-rw-r--r--nix/lib/mkSystem.nix1
-rw-r--r--nix/machines/vm-synology/backups.nix40
-rw-r--r--nix/machines/vm-synology/default.nix14
-rw-r--r--nix/machines/vm-synology/git.nix36
-rw-r--r--secrets/restic_gcs_credentials.agebin0 -> 2688 bytes
-rw-r--r--secrets/restic_password.age7
-rw-r--r--secrets/secrets.nix11
7 files changed, 72 insertions, 37 deletions
diff --git a/nix/lib/mkSystem.nix b/nix/lib/mkSystem.nix
index 2bd36bd..c069a3f 100644
--- a/nix/lib/mkSystem.nix
+++ b/nix/lib/mkSystem.nix
@@ -36,6 +36,7 @@ systemFunc rec {
{ nixpkgs.overlays = overlays; }
inputs.disko.nixosModules.disko
+ inputs.agenix.nixosModules.default
machineConfig
userOSConfig
diff --git a/nix/machines/vm-synology/backups.nix b/nix/machines/vm-synology/backups.nix
new file mode 100644
index 0000000..69dcb6e
--- /dev/null
+++ b/nix/machines/vm-synology/backups.nix
@@ -0,0 +1,40 @@
+{
+ pkgs,
+ config,
+ ...
+}:
+let
+ environmentFile = toString (
+ pkgs.writeText "restic-gcs-env" ''
+ GOOGLE_PROJECT_ID=fcuny-backups-464518
+ GOOGLE_APPLICATION_CREDENTIALS=${config.age.secrets.restic_gcs_credentials.path}
+ ''
+ );
+in
+{
+ # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
+ services.restic.backups.git = {
+ passwordFile = config.age.secrets.restic_password.path;
+ environmentFile = environmentFile;
+ repository = "gs:fcuny-backup:/vm-synology";
+ initialize = true;
+ paths = [ "/var/lib/gitolite" ];
+ exclude = [
+ "/var/lib/gitolite/.bash_history"
+ "/var/lib/gitolite/.ssh"
+ "/var/lib/gitolite/.viminfo"
+ ];
+ extraBackupArgs = [
+ "--exclude-caches"
+ "--compression=max"
+ ];
+ timerConfig = {
+ OnCalendar = "daily";
+ };
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 3"
+ ];
+ };
+}
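Review bot: The environment file built with `pkgs.writeText` on the `environmentFile =` line ends up in the Nix store, which is world-readable; that is acceptable here only because the file carries the project id and the *path* of the agenix-decrypted credential, not the credential itself, and the file deserves a comment saying so, e.g. `# Store path (world-readable): holds only the secret's path, never its contents.` The backup definition also never verifies the repository, since no `checkOpts` is set; adding `checkOpts = [ "--read-data-subset=10%" ];` would make the timer-driven run detect corrupted snapshots. The `--keep-*` prune policy and daily timer are otherwise reasonable for a gitolite tree.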
diff --git a/nix/machines/vm-synology/default.nix b/nix/machines/vm-synology/default.nix
index 8ced4e1..dd004f6 100644
--- a/nix/machines/vm-synology/default.nix
+++ b/nix/machines/vm-synology/default.nix
@@ -1,8 +1,20 @@
{ pkgs, ... }:
{
+ age = {
+ secrets = {
+ restic_gcs_credentials = {
+ file = ../../../secrets/restic_gcs_credentials.age;
+ };
+ restic_password = {
+ file = ../../../secrets/restic_password.age;
+ };
+ };
+ };
+
imports = [
- ./hardware.nix
+ ./backups.nix
./git.nix
+ ./hardware.nix
];
# Use the systemd-boot EFI boot loader.
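Review bot: Both `age.secrets.*` entries rely on agenix's defaults for ownership and permissions, which only work because the restic backup service runs as root; if `services.restic.backups.git.user` is ever set, the decrypted files will be unreadable by the service. A comment such as `# Decrypted root-owned and read-only; restic.backups.git runs as root.` next to the `secrets = {` line would record that coupling for the next reader.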
diff --git a/nix/machines/vm-synology/git.nix b/nix/machines/vm-synology/git.nix
index 6ca6ec7..27eebc7 100644
--- a/nix/machines/vm-synology/git.nix
+++ b/nix/machines/vm-synology/git.nix
@@ -1,6 +1,5 @@
{ pkgs, ... }:
{
-
services.gitolite = {
enable = true;
adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi";
@@ -23,39 +22,4 @@
defaultBranch = main
''}"
];
-
- # # TODO also rsync the backups to the nas
- # # TODO need the ssh key for the nas for rsync ?
- # age.secrets.restic = {
- # file = ../../../secrets/restic-backups.age;
- # owner = "root";
- # group = "root";
- # path = "/etc/restic/secret";
- # mode = "600";
- # };
-
- # # https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/backup/restic.nix
- # services.restic.backups.git = {
- # passwordFile = "/etc/restic/secret";
- # repository = "/srv/backups/git";
- # initialize = true;
- # paths = [ "/var/lib/gitolite" ];
- # exclude = [
- # "/var/lib/gitolite/.bash_history"
- # "/var/lib/gitolite/.ssh"
- # "/var/lib/gitolite/.viminfo"
- # ];
- # extraBackupArgs = [
- # "--exclude-caches"
- # "--compression=max"
- # ];
- # timerConfig = {
- # OnCalendar = "daily";
- # };
- # pruneOpts = [
- # "--keep-daily 7"
- # "--keep-weekly 4"
- # "--keep-monthly 3"
- # ];
- # };
}
diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age
new file mode 100644
index 0000000..7debd57
--- /dev/null
+++ b/secrets/restic_gcs_credentials.age
Binary files differ
diff --git a/secrets/restic_password.age b/secrets/restic_password.age
new file mode 100644
index 0000000..b5c94e2
--- /dev/null
+++ b/secrets/restic_password.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA iHTs45YXsTQXK+OINYkkQa69zzWQ3vbvRq4BEUTcQCw
+EBhd2JKma+aZInyLyzLJXG0ceBlSxF3iXa23NtUPQ30
+-> ssh-ed25519 qRUWSw eROWQVI+Wb4tDmRMeX0ietX+cpWy248UO1sbghnXz2E
+H1+zbwjLrytYe3XAcmS34q1A+unmctOf6koVTUyc6bM
+--- lLozC4In1nPiUoXtXWH2hqfotyFnUxX+sW1k4mCkYyE
+$η2Ù(¦!{ÞmÞg9+»L4ù]·t‰4iÀt9j×9  ÃPaZqÕÖoˆuÕ \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9fd765f..ce03f7f 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,4 +1,7 @@
let
+ hosts = {
+ vm-synology = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHKZAKlqOU6bSuMaaZAsYJdZnmNASWuIbbrrOjB6yGb8 root@vm-synology";
+ };
users = {
fcuny = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdyJepi/NyO6d9eP8m48Ga/gdjB5ENHRXYM1ZqFZR8t";
};
@@ -10,4 +13,12 @@ in
"users/fcuny/anthropic-api-key.age".publicKeys = [
users.fcuny
];
+ "restic_password.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
+ "restic_gcs_credentials.age".publicKeys = [
+ users.fcuny
+ hosts.vm-synology
+ ];
}
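Review bot: The new `hosts.vm-synology` recipient on the two restic secrets means the machine's SSH host key is now part of the trust boundary for the backup password and the GCS credential, and replacing or reinstalling that host will silently leave the files undecryptable until they are rekeyed. A comment above `hosts = {` noting that the secrets must be rekeyed with agenix whenever this host key changes would make the operational dependency explicit; the same applies to the second hunk in this file.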