+1

.envrc

··· 1 1 + eval "$(nix print-dev-env)"

+17

README.md

··· 24 24 │ ├── tacyon # rpi 5 25 25 │ └── terebithia # oracle cloud aarch64 server 26 26 ├── modules 27 27 + │ ├── lib # shared nix utilities 28 28 + │ │ └── mkService.nix # base service factory 27 29 │ ├── home # home-manager modules 28 30 │ │ ├── aesthetics # theming and wallpapers 29 31 │ │ ├── apps # any app specific config ··· 33 35 │ │ └── hyprland 34 36 │ └── nixos # nixos modules 35 37 │ ├── apps # also app specific configs 38 38 + │ ├── services # self-hosted services with automatic backup 39 39 + │ │ └── restic # backup system (see modules/nixos/services/restic/README.md) 36 40 │ └── system # pam and my fancy wifi module for now 37 41 └── secrets # keep your grubby hands (or paws) off my data 38 42 ··· 241 245 atuin login 242 246 atuin sync 243 247 ``` 248 248 + 249 249 + ## Backups 250 250 + 251 251 + Services are automatically backed up nightly using restic to Backblaze B2. The `atelier-backup` CLI provides an interactive TUI for managing backups: 252 252 + 253 253 + ```bash 254 254 + atelier-backup # Interactive menu 255 255 + atelier-backup status # Show backup status 256 256 + atelier-backup restore # Restore wizard 257 257 + atelier-backup dr # Disaster recovery 258 258 + ``` 259 259 + 260 260 + See [modules/nixos/services/restic/README.md](modules/nixos/services/restic/README.md) for setup and usage. 244 261 245 262 ## some odd things 246 263

+30

machines/terebithia/default.nix

··· 137 137 file = ../../secrets/l4.age; 138 138 owner = "l4"; 139 139 }; 140 140 + "restic/env".file = ../../secrets/restic/env.age; 141 141 + "restic/repo".file = ../../secrets/restic/repo.age; 142 142 + "restic/password".file = ../../secrets/restic/password.age; 140 143 }; 141 144 142 145 environment.sessionVariables = { ··· 151 154 152 155 atelier = { 153 156 authentication.enable = true; 157 157 + backup.enable = true; 154 158 }; 155 159 156 160 networking = { ··· 373 377 }; 374 378 }; 375 379 380 380 + # Backup configuration for tangled services 381 381 + atelier.backup.services.knot = { 382 382 + paths = [ "/home/git" ]; # Git repositories managed by knot 383 383 + exclude = [ "*.log" ]; 384 384 + # Uses SQLite, stop before backup 385 385 + preBackup = "systemctl stop knot"; 386 386 + postBackup = "systemctl start knot"; 387 387 + }; 388 388 + 389 389 + atelier.backup.services.spindle = { 390 390 + paths = [ "/var/lib/spindle" ]; 391 391 + exclude = [ "*.log" "cache/*" ]; 392 392 + # Uses SQLite, stop before backup 393 393 + preBackup = "systemctl stop spindle"; 394 394 + postBackup = "systemctl start spindle"; 395 395 + }; 396 396 + 376 397 atelier.services.knot-sync = { 377 398 enable = true; 378 399 secretsFile = config.age.secrets.github-knot-sync.path; ··· 419 440 header_up X-Forwarded-For {remote} 420 441 } 421 442 ''; 443 443 + }; 444 444 + 445 445 + # Backup configuration for n8n 446 446 + atelier.backup.services.n8n = { 447 447 + paths = [ "/var/lib/n8n" ]; 448 448 + exclude = [ "*.log" "cache/*" ]; 449 449 + # n8n uses SQLite, stop before backup 450 450 + preBackup = "systemctl stop n8n"; 451 451 + postBackup = "systemctl start n8n"; 422 452 }; 423 453 424 454 boot.loader.systemd-boot.enable = true;

