Restic: made modular backup declerations.

Required tree-wide re-wiring of the host option. Now, rather than each host having a monolithic restic.nix file, the hosts restic.nix file just specifies the password and url of the restic repository. Eatch module then definies specific paths to backup and any pre and post commands that need to be performed. Each backed up service gets an independent systemd backup service and timer.
2025-04-13 15:27:25 +02:00 · 2025-04-13 15:27:25 +02:00 · 48c60629ab
commit 48c60629ab
parent cf33c036dd
36 changed files with 307 additions and 1476 deletions
--- a/configs/nixos/common.nix
+++ b/configs/nixos/common.nix
@ -48,13 +48,13 @@ in {
  environment.shells = lib.mkDefault [pkgs.zsh];
  # if we arent setting our password from nix secrets, we need to allow changing it.
  users.mutableUsers = !inputs ? nix-secrets;
-  users.users.${config.host.user} = {
+  users.users.${config.host.details.user} = {
    isNormalUser = true;
    hashedPassword =
      if inputs ? nix-secrets
      then (lib.removeSuffix "\n" (builtins.readFile "${inputs.nix-secrets}/password-hash"))
      else defaultPasswordHash;
-    description = config.host.fullName;
+    description = config.host.details.fullName;
    shell = pkgs.zsh;
    extraGroups = ["wheel"];
  };
--- a/configs/nixos/docker.nix
+++ b/configs/nixos/docker.nix
@ -9,5 +9,5 @@
    enable = true;
    autoPrune.enable = true;
  };
-  users.users.${config.host.user}.extraGroups = ["docker"];
+  users.users.${config.host.details.user}.extraGroups = ["docker"];
 }
--- a/configs/nixos/factorio-docker.nix
+++ b/configs/nixos/factorio-docker.nix
@ -17,6 +17,11 @@
      environment = {UPDATE_MODS_ON_START = "true";};
    };
  };
+
+  host.restic.backups.factorio = {
+    paths = ["/storage/factorio"];
+  };
+
  imports = [
    ./docker.nix
  ];
--- a/configs/nixos/forgejo.nix
+++ b/configs/nixos/forgejo.nix
@ -39,5 +39,15 @@ in {
    };
  };

+  host.restic.backups.forgejo = {
+    paths = [
+      "/var/lib/forgejo/custom"
+      "/var/lib/forgejo/data"
+      "/var/lib/forgejo/repositories"
+    ];
+    preBackupCommands = "systemctl stop forgejo.service";
+    postBackupCommands = "systemctl start forgejo.service";
+  };
+
  imports = [./nginx.nix];
 }
--- a/configs/nixos/i3/default.nix
+++ b/configs/nixos/i3/default.nix
@ -8,7 +8,7 @@
  services.displayManager = {
    defaultSession = "none+i3";
    autoLogin = {
-      user = config.host.user;
+      user = config.host.details.user;
      enable = true;
    };
  };
@ -22,7 +22,7 @@
    };
    xkb.options = "ctrl:nocaps,compose:rctrl";
  };
-  home-manager.users.${config.host.user} = {config, ...}: {
+  home-manager.users.${config.host.details.user} = {config, ...}: {
    home.packages = with pkgs; [
      maim
      brightnessctl
--- a/configs/nixos/i3/i3status-rust.nix
+++ b/configs/nixos/i3/i3status-rust.nix
@ -4,7 +4,7 @@
  lib,
  ...
 }: {
-  home-manager.users.${config.host.user} = {
+  home-manager.users.${config.host.details.user} = {
    config,
    osConfig,
    lib,
@ -46,14 +46,14 @@
            }
            (
              lib.mkIf
-              (!osConfig.host.isVm)
+              (!osConfig.host.details.isVm)
              {
                block = "backlight";
                missing_format = "";
              }
            )
            (
-              lib.mkIf (osConfig.host.isLaptop)
+              lib.mkIf (osConfig.host.details.isLaptop)
              {
                block = "battery";
                driver = "upower";
--- a/configs/nixos/i3/lockscreen.nix
+++ b/configs/nixos/i3/lockscreen.nix
@ -7,7 +7,7 @@
  environment.systemPackages = with pkgs; [
    betterlockscreen
  ];
-  home-manager.users.${config.host.user} = {
+  home-manager.users.${config.host.details.user} = {
    config,
    osConfig,
    lib,
--- a/configs/nixos/interactive-networking.nix
+++ b/configs/nixos/interactive-networking.nix
@ -5,5 +5,5 @@
 }: {
  # Enable networking
  networking.networkmanager.enable = true;
-  users.users.${config.host.user}.extraGroups = ["networkmanager"];
+  users.users.${config.host.details.user}.extraGroups = ["networkmanager"];
 }
--- a/configs/nixos/minecraft-docker.nix
+++ b/configs/nixos/minecraft-docker.nix
@ -4,7 +4,23 @@
  pkgs,
  lib,
  ...
-}: {
+}: let
+  preBackup = pkgs.writeShellScriptBin "mc-docker-pre-backup" ''
+    set -euxo pipefail
+
+    docker exec minecraft rcon-cli "say server backing up, expect minor lag"
+    sleep 10
+    docker exec minecraft rcon-cli "save-all flush"
+    docker exec minecraft rcon-cli "save-off"
+    sleep 10
+  '';
+  postBackup = pkgs.writeShellScriptBin "mc-docker-post-backup" ''
+    set -euxo pipefail
+
+    docker exec minecraft rcon-cli "save-on"
+    docker exec minecraft rcon-cli "say server backup succsessful!"
+  '';
+in {
  virtualisation.oci-containers = {
    backend = "docker";
    containers.minecraft = {
@ -31,7 +47,7 @@
        # SETUP_ONLY = "true";
        MOTD = "Welcome!";
        DIFFICULTY = "normal";
-        OPS ="TheToric";
+        OPS = "TheToric";
        ENFORCE_WHITELIST = "true";
        ENABLE_WHITELIST = "true";
        ANNOUNCE_PLAYER_ACHIEVEMENTS = "true";
@ -42,6 +58,13 @@
      extraOptions = ["--stop-timeout=60"];
    };
  };
+
+  host.restic.backups.minecraft = {
+    preBackupCommands = "${preBackup}/bin/mc-docker-pre-backup";
+    postBackupCommands = "${postBackup}/bin/mc-docker-post-backup";
+    paths = ["/storage/minecraft"];
+  };
+
  imports = [
    ./docker.nix
  ];
--- a/configs/nixos/radicale.nix
+++ b/configs/nixos/radicale.nix
@ -25,5 +25,11 @@
    };
  };

