-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathrestic.nix
75 lines (69 loc) · 2.46 KB
/
restic.nix
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
{
lib,
config,
...
}: let
inherit
(lib)
flatten
flip
mapAttrsToList
mkEnableOption
mkIf
mkOption
optional
types
unique
;
in {
options.services.restic.backups = mkOption {
type = types.attrsOf (types.submodule (submod: {
options.hetznerStorageBox = {
enable = mkEnableOption "Automatically configure this backup to use the given hetzner storage box. Will use SFTP via SSH.";
mainUser = mkOption {
type = types.str;
description = ''
The main user. While not technically required for restic, we still use it to
derive the subuser name and it is required for the automatic setup script
that creates the users.
'';
};
subUid = mkOption {
type = types.int;
description = "The id of the subuser that was allocated on the hetzner server for this backup.";
};
path = mkOption {
type = types.str;
description = ''
The remote path to backup into. While not technically required for restic
(since the subuser is chrooted on the remote), it is required for the
automatic setup script that creates the users.
'';
};
sshAgeSecret = mkOption {
type = types.str;
description = "The name of the agenix secret containing the ssh private key for accesing the storage box.";
};
};
config = let
subuser = "${submod.config.hetznerStorageBox.mainUser}-sub${toString submod.config.hetznerStorageBox.subUid}";
url = "${subuser}@${submod.config.hetznerStorageBox.mainUser}.your-storagebox.de";
in
mkIf submod.config.hetznerStorageBox.enable {
repository = "rclone:";
extraOptions = [
"rclone.program='ssh -p23 ${url} -i ${config.age.secrets.${submod.config.hetznerStorageBox.sshAgeSecret}.path}'"
];
};
}));
};
config.services.openssh.knownHosts.hetzner-storage-boxes = let
hetznerStorageBoxHostnames =
unique (flatten (flip mapAttrsToList config.services.restic.backups
(_: backupCfg: optional backupCfg.hetznerStorageBox.enable "[${backupCfg.hetznerStorageBox.mainUser}.your-storagebox.de]:23")));
in
mkIf (hetznerStorageBoxHostnames != []) {
publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIICf9svRenC/PLKIL9nk6K/pxQgoiFC41wTNvoIncOxs";
hostNames = hetznerStorageBoxHostnames;
};
}