+284

modules/lib/mkService.nix

··· 1 1 + # mkService - Base service factory for atelier services 2 2 + # 3 3 + # Creates a standardized NixOS service module with: 4 4 + # - Common options (domain, port, dataDir, secrets, etc.) 5 5 + # - Systemd service with git-based deployment 6 6 + # - Caddy reverse proxy configuration 7 7 + # - Automatic backup integration via data declarations 8 8 + # 9 9 + # Usage in a service module: 10 10 + # let 11 11 + # mkService = import ../../lib/mkService.nix; 12 12 + # in 13 13 + # mkService { 14 14 + # name = "myapp"; 15 15 + # defaultPort = 3000; 16 16 + # extraOptions = { ... }; 17 17 + # extraConfig = cfg: { ... }; 18 18 + # } 19 19 + 20 20 + # This file is a function that takes service parameters and returns a NixOS module 21 21 + { 22 22 + # Service identity 23 23 + name, 24 24 + description ? "${name} service", 25 25 + defaultPort ? 3000, 26 26 + 27 27 + # Runtime configuration 28 28 + runtime ? "bun", # "bun" | "node" | "custom" 29 29 + entryPoint ? "src/index.ts", 30 30 + startCommand ? null, # Override the start command entirely 31 31 + 32 32 + # Additional options specific to this service 33 33 + extraOptions ? {}, 34 34 + 35 35 + # Additional config when service is enabled 36 36 + # Receives cfg (the service config) as argument 37 37 + extraConfig ? cfg: {}, 38 38 + }: 39 39 + 40 40 + # Return a proper NixOS module 41 41 + { config, lib, pkgs, ... }: 42 42 + 43 43 + let 44 44 + cfg = config.atelier.services.${name}; 45 45 + 46 46 + # Generate start command based on runtime 47 47 + defaultStartCommand = { 48 48 + bun = "${pkgs.unstable.bun}/bin/bun run ${entryPoint}"; 49 49 + node = "${pkgs.nodejs_20}/bin/node ${entryPoint}"; 50 50 + }.${runtime} or ""; 51 51 + 52 52 + finalStartCommand = if startCommand != null then startCommand else defaultStartCommand; 53 53 + 54 54 + in { 55 55 + options.atelier.services.${name} = { 56 56 + enable = lib.mkEnableOption description; 57 57 + 58 58 + domain = lib.mkOption { 59 59 + type = lib.types.str; 60 60 + description = "Domain to serve ${name} on"; 61 61 + }; 62 62 + 63 63 + port = lib.mkOption { 64 64 + type = lib.types.port; 65 65 + default = defaultPort; 66 66 + description = "Port to run ${name} on"; 67 67 + }; 68 68 + 69 69 + dataDir = lib.mkOption { 70 70 + type = lib.types.path; 71 71 + default = "/var/lib/${name}"; 72 72 + description = "Directory to store ${name} data"; 73 73 + }; 74 74 + 75 75 + secretsFile = lib.mkOption { 76 76 + type = lib.types.nullOr lib.types.path; 77 77 + default = null; 78 78 + description = "Path to agenix secrets file"; 79 79 + }; 80 80 + 81 81 + # Git-based deployment 82 82 + deploy = { 83 83 + enable = lib.mkEnableOption "Git-based deployment" // { default = true; }; 84 84 + 85 85 + repository = lib.mkOption { 86 86 + type = lib.types.nullOr lib.types.str; 87 87 + default = null; 88 88 + description = "Git repository URL for auto-deployment"; 89 89 + }; 90 90 + 91 91 + autoUpdate = lib.mkEnableOption "Automatically git pull on service restart"; 92 92 + 93 93 + branch = lib.mkOption { 94 94 + type = lib.types.str; 95 95 + default = "main"; 96 96 + description = "Git branch to deploy"; 97 97 + }; 98 98 + }; 99 99 + 100 100 + # Data declarations for automatic backup 101 101 + data = { 102 102 + sqlite = lib.mkOption { 103 103 + type = lib.types.nullOr lib.types.str; 104 104 + default = null; 105 105 + description = "Path to SQLite database (will checkpoint WAL and stop service for backup)"; 106 106 + example = "/var/lib/myapp/data/app.db"; 107 107 + }; 108 108 + 109 109 + postgres = lib.mkOption { 110 110 + type = lib.types.nullOr lib.types.str; 111 111 + default = null; 112 112 + description = "PostgreSQL database name (will use pg_dump for backup)"; 113 113 + }; 114 114 + 115 115 + files = lib.mkOption { 116 116 + type = lib.types.listOf lib.types.str; 117 117 + default = []; 118 118 + description = "Additional file paths to backup (no service interruption)"; 119 119 + example = [ "/var/lib/myapp/uploads" ]; 120 120 + }; 121 121 + 122 122 + exclude = lib.mkOption { 123 123 + type = lib.types.listOf lib.types.str; 124 124 + default = [ "*.log" "node_modules" ".git" "cache" "tmp" ]; 125 125 + description = "Glob patterns to exclude from backup"; 126 126 + }; 127 127 + }; 128 128 + 129 129 + # Caddy configuration 130 130 + caddy = { 131 131 + enable = lib.mkEnableOption "Caddy reverse proxy" // { default = true; }; 132 132 + 133 133 + extraConfig = lib.mkOption { 134 134 + type = lib.types.lines; 135 135 + default = ""; 136 136 + description = "Additional Caddy configuration"; 137 137 + }; 138 138 + 139 139 + rateLimit = { 140 140 + enable = lib.mkEnableOption "Rate limiting"; 141 141 + 142 142 + events = lib.mkOption { 143 143 + type = lib.types.int; 144 144 + default = 60; 145 145 + description = "Number of requests allowed per window"; 146 146 + }; 147 147 + 148 148 + window = lib.mkOption { 149 149 + type = lib.types.str; 150 150 + default = "1m"; 151 151 + description = "Time window for rate limiting"; 152 152 + }; 153 153 + }; 154 154 + }; 155 155 + 156 156 + # Environment variables (in addition to secretsFile) 157 157 + environment = lib.mkOption { 158 158 + type = lib.types.attrsOf lib.types.str; 159 159 + default = {}; 160 160 + description = "Additional environment variables"; 161 161 + }; 162 162 + } // extraOptions; 163 163 + 164 164 + config = lib.mkIf cfg.enable (lib.mkMerge [ 165 165 + # Base service configuration 166 166 + { 167 167 + # Create user and group 168 168 + users.groups.services = {}; 169 169 + 170 170 + users.users.${name} = { 171 171 + isSystemUser = true; 172 172 + group = name; 173 173 + extraGroups = [ "services" ]; 174 174 + home = cfg.dataDir; 175 175 + createHome = true; 176 176 + shell = pkgs.bash; 177 177 + }; 178 178 + 179 179 + users.groups.${name} = {}; 180 180 + 181 181 + # Allow service user to restart their own service 182 182 + security.sudo.extraRules = [ 183 183 + { 184 184 + users = [ name ]; 185 185 + commands = [ 186 186 + { 187 187 + command = "/run/current-system/sw/bin/systemctl restart ${name}.service"; 188 188 + options = [ "NOPASSWD" ]; 189 189 + } 190 190 + ]; 191 191 + } 192 192 + ]; 193 193 + 194 194 + # Systemd service 195 195 + systemd.services.${name} = { 196 196 + inherit description; 197 197 + wantedBy = [ "multi-user.target" ]; 198 198 + after = [ "network.target" ]; 199 199 + path = [ pkgs.git ]; 200 200 + 201 201 + preStart = lib.optionalString (cfg.deploy.enable && cfg.deploy.repository != null) '' 202 202 + # Clone repository if not present 203 203 + if [ ! -d ${cfg.dataDir}/app/.git ]; then 204 204 + ${pkgs.git}/bin/git clone -b ${cfg.deploy.branch} ${cfg.deploy.repository} ${cfg.dataDir}/app 205 205 + fi 206 206 + 207 207 + cd ${cfg.dataDir}/app 208 208 + '' + lib.optionalString (cfg.deploy.enable && cfg.deploy.autoUpdate) '' 209 209 + ${pkgs.git}/bin/git fetch origin 210 210 + ${pkgs.git}/bin/git reset --hard origin/${cfg.deploy.branch} 211 211 + '' + lib.optionalString (runtime == "bun") '' 212 212 + 213 213 + if [ -f package.json ]; then 214 214 + echo "Installing dependencies..." 215 215 + ${pkgs.unstable.bun}/bin/bun install 216 216 + fi 217 217 + '' + lib.optionalString (runtime == "node") '' 218 218 + 219 219 + if [ -f package.json ]; then 220 220 + echo "Installing dependencies..." 221 221 + ${pkgs.nodejs_20}/bin/npm ci --production 222 222 + fi 223 223 + ''; 224 224 + 225 225 + serviceConfig = { 226 226 + Type = "simple"; 227 227 + User = name; 228 228 + Group = name; 229 229 + WorkingDirectory = "${cfg.dataDir}/app"; 230 230 + EnvironmentFile = lib.mkIf (cfg.secretsFile != null) cfg.secretsFile; 231 231 + Environment = [ 232 232 + "NODE_ENV=production" 233 233 + "PORT=${toString cfg.port}" 234 234 + ] ++ (lib.mapAttrsToList (k: v: "${k}=${v}") cfg.environment); 235 235 + ExecStart = "${pkgs.bash}/bin/bash -c '${finalStartCommand}'"; 236 236 + Restart = "always"; 237 237 + RestartSec = "10s"; 238 238 + 239 239 + # Security hardening 240 240 + NoNewPrivileges = true; 241 241 + ProtectSystem = "strict"; 242 242 + ProtectHome = true; 243 243 + ReadWritePaths = [ cfg.dataDir ]; 244 244 + PrivateTmp = true; 245 245 + }; 246 246 + 247 247 + serviceConfig.ExecStartPre = [ 248 248 + "+${pkgs.writeShellScript "${name}-setup" '' 249 249 + mkdir -p ${cfg.dataDir}/app 250 250 + mkdir -p ${cfg.dataDir}/data 251 251 + chown -R ${name}:services ${cfg.dataDir} 252 252 + chmod -R g+rwX ${cfg.dataDir} 253 253 + ''}" 254 254 + ]; 255 255 + }; 256 256 + 257 257 + # Caddy reverse proxy 258 258 + services.caddy.virtualHosts.${cfg.domain} = lib.mkIf cfg.caddy.enable { 259 259 + extraConfig = '' 260 260 + tls { 261 261 + dns cloudflare {env.CLOUDFLARE_API_TOKEN} 262 262 + } 263 263 + 264 264 + ${lib.optionalString cfg.caddy.rateLimit.enable '' 265 265 + rate_limit { 266 266 + zone ${name}_limit { 267 267 + key {http.request.remote_ip} 268 268 + events ${toString cfg.caddy.rateLimit.events} 269 269 + window ${cfg.caddy.rateLimit.window} 270 270 + } 271 271 + } 272 272 + ''} 273 273 + 274 274 + ${cfg.caddy.extraConfig} 275 275 + 276 276 + reverse_proxy localhost:${toString cfg.port} 277 277 + ''; 278 278 + }; 279 279 + } 280 280 + 281 281 + # Extra config from the service module 282 282 + (extraConfig cfg) 283 283 + ]); 284 284 + }

+24

modules/nixos/services/battleship-arena.nix

··· 55 55 type = types.package; 56 56 description = "The battleship-arena package to use"; 57 57 }; 58 58 + 59 59 + backup = { 60 60 + enable = mkEnableOption "Enable backups for battleship-arena" // { default = true; }; 61 61 + 62 62 + paths = mkOption { 63 63 + type = types.listOf types.str; 64 64 + default = [ "/var/lib/battleship-arena" ]; 65 65 + description = "Paths to back up"; 66 66 + }; 67 67 + 68 68 + exclude = mkOption { 69 69 + type = types.listOf types.str; 70 70 + default = [ "*.log" ]; 71 71 + description = "Patterns to exclude from backup"; 72 72 + }; 73 73 + }; 58 74 }; 59 75 60 76 config = mkIf cfg.enable { ··· 158 174 ''; 159 175 160 176 networking.firewall.allowedTCPPorts = [ cfg.sshPort ]; 177 177 + 178 178 + # Register backup configuration 179 179 + atelier.backup.services.battleship-arena = mkIf cfg.backup.enable { 180 180 + inherit (cfg.backup) paths exclude; 181 181 + # Has SQLite database, stop before backup 182 182 + preBackup = "systemctl stop battleship-arena"; 183 183 + postBackup = "systemctl start battleship-arena"; 184 184 + }; 161 185 }; 162 186 }

