add restic :3

hosts/ocelot/default.nix

@@ -4,6 +4,7 @@
     ../../profiles/hcloud
   ];
   fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+  cherrykitten.backups.enable = true;
 
   networking = {
     nameservers = [

modules/nixos/backups/default.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.cherrykitten.backups;
+  hostname = config.networking.hostName;
+in
+{
+  options.cherrykitten.backups = {
+    enable = lib.mkEnableOption "Backups";
+  };
+
+  config = lib.mkIf cfg.enable {
+    deployment.keys = {
+      "restic_env" = {
+        destDir = "/root/keys";
+        keyCommand = [ "pass" "hosts/${hostname}/restic/env" ];
+      };
+      "restic_repository_file" = {
+        destDir = "/root/keys";
+        keyCommand = [ "pass" "hosts/${hostname}/restic/repository" ];
+      };
+      "restic_password_file" = {
+        destDir = "/root/keys";
+        keyCommand = [ "pass" "hosts/${hostname}/restic/password" ];
+      };
+    };
+    services.restic.backups = {
+      default = {
+        user = "root";
+        timerConfig = {
+          OnCalendar = "daily";
+          Persistent = true;
+        };
+        pruneOpts = [
+          "--keep-daily 14"
+          "--keep-weekly 6"
+          "--keep-monthly 24"
+        ];
+        paths = [ ] ++ lib.optional (config.services.postgresql.enable) "/var/lib/postgresql";
+        initialize = true;
+        exclude = [
+          "cache"
+          ".cache"
+          ".git"
+        ];
+        environmentFile = "/root/keys/restic_env";
+        repositoryFile = "/root/keys/restic_repository_file";
+        passwordFile = "/root/keys/restic_password_file";
+      };
+    };
+  };
+}

modules/nixos/default.nix

@@ -0,0 +1,3 @@
+{ ... }: {
+  imports = [ ./backups ];
+}

profiles/base/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ../../users/root
     ../../users/sammy
+    ../../modules/nixos
     inputs.home-manager.nixosModules.home-manager
   ];