+  host.restic.backups.radicale = {
+    paths = [
+      "/var/lib/radicale"
+    ];
+  };
+
  imports = [./nginx.nix];
 }
--- a/configs/nixos/sound.nix
+++ b/configs/nixos/sound.nix
@ -13,7 +13,7 @@
    pulse.enable = true;
  };

-  home-manager.users.${config.host.user} = {config, ...}: {
+  home-manager.users.${config.host.details.user} = {config, ...}: {
    home.packages = with pkgs; [
      pwvucontrol
      helvum
--- a/configs/nixos/sshd.nix
+++ b/configs/nixos/sshd.nix
@ -2,8 +2,8 @@
  config,
  pkgs,
  inputs,
-  configLib,
  lib,
+  myLib,
  ...
 }: {
  services.openssh = {
@ -18,10 +18,10 @@

  users.users.root.openssh.authorizedKeys.keys = lib.mkDefault (
    if inputs ? nix-secrets
-    then (configLib.dirToStrings "${inputs.nix-secrets}/public-keys")
+    then (myLib.dirToStrings "${inputs.nix-secrets}/public-keys")
    else []
  );
  # if it can log into root, it should also be able to log in to the main user.
-  users.users.${config.host.user}.openssh.authorizedKeys.keys =
+  users.users.${config.host.details.user}.openssh.authorizedKeys.keys =
    config.users.users.root.openssh.authorizedKeys.keys;
 }
--- a/configs/nixos/syncthing.nix
+++ b/configs/nixos/syncthing.nix
@ -2,19 +2,18 @@
  config,
  pkgs,
  inputs,
-  configLib,
  lib,
  ...
 }: {
  services.syncthing = {
    enable = true;
-    user = config.host.user;
+    user = config.host.details.user;
    group = "users";
    overrideDevices = false;
    overrideFolders = false;
    openDefaultPorts = true;
    systemService = true;
-    dataDir = "/home/${config.host.user}/Sync";
-    configDir = "/home/${config.host.user}/.local/state/syncthing";
+    dataDir = "/home/${config.host.details.user}/Sync";
+    configDir = "/home/${config.host.details.user}/.local/state/syncthing";
  };
 }
--- a/configs/nixos/tailscale.nix
+++ b/configs/nixos/tailscale.nix
@ -2,7 +2,6 @@
  config,
  pkgs,
  inputs,
-  configLib,
  lib,
  ...
 }: {