restic: init

2026-02-22 23:54:33 +11:00 · 2026-02-22 23:54:33 +11:00 · 79fbbbfd82
commit 79fbbbfd82
parent 414bb513d0
2 changed files with 67 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -60,6 +60,7 @@
        ./modules/services/media/jellyfin.nix
        ./modules/services/archiveteam-warrior.nix
        ./modules/services/samba.nix
+        ./modules/hardware/restic.nix

        ./modules/network/avahi.nix
        ./modules/services/ssh.nix
--- a/modules/hardware/restic.nix
+++ b/modules/hardware/restic.nix
@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+  services.restic.backups."${config.networking.hostName}-server" = {
+    initialize = false;
+
+    paths = [
+      "/media"
+    ];
+
+    exclude = [
+      "/media/secrets"
+      "/media/torrents"
+      "/media/media"
+
+      ".cache*"
+      ".DS_Store"
+      "logs"
+    ];
+
+    checkOpts = [
+      "--with-cache" # just to make checks faster
+    ];
+
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+      "--keep-yearly 10"
+    ];
+
+    timerConfig = {
+      OnBootSec = "5m"; # lets wifi connect before starting backups
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+
+    # backup postgres databases, kind of hacky but
+    # i think its the only way to do it without needing
+    # another backup repo
+    backupPrepareCommand = ''
+      rm -f /media/apps/postgres # -f doesn't error if doesn't exist
+      touch /media/apps/postgres
+      chmod 600 /media/apps/postgres
+      ${lib.getExe pkgs.sudo} -u postgres ${config.services.postgresql.package}/bin/pg_dumpall > /media/apps/postgres
+    '';
+
+    backupCleanupCommand = ''
+      rm /media/apps/postgres
+    '';
+
+    # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#other-services-via-rclone
+    # put something like : "rclone:onedrive:restic" to use as the remote
+    #
+    # sudo nix run nixpkgs#rclone -- config
+    repositoryFile = "/media/secrets/restic-repo";
+
+    # the passphrase used 
+    passwordFile = "/media/secrets/restic-password";
+  };
+
+  systemd.tmpfiles.rules = [
+    "f /media/secrets/restic-repo 0400 root root"
+    "f /media/secrets/restic-password 0400 root root"
+  ];
+}