From aa1d82481f315b714fa5e6cced6142e4925bd647 Mon Sep 17 00:00:00 2001
From: Franck Cuny <franck@fcuny.net>
Date: Thu, 27 Nov 2025 13:29:39 -0800
Subject: backup to the synology nas

In addition to do a local backup, we also backup to the synology nas. We
don't configure what to backup in the profiles, but instead in the host
configuration.
---
 machines/nixos/x86_64-linux/rivendell.nix |   3 ++
 profiles/git-server.nix                   |   2 --
 profiles/restic-backup.nix                |  56 ++++++++++++++++++------------
 secrets/nas_client.age                    |  10 ------
 secrets/restic-nas-smb-config.age         | Bin 0 -> 431 bytes
 secrets/restic_gcs_credentials.age        | Bin 2661 -> 0 bytes
 secrets/secrets.nix                       |   5 +--
 7 files changed, 38 insertions(+), 38 deletions(-)
 delete mode 100644 secrets/nas_client.age
 create mode 100644 secrets/restic-nas-smb-config.age
 delete mode 100644 secrets/restic_gcs_credentials.age

diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index 1e7abcf..8e8ab20 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -72,6 +72,9 @@
     openFirewall = true;
   };
 
+  services.restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
+  services.restic.backups.synology.paths = [ "/var/lib/gitolite/repositories" ];
+
   home-manager = {
     users.${adminUser.name} = {
       imports = [
diff --git a/profiles/git-server.nix b/profiles/git-server.nix
index 2d45fee..0d02d8a 100644
--- a/profiles/git-server.nix
+++ b/profiles/git-server.nix
@@ -90,6 +90,4 @@ in
       root-desc = "source code of my various projects";
     };
   };
-
-  services.restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
 }
diff --git a/profiles/restic-backup.nix b/profiles/restic-backup.nix
index a608415..976bbcf 100644
--- a/profiles/restic-backup.nix
+++ b/profiles/restic-backup.nix
@@ -1,33 +1,45 @@
 { config, pkgs, ... }:
 {
-  age = {
-    secrets = {
-      restic-local-pw = {
-        file = ../secrets/restic-pw.age;
-      };
-    };
+  age.secrets = {
+    restic-local-pw.file = ../secrets/restic-pw.age;
+    restic-nas-smb-config.file = ../secrets/restic-nas-smb-config.age;
   };
 
   environment.systemPackages = with pkgs; [
+    rclone
     restic
   ];
 
-  services.restic = {
-    backups = {
-      local = {
-        paths = [ ];
-        passwordFile = config.age.secrets.restic-local-pw.path;
-        repository = "/data/backups/";
-        initialize = true;
-        timerConfig.OnCalendar = "daily";
-        timerConfig.RandomizedDelaySec = "5m";
-        extraBackupArgs = [ ];
-        pruneOpts = [
-          "--keep-daily=7"
-          "--keep-weekly=4"
-          "--keep-monthly=12"
-        ];
-      };
+  services.restic.backups = {
+    local = {
+      paths = [ ];
+      passwordFile = config.age.secrets.restic-local-pw.path;
+      repository = "/data/backups/";
+      initialize = true;
+      timerConfig.OnCalendar = "daily";
+      timerConfig.RandomizedDelaySec = "5m";
+      extraBackupArgs = [ ];
+      pruneOpts = [
+        "--keep-daily=7"
+        "--keep-weekly=4"
+        "--keep-monthly=12"
+      ];
+    };
+    synology = {
+      paths = [ ];
+      passwordFile = config.age.secrets.restic-local-pw.path;
+      repository = "rclone:synology:backups/${config.networking.hostName}";
+      initialize = true;
+      timerConfig.OnCalendar = "daily";
+      timerConfig.RandomizedDelaySec = "5m";
+      extraBackupArgs = [ "--compression max" ];
+      pruneOpts = [
+        "--keep-daily=7"
+        "--keep-weekly=4"
+        "--keep-monthly=12"
+        "--compression max"
+      ];
+      rcloneConfigFile = config.age.secrets.restic-nas-smb-config.path;
     };
   };
 }
diff --git a/secrets/nas_client.age b/secrets/nas_client.age
deleted file mode 100644
index 3666c35..0000000
--- a/secrets/nas_client.age
+++ /dev/null
@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 pFjJaA bsOjeLfsM3lKJ/0EGhUO9AnzgeSy2liqtUE9rq2HyR8
-vA3yNaV/HIG0iMx0q1BMRFuNvVMHH3UGSLk1ddbBWd8
--> ssh-ed25519 qRUWSw 5RPHJKWeao30CTZ4Wpnz2nmBTh/InxrbQtDFXEbT4Ww
-YTWbxEqnorjJi9Oh+M4Y9kPs/CM2/ItGpc4IwDEDTHU
--> ssh-ed25519 Y5h84Q dCY/++deVZp1oUrjj7ZI3X2XaeEDpvcgh3T68HJ9rVc
-aaRCOk+49vMQX9CENhEs/KXtBjcoybR4kW0QvTXCbHY
---- kfCLmNOOritnNqcBchts6ZHOumzKLWwOzgJD2pX3r0U
-üƒÛiZÃ£æ%/‹	Óù_ßI­Þ×gÑÇ²š'h~Ù¸™ç¬UôHvÜÇY
-)Mú×ƒcÇF0ÓL ¼£Ä1	cÌŽ£|å|«<
\ No newline at end of file
diff --git a/secrets/restic-nas-smb-config.age b/secrets/restic-nas-smb-config.age
new file mode 100644
index 0000000..d90033e
Binary files /dev/null and b/secrets/restic-nas-smb-config.age differ
diff --git a/secrets/restic_gcs_credentials.age b/secrets/restic_gcs_credentials.age
deleted file mode 100644
index 101a7aa..0000000
Binary files a/secrets/restic_gcs_credentials.age and /dev/null differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a4092c6..13f098d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -12,19 +12,16 @@ in
 {
   "acme-cloudflare-env.age".publicKeys = [
     users.fcuny
-    hosts.rivendell
     hosts.argonath
   ];
 
   "restic-pw.age".publicKeys = [
     users.fcuny
-    hosts.bree
     hosts.rivendell
   ];
 
-  "nas_client.age".publicKeys = [
+  "restic-nas-smb-config.age".publicKeys = [
     users.fcuny
-    hosts.bree
     hosts.rivendell
   ];
 
-- 
cgit v1.2.3