+21 -122

modules/nixos/services/cachet.nix

··· 1 1 - { 2 2 - config, 3 3 - lib, 4 4 - pkgs, 5 5 - ... 6 6 - }: 1 1 + # Cachet - Slack emoji/profile cache service 2 2 + # 3 3 + # Uses the mkService base to provide standardized: 4 4 + # - Systemd service with git deployment 5 5 + # - Caddy reverse proxy 6 6 + # - Automatic SQLite backup with WAL checkpoint 7 7 + 7 8 let 8 8 - cfg = config.atelier.services.cachet; 9 9 + mkService = import ../../lib/mkService.nix; 9 10 in 10 10 - { 11 11 - options.atelier.services.cachet = { 12 12 - enable = lib.mkEnableOption "Cachet Slack emoji/profile cache"; 13 11 14 14 - domain = lib.mkOption { 15 15 - type = lib.types.str; 16 16 - description = "Domain to serve cachet on"; 17 17 - }; 18 18 - 19 19 - port = lib.mkOption { 20 20 - type = lib.types.port; 21 21 - default = 3000; 22 22 - description = "Port to run cachet on"; 23 23 - }; 24 24 - 25 25 - dataDir = lib.mkOption { 26 26 - type = lib.types.path; 27 27 - default = "/var/lib/cachet"; 28 28 - description = "Directory to store cachet data"; 29 29 - }; 30 30 - 31 31 - secretsFile = lib.mkOption { 32 32 - type = lib.types.path; 33 33 - description = "Path to secrets file containing SLACK_TOKEN, SLACK_SIGNING_SECRET, BEARER_TOKEN"; 34 34 - }; 35 35 - 36 36 - repository = lib.mkOption { 37 37 - type = lib.types.str; 38 38 - default = "https://github.com/taciturnaxolotl/cachet.git"; 39 39 - description = "Git repository URL (optional, for auto-deployment)"; 40 40 - }; 41 41 - 42 42 - autoUpdate = lib.mkEnableOption "Automatically git pull on service restart"; 43 43 - }; 44 44 - 45 45 - config = lib.mkIf cfg.enable { 46 46 - users.groups.services = { }; 47 47 - 48 48 - users.users.cachet = { 49 49 - isSystemUser = true; 50 50 - group = "cachet"; 51 51 - extraGroups = [ "services" ]; 52 52 - home = cfg.dataDir; 53 53 - createHome = true; 54 54 - shell = pkgs.bash; 55 55 - }; 56 56 - 57 57 - users.groups.cachet = { }; 12 12 + mkService { 13 13 + name = "cachet"; 14 14 + description = "Cachet Slack emoji/profile cache"; 15 15 + defaultPort = 3000; 16 16 + runtime = "bun"; 17 17 + entryPoint = "src/index.ts"; 58 18 59 59 - security.sudo.extraRules = [ 60 60 - { 61 61 - users = [ "cachet" ]; 62 62 - commands = [ 63 63 - { 64 64 - command = "/run/current-system/sw/bin/systemctl restart cachet.service"; 65 65 - options = [ "NOPASSWD" ]; 66 66 - } 67 67 - ]; 68 68 - } 19 19 + extraConfig = cfg: { 20 20 + # Set DATABASE_PATH environment variable 21 21 + systemd.services.cachet.serviceConfig.Environment = [ 22 22 + "DATABASE_PATH=${cfg.dataDir}/data/cachet.db" 69 23 ]; 70 24 71 71 - systemd.services.cachet = { 72 72 - description = "Cachet Slack emoji/profile cache"; 73 73 - wantedBy = [ "multi-user.target" ]; 74 74 - after = [ "network.target" ]; 75 75 - path = [ pkgs.git ]; 76 76 - 77 77 - preStart = '' 78 78 - if [ ! -d ${cfg.dataDir}/app/.git ]; then 79 79 - ${pkgs.git}/bin/git clone ${cfg.repository} ${cfg.dataDir}/app 80 80 - fi 81 81 - 82 82 - cd ${cfg.dataDir}/app 83 83 - '' + lib.optionalString cfg.autoUpdate '' 84 84 - ${pkgs.git}/bin/git pull 85 85 - '' + '' 86 86 - 87 87 - if [ ! -f src/index.ts ]; then 88 88 - echo "No code found at ${cfg.dataDir}/app/src/index.ts" 89 89 - exit 1 90 90 - fi 91 91 - 92 92 - echo "Installing dependencies..." 93 93 - ${pkgs.unstable.bun}/bin/bun install 94 94 - ''; 95 95 - 96 96 - serviceConfig = { 97 97 - Type = "simple"; 98 98 - User = "cachet"; 99 99 - Group = "cachet"; 100 100 - EnvironmentFile = cfg.secretsFile; 101 101 - Environment = [ 102 102 - "NODE_ENV=production" 103 103 - "PORT=${toString cfg.port}" 104 104 - "DATABASE_PATH=${cfg.dataDir}/data/cachet.db" 105 105 - ]; 106 106 - ExecStart = "${pkgs.bash}/bin/bash -c 'cd ${cfg.dataDir}/app && ${pkgs.unstable.bun}/bin/bun run src/index.ts'"; 107 107 - Restart = "always"; 108 108 - RestartSec = "10s"; 109 109 - }; 110 110 - 111 111 - serviceConfig.ExecStartPre = [ 112 112 - "+${pkgs.writeShellScript "cachet-setup" '' 113 113 - mkdir -p ${cfg.dataDir}/data 114 114 - mkdir -p ${cfg.dataDir}/app 115 115 - chown -R cachet:services ${cfg.dataDir} 116 116 - chmod -R g+rwX ${cfg.dataDir} 117 117 - ''}" 118 118 - ]; 119 119 - }; 120 120 - 121 121 - services.caddy.virtualHosts.${cfg.domain} = { 122 122 - extraConfig = '' 123 123 - tls { 124 124 - dns cloudflare {env.CLOUDFLARE_API_TOKEN} 125 125 - } 126 126 - 127 127 - reverse_proxy localhost:${toString cfg.port} 128 128 - ''; 25 25 + # Data declarations for automatic backup 26 26 + atelier.services.cachet.data = { 27 27 + sqlite = "${cfg.dataDir}/data/cachet.db"; 129 28 }; 130 29 }; 131 30 }

+22

modules/nixos/services/emojibot.nix

··· 50 50 }; 51 51 52 52 autoUpdate = lib.mkEnableOption "Automatically git pull on service restart"; 53 53 + 54 54 + backup = { 55 55 + enable = lib.mkEnableOption "Enable backups for emojibot" // { default = true; }; 56 56 + 57 57 + paths = lib.mkOption { 58 58 + type = lib.types.listOf lib.types.str; 59 59 + default = [ cfg.dataDir ]; 60 60 + description = "Paths to back up"; 61 61 + }; 62 62 + 63 63 + exclude = lib.mkOption { 64 64 + type = lib.types.listOf lib.types.str; 65 65 + default = [ "*.log" "app/.git" "app/node_modules" ]; 66 66 + description = "Patterns to exclude from backup"; 67 67 + }; 68 68 + }; 53 69 }; 54 70 55 71 config = lib.mkIf cfg.enable { ··· 134 150 135 151 reverse_proxy localhost:${toString cfg.port} 136 152 ''; 153 153 + }; 154 154 + 155 155 + # Register backup configuration 156 156 + atelier.backup.services.emojibot = lib.mkIf cfg.backup.enable { 157 157 + inherit (cfg.backup) paths exclude; 158 158 + # Stateless service, no pre/post hooks needed 137 159 }; 138 160 }; 139 161 }

+24

modules/nixos/services/hn-alerts.nix

··· 40 40 }; 41 41 42 42 autoUpdate = lib.mkEnableOption "Automatically git pull on service restart"; 43 43 + 44 44 + backup = { 45 45 + enable = lib.mkEnableOption "Enable backups for hn-alerts" // { default = true; }; 46 46 + 47 47 + paths = lib.mkOption { 48 48 + type = lib.types.listOf lib.types.str; 49 49 + default = [ cfg.dataDir ]; 50 50 + description = "Paths to back up"; 51 51 + }; 52 52 + 53 53 + exclude = lib.mkOption { 54 54 + type = lib.types.listOf lib.types.str; 55 55 + default = [ "*.log" "app/.git" "app/node_modules" ]; 56 56 + description = "Patterns to exclude from backup"; 57 57 + }; 58 58 + }; 43 59 }; 44 60 45 61 config = lib.mkIf cfg.enable { ··· 119 135 120 136 reverse_proxy localhost:${toString cfg.port} 121 137 ''; 138 138 + }; 139 139 + 140 140 + # Register backup configuration 141 141 + atelier.backup.services.hn-alerts = lib.mkIf cfg.backup.enable { 142 142 + inherit (cfg.backup) paths exclude; 143 143 + # Has database, stop before backup 144 144 + preBackup = "systemctl stop hn-alerts"; 145 145 + postBackup = "systemctl start hn-alerts"; 122 146 }; 123 147 }; 124 148 }

+24

modules/nixos/services/indiko.nix

··· 44 44 }; 45 45 46 46 autoUpdate = lib.mkEnableOption "Automatically git pull on service restart"; 47 47 + 48 48 + backup = { 49 49 + enable = lib.mkEnableOption "Enable backups for indiko" // { default = true; }; 50 50 + 51 51 + paths = lib.mkOption { 52 52 + type = lib.types.listOf lib.types.str; 53 53 + default = [ cfg.dataDir ]; 54 54 + description = "Paths to back up"; 55 55 + }; 56 56 + 57 57 + exclude = lib.mkOption { 58 58 + type = lib.types.listOf lib.types.str; 59 59 + default = [ "*.log" "app/.git" "app/node_modules" ]; 60 60 + description = "Patterns to exclude from backup"; 61 61 + }; 62 62 + }; 47 63 }; 48 64 49 65 config = lib.mkIf cfg.enable { ··· 164 180 reverse_proxy localhost:${toString cfg.port} 165 181 } 166 182 ''; 183 183 + }; 184 184 + 185 185 + # Register backup configuration 186 186 + atelier.backup.services.indiko = lib.mkIf cfg.backup.enable { 187 187 + inherit (cfg.backup) paths exclude; 188 188 + # Has SQLite database for sessions/tokens 189 189 + preBackup = "systemctl stop indiko"; 190 190 + postBackup = "systemctl start indiko"; 167 191 }; 168 192 }; 169 193 }

