authorFranck Cuny <franck@fcuny.net>2025-07-07 16:50:41 -0700
committerFranck Cuny <franck@fcuny.net>2025-07-07 16:50:41 -0700
commit93addfef26a6a40dcb8978823610ba3e009dc309 (patch)
treefd9ade15410463c5c069f94a1dece5eab7a9f98b
parentadd scripts related to terraform (diff)
downloadinfra-93addfef26a6a40dcb8978823610ba3e009dc309.tar.gz
store backups locally and remotely
It might be useful to have a local backup so that I don't need to pull it from the remote bucket. It is useful to be able to quickly browse and see what's in the backup, and having to go to GCS for that is a waste of resources. Export environment variables to make it easier to interact with the local repository.
Diffstat (limited to '')
-rw-r--r--docs/backups.org18
-rw-r--r--nix/machines/vm-synology/backups.nix43
-rw-r--r--nix/users/fcuny/shell.nix1
-rw-r--r--secrets/restic_gcs_credentials.agebin2688 -> 2661 bytes
4 files changed, 49 insertions, 13 deletions
diff --git a/docs/backups.org b/docs/backups.org
index 605ba55..f9906f1 100644
--- a/docs/backups.org
+++ b/docs/backups.org
@@ -1,13 +1,15 @@
* General
-Backups are managed with =restic= and are stored directly to a Google Cloud Storage Bucket.
+Backups are managed with =restic= and are stored locally and also on a Google Cloud Storage Bucket. These are two different backups, they are executed at different time, and there should be no assumptions that they are identical.
-Access to the bucket is managed via service account.
+There's a single password for all the repositories, it's managed with =agenix=, and the file is under secrets (=restic_password.age=).
+** Remote backup
+Access to the bucket is managed via service account. Each machine has its own repository.
-Each machine has its own repository.
+The service account key is stored in JSON and also encrypted with =agenix=.
-There's a single password for all the repositories, it's managed with =agenix=, and the file is under secrets (=restic_password.age=). The service account key is stored in JSON and also encrypted with =agenix=.
+| bucket | [[https://console.cloud.google.com/storage/browser/fcuny-infra-backups;tab=objects?forceOnBucketsSortingFiltering=true&hl=en&inv=1&invt=Ab2J4Q&project=fcuny-infra&prefix=&forceOnObjectsSortingFiltering=false][fcuny-infra-backups]] |
+| project | fcuny-infra |
+| service account | [[https://console.cloud.google.com/iam-admin/serviceaccounts/details/118261378048653759345?inv=1&invt=Ab2J-w&project=fcuny-infra&supportedpurview=project][restic]] |
-|-----------------+----------------------|
-| bucket | [[https://console.cloud.google.com/storage/browser/fcuny-backup/vm-synology/data/c1?pageState=(%22StorageObjectListTable%22:(%22f%22:%22%255B%255D%22))&inv=1&invt=Ab1hkA&project=fcuny-backups-464518&supportedpurview=project][fcuny-backup]] |
-| project | fcuny-backups-464518 |
-| service account | [[https://console.cloud.google.com/iam-admin/serviceaccounts?inv=1&invt=Ab1hkA&project=fcuny-backups-464518&supportedpurview=project][restic]] |
+* Managing backups
+The path to the repository and the password file are exported as environment variables, to make it easier to interact with the backups.
diff --git a/nix/machines/vm-synology/backups.nix b/nix/machines/vm-synology/backups.nix
index 69dcb6e..cf3c65b 100644
--- a/nix/machines/vm-synology/backups.nix
+++ b/nix/machines/vm-synology/backups.nix
@@ -1,22 +1,45 @@
{
- pkgs,
config,
+ pkgs,
...
}:
let
environmentFile = toString (
pkgs.writeText "restic-gcs-env" ''
- GOOGLE_PROJECT_ID=fcuny-backups-464518
+ GOOGLE_PROJECT_ID=fcuny-infra
GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path}
''
);
in
{
- # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
- services.restic.backups.git = {
+ services.restic.backups.local = {
+ passwordFile = config.age.secrets.restic_password.path;
+ repository = "/srv/data/backups/";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [
+ "--exclude-caches"
+ "--compression=max"
+ ];
+ timerConfig = {
+ OnCalendar = "daily";
+ };
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ ];
+ };
+
+ services.restic.backups.gcs = {
passwordFile = config.age.secrets.restic_password.path;
environmentFile = environmentFile;
- repository = "gs:fcuny-backup:/vm-synology";
+ repository = "gs:fcuny-infra-backups:/vm-synology/";
initialize = true;
paths = [ "/var/lib/gitolite" ];
exclude = [
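Review bot: The new `services.restic.backups.local` block repeats passwordFile, initialize, paths, exclude, extraBackupArgs and pruneOpts from the `gcs` block, so a future change to what is backed up or how long it is kept has to be made twice and can silently drift between the two repositories; the `gcs` block's exclude list continues past the end of this hunk, so this assumes the remaining lines are the same copy. A shared attrset merged with `//` keeps only the repository, credentials and timer per backup. The local timer is `OnCalendar = "daily"` while the `gcs` timer is outside the hunk; the commit's docs state the two runs happen at different times, so if the remote timer is also `daily` both fire at the same moment and one of them should get an offset (for example `"daily"` versus `"*-*-* 03:00:00"`).
```nix
let
  environmentFile = toString (
    # … unchanged: restic-gcs-env writeText …
  );
  # Settings shared by both restic jobs; only where the data lands and
  # when the job runs differ between them.
  commonBackup = {
    passwordFile = config.age.secrets.restic_password.path;
    initialize = true;
    paths = [ "/var/lib/gitolite" ];
    exclude = [
      "/var/lib/gitolite/.bash_history"
      "/var/lib/gitolite/.ssh"
      "/var/lib/gitolite/.viminfo"
    ];
    extraBackupArgs = [
      "--exclude-caches"
      "--compression=max"
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 4"
      "--keep-monthly 3"
    ];
  };
in
{
  services.restic.backups.local = commonBackup // {
    repository = "/srv/data/backups/";
    timerConfig.OnCalendar = "daily";
  };

  services.restic.backups.gcs = commonBackup // {
    environmentFile = environmentFile;
    repository = "gs:fcuny-infra-backups:/vm-synology/";
    # … unchanged: timerConfig for the remote run (continues outside the hunk) …
  };
```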
@@ -37,4 +60,14 @@ in
"--keep-monthly 3"
];
};
+
+ environment = {
+ sessionVariables = {
+ RESTIC_REPOSITORY = "/srv/data/backups";
+ RESTIC_PASSWORD_FILE = config.age.secrets.restic_password.path;
+ };
+ systemPackages = with pkgs; [
+ restic
+ ];
+ };
}
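Review bot: `environment.sessionVariables` exports `RESTIC_REPOSITORY` and `RESTIC_PASSWORD_FILE` into every login session on this machine, not only the administrator's, and the hunk gives no hint of that scope; whether a non-root user could actually use them depends on the mode and owner of the agenix `restic_password` secret, which is declared outside this diff and worth confirming. A comment such as `# System-wide: every session sees these; only users allowed to read the password file can use them.` above the `sessionVariables` block would record the intent. The repository path is also spelled two ways in this file, `"/srv/data/backups/"` in the `local` backup and `"/srv/data/backups"` here; binding `localRepository = "/srv/data/backups";` in the `let` and using it in both places keeps them from drifting apart. `restic` is additionally added to the user package set in `nix/users/fcuny/shell.nix` by this commit, so the `systemPackages` entry here is only needed if other accounts on the machine should have the binary.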
diff --git a/nix/users/fcuny/shell.nix b/nix/users/fcuny/shell.nix
index d54e7e0..994570b 100644
--- a/nix/users/fcuny/shell.nix
+++ b/nix/users/fcuny/shell.nix
@@ -19,6 +19,7 @@ in
jless # jless - a better cat
jq # jq - a better json
procs # procs - a better ps
+ restic # to manage backups
ripgrep # ripgrep - a better grep
shellcheck # shell script linter
tree # tree - a better ls
diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age
index 7debd57..8ee6981 100644
--- a/secrets/restic_gcs_credentials.age
+++ b/secrets/restic_gcs_credentials.age
Binary files differ