From 9fdf837c5ae35f8d2071b0947d032278cca3fcd7 Mon Sep 17 00:00:00 2001
From: Christoph Schmatzler
Date: Sun, 4 Jan 2026 19:35:04 +0000
Subject: [PATCH] init backups
---
 hosts/michael/secrets.nix | 14 +++++++++
 profiles/gitea.nix | 61 ++++++++++++++++++++++++++++++++++++++-
 2 files changed, 74 insertions(+), 1 deletion(-)
diff --git a/hosts/michael/secrets.nix b/hosts/michael/secrets.nix
index 96effd0..3ed2810 100644
--- a/hosts/michael/secrets.nix
+++ b/hosts/michael/secrets.nix
@@ -3,4 +3,18 @@
 sopsFile = ../../secrets/michael-litestream;
 format = "binary";
 };
+
+ sops.secrets.restic-gitea-password = {
+ sopsFile = ../../secrets/michael-restic-gitea-password;
+ format = "binary";
+ owner = "gitea";
+ group = "gitea";
+ };
+
+ sops.secrets.restic-gitea-env = {
+ sopsFile = ../../secrets/michael-restic-gitea-env;
+ format = "binary";
+ owner = "gitea";
+ group = "gitea";
+ };
 }
diff --git a/profiles/gitea.nix b/profiles/gitea.nix
index 3eeb1a3..e8f7145 100644
--- a/profiles/gitea.nix
+++ b/profiles/gitea.nix
@@ -1,4 +1,9 @@
-{lib, ...}: {
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: {
 networking.firewall.allowedTCPPorts = [80 443];
 services.redis.servers.gitea = {
@@ -85,4 +90,58 @@
 reverse_proxy localhost:3000
 '';
 };
+
+ services.restic.backups.gitea = {
+ repository = "s3:s3.eu-central-003.backblazeb2.com/gitea-restic";
+ paths = ["/var/lib/gitea"];
+ exclude = [
+ # Database is backed up via Litestream
+ "/var/lib/gitea/data/gitea.db"
+ "/var/lib/gitea/data/gitea.db-shm"
+ "/var/lib/gitea/data/gitea.db-wal"
+ # Logs aren't needed in backups
+ "/var/lib/gitea/log"
+ ];
+ passwordFile = "/run/secrets/restic-gitea-password";
+ environmentFile = "/run/secrets/restic-gitea-env";
+ pruneOpts = [
+ "--keep-daily 7"
+ "--keep-weekly 4"
+ "--keep-monthly 6"
+ ];
+ timerConfig = {
+ OnCalendar = "daily";
+ Persistent = true;
+ RandomizedDelaySec = "1h";
+ };
+ };
+
+ systemd.services.restic-backups-gitea = {
+ wants = ["restic-init-gitea.service"];
+ after = ["restic-init-gitea.service"];
+ serviceConfig = {
+ User = lib.mkForce "gitea";
+ Group = lib.mkForce "gitea";
+ };
+ };
+
+ systemd.services.restic-init-gitea = {
+ description = "Initialize Restic repository for Gitea backups";
+ wantedBy = ["multi-user.target"];
+ after = ["network-online.target"];
+ wants = ["network-online.target"];
+ path = [pkgs.restic];
+ serviceConfig = {
+ Type = "oneshot";
+ User = "gitea";
+ Group = "gitea";
+ RemainAfterExit = true;
+ EnvironmentFile = config.sops.secrets.restic-gitea-env.path;
+ };
+ script = ''
+ export RESTIC_PASSWORD=$(cat ${config.sops.secrets.restic-gitea-password.path})
+ restic -r s3:s3.eu-central-003.backblazeb2.com/gitea-restic snapshots &>/dev/null || \
+ restic -r s3:s3.eu-central-003.backblazeb2.com/gitea-restic init
+ '';
+ };
 }
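Review bot: The repository URL `s3:s3.eu-central-003.backblazeb2.com/gitea-restic` is spelled out three times (in `repository` and twice in the `restic-init-gitea` script), and `passwordFile`/`environmentFile` use literal `/run/secrets/...` paths while the init unit resolves the same two secrets through `config.sops.secrets.*.path`, so renaming a secret or moving the bucket updates one copy and silently leaves the others stale. The restic module already covers what the hand-rolled init unit and the `lib.mkForce` User/Group overrides do: `initialize = true;` runs the snapshots-or-init check before each backup and `user = "gitea";` sets the service user (systemd then derives the group from that account's primary group, which I believe is `gitea` here, so confirm no explicit Group override is needed). That also removes the `export RESTIC_PASSWORD=$(cat …)` line, which copies the password into the process environment instead of letting restic read it from `passwordFile` as the backup unit already does. Suggested rewrite of the backup attrset below; the `restic-backups-gitea` and `restic-init-gitea` definitions can then be dropped.
```nix
  services.restic.backups.gitea = {
    repository = "s3:s3.eu-central-003.backblazeb2.com/gitea-restic";
    initialize = true;
    user = "gitea";
    paths = ["/var/lib/gitea"];
    # … unchanged: exclude, pruneOpts, timerConfig …
    passwordFile = config.sops.secrets.restic-gitea-password.path;
    environmentFile = config.sops.secrets.restic-gitea-env.path;
  };
```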