servers/machines/lebesgue/config/backups.nix

{
  pkgs,
  config,
  ...
}: let
  paths = ["/var/lib/vaultwarden"];
  exclude = [];

  secrets = config.sops.secrets;
in {
  users.groups.restic = {};
  users.users.restic = {
    isSystemUser = true;
    group = "restic";
  };

  security.wrappers.restic = {
    source = "${pkgs.restic.out}/bin/restic";
    owner = "restic";
    group = "restic";
    permissions = "u=rwx,g=,o=";
    capabilities = "cap_dac_read_search=+ep";
  };

  services.restic.backups = {
    s3 = {
      inherit paths exclude;
      user = "restic";

      repositoryFile = secrets.restic-repository.path;
      environmentFile = secrets.restic-env.path;
      passwordFile = secrets.restic-password.path;

      pruneOpts = [
        "--keep-daily 7"
        "--keep-weekly 4"
      ];
    };
  };
}
Add restic backups to lebesgue. 2025-02-06 17:44:13 -06:00			`{`
			`pkgs,`
			`config,`
			`...`
			`}: let`
			`paths = ["/var/lib/vaultwarden"];`
			`exclude = [];`

			`secrets = config.sops.secrets;`
			`in {`
			`users.groups.restic = {};`
			`users.users.restic = {`
			`isSystemUser = true;`
			`group = "restic";`
			`};`

			`security.wrappers.restic = {`
			`source = "${pkgs.restic.out}/bin/restic";`
			`owner = "restic";`
			`group = "restic";`
			`permissions = "u=rwx,g=,o=";`
			`capabilities = "cap_dac_read_search=+ep";`
			`};`

			`services.restic.backups = {`
			`s3 = {`
			`inherit paths exclude;`
			`user = "restic";`

			`repositoryFile = secrets.restic-repository.path;`
			`environmentFile = secrets.restic-env.path;`
			`passwordFile = secrets.restic-password.path;`

			`pruneOpts = [`
			`"--keep-daily 7"`
			`"--keep-weekly 4"`
			`];`
			`};`
			`};`
			`}`