modules/backup: create a wrapper to handle restic failures

- create wrapper module
- expose po_env to everything

configs/ci.nix

@@ -42,7 +42,6 @@ with lib; {
   config = mkIf config.xinCI.enable {
     sops.defaultSopsFile = config.xin-secrets.ci;
     sops.secrets = {
-      po_env = { owner = config.xinCI.user; };
       ci_ed25519_key = {
         mode = "400";
         owner = config.xinCI.user;

configs/manager.nix

@@ -36,7 +36,6 @@ with lib; {
       manager_pubkey = { owner = config.nixManager.user; };
       ca_key = { owner = config.nixManager.user; };
       ca_cert = { owner = config.nixManager.user; };
-      po_env = { owner = config.nixManager.user; };
     };
 
     environment.systemPackages = [

configs/tailnet.nix

@@ -243,10 +243,6 @@ with lib; {
       owner = config.nixManager.user;
       sopsFile = config.xin-secrets.manager;
     };
-    po_env = {
-      owner = config.nixManager.user;
-      sopsFile = config.xin-secrets.manager;
-    };
   };
   systemd.services = mkIf enabled (listToAttrs (builtins.map xinlib.jobToService jobs));
   environment.systemPackages = mkIf enabled [ aclUpdateScript ];

default.nix

@@ -65,6 +65,11 @@ in
 
       secrets =
         if config.needsDeploy.enable then {
+          po_env = {
+            sopsFile = config.xin-secrets.deploy;
+            owner = "root";
+            mode = "444";
+          };
           xin_secrets_deploy_key = {
             sopsFile = config.xin-secrets.deploy;
             owner = "root";

flake.nix

@@ -132,7 +132,10 @@
     , ...
     } @ inputs:
     let
-      xinlib = import ./lib { inherit (unstable) lib; };
+      xinlib = import ./lib {
+        inherit (unstable) lib;
+        inherit inputs;
+      };
       supportedSystems = [ "x86_64-linux" ];
       #[ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
       forAllSystems = unstable.lib.genAttrs supportedSystems;

hosts/europa/default.nix

@@ -219,31 +219,29 @@ in
       openFirewall = true;
     };
     printing.enable = true;
-    restic = {
     backups =
       let
-          paths = [ "/home/qbit" "/var/lib/libvirt" "/etc" ];
+        paths = [ "/home/qbit" "/etc" ];
+        pruneOpts = [ "--keep-hourly 12" "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
+        timerConfig = { OnCalendar = "*-*-* 00:30:00"; };
       in
       {
         remote = {
-            initialize = true;
+          enable = true;
           passwordFile = "${config.sops.secrets.restic_remote_password_file.path}";
           repositoryFile = "${config.sops.secrets.restic_remote_repo_file.path}";
 
-            inherit paths;
-
-            pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
+          # Don't send libvirt over the air-wire
+          inherit paths pruneOpts timerConfig;
         };
         local = {
-            initialize = true;
+          enable = true;
           repository = "/run/media/qbit/backup/${config.networking.hostName}";
           environmentFile = "${config.sops.secrets.restic_env_file.path}";
           passwordFile = "${config.sops.secrets.restic_password_file.path}";
 
-            inherit paths;
-
-            pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 5" ];
-          };
+          paths = paths ++ [ "/var/lib/libvirt" ];
+          inherit pruneOpts timerConfig;
         };
       };
     pcscd.enable = true;

hosts/h/default.nix

@@ -489,10 +489,9 @@ in
       ];
     };
 
