feat: picard to ds9 backups

hosts/ds9/default.nix

@@ -51,27 +51,16 @@ in
 
   };
 
-  # services.restic.backups."ds9" = {
+  # Backup Target
-  #   rcloneConfigFile = "/run/secrets/ds9rcloneConfig";
+  users.users.picardbackup = {
-  #   passwordFile = "/run/secrets/ds9resticPassword";
+    createHome = true;
-  #   pruneOpts = [
+    group = "users";
-  #     "--keep-daily 7"
+    home = "/backups/picard";
-  #     "--keep-weekly 5"
+    isSystemUser = true;
-  #     "--keep-monthly 12"
+    openssh.authorizedKeys.keys = [
-  #     "--keep-yearly 75"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHvCF8KGgpF9O8Q7k+JXqZ5eMeEeTaMhCIk/2ZFOzXL0"
-  #   ];
+    ];
-  #   initialize = true;
+  };
-  #   repository = "rclone:ds9:/ds9";
-  #   paths = [
-  #     "/data"
-  #     "/persistent/var/lib"
-  #   ];
-
-  # };
-
-  ragon.agenix.secrets."ds9rcloneConfig" = { };
-  ragon.agenix.secrets."ds9resticPassword" = { };
-
 
   # Enable Scanning
   hardware.sane.enable = true;

hosts/picard/default.nix

@@ -41,6 +41,27 @@
   users.mutableUsers = false;
 
   services.postgresql.package = pkgs.postgresql_13;
+  ragon.agenix.secrets."picardResticPassword" = { };
+  ragon.agenix.secrets."picardResticSSHKey" = { };
+
+  services.restic.backups."picard" = {
+    passwordFile = config.age.secrets.picardResticPassword.path;
+    extraOptions = [
+      "sftp.command='ssh picardbackup@ds9 -i ${config.age.secrets.picardResticSSHKey.path} -s sftp'"
+    ];
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+      "--keep-yearly 75"
+    ];
+    initialize = true;
+    repository = "sftp:ds9:/backups/picard/restic";
+    paths = [
+      "/persistent"
+    ];
+
+  };
 
   ragon = {
     cli.enable = true;

secrets/picardResticPassword.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 WceKOQ k2R5Jitq8cEQPR6XFnucyYE3BDlBTnXeXakig5Rb6CQ
+aXWMcZDMsC4UqpgkUywkOuHGTb5aeTHvpKNjxEUfTDo
+-> ssh-ed25519 ugHWWw 0CCoHYRYlYq5wFt8R26y5pSfSqTQzcR4jzdWl2E12TQ
+6qjep1dn6B5DA2lcMZXItnAzxE2eHY/XSJYVyDGRwW4
+-> ssh-ed25519 UU9RSA CMo9lkcazC9TXypP/o/majaFp0UP++XAbh65TYvEiDo
+GD1/sNmjRM2+9RpPbCMoMU9Q0JQb2jsjji1Yt0+LR9w
+-> +!c:-grease zi]- eO\*
+nKAD5+pPHB3K+HtpEHA+bDBG/P9ec6pb
+--- 5x5Rpg23SqXQK/sSiUNEZ0tdXF+GxgBSTWVSbIOmmNw
+IåXnTBt·Œh¥|XÇwmôúèÎÓºSç=Sr”MCàâè<C3A2>Š²{¢¢MÂ…›^¯µÒHa›„£Wâi
+;†}ÿ
+,<2C>€:´—Ït’=öÓâ<C393>ùÐrC|À|h«©”$¹†–

secrets/secrets.nix

@@ -10,8 +10,6 @@ in
   "ragonPasswd.age".publicKeys = pubkeys.ragon.computers;
   "tailscaleKey.age".publicKeys = pubkeys.ragon.computers;
   "paperlessAdminPW.age".publicKeys = pubkeys.ragon.host "ds9";
-  "ds9rcloneConfig.age".publicKeys = pubkeys.ragon.host "ds9";
-  "ds9resticPassword.age".publicKeys = pubkeys.ragon.host "ds9";
   "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
   "gitlabInitialRootPassword.age".publicKeys = pubkeys.ragon.host "picard";
   "gitlabSecretFile.age".publicKeys = pubkeys.ragon.host "picard";
@@ -19,4 +17,6 @@ in
   "gitlabOTPFile.age".publicKeys = pubkeys.ragon.host "picard";
   "gitlabJWSFile.age".publicKeys = pubkeys.ragon.host "picard";
   "nextcloudAdminPass.age".publicKeys = pubkeys.ragon.host "picard";
+  "picardResticSSHKey.age".publicKeys = pubkeys.ragon.host "picard";
+  "picardResticPassword.age".publicKeys = pubkeys.ragon.host "picard";
 }