From 79fbbbfd8213b87c6214bb79332cd227a390f803 Mon Sep 17 00:00:00 2001
From: Nico
Date: Sun, 22 Feb 2026 23:54:33 +1100
Subject: [PATCH] restic: init
---
 flake.nix | 1 +
 modules/hardware/restic.nix | 66 +++++++++++++++++++++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 modules/hardware/restic.nix
diff --git a/flake.nix b/flake.nix
index c6f61a4..02ccd89 100644
--- a/flake.nix
+++ b/flake.nix
@@ -60,6 +60,7 @@
 ./modules/services/media/jellyfin.nix
 ./modules/services/archiveteam-warrior.nix
 ./modules/services/samba.nix
+ ./modules/hardware/restic.nix
 ./modules/network/avahi.nix
 ./modules/services/ssh.nix
diff --git a/modules/hardware/restic.nix b/modules/hardware/restic.nix
new file mode 100644
index 0000000..303fa55
--- /dev/null
+++ b/modules/hardware/restic.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.restic.backups."${config.networking.hostName}-server" = {
+ initialize = false;
+
+ paths = [
+ "/media"
+ ];
+
+ exclude = [
+ "/media/secrets"
+ "/media/torrents"
+ "/media/media"
+
+ ".cache*"
+ ".DS_Store"
+ "logs"
+ ];
+
+ checkOpts = [
+ "--with-cache" # just to make checks faster
+ ];
+
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 5"
+ "--keep-monthly 12"
+ "--keep-yearly 10"
+ ];
+
+ timerConfig = {
+ OnBootSec = "5m"; # lets wifi connect before starting backups
+ OnCalendar = "daily";
+ Persistent = true;
+ };
+
+ # backup postgres databases, kind of hacky but
+ # i think its the only way to do it without needing
+ # another backup repo
+ backupPrepareCommand = ''
+ rm -f /media/apps/postgres # -f doesn't error if doesn't exist
+ touch /media/apps/postgres
+ chmod 600 /media/apps/postgres
+ ${lib.getExe pkgs.sudo} -u postgres ${config.services.postgresql.package}/bin/pg_dumpall > /media/apps/postgres
+ '';
+
+ backupCleanupCommand = ''
+ rm /media/apps/postgres
+ '';
+
+ # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#other-services-via-rclone
+ # put something like : "rclone:onedrive:restic" to use as the remote
+ #
+ # sudo nix run nixpkgs#rclone -- config
+ repositoryFile = "/media/secrets/restic-repo";
+
+ # the passphrase used
+ passwordFile = "/media/secrets/restic-password";
+ };
+
+ systemd.tmpfiles.rules = [
+ "f /media/secrets/restic-repo 0400 root root"
+ "f /media/secrets/restic-password 0400 root root"
+ ];
+}
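Review bot: The script in `backupPrepareCommand` relies on `touch` followed by `chmod 600` to protect the dump and has no `set -e`, so if either step fails `pg_dumpall` still writes every database plus the role password hashes to /media/apps/postgres with whatever mode the umask gives; whether the restic module runs this snippet with errexit is not visible in the hunk. Starting the script with `set -e` and `umask 077` makes the file private from the moment it is created and lets the `touch`/`chmod` pair go. `backupCleanupCommand` should use `rm -f /media/apps/postgres` so cleanup does not fail when the prepare step aborted before the file existed. The tmpfiles rules set 0400 on the two secret files but leave the mode of /media/secrets itself unmanaged; a `"d /media/secrets 0700 root root"` rule ahead of them would cover that, which matters if /media is exported by the Samba module imported in flake.nix (its configuration is not shown here).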