marie-desktop: add restic backup service

Author: NyCodeGHG

hosts/marie-desktop/backup.nix

@@ -0,0 +1,48 @@
+{ pkgs, config, lib, ... }:
+{
+  age.secrets.restic-password = {
+    file = ./secrets/restic-password.age;
+    owner = "marie";
+    group = "users";
+  };
+  systemd.services.backup = {
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    serviceConfig = {
+      PrivateMounts = true;
+      SystemCallFilter = [ "@system-service" "@mount" ];
+    };
+    environment = {
+      RESTIC_REPOSITORY = "sftp:marie@marie-nas.fritz.box:/srv/restic/marie";
+      RESTIC_PASSWORD_FILE = config.age.secrets.restic-password.path;
+      SSH_AUTH_SOCK = "/run/user/1000/ssh-agent";
+      HOME = "/home/marie";
+    };
+    path = with pkgs; [ restic util-linux btrfs-progs config.programs.ssh.package config.security.sudo.package ];
+    script = ''
+      set -euo pipefail
+      SNAPSHOT_NAME="@restic-$(date "+%F_%k-%M-%S")"
+      btrfs subvolume snapshot /home "/home/$SNAPSHOT_NAME"
+
+      function cleanup() {
+        mount -t btrfs -o subvol=home ${config.fileSystems."/home".device} /home
+        btrfs subvolume delete "/home/$SNAPSHOT_NAME"
+      }
+
+      trap cleanup EXIT
+
+      umount /home
+      mount -t btrfs -o subvol="/home/$SNAPSHOT_NAME" '${config.fileSystems."/home".device}' /home
+
+      sudo \
+        --user=marie \
+        --preserve-env=RESTIC_REPOSITORY,RESTIC_PASSWORD_FILE,SSH_AUTH_SOCK \
+          restic backup \
+            --exclude-caches \
+            --exclude-file "${./scripts/restic-excludes.txt}" \
+            --tag home \
+            --one-file-system \
+            "$HOME"
+    '';
+  };
+}

hosts/marie-desktop/configuration.nix

@@ -2,12 +2,14 @@
 {
   imports = with inputs; [
     home-manager-unstable.nixosModules.default
+    agenix.nixosModules.default
     ./hardware.nix
     ./gaming.nix
     ./suspend-fix.nix
     ./tailscale.nix
     ./syncthing.nix
     ./wireshark.nix
+    ./backup.nix
   ];
 
   uwumarie.profiles = {

hosts/marie-desktop/scripts/restic-excludes.txt

@@ -0,0 +1,34 @@
+$HOME/**/Cache
+$HOME/**/Caches
+$HOME/**/cache
+$HOME/**/caches
+$HOME/**/.cache
+$HOME/**/__pycache__
+
+$HOME/.config/*/Cache
+$HOME/.config/*/GPUCache
+$HOME/.config/*/ShaderCache
+$HOME/.config/*/DawnCache
+$HOME/.config/*/DawnGraphiteCache
+$HOME/.config/*/DawnWebGPUCache
+
+$HOME/.config/VSCodium/CachedData
+$HOME/.config/VSCodium/CachedExtensions
+$HOME/.config/VSCodium/logs
+
+$HOME/.local/share/Steam
+$HOME/.local/share/pnpm
+$HOME/.local/share/containers
+$HOME/.local/share/umu
+
+$HOME/.rustup
+$HOME/.yarn
+$HOME/.npm
+$HOME/.jdks
+$HOME/.cargo
+$HOME/.compose-cache
+$HOME/.ccache
+$HOME/.android
+$HOME/.gradle
+
+$HOME/.var/app/com.usebottles.bottles

hosts/marie-desktop/secrets/restic-password.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 GkDrBg hlklf6O6XbDOm1t42koXo3lqCyhk6vfkKVEmS8VRWwo
+AwRFsyGEo2GvLaR3dxqBWs5LtEZN3BeVz/Phr5HRsIk
+-> ssh-ed25519 /tLDqA kC/Sxf9S1/3uUoY5XfEsfA1+52s+EgToc/ktAyWdwz8
+1nI4VDwqmrgNDf/GxFDqFJIoKipSzO9MNwW9t3VNxqs
+-> ssh-ed25519 kl9Tcw 0rZ7RBdPuMItattk4JIrchPakWp8JWojFHWHLVy9Im8
+qBPidAlVVxbKSm9bW2/PdsmdahZ76IKBWjX+a2XtDss
+--- ZJMS3G8LpYfS6t68+lkK19DmR4XvKLecHSx6QT27p+A
+i����:�v�V�i�ៗ�1���n����^�*��\p�@i�-@?�V6�dM�e@ن��(�����h�u�� �*2}�K�N0�

secrets/secrets.nix

@@ -9,6 +9,7 @@ let
   wsl = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEpKCSJGPFfckgr1/X1Rv7jeOe9E8tYmP1iqogzSXF+u"];
   gitlabber = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBFxL7AqowWxKzJqrj8Mr2MDF3NDbyExAPwKjohoCx/t"];
   marie-nas = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwvQy3cK9gGwFEf5UGCxQ61j8Kv30JDAZ39FOtKkrCQ"];
+  marie-desktop-host = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSpnu/du04AEB2LuwIHJU5CZwBFsMLWUhNgn0+9tlte root@marie-desktop"];
   allSystems = artemis ++ delphi ++ wsl ++ marie-nas;
   users = marie-desktop-wsl ++ marie-desktop;
 in
@@ -42,4 +43,6 @@ in
   "../hosts/gitlabber/cachix-auth-token.age".publicKeys = users ++ gitlabber;
   "../hosts/gitlabber/forgejo-runner.age".publicKeys = users ++ gitlabber;
   "../hosts/artemis/applications/hedgedoc/env.age".publicKeys = users ++ artemis;
+
+  "../hosts/marie-desktop/secrets/restic-password.age".publicKeys = marie-desktop ++ marie-desktop-host;
 }