Diffstat (limited to 'nix-conf/machines/edrahil/configuration.nix')
-rw-r--r--nix-conf/machines/edrahil/configuration.nix191
1 files changed, 157 insertions, 34 deletions
diff --git a/nix-conf/machines/edrahil/configuration.nix b/nix-conf/machines/edrahil/configuration.nix
index 2ef4c9d..a1bc8e3 100644
--- a/nix-conf/machines/edrahil/configuration.nix
+++ b/nix-conf/machines/edrahil/configuration.nix
@@ -1,7 +1,9 @@
-{ config, pkgs,... }: {
+{ config, pkgs, ... }:
+{
   imports = [
     ./hardware-configuration.nix
     ./network-configuration.nix
+    <sops-nix/modules/sops>
   ];
 
   boot.tmp.cleanOnBoot = true;
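Review bot: The added import `<sops-nix/modules/sops>` is resolved through NIX_PATH, so the sops-nix revision that handles this machine's secrets is whatever channel the host has at rebuild time and is not recorded in this repository. Pinning it, for example `"${builtins.fetchTarball { url = "<SOPS_NIX_ARCHIVE_URL>"; sha256 = "<SHA256>"; }}/modules/sops"`, makes rebuilds reproducible and lets an update of the secrets module be reviewed like any other change. If the channel is kept, a comment next to the import naming the expected channel and how it is added would at least document the dependency.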
@@ -10,7 +12,20 @@
   networking.hostName = "edrahil";
   networking.firewall = {
     enable = true;
-    allowedTCPPorts = [ 113 2222 ];
+    allowedTCPPorts = [
+      113
+      2222
+    ];
+  };
+
+  sops = {
+    defaultSopsFile = builtins.path {
+      path = /etc/nixos/secrets.yaml;
+      name = "edrahil-secrets.yaml";
+    };
+    secrets.restic_password = {
+      owner = config.users.users.djm.name;
+    };
   };
 
   services.openssh = {
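Review bot: `defaultSopsFile` is built with `builtins.path` from the absolute path `/etc/nixos/secrets.yaml`, which copies that file into the world-readable Nix store and makes evaluation depend on host state outside this repository. That is safe only while the file stays sops-encrypted, and sops leaves key names and metadata in cleartext, so a comment stating the assumption would help: `# secrets.yaml must stay sops-encrypted: builtins.path copies it into /nix/store`. The absolute path will also presumably fail under pure evaluation. If the encrypted file can live next to this configuration, `defaultSopsFile = ./secrets.yaml;` removes the host-state dependency.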
@@ -34,50 +49,158 @@
   services.sshguard.enable = true;
   services.oidentd.enable = true;
 
-  services.locate = {
-    enable = true;
-    package = pkgs.plocate;
-    localuser = null;
+  services.locate.enable = true;
+
+  services.restic = {
+    backups = {
+      hb = {
+        paths = [ "${config.users.users.djm.home}" ];
+        repository = "sftp:djm@hb-backup:/home/djm/backup/edrahil";
+        initialize = true;
+        user = "djm";
+        environmentFile = "/etc/restic-environment";
+        passwordFile = config.sops.secrets.restic_password.path;
+        timerConfig = {
+          OnCalendar = "02:25";
+          RandomizedDelaySec = "20min";
+        };
+        exclude = [
+          "irclogs"
+          ".cache"
+          ".config"
+          ".directory_history"
+          ".local"
+          "nixpkgs"
+        ];
+        extraBackupArgs = [
+          "--compression=max"
+        ];
+        pruneOpts = [
+          "--keep-daily 5"
+          "--keep-weekly 2"
+          "--keep-monthly 3"
+        ];
+      };
+      bs = {
+        paths = [ "${config.users.users.djm.home}" ];
+        repository = "sftp:djm@bs-backup:/home/djm/backup/edrahil";
+        initialize = true;
+        user = "djm";
+        environmentFile = "/etc/restic-environment";
+        passwordFile = config.sops.secrets.restic_password.path;
+        timerConfig = {
+          OnCalendar = "03:15";
+          RandomizedDelaySec = "20min";
+        };
+        exclude = [
+          "irclogs"
+          ".cache"
+          ".config"
+          ".directory_history"
+          ".local"
+          "nixpkgs"
+        ];
+        extraBackupArgs = [
+          "--compression=max"
+        ];
+        pruneOpts = [
+          "--keep-daily 5"
+          "--keep-weekly 2"
+          "--keep-monthly 3"
+        ];
+      };
+      tt = {
+        paths = [ "${config.users.users.djm.home}" ];
+        repository = "sftp:djm@tt-backup:/home/djm/backup/edrahil";
+        initialize = true;
+        user = "djm";
+        environmentFile = "/etc/restic-environment";
+        passwordFile = config.sops.secrets.restic_password.path;
+        timerConfig = {
+          OnCalendar = "04:05";
+          RandomizedDelaySec = "20min";
+        };
+        exclude = [
+          "irclogs"
+          ".cache"
+          ".config"
+          ".directory_history"
+          ".local"
+          "nixpkgs"
+        ];
+        extraBackupArgs = [
+          "--compression=max"
+        ];
+        pruneOpts = [
+          "--keep-daily 5"
+          "--keep-weekly 2"
+          "--keep-monthly 3"
+        ];
+      };
+    };
   };
 
   time.timeZone = "Europe/London";
 
-  users.users.djm =
-   { isNormalUser = true;
-     home = "/home/djm";
-     description = "David Morgan";
-     extraGroups = [ "wheel" "plocate" ];
-     shell = pkgs.zsh;
-     openssh.authorizedKeys.keys = [
+  users.users.djm = {
+    isNormalUser = true;
+    home = "/home/djm";
+    description = "David Morgan";
+    extraGroups = [
+      "wheel"
+      "plocate"
+    ];
+    shell = pkgs.zsh;
+    openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCurCpxZCHtByB5wXzsjTXwMyDSB4+B8rq5XY6EGss58NwD8jc5cII4i+QUbCOGTiAggSZUSC9YIP24hjpOeNT/IYs5m7Qn1B9MtBAiUSrIYew8eDwnMLlPzN+k2x9zCrJeCHIvGJaFHPXTh1Lf5Jt2fPVGW9lksE/XUVOe6ht4N/b+nqqszXFhc8Ug6le2bC1YeTCVEf8pjlh/I7DkDBl6IB8uEXc3X2vxxbV0Z4vlBrFkkAywcD3j5VlS/QYfBr4BICNmq/sO3fMkbMbtAPwuFxeL4+h6426AARQZiSS0qVEc8OoFRBVx3GEH5fqVAWfB1geyLzei22HbjUcT9+xN davidmo@gendros"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9UDTaVnUOU/JknrNdihlhhGOk53LmHq9I1ASri3aga djm@gaius"
-     ];
-   };
+    ];
+  };
 
-   security.sudo.extraConfig = ''
-     djm ALL=(ALL) NOPASSWD: ALL
-   '';
-   security.doas = {
-     enable = true;
-     extraRules = [ { users = [ "djm" ]; noPass = true; keepEnv = true; } ];
-   };
+  security.sudo.extraConfig = ''
+    djm ALL=(ALL) NOPASSWD: ALL
+  '';
+  security.doas = {
+    enable = true;
+    extraRules = [
+      {
+        users = [ "djm" ];
+        noPass = true;
+        keepEnv = true;
+      }
+    ];
+  };
+
+  programs.zsh.enable = true;
 
-   programs.zsh.enable = true;
+  programs.vim = {
+    enable = true;
+    defaultEditor = true;
+  };
 
-   programs.vim.defaultEditor = true;
+  environment.etc = {
+    "restic-environment" = {
+      text = ''
+        RESTIC_COMPRESSION=max
+      '';
+    };
+  };
 
-   environment.systemPackages = with pkgs; [
-     #procmail
-     git
-     wget
-   ];
+  environment.systemPackages = with pkgs; [
+    #procmail
+    git
+    wget
+  ];
 
-   nix.settings.trusted-users = [ "root" "djm" ];
-   nix.optimise.automatic = true;
-   nix.optimise.dates = [ "03:00" ];
+  nix.settings.trusted-users = [
+    "root"
+    "djm"
+  ];
+  nix.optimise.automatic = true;
+  nix.optimise.dates = [ "03:00" ];
 
-   i18n.defaultLocale = "en_GB.UTF-8";
+  i18n.defaultLocale = "en_GB.UTF-8";
 
-   system.stateVersion = "22.05";
+  system.stateVersion = "22.05";
 
 }
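Review bot: The three restic jobs (`hb`, `bs`, `tt`) are not independent copies from a threat-model point of view: each uses the same `config.sops.secrets.restic_password.path`, and each prunes from this host as `djm`, the account that further down in this hunk has `NOPASSWD: ALL`, `noPass` doas and `nix.settings.trusted-users`. A compromise of that one account can therefore decrypt and remove snapshots in all three repositories. If the backup hosts allow it, run forget/prune there rather than via `pruneOpts` here, and consider a separate secret per repository so that one leaked password does not open the other two. Separately, the job bodies differ only in `repository` and `OnCalendar`, and `--compression=max` repeats `RESTIC_COMPRESSION=max` from `/etc/restic-environment`; generating the jobs from one attribute set (e.g. with `builtins.mapAttrs`) would keep the exclude and retention lists from drifting apart.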