+22

modules/nixos/services/l4.nix

··· 50 50 }; 51 51 52 52 autoUpdate = lib.mkEnableOption "Automatically git pull on service restart"; 53 53 + 54 54 + backup = { 55 55 + enable = lib.mkEnableOption "Enable backups for l4" // { default = true; }; 56 56 + 57 57 + paths = lib.mkOption { 58 58 + type = lib.types.listOf lib.types.str; 59 59 + default = [ cfg.dataDir ]; 60 60 + description = "Paths to back up"; 61 61 + }; 62 62 + 63 63 + exclude = lib.mkOption { 64 64 + type = lib.types.listOf lib.types.str; 65 65 + default = [ "*.log" "app/.git" "app/node_modules" ]; 66 66 + description = "Patterns to exclude from backup"; 67 67 + }; 68 68 + }; 53 69 }; 54 70 55 71 config = lib.mkIf cfg.enable { ··· 136 152 137 153 reverse_proxy localhost:${toString cfg.port} 138 154 ''; 155 155 + }; 156 156 + 157 157 + # Register backup configuration 158 158 + atelier.backup.services.l4 = lib.mkIf cfg.backup.enable { 159 159 + inherit (cfg.backup) paths exclude; 160 160 + # Stateless service (images in R2), no pre/post hooks needed 139 161 }; 140 162 }; 141 163 }

+162

modules/nixos/services/restic/README.md

··· 1 1 + # Restic Backup System 2 2 + 3 3 + Per-service backup system using Restic and Backblaze B2, with automatic backup discovery from `mkService` data declarations. 4 4 + 5 5 + ## Quick Start 6 6 + 7 7 + ### 1. Create B2 Bucket 8 8 + 9 9 + 1. Go to [Backblaze B2 console](https://secure.backblaze.com/b2_buckets.htm) 10 10 + 2. Create a new bucket (e.g., `terebithia-backup`) 11 11 + 3. Create an application key with read/write access to this bucket 12 12 + 4. Note the Account ID, Application Key, and Bucket name 13 13 + 14 14 + ### 2. Create Agenix Secrets 15 15 + 16 16 + ```bash 17 17 + cd ~/dots/secrets 18 18 + mkdir -p restic 19 19 + 20 20 + # Repository encryption password 21 21 + echo "choose-a-strong-encryption-password" | agenix -e restic/password.age 22 22 + 23 23 + # B2 credentials 24 24 + cat > /tmp/restic-env << 'EOF' 25 25 + B2_ACCOUNT_ID="your-account-id" 26 26 + B2_ACCOUNT_KEY="your-application-key" 27 27 + EOF 28 28 + agenix -e restic/env.age < /tmp/restic-env 29 29 + rm /tmp/restic-env 30 30 + 31 31 + # Repository URL 32 32 + echo "b2:your-bucket-name:/" | agenix -e restic/repo.age 33 33 + ``` 34 34 + 35 35 + ### 3. Add Secrets to Machine Config 36 36 + 37 37 + ```nix 38 38 + age.secrets = { 39 39 + "restic/env".file = ../../secrets/restic/env.age; 40 40 + "restic/repo".file = ../../secrets/restic/repo.age; 41 41 + "restic/password".file = ../../secrets/restic/password.age; 42 42 + }; 43 43 + ``` 44 44 + 45 45 + ### 4. Enable Backup System 46 46 + 47 47 + ```nix 48 48 + atelier.backup.enable = true; 49 49 + ``` 50 50 + 51 51 + ### 5. Deploy and Verify 52 52 + 53 53 + ```bash 54 54 + deploy .#terebithia 55 55 + 56 56 + # Check timers are active 57 57 + ssh terebithia 'systemctl list-timers | grep restic' 58 58 + ``` 59 59 + 60 60 + ## Service Integration 61 61 + 62 62 + ### Automatic (mkService) 63 63 + 64 64 + Services using `mkService` with `data.*` declarations get automatic backup: 65 65 + 66 66 + ```nix 67 67 + # In your service module 68 68 + mkService { 69 69 + name = "myapp"; 70 70 + # ... 71 71 + extraConfig = cfg: { 72 72 + atelier.services.myapp.data = { 73 73 + sqlite = "${cfg.dataDir}/data/app.db"; # Auto WAL checkpoint + stop/start 74 74 + files = [ "${cfg.dataDir}/uploads" ]; # Just backed up, no hooks 75 75 + }; 76 76 + }; 77 77 + } 78 78 + ``` 79 79 + 80 80 + The backup system automatically: 81 81 + - Checkpoints SQLite WAL before backup 82 82 + - Stops the service during backup 83 83 + - Restarts after completion 84 84 + - Tags snapshots with `service:myapp` and `type:sqlite` 85 85 + 86 86 + ### Manual Registration 87 87 + 88 88 + For services not using `mkService`: 89 89 + 90 90 + ```nix 91 91 + atelier.backup.services.myservice = { 92 92 + paths = [ "/var/lib/myservice" ]; 93 93 + exclude = [ "*.log" "cache/*" ]; 94 94 + preBackup = "systemctl stop myservice"; 95 95 + postBackup = "systemctl start myservice"; 96 96 + }; 97 97 + ``` 98 98 + 99 99 + ## CLI Usage 100 100 + 101 101 + The `atelier-backup` command provides an interactive TUI: 102 102 + 103 103 + ```bash 104 104 + atelier-backup # Interactive menu 105 105 + atelier-backup status # Show backup status for all services 106 106 + atelier-backup list # Browse snapshots 107 107 + atelier-backup backup # Trigger manual backup 108 108 + atelier-backup restore # Interactive restore wizard 109 109 + atelier-backup dr # Disaster recovery mode 110 110 + ``` 111 111 + 112 112 + See `man atelier-backup` for full documentation. 113 113 + 114 114 + ## Backup Schedule 115 115 + 116 116 + - **Time**: 02:00 AM daily 117 117 + - **Random delay**: 0-2 hours (spreads load across services) 118 118 + - **Retention**: 119 119 + - Last 3 snapshots 120 120 + - 7 daily backups 121 121 + - 5 weekly backups 122 122 + - 12 monthly backups 123 123 + 124 124 + ## Disaster Recovery 125 125 + 126 126 + On a fresh NixOS install: 127 127 + 128 128 + 1. Rebuild from flake: `nixos-rebuild switch --flake .#hostname` 129 129 + 2. Run: `atelier-backup dr` 130 130 + 3. All services restored from latest snapshots 131 131 + 132 132 + A manifest at `/etc/atelier/backup-manifest.json` tracks all configured backups. 133 133 + 134 134 + ## Systemd Units 135 135 + 136 136 + Each service gets: 137 137 + - Timer: `restic-backups-<service>.timer` 138 138 + - Service: `restic-backups-<service>.service` 139 139 + 140 140 + ```bash 141 141 + # Check timer status 142 142 + systemctl list-timers | grep restic 143 143 + 144 144 + # View backup logs 145 145 + journalctl -u restic-backups-<service>.service 146 146 + 147 147 + # Manual backup trigger 148 148 + systemctl start restic-backups-<service>.service 149 149 + ``` 150 150 + 151 151 + ## Testing Backups 152 152 + 153 153 + Always verify backups work before relying on them: 154 154 + 155 155 + ```bash 156 156 + # Restore to /tmp for inspection 157 157 + atelier-backup restore 158 158 + # → Select service → Select snapshot → "Inspect (restore to /tmp)" 159 159 + 160 160 + # Check restored files 161 161 + ls -la /tmp/restore-myservice-*/ 162 162 + ```

