       ./disko.nix
       ./preservation.nix
+
+      ../../../nixos/profiles/restic
     ]
     ++ (with inputs; [
       disko.nixosModules.disko

infra/vultr.tf

@@ -30,3 +30,6 @@ module "vultr" {
   script   = vultr_startup_script.script.id
 }
 
+resource "vultr_object_storage" "storage" {
+  cluster_id = 4 # sgp1.vultrobjects.com
+}

nixos/profiles/restic/default.nix

@@ -0,0 +1,27 @@
+{ config, ... }:
+{
+  sops.secrets = builtins.mapAttrs (_n: v: v // { sopsFile = ./secrets.yaml; }) {
+    "restic/environment" = { };
+    "restic/password" = { };
+    "restic/repository" = { };
+  };
+
+  services.restic.backups.persist = {
+    environmentFile = config.sops.secrets."restic/environment".path;
+    passwordFile = config.sops.secrets."restic/password".path;
+    repositoryFile = config.sops.secrets."restic/repository".path;
+    paths = [ "/persist" ];
+    extraBackupArgs = [
+      "--one-file-system"
+      "--exclude-caches"
+      "--no-scan"
+      "--retry-lock 2h"
+    ];
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "4h";
+      FixedRandomDelay = true;
+      Persistent = true;
+    };
+  };
+}

nixos/profiles/restic/secrets.yaml

@@ -0,0 +1,51 @@
+restic:
+    environment: ENC[AES256_GCM,data:7XdLf6C3ojLWxQJtQv+Fkof5GUZDpRhgsdwtMFKGJYwHQKhPfmmghlEWxXMi7HuWHCBxlvEKDU/8L9RnsWPHBG8yiZbuaqQWJna/PH0M69i2ZMHgXqRf433zxUAkCY8ULl2UGH7P,iv:hx9k/6gGTuC353j8JL2qHRgKFHY4/b7nA+ILjxXTbB0=,tag:dTFrmwIJLrcn4Ga6lzZQmQ==,type:str]
+    password: ENC[AES256_GCM,data:79+ZXif/zXiQ/0xJJxW4v5NOcOnAIFM+QeYNd9HVlBgF,iv:0W02zdfR6aS/E/vnEXdqQd7NF21VY5osdpP8s5muM6c=,tag:k+5ObQGcam67NWkiuE6Eaw==,type:str]
+    repository: ENC[AES256_GCM,data:jbeQ8oQrcT/q89vvI7tZs3WMsKK78jHEGqbuhf5v4KBz9voVHOVVPSLxXrk=,iv:a01YaOfIYldkFYFpY2KdDW4yzQij1JrdLMMbn/MkW9g=,tag:nZlGzftlnqHGJ+kDLllQXw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bTRYdi84N1VrcXhFZzRQ
+            ZGVBV3pMUkxxTjZWcTBEVllhZzJCMkhtaGg4CjZYakRGODhLa3Rkb3lDQy9oVjFV
+            SCtJUGtMcFMybGRIbmhIQUNQQ2I0dGMKLS0tIFAyZURTVFNQZml1d0JGYWZYQS84
+            bnkrVUZvY3YwTVpUZHlzcTFvR1pNbkUKcVP66FDXJFN8tsprjwx7E+eSCb/qCe+F
+            7HxC1Aele3vdu3GpJinArWblpXBoc66P6+5UHHop/O6c4p3dEjrCRQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age193x79xx8snu82w3t3hax6nruuw57g7pduwnkpvzkzmd7fs5jvfrquqa3sl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjT2swWFRaZnJyZW5XanNj
+            VUE1OVNCOGRjRytab0g4MDdXRnVXdHIwSkVVCk1CNXlIVkU5WVRBQlg1cmtIS3dy
+            MlkvUzkxTGtWOTBMRWs3MmJPV2tGWEEKLS0tIEl4a0N2NUdscnNlWEc2TmNzNGUr
+            bFNTcHFWU2hlTXBjK0Rha2ZFNTFCcncKyI2b4FGDX3XI0jw9Wj6Skv/VfiFi8Upu
+            HXCUovZqdWZBCtmNIXQSKjjTYizKAoTFK6YFqA8CKzNcRrq3vBRhcw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1u7srtfpgf83hesmsvtqdqftl8xrjmmp33mlg0aze6ken866ad55qxmzdqd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsczZ6QVpRQUtqVDhnYjJF
+            dlRnT1pvWXdGaW9Ta1NZODJTTXU3aktrZUcwCm01V1RnR0RCcmZXYkRGN2U0M3k4
+            WnhJbXl3UkNKcEtjaGkzellsUW84aGMKLS0tIEQweVdZTDFMZHlFT21LbDgva0x5
+            NTlFcjArSzhYRzNCMG9EbmR2d1lVaXcKxvQMdsDAVSwStg1cr6sA55bkWIIEdhjj
+            TObLtnZMdXskrcm7vRU8h8JpacTntSkjtQPYd04pBIItRIunE0DJJA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12un5sgwu73ufgtd3e439fttek5yfem3m9twq9p7wx95kakmz3cyq5gm3et
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwYnQ3OFZCcmVPTXZ3djBJ
+            NTJvd0pobzh5TzNxN0pneExwcExEQzRSbEVnCjVtTTdRSk85YzVhVDFBWmYrdk0x
+            RHNmUlREOEppWm1OQnR5eENPeFV2UWMKLS0tIGYxZ0RmTGRLaTBCdTkyMXk2MVUr
+            VFFJTFRQWnFFV0MxbWpSUGNyUy83dHcKbl2wtGFCvh4m0/aKGQneWSV3cKdU7AbT
+            11piv6jq54GNdq6QtbuX4MlbOsDO18jm29WZ2sbbHANnU70jyybIIA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-22T05:18:57Z"
+    mac: ENC[AES256_GCM,data:NaA8s3PRyhD9oVQr2DhsjuMVxT97SFwmH7hzRmq9eNXenwAsuJtJLV1MS9O9MW94rQo9aMeA5e//1jodTlkOgznnDoebX1m1cjXD88HMI3+NXu7f509HSlTKMopjst2PpOPGRq3Vt+SPHc9hV363O/rQBXiohCQ1o/YII1PBm1c=,iv:oqIeyit/UeISNrS6M6KZxJnzyk6f07NOa7dPK/VrtyM=,tag:CUEYuuNuvQeFJvat6tOpeQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0