From 5b73fbf6989b48e5c4f35f671338d880acece2d0 Mon Sep 17 00:00:00 2001
From: Profpatsch
Date: Sat, 13 Feb 2021 12:18:54 +0100
Subject: feat(machines/legosi): initial duplicity setup

This should backup every service in `/var/lib` and anything I add in the future that I might have missed.
---
 machines/profpatsch/legosi.nix | 44 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/machines/profpatsch/legosi.nix b/machines/profpatsch/legosi.nix
index a0dd56f4..e4edc660 100644
--- a/machines/profpatsch/legosi.nix
+++ b/machines/profpatsch/legosi.nix
@@ -6,6 +6,13 @@ let
 hostname = "legosi";
+ gpgPublicKeyring = pkgs.runCommandLocal "keyring" {} ''
+ export GNUPGHOME=.
+ ${pkgs.gnupg}/bin/gpg --import ${../../pkgs/profpatsch/profpatsch.de/key.asc}
+ cp ./pubring.kbx $out
+ '';
+ gpgPublicKeyId = "4ACFD7592710266E18CEBB28C5CFD08B22247CDF";
+
 myKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNMQvmOfon956Z0ZVdp186YhPHtSBrXsBwaCt0JAbkf/U/P+4fG0OROA++fHDiFM4RrRHH6plsGY3W6L26mSsCM2LtlHJINFZtVILkI26MDEIKWEsfBatDW+XNAvkfYEahy16P5CBtTVNKEGsTcPD+VDistHseFNKiVlSLDCvJ0vMwOykHhq+rdJmjJ8tkUWC2bNqTIH26bU0UbhMAtJstWqaTUGnB0WVutKmkZbnylLMICAvnFoZLoMPmbvx8efgLYY2vD1pRd8Uwnq9MFV1EPbkJoinTf1XSo8VUo7WCjL79aYSIvHmXG+5qKB9ed2GWbBLolAoXkZ00E4WsVp9H philip@nyx";
 in {
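Review bot: The `gpgPublicKeyring` derivation imports whatever `key.asc` currently contains without checking that it is the key named by `gpgPublicKeyId`, so a stale or replaced key file only surfaces when the first backup run fails at `--encrypt-key`, i.e. as a failed service rather than a failed build. A one-line check in the build script makes the mismatch fail at build time: `${pkgs.gnupg}/bin/gpg --with-colons --fingerprint | grep -q ${gpgPublicKeyId}` placed before the `cp` (the let is recursive, so the later binding is in scope). Note also that gpg creates a `trustdb.gpg` next to the keyring here and only `pubring.kbx` is copied out; that is fine as long as the `--trust-model always` used in the second hunk stays. The rest of the module that consumes these bindings lies outside this hunk.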
@@ -64,6 +71,43 @@ in {
 };
 };
+ services.duplicity = {
+ enable = true;
+
+ root = "/";
+ # exclude all the system-related dirs
+ exclude = [
+ "/bin"
+ "/boot"
+ "/dev"
+ "/nix"
+ "/proc"
+ "/run"
+ "/sys"
+ "/tmp"
+ "/usr"
+ # /var/lib is what we want because it contains all services,
+ # but let’s be generous and keep everthing in /var except log
+ "/var/log"
+ ];
+
+ targetUrl = "b2://000efe88f7148a00000000003@profpatsch-legosi/";
+
+ # this uses the internal stateDirectory of the duplicity module
+ # Has to be set manually once of course.
+ secretFile = "/var/lib/duplicity/secrets";
+
+ extraFlags = [
+ "--verbosity" "notice"
+ "--full-if-older-than" "60D"
+ "--num-retries" "3"
+ # I hate GPG from the bottom of my heart
+ "--encrypt-key" gpgPublicKeyId
+ "--gpg-options" "--keyring ${gpgPublicKeyring} --trust-model always"
+ ];
+
+ };
+
 users.users = {
 root.openssh.authorizedKeys.keys = [ myKey ];
-- 
cgit 1.4.1
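Review bot: `--encrypt-key` in `extraFlags` is not paired with a `--sign-key`, so the backup sets are confidential but not authenticated: the public key, which this repo publishes, is all that is needed to produce volumes and manifests a later restore will accept, and `--trust-model always` removes the remaining gpg-side check. If keeping the private key off this host is the intended trade-off, document it next to the flag, e.g. `# encrypt-only on purpose: no private key on this host, so backups are NOT signed/authenticated`, so the next reader does not take it for an oversight. Two smaller points in the same hunk: `/var/lib/duplicity/secrets` sits under `root = "/"` with no matching `exclude`, so the secrets file itself lands in the (encrypted) backup, and nothing here configures retention, so with `--full-if-older-than 60D` full sets will keep accumulating in the bucket unless the module or something outside this hunk prunes them.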