+140

modules/nixos/services/restic/atelier-backup.1.md

··· 1 1 + % ATELIER-BACKUP(1) atelier-backup 1.0 2 2 + % Kieran Klukas 3 3 + % December 2024 4 4 + 5 5 + # NAME 6 6 + 7 7 + atelier-backup - interactive backup management for atelier services 8 8 + 9 9 + # SYNOPSIS 10 10 + 11 11 + **atelier-backup** [*COMMAND*] 12 12 + 13 13 + **atelier-backup** **status** 14 14 + 15 15 + **atelier-backup** **list** 16 16 + 17 17 + **atelier-backup** **backup** 18 18 + 19 19 + **atelier-backup** **restore** 20 20 + 21 21 + **atelier-backup** **dr** 22 22 + 23 23 + # DESCRIPTION 24 24 + 25 25 + **atelier-backup** is an interactive CLI for managing restic backups of atelier services. It provides a gum-powered TUI for browsing snapshots, triggering backups, restoring data, and performing disaster recovery. 26 26 + 27 27 + When run without arguments, an interactive menu is displayed. 28 28 + 29 29 + # COMMANDS 30 30 + 31 31 + **status** 32 32 + : Show the backup status for all configured services, including the date of the most recent snapshot. 33 33 + 34 34 + **list** 35 35 + : Interactively select a service and browse its available snapshots. 36 36 + 37 37 + **backup** 38 38 + : Trigger a manual backup for a selected service or all services. 39 39 + 40 40 + **restore** 41 41 + : Interactive restore wizard. Select a service, choose a snapshot, and restore either to /tmp for inspection or in-place (with service stop/start). 42 42 + 43 43 + **dr**, **disaster-recovery** 44 44 + : Full disaster recovery mode. Restores the latest snapshot for ALL services. Only use on a fresh NixOS install after rebuilding from the flake. 45 45 + 46 46 + # OPTIONS 47 47 + 48 48 + **-h**, **--help** 49 49 + : Display usage information and exit. 50 50 + 51 51 + # RESTORE MODES 52 52 + 53 53 + When restoring, you can choose between two modes: 54 54 + 55 55 + **Inspect (restore to /tmp)** 56 56 + : Restores the snapshot to /tmp/restore-SERVICE-SNAPSHOT for inspection. Safe and non-destructive. 57 57 + 58 58 + **In-place (DANGEROUS)** 59 59 + : Stops the service, restores directly to the original paths, and restarts the service. Use with caution. 60 60 + 61 61 + # DISASTER RECOVERY 62 62 + 63 63 + The **dr** command is designed for full server recovery: 64 64 + 65 65 + 1. Rebuild NixOS from the flake: `nixos-rebuild switch --flake .#hostname` 66 66 + 2. Run: `atelier-backup dr` 67 67 + 3. The CLI restores the latest snapshot for each service 68 68 + 4. Services are started automatically after restore 69 69 + 70 70 + A backup manifest is stored at **/etc/atelier/backup-manifest.json** containing metadata about all configured backups. 71 71 + 72 72 + # EXAMPLES 73 73 + 74 74 + Interactive menu: 75 75 + ``` 76 76 + $ atelier-backup 77 77 + ``` 78 78 + 79 79 + Check backup status for all services: 80 80 + ``` 81 81 + $ atelier-backup status 82 82 + ``` 83 83 + 84 84 + Browse snapshots for a service: 85 85 + ``` 86 86 + $ atelier-backup list 87 87 + ``` 88 88 + 89 89 + Trigger manual backup: 90 90 + ``` 91 91 + $ atelier-backup backup 92 92 + ``` 93 93 + 94 94 + Restore a service from backup: 95 95 + ``` 96 96 + $ atelier-backup restore 97 97 + ``` 98 98 + 99 99 + Full disaster recovery: 100 100 + ``` 101 101 + $ atelier-backup dr 102 102 + ``` 103 103 + 104 104 + # FILES 105 105 + 106 106 + **/etc/atelier/backup-manifest.json** 107 107 + : Generated manifest containing backup configuration for all services. 108 108 + 109 109 + **/run/agenix/restic/*** 110 110 + : Agenix-managed secrets for restic (env, repo, password). 111 111 + 112 112 + # BACKUP SCHEDULE 113 113 + 114 114 + Services are backed up nightly at 02:00 with a randomized delay of up to 2 hours to spread load. Backups are triggered via systemd timers: 115 115 + 116 116 + - `restic-backups-SERVICE.timer` 117 117 + - `restic-backups-SERVICE.service` 118 118 + 119 119 + # RETENTION POLICY 120 120 + 121 121 + Snapshots are retained according to: 122 122 + 123 123 + - Last 3 snapshots 124 124 + - 7 daily backups 125 125 + - 5 weekly backups 126 126 + - 12 monthly backups 127 127 + 128 128 + # SEE ALSO 129 129 + 130 130 + **restic**(1), **systemctl**(1) 131 131 + 132 132 + Restic documentation: https://restic.readthedocs.io/ 133 133 + 134 134 + # BUGS 135 135 + 136 136 + Report bugs at: https://github.com/taciturnaxolotl/dots/issues 137 137 + 138 138 + # AUTHORS 139 139 + 140 140 + Kieran Klukas <kierank@dunkirk.sh>

