pastila: system backups with restic

2024-05-28 19:56:03 +02:00 · 2024-05-28 19:56:03 +02:00 · 0a393fb14a
commit 0a393fb14a
parent f73651bc32
4 changed files with 66 additions and 3 deletions
--- a/common/configuration.nix
+++ b/common/configuration.nix
@ -1,6 +1,10 @@
 { config, lib, pkgs, ... }:

 {
+  imports = [
+    ./secrets-permissions.nix
+  ];
+
  # Enable the OpenSSH daemon
  services.openssh.enable = true;
  services.openssh.settings.PermitRootLogin = lib.mkDefault "no";
@ -21,13 +25,12 @@
    wget
    htop
    tmux
-    bmon # Shows network activity
+    bmon
    nixfmt
-    jnettop
-    iperf3
    ncdu
    git
    tig
+    restic
  ];

  # required when using kitty
--- a/common/secrets-permissions.nix
+++ b/common/secrets-permissions.nix
@ -0,0 +1,22 @@
+# This module enforces permissions on secrets stored on the machines.
+
+{ config, ... }:
+
+{
+  system.activationScripts."secrets-permissions" = ''
+    # Default to restrictive permissions on secrets.
+    # Root can alway read/write/traverse directories no matter the permissions
+    # set.
+
+    chown --recursive root:root /etc/secrets
+    chmod --recursive 600 /etc/secrets
+
+    # Relax permissions on some secrets.
+
+    # The top directory must be readable and traversable by thoses who need to
+    # access secrets.
+    chmod 755 /etc/secrets
+
+    # ... add chowns & chmods to specific users/groups when needed
+  '';
+}
--- a/pastila/backups.nix
+++ b/pastila/backups.nix
@ -0,0 +1,37 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.restic.backups."borgbase" = {
+    paths = [
+      "/home"
+      "/root"
+      "/etc/secrets"
+      "/var"
+      "/srv"
+    ];
+
+    exclude = [
+      "/var/cache"
+      "/home/*/.cache"
+      "/var/log"
+      ".opam"
+    ];
+
+    timerConfig = {
+      OnCalendar = "daily";
+      RandomizedDelaySec = "5h";
+      Persistent = true;
+    };
+
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 6"
+      "--keep-yearly 3"
+    ];
+
+    repositoryFile = /etc/secrets/restic/repo;
+    passwordFile = "/etc/secrets/restic/password";
+  };
+
+}
--- a/pastila/configuration.nix
+++ b/pastila/configuration.nix
@ -11,6 +11,7 @@ in
  imports =
    [
      ./hardware-configuration.nix
+      ./backups.nix
      ../common/configuration.nix
    ];