From b37043851d51d6936ad53d4898d4705bf1a52a74 Mon Sep 17 00:00:00 2001
From: Aaron Bieber <aaron@bolddaemon.com>
Date: Fri, 26 Jan 2024 08:10:31 -0700
Subject: [PATCH] stan: enable backups

---
 flake.lock             | 22 +++++++++++-----------
 hosts/stan/default.nix | 29 +++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/flake.lock b/flake.lock
index 470fd40..643eb6d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -392,10 +392,10 @@
     },
     "stable_2": {
       "locked": {
-        "lastModified": 1702161203,
-        "narHash": "sha256-nq40oP9Pk/bC9/3ShxUah2FWsyHcObtS2NU5rV8shXY=",
-        "path": "/nix/store/2mk1z2xf4v5rnpml75gbmgv6bv6i4nig-source",
-        "rev": "901fc6ea49ca9e9bbf636c48e2611588802e7b16",
+        "lastModified": 1706176172,
+        "narHash": "sha256-+kOLrH4DNw6EMITqXosMqoQUyIGWTMYVYcqALP8+PPc=",
+        "path": "/nix/store/a2y0kc4g4xlxg5r50565y45734q4mssd-source",
+        "rev": "72d28a6d71c30f0242c18317520bc3f4d822e794",
         "type": "path"
       },
       "original": {
@@ -516,11 +516,11 @@
     },
     "unstable_2": {
       "locked": {
-        "lastModified": 1702397419,
-        "narHash": "sha256-CBMSwZHT7GLq2JdOPWAVDBaYFbUHWD1+jPFrYk0JeLM=",
+        "lastModified": 1706278372,
+        "narHash": "sha256-SYceUQX1wjDQQsdws5MjNOWXE79GESFp/9uc4w3tZDo=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "73ca2df642228129df7a968bad6499732dbc7ddd",
+        "rev": "6081df2649d246e60d9d0165c79bea8ac3a97816",
         "type": "github"
       },
       "original": {
@@ -553,11 +553,11 @@
         "unstable": "unstable_2"
       },
       "locked": {
-        "lastModified": 1705613028,
-        "narHash": "sha256-YeZWRn1sqFFtBp1HgDSJAVczlPGS62TMUA0ruB8d+CQ=",
+        "lastModified": 1706280764,
+        "narHash": "sha256-hvqQwniv9DTXHHf9wXdSus5aaZUMX+cPjm0BU5sT4cI=",
         "ref": "main",
-        "rev": "f6ef694e6d8a6bc9af28996238bc379b6348ea88",
-        "revCount": 122,
+        "rev": "28c6b8651be883f28933d2646221098394c1fdab",
+        "revCount": 125,
         "type": "git",
         "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
       },
diff --git a/hosts/stan/default.nix b/hosts/stan/default.nix
index 728dbdc..2ba9100 100644
--- a/hosts/stan/default.nix
+++ b/hosts/stan/default.nix
@@ -133,6 +133,21 @@ in
       group = "wheel";
       mode = "400";
     };
+    restic_password_file = {
+      sopsFile = config.xin-secrets.stan.main;
+      owner = "root";
+      mode = "400";
+    };
+    restic_env_file = {
+      sopsFile = config.xin-secrets.stan.main;
+      owner = "root";
+      mode = "400";
+    };
+    restic_repo_file = {
+      sopsFile = config.xin-secrets.stan.main;
+      owner = "root";
+      mode = "400";
+    };
   };
 
   users.users.root = userBase;
@@ -193,6 +208,20 @@ in
   };
 
   services = {
+    restic = {
+      backups = {
+        remote = {
+          initialize = true;
+          environmentFile = "${config.sops.secrets.restic_env_file.path}";
+          passwordFile = "${config.sops.secrets.restic_password_file.path}";
+          repositoryFile = "${config.sops.secrets.restic_repo_file.path}";
+
+          paths = [ "/home/abieber" "/var/lib/libvirt" ];
+
+          pruneOpts = [ "--keep-daily 7" "--keep-weekly 2" "--keep-monthly 2" ];
+        };
+      };
+    };
     rsyslogd = {
       enable = testingMode;
       defaultConfig = ''