+341

modules/nixos/services/restic/cli.nix

··· 1 1 + # atelier-backup CLI - Interactive backup management with gum 2 2 + # 3 3 + # Commands: 4 4 + # atelier-backup - Interactive menu 5 5 + # atelier-backup status - Show backup status for all services 6 6 + # atelier-backup list - List snapshots (interactive service selection) 7 7 + # atelier-backup restore - Interactive restore wizard 8 8 + # atelier-backup backup - Trigger manual backup 9 9 + # atelier-backup dr - Disaster recovery mode 10 10 + 11 11 + { config, lib, pkgs, ... }: 12 12 + 13 13 + let 14 14 + cfg = config.atelier.backup; 15 15 + 16 16 + # Collect all services with backup data for the manifest 17 17 + atelierServices = lib.filterAttrs (name: svc: 18 18 + (svc.enable or false) && (svc.data or null) != null 19 19 + ) (config.atelier.services or {}); 20 20 + 21 21 + hasData = svc: 22 22 + (svc.data.sqlite or null) != null || 23 23 + (svc.data.postgres or null) != null || 24 24 + (svc.data.files or []) != []; 25 25 + 26 26 + servicesWithData = lib.filterAttrs (name: svc: hasData svc) atelierServices; 27 27 + 28 28 + # Also include manually registered backup services 29 29 + allBackupServices = (lib.attrNames cfg.services) ++ (lib.attrNames servicesWithData); 30 30 + 31 31 + # Generate manifest for disaster recovery 32 32 + backupManifest = pkgs.writeText "backup-manifest.json" (builtins.toJSON { 33 33 + version = 1; 34 34 + generated = "nixos-rebuild"; 35 35 + services = lib.mapAttrs (name: svc: { 36 36 + dataDir = svc.dataDir or "/var/lib/${name}"; 37 37 + data = { 38 38 + sqlite = svc.data.sqlite or null; 39 39 + postgres = svc.data.postgres or null; 40 40 + files = svc.data.files or []; 41 41 + exclude = svc.data.exclude or []; 42 42 + }; 43 43 + }) servicesWithData // lib.mapAttrs (name: backupCfg: { 44 44 + paths = backupCfg.paths; 45 45 + exclude = backupCfg.exclude or []; 46 46 + manual = true; 47 47 + }) cfg.services; 48 48 + }); 49 49 + 50 50 + backupCliScript = pkgs.writeShellScript "atelier-backup" '' 51 51 + set -e 52 52 + 53 53 + # Colors via gum 54 54 + style() { ${pkgs.gum}/bin/gum style "$@"; } 55 55 + confirm() { ${pkgs.gum}/bin/gum confirm "$@"; } 56 56 + choose() { ${pkgs.gum}/bin/gum choose "$@"; } 57 57 + input() { ${pkgs.gum}/bin/gum input "$@"; } 58 58 + spin() { ${pkgs.gum}/bin/gum spin "$@"; } 59 59 + 60 60 + # Restic wrapper with secrets 61 61 + restic_cmd() { 62 62 + ${pkgs.restic}/bin/restic \ 63 63 + --repository-file ${config.age.secrets."restic/repo".path} \ 64 64 + --password-file ${config.age.secrets."restic/password".path} \ 65 65 + "$@" 66 66 + } 67 67 + export -f restic_cmd 68 68 + export B2_ACCOUNT_ID=$(cat ${config.age.secrets."restic/env".path} | grep B2_ACCOUNT_ID | cut -d= -f2) 69 69 + export B2_ACCOUNT_KEY=$(cat ${config.age.secrets."restic/env".path} | grep B2_ACCOUNT_KEY | cut -d= -f2) 70 70 + 71 71 + # Available services 72 72 + SERVICES="${lib.concatStringsSep " " allBackupServices}" 73 73 + MANIFEST="${backupManifest}" 74 74 + 75 75 + cmd_status() { 76 76 + style --bold --foreground 212 "Backup Status" 77 77 + echo 78 78 + 79 79 + for svc in $SERVICES; do 80 80 + # Get latest snapshot for this service 81 81 + latest=$(restic_cmd snapshots --tag "service:$svc" --json --latest 1 2>/dev/null | ${pkgs.jq}/bin/jq -r '.[0] // empty') 82 82 + 83 83 + if [ -n "$latest" ]; then 84 84 + time=$(echo "$latest" | ${pkgs.jq}/bin/jq -r '.time' | cut -d'T' -f1) 85 85 + hostname=$(echo "$latest" | ${pkgs.jq}/bin/jq -r '.hostname') 86 86 + style --foreground 35 "✓ $svc" 87 87 + style --foreground 117 " Last backup: $time on $hostname" 88 88 + else 89 89 + style --foreground 214 "! $svc" 90 90 + style --foreground 117 " No backups found" 91 91 + fi 92 92 + done 93 93 + } 94 94 + 95 95 + cmd_list() { 96 96 + style --bold --foreground 212 "List Snapshots" 97 97 + echo 98 98 + 99 99 + # Let user pick a service 100 100 + svc=$(echo "$SERVICES" | tr ' ' '\n' | choose --header "Select service:") 101 101 + 102 102 + if [ -z "$svc" ]; then 103 103 + style --foreground 196 "No service selected" 104 104 + exit 1 105 105 + fi 106 106 + 107 107 + style --foreground 117 "Snapshots for $svc:" 108 108 + echo 109 109 + 110 110 + restic_cmd snapshots --tag "service:$svc" --compact 111 111 + } 112 112 + 113 113 + cmd_backup() { 114 114 + style --bold --foreground 212 "Manual Backup" 115 115 + echo 116 116 + 117 117 + # Let user pick a service or all 118 118 + svc=$(echo "all $SERVICES" | tr ' ' '\n' | choose --header "Select service to backup:") 119 119 + 120 120 + if [ -z "$svc" ]; then 121 121 + style --foreground 196 "No service selected" 122 122 + exit 1 123 123 + fi 124 124 + 125 125 + if [ "$svc" = "all" ]; then 126 126 + for s in $SERVICES; do 127 127 + style --foreground 117 "Backing up $s..." 128 128 + systemctl start "restic-backups-$s.service" || style --foreground 214 "! Failed to backup $s" 129 129 + done 130 130 + else 131 131 + style --foreground 117 "Backing up $svc..." 132 132 + systemctl start "restic-backups-$svc.service" 133 133 + fi 134 134 + 135 135 + style --foreground 35 "✓ Backup triggered" 136 136 + } 137 137 + 138 138 + cmd_restore() { 139 139 + style --bold --foreground 212 "Restore Wizard" 140 140 + echo 141 141 + 142 142 + # Pick service 143 143 + svc=$(echo "$SERVICES" | tr ' ' '\n' | choose --header "Select service to restore:") 144 144 + 145 145 + if [ -z "$svc" ]; then 146 146 + style --foreground 196 "No service selected" 147 147 + exit 1 148 148 + fi 149 149 + 150 150 + # List snapshots for selection 151 151 + style --foreground 117 "Fetching snapshots for $svc..." 152 152 + snapshots=$(restic_cmd snapshots --tag "service:$svc" --json 2>/dev/null) 153 153 + 154 154 + if [ "$(echo "$snapshots" | ${pkgs.jq}/bin/jq 'length')" = "0" ]; then 155 155 + style --foreground 196 "No snapshots found for $svc" 156 156 + exit 1 157 157 + fi 158 158 + 159 159 + # Format snapshots for selection 160 160 + snapshot_list=$(echo "$snapshots" | ${pkgs.jq}/bin/jq -r '.[] | "\(.short_id) - \(.time | split("T")[0]) - \(.paths | join(", "))"') 161 161 + 162 162 + selected=$(echo "$snapshot_list" | choose --header "Select snapshot:") 163 163 + snapshot_id=$(echo "$selected" | cut -d' ' -f1) 164 164 + 165 165 + if [ -z "$snapshot_id" ]; then 166 166 + style --foreground 196 "No snapshot selected" 167 167 + exit 1 168 168 + fi 169 169 + 170 170 + # Restore options 171 171 + restore_mode=$(choose --header "Restore mode:" "Inspect (restore to /tmp)" "In-place (DANGEROUS)") 172 172 + 173 173 + case "$restore_mode" in 174 174 + "Inspect"*) 175 175 + target="/tmp/restore-$svc-$snapshot_id" 176 176 + mkdir -p "$target" 177 177 + 178 178 + style --foreground 117 "Restoring to $target..." 179 179 + restic_cmd restore "$snapshot_id" --target "$target" 180 180 + 181 181 + style --foreground 35 "✓ Restored to $target" 182 182 + style --foreground 117 " Inspect files, then copy what you need" 183 183 + ;; 184 184 + 185 185 + "In-place"*) 186 186 + style --foreground 196 --bold "⚠ WARNING: This will overwrite existing data!" 187 187 + echo 188 188 + 189 189 + if ! confirm "Stop $svc and restore data?"; then 190 190 + style --foreground 214 "Restore cancelled" 191 191 + exit 0 192 192 + fi 193 193 + 194 194 + style --foreground 117 "Stopping $svc..." 195 195 + systemctl stop "$svc" 2>/dev/null || true 196 196 + 197 197 + style --foreground 117 "Restoring snapshot $snapshot_id..." 198 198 + restic_cmd restore "$snapshot_id" --target / 199 199 + 200 200 + style --foreground 117 "Starting $svc..." 201 201 + systemctl start "$svc" 202 202 + 203 203 + style --foreground 35 "✓ Restore complete" 204 204 + ;; 205 205 + esac 206 206 + } 207 207 + 208 208 + cmd_dr() { 209 209 + style --bold --foreground 196 "⚠ DISASTER RECOVERY MODE" 210 210 + echo 211 211 + style --foreground 214 "This will restore ALL services from backup." 212 212 + style --foreground 214 "Only use this on a fresh NixOS install." 213 213 + echo 214 214 + 215 215 + if ! confirm "Continue with full disaster recovery?"; then 216 216 + style --foreground 117 "Cancelled" 217 217 + exit 0 218 218 + fi 219 219 + 220 220 + style --foreground 117 "Reading backup manifest..." 221 221 + 222 222 + for svc in $SERVICES; do 223 223 + style --foreground 212 "Restoring $svc..." 224 224 + 225 225 + # Get latest snapshot 226 226 + snapshot_id=$(restic_cmd snapshots --tag "service:$svc" --json --latest 1 2>/dev/null | ${pkgs.jq}/bin/jq -r '.[0].short_id // empty') 227 227 + 228 228 + if [ -z "$snapshot_id" ]; then 229 229 + style --foreground 214 " ! No snapshots found, skipping" 230 230 + continue 231 231 + fi 232 232 + 233 233 + # Stop service if running 234 234 + systemctl stop "$svc" 2>/dev/null || true 235 235 + 236 236 + # Restore 237 237 + restic_cmd restore "$snapshot_id" --target / 238 238 + 239 239 + # Start service 240 240 + systemctl start "$svc" 2>/dev/null || true 241 241 + 242 242 + style --foreground 35 " ✓ Restored from $snapshot_id" 243 243 + done 244 244 + 245 245 + echo 246 246 + style --foreground 35 --bold "✓ Disaster recovery complete" 247 247 + } 248 248 + 249 249 + cmd_menu() { 250 250 + style --bold --foreground 212 "Atelier Backup" 251 251 + echo 252 252 + 253 253 + action=$(choose \ 254 254 + "Status - Show backup status" \ 255 255 + "List - Browse snapshots" \ 256 256 + "Backup - Trigger manual backup" \ 257 257 + "Restore - Restore from backup" \ 258 258 + "DR - Disaster recovery mode") 259 259 + 260 260 + case "$action" in 261 261 + Status*) cmd_status ;; 262 262 + List*) cmd_list ;; 263 263 + Backup*) cmd_backup ;; 264 264 + Restore*) cmd_restore ;; 265 265 + DR*) cmd_dr ;; 266 266 + *) exit 0 ;; 267 267 + esac 268 268 + } 269 269 + 270 270 + # Main 271 271 + case "''${1:-}" in 272 272 + status) cmd_status ;; 273 273 + list) cmd_list ;; 274 274 + backup) cmd_backup ;; 275 275 + restore) cmd_restore ;; 276 276 + dr|disaster-recovery) cmd_dr ;; 277 277 + --help|-h) 278 278 + echo "Usage: atelier-backup [command]" 279 279 + echo 280 280 + echo "Commands:" 281 281 + echo " status Show backup status for all services" 282 282 + echo " list List snapshots" 283 283 + echo " backup Trigger manual backup" 284 284 + echo " restore Interactive restore wizard" 285 285 + echo " dr Disaster recovery mode" 286 286 + echo 287 287 + echo "Run without arguments for interactive menu." 288 288 + ;; 289 289 + "") cmd_menu ;; 290 290 + *) 291 291 + style --foreground 196 "Unknown command: $1" 292 292 + exit 1 293 293 + ;; 294 294 + esac 295 295 + ''; 296 296 + 297 297 + backupCli = pkgs.stdenv.mkDerivation { 298 298 + pname = "atelier-backup"; 299 299 + version = "1.0.0"; 300 300 + 301 301 + dontUnpack = true; 302 302 + 303 303 + nativeBuildInputs = [ pkgs.installShellFiles pkgs.pandoc ]; 304 304 + 305 305 + manPageSrc = ./atelier-backup.1.md; 306 306 + bashCompletionSrc = ./completions/atelier-backup.bash; 307 307 + zshCompletionSrc = ./completions/atelier-backup.zsh; 308 308 + fishCompletionSrc = ./completions/atelier-backup.fish; 309 309 + 310 310 + buildPhase = '' 311 311 + ${pkgs.pandoc}/bin/pandoc -s -t man $manPageSrc -o atelier-backup.1 312 312 + ''; 313 313 + 314 314 + installPhase = '' 315 315 + mkdir -p $out/bin 316 316 + cp ${backupCliScript} $out/bin/atelier-backup 317 317 + chmod +x $out/bin/atelier-backup 318 318 + 319 319 + # Install man page 320 320 + installManPage atelier-backup.1 321 321 + 322 322 + # Install completions 323 323 + installShellCompletion --bash --name atelier-backup $bashCompletionSrc 324 324 + installShellCompletion --zsh --name _atelier-backup $zshCompletionSrc 325 325 + installShellCompletion --fish --name atelier-backup.fish $fishCompletionSrc 326 326 + ''; 327 327 + 328 328 + meta = with lib; { 329 329 + description = "Interactive backup management CLI for atelier services"; 330 330 + license = licenses.mit; 331 331 + }; 332 332 + }; 333 333 + 334 334 + in { 335 335 + config = lib.mkIf cfg.enable { 336 336 + environment.systemPackages = [ backupCli ]; 337 337 + 338 338 + # Store manifest for reference 339 339 + environment.etc."atelier/backup-manifest.json".source = backupManifest; 340 340 + }; 341 341 + }

