diff --git a/backup/restic.nix b/backup/restic.nix
index 6c7d5bb..970f126 100644
--- a/backup/restic.nix
+++ b/backup/restic.nix
@@ -4,13 +4,19 @@ let
 in {
 services.restic.backups = {
- options = {
- passwordFile = "/etc/restic/resticPasswd";
- repository = "s3:s3.anazonaws.com/${cfg.backblaze.bucket}";
+ varBackup = {
+ passwordFile = "/var/lib/restic/pass";
+ repository = "rclone:${cfg.backblaze.bucket}:/sfbackup";
+ extraOptions = [ "rclone.args='serve restic --stdio'" ];
+ rcloneConfig = {
+ type = "b2";
+ account = cfg.backblaze.accountId;
+ key = cfg.backblaze.accountKey;
+ hard_delete = false;
+ };
 initialize = true;
 paths = [
- "/var/dkim"
- "/var/vmail"
+ "/var"
 ];
 timerConfig = {
 OnCalendar = [ "daily" ];
@@ -25,11 +31,4 @@ in
 isNormalUser = false;
 isSystemUser = true;
 };
- environment.etc."restic/resticPasswd".text = ''
- ${cfg.resticPassword}
- '';
- environment.etc."restic/s3Passwd".text = ''
- AWS_ACCESS_KEY_ID=${cfg.backblaze.accountId}
- AWS_SECRET_ACCESS_KEY=${cfg.backblaze.accountKey}
- '';
 }
diff --git a/files.nix b/files.nix
index 1b3a66d..7ebd2c4 100644
--- a/files.nix
+++ b/files.nix
@@ -25,7 +25,8 @@ in
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.bitwarden.enable then "d /var/lib/bitwarden/backup 0777 bitwarden_rs bitwarden_rs -" else "")
 (if cfg.pleroma.enable then "d /var/lib/pleroma 0700 pleroma pleroma - -" else "")
- "d /var/lib/restic 0600 restic - - -"
+ "d /var 0755 root shared - -"
+ "d /var/lib/restic 0700 restic - - -"
 "f+ /var/lib/restic/pass 0400 restic - - ${resticPass}"
 "f+ /root/.config/rclone/rclone.conf 0400 root root - ${rcloneConfig}"
 (if cfg.pleroma.enable then "f /var/lib/pleroma/secrets.exs 0755 pleroma pleroma - -" else "")
diff --git a/users.nix b/users.nix
index a3128b2..8812f8e 100644
--- a/users.nix
+++ b/users.nix
@@ -21,5 +21,10 @@ in
 };
 }) cfg.users);
+ groups = {
+ shared = {
+ members = [ "restic" ];
+ };
+ };
 };
 }
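Review bot: `rcloneConfig` now carries `cfg.backblaze.accountKey` and `accountId` as plain attributes; the NixOS restic module passes `rcloneConfig` to the service as `RCLONE_CONFIG_*` environment variables, so the B2 key is rendered into the unit file in the world-readable Nix store (confirm against the nixpkgs revision in use). The files.nix hunk already writes a 0400 `/root/.config/rclone/rclone.conf`, so the same secret exists twice; pointing the module at that file instead, `rcloneConfigFile = "/root/.config/rclone/rclone.conf";`, and keeping only non-secret settings in `rcloneConfig` removes the store copy. Separately, for a b2 remote rclone treats the first path component as the bucket, so `rclone:${cfg.backblaze.bucket}:/sfbackup` names the remote after the bucket but stores into a bucket called `sfbackup`; verify that is intended. A one-line comment on `paths = [ "/var" ]` would help, e.g. `# whole /var: all service state, including /var/lib/restic/pass itself`. The `varBackup` attribute set continues past the end of the hunk.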
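Review bot: `d /var 0755 root shared - -` changes the group of an existing /var to `shared` on every tmpfiles run (the `d` type adjusts mode and ownership of a directory that already exists), yet 0755 already grants world read/execute, so the group membership given to `restic` in the users.nix hunk adds nothing for traversal. Children created with restrictive modes in this same list, such as `/var/lib/pleroma` at 0700, remain unreadable to a non-root `restic` process, so a `paths = [ "/var" ]` backup run as that user would still fail on them; whether the service runs as `restic` or as the module's default user is not visible in this diff. If group-based access is the intent, the per-service rules need matching group grants; otherwise the line can be dropped or documented with `# /var group 'shared': traversal only; per-service state dirs keep their own modes`.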