servers/common/backups/restic.nix

{
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (lib)
    mkIf
    mkEnableOption
    mkOption
    types
    ;
  cfg = config.foehammer.backups.restic;
in
{
  options.foehammer.backups.restic = {
    enable = mkEnableOption "Enable restic backups";

    repositoryFile = mkOption {
      type = types.nullOr types.path;
    };

    environmentFile = mkOption {
      type = types.nullOr types.str;
    };

    passwordFile = mkOption {
      type = types.str;
    };

    paths = mkOption {
      type = lib.types.nullOr (lib.types.listOf lib.types.str);
      default = [ ];
    };

    exclude = mkOption {
      type = lib.types.nullOr (lib.types.listOf lib.types.str);
      default = [ ];
    };
  };

  config = mkIf cfg.enable {
    users.groups.restic = { };
    users.users.restic = {
      isSystemUser = true;
      group = "restic";
    };

    security.wrappers.restic = {
      source = "${pkgs.restic.out}/bin/restic";
      owner = "restic";
      group = "restic";
      permissions = "u=rwx,g=,o=";
      capabilities = "cap_dac_read_search=+ep";
    };

    services.restic.backups = {
      remote = {
        paths = cfg.paths;
        exclude = cfg.exclude;
        user = "restic";

        initialize = true;

        repositoryFile = cfg.repositoryFile;
        environmentFile = cfg.environmentFile;
        passwordFile = cfg.passwordFile;

        pruneOpts = [
          "--keep-daily 7"
          "--keep-weekly 4"
        ];
      };
    };
  };
}
Refactor Tailscale and Restic Into Common Nixos Modules. 2025-02-07 17:14:52 -06:00			`{`
			`config,`
			`pkgs,`
			`lib,`
			`...`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`}:`
			`let`
			`inherit (lib)`
			`mkIf`
			`mkEnableOption`
			`mkOption`
			`types`
			`;`
Refactor Tailscale and Restic Into Common Nixos Modules. 2025-02-07 17:14:52 -06:00			`cfg = config.foehammer.backups.restic;`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`in`
			`{`
Refactor Tailscale and Restic Into Common Nixos Modules. 2025-02-07 17:14:52 -06:00			`options.foehammer.backups.restic = {`
			`enable = mkEnableOption "Enable restic backups";`

			`repositoryFile = mkOption {`
			`type = types.nullOr types.path;`
			`};`

			`environmentFile = mkOption {`
			`type = types.nullOr types.str;`
			`};`

			`passwordFile = mkOption {`
			`type = types.str;`
			`};`

			`paths = mkOption {`
			`type = lib.types.nullOr (lib.types.listOf lib.types.str);`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`default = [ ];`
Refactor Tailscale and Restic Into Common Nixos Modules. 2025-02-07 17:14:52 -06:00			`};`

			`exclude = mkOption {`
			`type = lib.types.nullOr (lib.types.listOf lib.types.str);`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`default = [ ];`
Refactor Tailscale and Restic Into Common Nixos Modules. 2025-02-07 17:14:52 -06:00			`};`
			`};`

			`config = mkIf cfg.enable {`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`users.groups.restic = { };`
Refactor Tailscale and Restic Into Common Nixos Modules. 2025-02-07 17:14:52 -06:00			`users.users.restic = {`
			`isSystemUser = true;`
			`group = "restic";`
			`};`

			`security.wrappers.restic = {`
			`source = "${pkgs.restic.out}/bin/restic";`
			`owner = "restic";`
			`group = "restic";`
			`permissions = "u=rwx,g=,o=";`
			`capabilities = "cap_dac_read_search=+ep";`
			`};`

			`services.restic.backups = {`
			`remote = {`
			`paths = cfg.paths;`
			`exclude = cfg.exclude;`
			`user = "restic";`

			`initialize = true;`

			`repositoryFile = cfg.repositoryFile;`
			`environmentFile = cfg.environmentFile;`
			`passwordFile = cfg.passwordFile;`

			`pruneOpts = [`
			`"--keep-daily 7"`
			`"--keep-weekly 4"`
			`];`
			`};`
			`};`
			`};`
			`}`