+27

modules/nixos/services/restic/completions/atelier-backup.bash

··· 1 1 + # bash completion for atelier-backup 2 2 + 3 3 + _atelier_backup_completion() { 4 4 + local cur prev 5 5 + COMPREPLY=() 6 6 + cur="${COMP_WORDS[COMP_CWORD]}" 7 7 + prev="${COMP_WORDS[COMP_CWORD-1]}" 8 8 + 9 9 + # Main commands 10 10 + local commands="status list backup restore dr --help" 11 11 + 12 12 + # Complete flags 13 13 + if [[ ${cur} == -* ]]; then 14 14 + COMPREPLY=( $(compgen -W "--help -h" -- ${cur}) ) 15 15 + return 0 16 16 + fi 17 17 + 18 18 + # Complete commands as first argument 19 19 + if [[ ${COMP_CWORD} -eq 1 ]]; then 20 20 + COMPREPLY=( $(compgen -W "${commands}" -- ${cur}) ) 21 21 + return 0 22 22 + fi 23 23 + 24 24 + return 0 25 25 + } 26 26 + 27 27 + complete -F _atelier_backup_completion atelier-backup

+14

modules/nixos/services/restic/completions/atelier-backup.fish

··· 1 1 + # fish completion for atelier-backup 2 2 + 3 3 + # Disable file completion 4 4 + complete -c atelier-backup -f 5 5 + 6 6 + # Commands (first argument only) 7 7 + complete -c atelier-backup -n '__fish_is_first_token' -a 'status' -d 'Show backup status for all services' 8 8 + complete -c atelier-backup -n '__fish_is_first_token' -a 'list' -d 'List snapshots for a service' 9 9 + complete -c atelier-backup -n '__fish_is_first_token' -a 'backup' -d 'Trigger manual backup' 10 10 + complete -c atelier-backup -n '__fish_is_first_token' -a 'restore' -d 'Interactive restore wizard' 11 11 + complete -c atelier-backup -n '__fish_is_first_token' -a 'dr' -d 'Disaster recovery mode' 12 12 + 13 13 + # Flags 14 14 + complete -c atelier-backup -s h -l help -d 'Show help'

+30

modules/nixos/services/restic/completions/atelier-backup.zsh

··· 1 1 + #compdef atelier-backup 2 2 + 3 3 + _atelier-backup() { 4 4 + local curcontext="$curcontext" state line 5 5 + typeset -A opt_args 6 6 + 7 7 + _arguments -C \ 8 8 + '1: :->command' \ 9 9 + '--help[Show help]' \ 10 10 + '-h[Show help]' \ 11 11 + && return 0 12 12 + 13 13 + case $state in 14 14 + command) 15 15 + local -a commands 16 16 + commands=( 17 17 + 'status:Show backup status for all services' 18 18 + 'list:List snapshots for a service' 19 19 + 'backup:Trigger manual backup' 20 20 + 'restore:Interactive restore wizard' 21 21 + 'dr:Disaster recovery mode' 22 22 + ) 23 23 + _describe 'command' commands 24 24 + ;; 25 25 + esac 26 26 + 27 27 + return 0 28 28 + } 29 29 + 30 30 + _atelier-backup "$@"