-    restic = {
     backups = {
       b2 = {
-          initialize = true;
+        enable = true;
         repository = "b2:cyaspanJicyeemJedMarlEjcasOmos";
         environmentFile = "${config.sops.secrets.restic_env_file.path}";
         passwordFile = "${config.sops.secrets.restic_password_file.path}";
@@ -517,7 +516,6 @@ in
         pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 10" ];
       };
     };
-    };
 
     nginx = {
       enable = true;

hosts/stan/default.nix

@@ -275,10 +275,9 @@ in
         server = "127.0.0.1:24800";
       };
     };
-    restic = {
     backups = {
       remote = {
-          initialize = true;
+        enable = true;
         environmentFile = "${config.sops.secrets.restic_env_file.path}";
         passwordFile = "${config.sops.secrets.restic_password_file.path}";
         repositoryFile = "${config.sops.secrets.restic_repo_file.path}";
@@ -288,7 +287,6 @@ in
         pruneOpts = [ "--keep-daily 7" "--keep-weekly 2" "--keep-monthly 2" ];
       };
     };
-    };
     rsyslogd = {
       enable = testingMode;
       defaultConfig = ''

modules/backup.nix

@@ -0,0 +1,103 @@
+{ lib, inputs, config, utils, pkgs, ... }:
+with lib;
+let
+  inherit (utils.systemdUtils.unitOptions) unitOption;
+  cfg = config.services.backups;
+  enabledBackups = filterAttrs (_: conf: conf.enable) cfg;
+in
+{
+  options = {
+    services.backups = mkOption {
+      description = "Backup configurations, wrapped to allow for notifications of failed backups.";
+      default = { };
+      type = with types; attrsOf (submodule ({ name, ... }: {
+        options = {
+          enable = mkEnableOption "Enable backup for ${name}";
+
+          passwordFile = mkOption {
+            type = path;
+            description = "Path to file containing password.";
+          };
+
+          repository = mkOption {
+            type = nullOr str;
+            default = null;
+            description = "optional path to repository (can also be specified in the repositoryFile.";
+          };
+
+          repositoryFile = mkOption {
+            type = nullOr path;
+            default = null;
+            description = "Path to repository file.";
+          };
+
+          environmentFile = mkOption {
+            type = nullOr str;
+            default = null;
+            description = "path to environment file";
+          };
+
+          paths = mkOption {
+            type = listOf str;
+            description = "List of paths to backup.";
+            default = [ ];
+          };
+
+          pruneOpts = mkOption {
+            type = listOf str;
+            description = "Options for 'restic forget'.";
+            default = [ "--keep-hourly 12" "--keep-daily 7" "--keep-weekly 5" "--keep-yearly 4" ];
+          };
+
+          timerConfig = mkOption {
+            type = nullOr (attrsOf unitOption);
+            description = "systemd.timer(5) settings for when to do the backup.";
+            default = {
+              OnCalendar = "daily";
+              Persistent = true;
+            };
+          };
+        };
+      }));
+    };
+  };
+  config = mkIf (enabledBackups != { }) {
+    services.restic.backups = mapAttrs'
+      (name: conf: nameValuePair
+        name
+        {
+          initialize = true;
+          inherit (conf) passwordFile repository repositoryFile paths pruneOpts timerConfig environmentFile;
+        })
+      enabledBackups;
+
+    systemd.services = mkMerge [
+      (mapAttrs'
+        (name: _: nameValuePair
+          "restic-backups-${name}-failed"
+          {
+            enable = true;
+            description = "Notification service for ${name}";
+            serviceConfig = {
+              Type = "oneshot";
+            };
+            script = ''
+              . ${config.sops.secrets.po_env.path}
+            
+              PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
+              $PO -title "restic-${name} backup failed!" -body "Please check the ${name} backup on ${config.networking.hostName}."
+            '';
+
+          })
+        enabledBackups)
+      (mapAttrs'
+        (name: _: nameValuePair
+          "restic-backups-${name}"
+          {
+            unitConfig.OnFailure = "restic-backups-${name}-failed.service";
+          })
+        enabledBackups)
+    ];
+  };
+}
+    

modules/default.nix

@@ -1,5 +1,6 @@
 { ... }: {
   imports = [
+    ./backup.nix
     ./golink.nix
     ./gotosocial.nix
     ./lock-action.nix