pastila: system backups with restic
parent
f73651bc32
commit
0a393fb14a
4 changed files with 66 additions and 3 deletions
@ -1,6 +1,10 @@
{ config, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
|
|
{
{
|
imports = [
|
./secrets-permissions.nix
|
];
|
|
# Enable the OpenSSH daemon
# Enable the OpenSSH daemon
services.openssh.enable = true;
services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = lib.mkDefault "no";
services.openssh.settings.PermitRootLogin = lib.mkDefault "no";
|
@ -21,13 +25,12 @@
wget
wget
htop
htop
tmux
tmux
bmon # Shows network activity
bmon
nixfmt
nixfmt
jnettop
|
iperf3
|
ncdu
ncdu
git
git
tig
tig
|
restic
];
];
|
|
# required when using kitty
# required when using kitty
|
|
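--- /dev/null
+++ b/common/secrets-permissions.nix
@@ -0,0 +1,22 @@
+# This module enforces permissions on secrets stored on the machines.
+
+{ config, ... }:
+
+{
+system.activationScripts."secrets-permissions" = ''
+# Default to restrictive permissions on secrets.
+# Root can alway read/write/traverse directories no matter the permissions
+# set.
+
+chown --recursive root:root /etc/secrets
+chmod --recursive 600 /etc/secrets
+
+# Relax permissions on some secrets.
+
+# The top directory must be readable and traversable by thoses who need to
+# access secrets.
+chmod 755 /etc/secrets
+
+# ... add chowns & chmods to specific users/groups when needed
+'';
+}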
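Review bot: `chmod --recursive 600 /etc/secrets` clears the execute bit on every subdirectory as well as on every file, and the later `chmod 755 /etc/secrets` only restores it on the top directory, so the "relax permissions on some secrets" step this script anticipates cannot work for a file inside a subdirectory unless the caller also remembers to fix the directory; root is unaffected, which is why the restic paths in this commit still work. Splitting the default into files and directories, `find /etc/secrets -type f -exec chmod 600 {} +` and `find /etc/secrets -type d -exec chmod 700 {} +`, keeps the restrictive default while making per-secret relaxation a matter of one chmod on the file's directory and one on the file. The script also assumes `/etc/secrets` exists; wrapping it in `if [ -d /etc/secrets ]; then … fi` (or creating it first with `mkdir -p -m 755 /etc/secrets`) avoids a failing chown on a host that has no secrets yet. Two typos in the comments: `alway` should be `always` and `thoses` should be `those`.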
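--- /dev/null
+++ b/pastila/backups.nix
@@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+{
+services.restic.backups."borgbase" = {
+paths = [
+"/home"
+"/root"
+"/etc/secrets"
+"/var"
+"/srv"
+];
+
+exclude = [
+"/var/cache"
+"/home/*/.cache"
+"/var/log"
+".opam"
+];
+
+timerConfig = {
+OnCalendar = "daily";
+RandomizedDelaySec = "5h";
+Persistent = true;
+};
+
+pruneOpts = [
+"--keep-daily 7"
+"--keep-weekly 5"
+"--keep-monthly 6"
+"--keep-yearly 3"
+];
+
+repositoryFile = /etc/secrets/restic/repo;
+passwordFile = "/etc/secrets/restic/password";
+};
+
+}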
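Review bot: `repositoryFile = /etc/secrets/restic/repo;` is an unquoted Nix path literal while `passwordFile` on the next line is a string; a path literal is copied into the world-readable Nix store as soon as it is coerced to a string, which presumably happens when the restic module builds the unit from this option, so the repository location (and anything sensitive embedded in it) would land in /nix/store, and evaluation would also fail on any machine where that file is absent at build time. Use the string form to match `passwordFile` and keep the file read only at run time on the target host: `repositoryFile = "/etc/secrets/restic/repo";`. If the repository has not been created on the remote yet, the first timer run fails unless `initialize = true;` is also set — worth confirming against how the repository was provisioned.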
@ -11,6 +11,7 @@ in
imports =
imports =
[
[
./hardware-configuration.nix
./hardware-configuration.nix
|
./backups.nix
../common/configuration.nix
../common/configuration.nix
];
];
|
|
|
|