+194

modules/nixos/services/restic/default.nix

··· 1 1 + { 2 2 + config, 3 3 + lib, 4 4 + pkgs, 5 5 + ... 6 6 + }: 7 7 + let 8 8 + cfg = config.atelier.backup; 9 9 + 10 10 + # Collect all atelier services that have data declarations 11 11 + atelierServices = lib.filterAttrs (name: svc: 12 12 + svc.enable or false && (svc.data or null) != null 13 13 + ) (config.atelier.services or {}); 14 14 + 15 15 + # Check if a service has any data to backup 16 16 + hasData = svc: 17 17 + (svc.data.sqlite or null) != null || 18 18 + (svc.data.postgres or null) != null || 19 19 + (svc.data.files or []) != []; 20 20 + 21 21 + # Collect services with data declarations 22 22 + servicesWithData = lib.filterAttrs (name: svc: hasData svc) atelierServices; 23 23 + 24 24 + # Also include manually registered services 25 25 + allBackups = cfg.services // (lib.mapAttrs mkAutoBackup servicesWithData); 26 26 + 27 27 + # Auto-generate backup config from service data declarations 28 28 + mkAutoBackup = name: svc: let 29 29 + data = svc.data; 30 30 + hasSqlite = data.sqlite or null != null; 31 31 + hasPostgres = data.postgres or null != null; 32 32 + 33 33 + # Collect all paths to backup 34 34 + paths = 35 35 + (lib.optional hasSqlite (builtins.dirOf data.sqlite)) ++ 36 36 + (data.files or []); 37 37 + 38 38 + # Pre-backup: handle database consistency 39 39 + preBackup = lib.concatStringsSep "\n" ( 40 40 + # SQLite: checkpoint WAL then stop service 41 41 + (lib.optional hasSqlite '' 42 42 + echo "Checkpointing SQLite WAL for ${name}..." 43 43 + ${pkgs.sqlite}/bin/sqlite3 "${data.sqlite}" "PRAGMA wal_checkpoint(TRUNCATE);" || true 44 44 + echo "Stopping ${name} for backup..." 45 45 + systemctl stop ${name} 46 46 + '') ++ 47 47 + # PostgreSQL: dump to file 48 48 + (lib.optional hasPostgres '' 49 49 + echo "Dumping PostgreSQL database ${data.postgres}..." 50 50 + ${pkgs.sudo}/bin/sudo -u postgres ${pkgs.postgresql}/bin/pg_dump ${data.postgres} > /tmp/${name}-pg-dump.sql 51 51 + '') ++ 52 52 + # If no database but service needs to be stopped (manual override possible) 53 53 + [] 54 54 + ); 55 55 + 56 56 + # Post-backup: restart service 57 57 + postBackup = lib.concatStringsSep "\n" ( 58 58 + (lib.optional hasSqlite '' 59 59 + echo "Restarting ${name} after backup..." 60 60 + systemctl start ${name} 61 61 + '') ++ 62 62 + (lib.optional hasPostgres '' 63 63 + rm -f /tmp/${name}-pg-dump.sql 64 64 + '') 65 65 + ); 66 66 + 67 67 + in { 68 68 + enable = true; 69 69 + inherit paths; 70 70 + exclude = data.exclude or [ "*.log" "node_modules" ".git" ]; 71 71 + tags = [ "service:${name}" ] ++ 72 72 + (lib.optional hasSqlite "type:sqlite") ++ 73 73 + (lib.optional hasPostgres "type:postgres"); 74 74 + preBackup = if preBackup != "" then preBackup else null; 75 75 + postBackup = if postBackup != "" then postBackup else null; 76 76 + }; 77 77 + 78 78 + # Create a restic backup job for a service 79 79 + mkBackupJob = name: serviceCfg: { 80 80 + inherit (serviceCfg) paths exclude; 81 81 + 82 82 + initialize = true; 83 83 + 84 84 + # Use secrets from agenix 85 85 + environmentFile = config.age.secrets."restic/env".path; 86 86 + repositoryFile = config.age.secrets."restic/repo".path; 87 87 + passwordFile = config.age.secrets."restic/password".path; 88 88 + 89 89 + # Tags for easier filtering during restore 90 90 + extraBackupArgs = 91 91 + (map (t: "--tag ${t}") (serviceCfg.tags or [ "service:${name}" ])) ++ 92 92 + [ "--verbose" ]; 93 93 + 94 94 + # Retention policy 95 95 + pruneOpts = [ 96 96 + "--keep-last 3" 97 97 + "--keep-daily 7" 98 98 + "--keep-weekly 5" 99 99 + "--keep-monthly 12" 100 100 + "--tag service:${name}" # Only prune this service's snapshots 101 101 + ]; 102 102 + 103 103 + # Backup schedule (nightly at 2 AM + random delay) 104 104 + timerConfig = { 105 105 + OnCalendar = "02:00"; 106 106 + RandomizedDelaySec = "2h"; 107 107 + Persistent = true; 108 108 + }; 109 109 + 110 110 + # Pre/post backup hooks for database consistency 111 111 + backupPrepareCommand = lib.optionalString (serviceCfg.preBackup or null != null) serviceCfg.preBackup; 112 112 + backupCleanupCommand = lib.optionalString (serviceCfg.postBackup or null != null) serviceCfg.postBackup; 113 113 + }; 114 114 + 115 115 + in 116 116 + { 117 117 + imports = [ ./cli.nix ]; 118 118 + 119 119 + options.atelier.backup = { 120 120 + enable = lib.mkEnableOption "Restic backup system"; 121 121 + 122 122 + # Manual service registration (for services not using mkService) 123 123 + services = lib.mkOption { 124 124 + type = lib.types.attrsOf ( 125 125 + lib.types.submodule { 126 126 + options = { 127 127 + enable = lib.mkOption { 128 128 + type = lib.types.bool; 129 129 + default = true; 130 130 + description = "Enable backups for this service"; 131 131 + }; 132 132 + 133 133 + paths = lib.mkOption { 134 134 + type = lib.types.listOf lib.types.str; 135 135 + description = "Paths to back up"; 136 136 + }; 137 137 + 138 138 + exclude = lib.mkOption { 139 139 + type = lib.types.listOf lib.types.str; 140 140 + default = [ "*.log" "node_modules" ".git" ]; 141 141 + description = "Glob patterns to exclude from backup"; 142 142 + }; 143 143 + 144 144 + tags = lib.mkOption { 145 145 + type = lib.types.listOf lib.types.str; 146 146 + default = []; 147 147 + description = "Tags to apply to snapshots"; 148 148 + }; 149 149 + 150 150 + preBackup = lib.mkOption { 151 151 + type = lib.types.nullOr lib.types.str; 152 152 + default = null; 153 153 + description = "Command to run before backup"; 154 154 + }; 155 155 + 156 156 + postBackup = lib.mkOption { 157 157 + type = lib.types.nullOr lib.types.str; 158 158 + default = null; 159 159 + description = "Command to run after backup"; 160 160 + }; 161 161 + }; 162 162 + } 163 163 + ); 164 164 + default = { }; 165 165 + description = "Per-service backup configurations (manual registration)"; 166 166 + }; 167 167 + }; 168 168 + 169 169 + config = lib.mkIf cfg.enable { 170 170 + # Ensure secrets are defined 171 171 + assertions = [ 172 172 + { 173 173 + assertion = config.age.secrets ? "restic/env"; 174 174 + message = "atelier.backup requires age.secrets.\"restic/env\" to be defined"; 175 175 + } 176 176 + { 177 177 + assertion = config.age.secrets ? "restic/repo"; 178 178 + message = "atelier.backup requires age.secrets.\"restic/repo\" to be defined"; 179 179 + } 180 180 + { 181 181 + assertion = config.age.secrets ? "restic/password"; 182 182 + message = "atelier.backup requires age.secrets.\"restic/password\" to be defined"; 183 183 + } 184 184 + ]; 185 185 + 186 186 + # Create restic backup jobs for each service (auto + manual) 187 187 + services.restic.backups = lib.mapAttrs mkBackupJob ( 188 188 + lib.filterAttrs (n: v: v.enable) allBackups 189 189 + ); 190 190 + 191 191 + # Add restic and sqlite to system packages for manual operations 192 192 + environment.systemPackages = [ pkgs.restic pkgs.sqlite ]; 193 193 + }; 194 194 + }

+13

secrets/restic/env.age

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-rsa DqcG0Q 3 3 + lT4PA3DsRI4Br6Dvx0walY/MPOUWzuhGdiGPRtzjFIqGYnlaJNX/SjT+gn+THM/7 4 4 + wKWWQCQ4bXw6EqoguRsW4fcONCUvxQj/by7+JnMsLNM+eu1xlZHVlyi9rEkbkE9K 5 5 + xtgxuKuXVhPEPeyaZjCMmaWu7QMXeepFnUrUGcqmhTdF5cYHr8z6qMCqyfm7nC27 6 6 + rkBqqs4z3hAXRjS3gDxBLJCbWMMKG7RGvO1E5wgMlQeLLdmbDOYnFBajJdt4KLMN 7 7 + EzjnWp/BcqCAbJc8OVuawV4EDEdoN74IG7CQteZ5DF77vExzESuMVpEhpKOq92ho 8 8 + JF7qwFHeQtKoHAFmg1xl4X0e+V2pEDhW1VXKAwLXgljUYS5QQKYhzciKT3yXN6o7 9 9 + AaLk407EUSMvXmVQ7isfUQrFMtFD2AXP1tE445vMu3u9SmoyBAiMg0AM1orPtAaW 10 10 + wYxPt3zOezMBFGjnLYfJ2uZzdPJXGk5NfhkKojw++ZhCJ0F6D7Nawpln6McYYEuX 11 11 + 12 12 + --- IgHl41EQ9rKfWh8SbOjEYhgK5NeHr9njPcLOYEx2OtI 13 13 + wNX����}�O�X)�Ч�N��e+I����p ]g����$�‹��C��}����Y���K��-p�V��z{�51�w��ﯹŽ��X��XFMXV�^K�yOf��7����[}�0�tt0$a}��h@/

secrets/restic/password.age

This is a binary file and will not be displayed.

+13

secrets/restic/repo.age

··· 1 1 + age-encryption.org/v1 2 2 + -> ssh-rsa DqcG0Q 3 3 + KQE6ZRRHyd/oWWkkl80O502xQwJQcmbn40ihhTsjzQm//fxKCjhOkRf0O7ZL3ZPn 4 4 + sdM+Qr+LphvyoqDvgJwKE4L0MIBVw46swql+wTBGSBLa/fZ676Bx1hKbBs6PvcPO 5 5 + z2Rr3KFh1vMWm3W8CdPVYnFPdW7PCQaXUTZSext+AvAcZ6f+rGnnoEq1RW05FMoD 6 6 + nYec+PJk9A7bQJ9OrLj4yDKj8GZbd0k5gox/HiWTNGy42fvdXkpjZ29BEPeMlITD 7 7 + 2msyzEg4ITNIzkyFr0h0WFMhL515CnHxXvTeO3sGKDYJPZ9iqpJlV5fvtz76v2h9 8 8 + ZvJYzY9EgRyhk6t6rDk98ZrtRcp2BPwfNHocdYdUHRO0wKoFubZaw2Ifr22aJHhb 9 9 + +9MiSzJ6qVc91Rtbc20Ib/dKh3OYdJvJ08pQrW8gDD4dd1hOx9kPREBKbaoqoQ7C 10 10 + CldNO49lGYO1U7bnohHF11LiwnFtnESdZJUtJBrldawDmY4ikntP2oTrPFsDMAz8 11 11 + 12 12 + --- fdcl8C/41l9nxbxvz7bwkSsfvFgmtXXQjyj72ijyK5c 13 13 + �)��+C�#m����I�RJ7R���W�h�x"Rx-^��q�`z������/��

+9

secrets/secrets.nix

··· 47 47 "l4.age".publicKeys = [ 48 48 kierank 49 49 ]; 50 50 + "restic/env.age".publicKeys = [ 51 51 + kierank 52 52 + ]; 53 53 + "restic/repo.age".publicKeys = [ 54 54 + kierank 55 55 + ]; 56 56 + "restic/password.age".publicKeys = [ 57 57 + kierank 58 58 + ]; 50 59 }