nixos/modules/restic-server/default.nix

{ custom }: { config, pkgs, ... }:
let
  repository = "/var/lib/restic-server";
in
{
  imports = [
    (import "${custom.inputs.self}/modules/telegram-notifications" { inherit custom; })
  ];
  age.secrets.resticKey = {
    file = "${custom.inputs.self}/scrts/restic.key.age";
    mode = "440";
    owner = "restic";
    group = "restic";
  };

  environment.systemPackages = with pkgs; [
    restic
  ];

  fileSystems."${repository}" = {
    device = "10.7.89.108:restic-server";
    fsType = "nfs";
    options = [ "noatime" "hard" "nfsvers=4.0" ];
  };
  services.restic.server = {
    enable = true;
    dataDir = repository;
    extraFlags = [ "--no-auth" ];
  };
  networking.firewall.allowedTCPPorts = [ 8000 ];

  systemd.services.restic-prune = {
    serviceConfig = {
      Type = "oneshot";
      User = "restic";
    };
    onFailure = [ "unit-status-telegram@%n.service" ];
    script = ''
      ${pkgs.restic}/bin/restic \
      --repo ${repository} \
      --password-file ${config.age.secrets.resticKey.path} \
      prune \
    '';
  };

  systemd.timers.restic-prune = {
    wantedBy = [ "timers.target" ];
    partOf = [ "restic-prune.service" ];
    timerConfig.OnCalendar = [ "*-*-* 08:00:00" ];
  };

  systemd.services.restic-check = {
    serviceConfig = {
      Type = "oneshot";
      User = "restic";
    };
    onFailure = [ "unit-status-telegram@%n.service" ];
    script = ''
      ${pkgs.restic}/bin/restic \
      --repo ${repository} \
      --password-file ${config.age.secrets.resticKey.path} \
      check \
    '';
  };
  systemd.timers.restic-prune = {
    wantedBy = [ "timers.target" ];
    partOf = [ "restic-check.service" ];
    timerConfig.OnCalendar = [ "*-*-* 07:00:00" ];
  };
}
Integrate inputs into custom 2022-11-04 19:35:57 +01:00			`{ custom }: { config, pkgs, ... }:`
add a restic-server 2022-01-27 19:32:05 +01:00			`let`
Correct mount point for the resti repository If I mount it in /mnt it gets only 700 for root which makes unreadable for the restic server. 2022-11-10 00:11:55 +01:00			`repository = "/var/lib/restic-server";`
add a restic-server 2022-01-27 19:32:05 +01:00			`in`
			`{`
Enable telegram notifications 2022-11-21 08:36:03 +01:00			`imports = [`
			`(import "${custom.inputs.self}/modules/telegram-notifications" { inherit custom; })`
			`];`
Make the restic key readable by the restic user 2022-11-21 08:35:49 +01:00			`age.secrets.resticKey = {`
			`file = "${custom.inputs.self}/scrts/restic.key.age";`
			`mode = "440";`
			`owner = "restic";`
			`group = "restic";`
			`};`
Encrypt restic secrets 2022-11-04 16:49:46 +01:00
add a new restic repo the old one is broken 2022-01-29 14:04:24 +01:00			`environment.systemPackages = with pkgs; [`
			`restic`
			`];`

Try with quotes 2022-06-07 23:50:33 +02:00			`fileSystems."${repository}" = {`
add a new restic repo the old one is broken 2022-01-29 14:04:24 +01:00			`device = "10.7.89.108:restic-server";`
			`fsType = "nfs";`
Try to downgrade the NFS version 2022-06-14 20:44:21 +02:00			`options = [ "noatime" "hard" "nfsvers=4.0" ];`
add a new restic repo the old one is broken 2022-01-29 14:04:24 +01:00			`};`
add a restic-server 2022-01-27 19:32:05 +01:00			`services.restic.server = {`
			`enable = true;`
			`dataDir = repository;`
			`extraFlags = [ "--no-auth" ];`
			`};`
open port for restic server 2022-01-27 20:08:09 +01:00			`networking.firewall.allowedTCPPorts = [ 8000 ];`
add a prune timer to the backup server 2022-02-28 15:10:58 +01:00
rename services 2022-02-28 17:16:23 +01:00			`systemd.services.restic-prune = {`
run prune command as restic user 2022-02-28 17:33:18 +01:00			`serviceConfig = {`
			`Type = "oneshot";`
			`User = "restic";`
			`};`
Enable telegram notifications 2022-11-21 08:36:03 +01:00			`onFailure = [ "unit-status-telegram@%n.service" ];`
add a prune timer to the backup server 2022-02-28 15:10:58 +01:00			`script = ''`
			`${pkgs.restic}/bin/restic \`
			`--repo ${repository} \`
Encrypt restic secrets 2022-11-04 16:49:46 +01:00			`--password-file ${config.age.secrets.resticKey.path} \`
move the prune tasks into seperate services 2022-02-28 16:23:03 +01:00			`prune \`
add a prune timer to the backup server 2022-02-28 15:10:58 +01:00			`'';`
			`};`

rename services 2022-02-28 17:16:23 +01:00			`systemd.timers.restic-prune = {`
add a prune timer to the backup server 2022-02-28 15:10:58 +01:00			`wantedBy = [ "timers.target" ];`
rename services 2022-02-28 17:16:23 +01:00			`partOf = [ "restic-prune.service" ];`
Add a service to check the repository 2022-11-21 08:36:21 +01:00			`timerConfig.OnCalendar = [ "--* 08:00:00" ];`
			`};`

			`systemd.services.restic-check = {`
			`serviceConfig = {`
			`Type = "oneshot";`
			`User = "restic";`
			`};`
			`onFailure = [ "unit-status-telegram@%n.service" ];`
			`script = ''`
			`${pkgs.restic}/bin/restic \`
			`--repo ${repository} \`
			`--password-file ${config.age.secrets.resticKey.path} \`
			`check \`
			`'';`
			`};`
			`systemd.timers.restic-prune = {`
			`wantedBy = [ "timers.target" ];`
			`partOf = [ "restic-check.service" ];`
Update all the restic related times 2022-11-10 00:25:15 +01:00			`timerConfig.OnCalendar = [ "--* 07:00:00" ];`
add a prune timer to the backup server 2022-02-28 15:10:58 +01:00			`};`
add a restic-server 2022-01-27 19:32:05 +01:00			`}`