Add restic backups to lebesgue.

machines/lebesgue/config/backups.nix

@@ -0,0 +1,40 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  paths = ["/var/lib/vaultwarden"];
+  exclude = [];
+
+  secrets = config.sops.secrets;
+in {
+  users.groups.restic = {};
+  users.users.restic = {
+    isSystemUser = true;
+    group = "restic";
+  };
+
+  security.wrappers.restic = {
+    source = "${pkgs.restic.out}/bin/restic";
+    owner = "restic";
+    group = "restic";
+    permissions = "u=rwx,g=,o=";
+    capabilities = "cap_dac_read_search=+ep";
+  };
+
+  services.restic.backups = {
+    s3 = {
+      inherit paths exclude;
+      user = "restic";
+
+      repositoryFile = secrets.restic-repository.path;
+      environmentFile = secrets.restic-env.path;
+      passwordFile = secrets.restic-password.path;
+
+      pruneOpts = [
+        "--keep-daily 7"
+        "--keep-weekly 4"
+      ];
+    };
+  };
+}

machines/lebesgue/config/secrets.nix

@@ -6,6 +6,9 @@
       admin-password.neededForUsers = true;
       tskey = {};
       vaultwarden-env = {};
+      restic-env = {owner = "restic";};
+      restic-password = {owner = "restic";};
+      restic-repository = {owner = "restic";};
     };
   };
 }

machines/lebesgue/config/state.nix

@@ -3,6 +3,7 @@
 
   environment.persistence."/persist" = {
     directories = [
+      "/var/cache/restic-backups-s3"
       "/var/lib/tailscale"
       "/var/log"
       "/var/lib/nixos"