Implement basic backups with restic

2026-01-24 01:13:32 -05:00
parent 7842126a66
commit 5ba7e22e8a
3 changed files with 52 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -14,6 +14,7 @@
        ./modules/nginx.nix
        ./modules/gitea.nix
        ./modules/pds.nix
+        ./modules/restic.nix
    ];

    nix.settings.experimental-features = [ "nix-command" "flakes" ];
@@ -43,6 +44,7 @@

    users.users.admin = {
        isNormalUser = true;
+        shell = pkgs.zsh;
        openssh.authorizedKeys.keys = [
            "sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBEyvP3QsMUk8k+h/gjmHUZvic/lKVfQDNISIhwiJ4OArcvo8Y1c9Hg+wagVkSw3xA+ggBQw/E7VYoMvx/JtcAQsAAAAEc3NoOg== ssh:"
        ];
@@ -59,11 +61,14 @@

    # Global packages
    environment.systemPackages = with pkgs; [
+        zsh
+        fish
        neovim
        nano
        git
    ];

+    programs.zsh.enable = true;
    programs.bash.completion.enable = true;

    security.sudo = {
--- a/modules/gitea.nix
+++ b/modules/gitea.nix
@@ -3,6 +3,8 @@
    services.gitea = {
        enable = true;

+        dump.enable = true;
+
        settings = {
            service.DISABLE_REGISTRATION = true;
            server = {
--- a/modules/restic.nix
+++ b/modules/restic.nix
@@ -0,0 +1,45 @@
+{pkgs, config, ...}:
+{
+    systemd.tmpfiles.rules = [
+        "d /backup - root backup-sync -"
+    ];
+
+    services.restic.backups = {
+        garden = {
+            initialize = true;
+            paths = [
+                "/var/www" # Webserver data
+                "/var/lib/pds" # ATProto PDS
+                "/home" # User data
+                "${config.services.gitea.stateDir}/dump" # Gitea repository
+            ];
+
+            pruneOpts = [
+                "--keep-daily 14"
+            ];
+
+            # Stop bluesky-pds during backup to ensure usable database files.
+            backupPrepareCommand = "systemctl stop bluesky-pds";
+            backupCleanupCommand =
+            ''
+            systemctl start bluesky-pds
+            chgrp -R backup-sync /backup
+            chmod -R g+rX /backup
+            '';
+
+            repository = "/backup";
+            passwordFile = "/root/restic_pass";
+        };
+    };
+
+    # User used for fetching the backup repository
+    users.groups.backup-sync = {};
+    users.users.backup-sync = {
+        isSystemUser = true;
+        group = "backup-sync";
+        shell = pkgs.zsh;
+        openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCzn4bk+onpJHltUmc/Axqux1l+gdZ1iXuC4ra2FTs1"
+        ];
+    };
+}