pyrox.dev / nixpkgs
lol
fork atom

nixos/restic: add command option

Add module support for --stdin-from-command flag, which was added to
restic in https://github.com/restic/restic/pull/4410. I also made a few
very small changes here and there in the nix code to make it look a
little neater in my opinion.

I could potentially add support for the --stdin flag too, but this would
require prepending the restic command with an external command and a
pipe, which seems a bit messy - and the restic documentation says to
prefer --stdin-from-command over --stdin anyway.

I could add an option for --stdin-filename, but I feel that this would
be better for users to do in extraBackupArgs.

rowan amber-jones 6434cf0b 1a08a8b3

options
unified split
Changed files
+65 -14
nixos
modules
services
backup
restic.nix
+65 -14
nixos/modules/services/backup/restic.nix 
···

       
146

       
 

       
              ];


     

       
147

       
 

       
            };


     

       
148

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
149

       
 

       
            exclude = lib.mkOption {


     

       
150

       
 

       
              type = lib.types.listOf lib.types.str;


     

       
151

       
 

       
              default = [ ];


     
···

       
238

       
 

       



     

       
239

       
 

       
            runCheck = lib.mkOption {


     

       
240

       
 

       
              type = lib.types.bool;


     

       
241

       
-

       
              default = (builtins.length config.services.restic.backups.${name}.checkOpts > 0);


     

       
242

       
 

       
              defaultText = lib.literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';


     

       
243

       
 

       
              description = "Whether to run the `check` command with the provided `checkOpts` options.";


     

       
244

       
 

       
              example = true;


     
···

       
327

       
 

       
          RandomizedDelaySec = "5h";


     

       
328

       
 

       
        };


     

       
329

       
 

       
      };


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
330

       
 

       
    };


     

       
331

       
 

       
  };


     

       
332

       
 

       



     

       
333

       
 

       
  config = {


     

       
334

       
-

       
    assertions = lib.mapAttrsToList (n: v: {


     

       
335

       
-

       
      assertion = (v.repository == null) != (v.repositoryFile == null);


     

       
336

       
-

       
      message = "services.restic.backups.${n}: exactly one of repository or repositoryFile should be set";


     

       
337

       
-

       
    }) config.services.restic.backups;


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
338

       
 

       
    systemd.services = lib.mapAttrs' (


     

       
339

       
 

       
      name: backup:


     

       
340

       
 

       
      let


     
···

       
351

       
 

       
          backup.exclude != [ ]


     

       
352

       
 

       
        ) "--exclude-file=${pkgs.writeText "exclude-patterns" (lib.concatStringsSep "\n" backup.exclude)}";


     

       
353

       
 

       
        filesFromTmpFile = "/run/restic-backups-${name}/includes";


     

       
354

       
-

       
        doBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != [ ]);


     

       

       

       
     

       

       

       
     

       
355

       
 

       
        pruneCmd = lib.optionals (builtins.length backup.pruneOpts > 0) [


     

       
356

       
 

       
          (resticCmd + " unlock")


     

       
357

       
 

       
          (resticCmd + " forget --prune " + (lib.concatStringsSep " " backup.pruneOpts))


     
···

       
397

       
 

       
          serviceConfig = {


     

       
398

       
 

       
            Type = "oneshot";


     

       
399

       
 

       
            ExecStart =


     

       
400

       
-

       
              (lib.optionals doBackup [


     

       
401

       
 

       
                "${resticCmd} backup ${


     

       
402

       
-

       
                  lib.concatStringsSep " " (backup.extraBackupArgs ++ excludeFlags)


     

       
403

       
-

       
                } --files-from=${filesFromTmpFile}"


     

       
404

       
-

       
              ])


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
405

       
 

       
              ++ pruneCmd


     

       
406

       
 

       
              ++ checkCmd;


     

       
407

       
 

       
            User = backup.user;


     
···

       
419

       
 

       
            ${lib.optionalString (backup.backupPrepareCommand != null) ''


     

       
420

       
 

       
              ${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand}


     

       
421

       
 

       
            ''}


     

       
422

       
-

       
            ${lib.optionalString (backup.initialize) ''


     

       
423

       
 

       
              ${resticCmd} cat config > /dev/null || ${resticCmd} init


     

       
424

       
 

       
            ''}


     

       
425

       
 

       
            ${lib.optionalString (backup.paths != null && backup.paths != [ ]) ''


     
···

       
435

       
 

       
            ${lib.optionalString (backup.backupCleanupCommand != null) ''


     

       
436

       
 

       
              ${pkgs.writeScript "backupCleanupCommand" backup.backupCleanupCommand}


     

       
437

       
 

       
            ''}


     

       
438

       
-

       
            ${lib.optionalString doBackup ''


     

       
439

       
 

       
              rm ${filesFromTmpFile}


     

       
440

       
 

       
            ''}


     

       
441

       
 

       
          '';


     
···

       
446

       
 

       
      name: backup:


     

       
447

       
 

       
      lib.nameValuePair "restic-backups-${name}" {


     

       
448

       
 

       
        wantedBy = [ "timers.target" ];


     

       
449

       
-

       
        timerConfig = backup.timerConfig;


     

       
450

       
 

       
      }


     

       
451

       
 

       
    ) (lib.filterAttrs (_: backup: backup.timerConfig != null) config.services.restic.backups);


     

       
452

       
 

       



     
···

       
464

       
 

       
        ${lib.pipe config.systemd.services."restic-backups-${name}".environment [


     

       
465

       
 

       
          (lib.filterAttrs (n: v: v != null && n != "PATH"))


     

       
466

       
 

       
          (lib.mapAttrs (_: v: "${v}"))


     

       
467

       
-

       
          (lib.toShellVars)


     

       
468

       
 

       
        ]}


     

       
469

       
 

       
        PATH=${config.systemd.services."restic-backups-${name}".environment.PATH}:$PATH


     

       
470

       
 

       



     
···

       
146

       
 

       
              ];


     

       
147

       
 

       
            };


     

       
148

       
 

       



     

       
149

       
+

       
            command = lib.mkOption {


     

       
150

       
+

       
              type = lib.types.listOf lib.types.str;


     

       
151

       
+

       
              default = [ ];


     

       
152

       
+

       
              description = ''


     

       
153

       
+

       
                Command to pass to --stdin-from-command. If null or an empty array, and `paths`/`dynamicFilesFrom`


     

       
154

       
+

       
                are also null, no backup command will be run.


     

       
155

       
+

       
              '';


     

       
156

       
+

       
              example = [


     

       
157

       
+

       
                "sudo"


     

       
158

       
+

       
                "-u"


     

       
159

       
+

       
                "postgres"


     

       
160

       
+

       
                "pg_dumpall"


     

       
161

       
+

       
              ];


     

       
162

       
+

       
            };


     

       
163

       
+

       



     

       
164

       
 

       
            exclude = lib.mkOption {


     

       
165

       
 

       
              type = lib.types.listOf lib.types.str;


     

       
166

       
 

       
              default = [ ];


     
···

       
253

       
 

       



     

       
254

       
 

       
            runCheck = lib.mkOption {


     

       
255

       
 

       
              type = lib.types.bool;


     

       
256

       
+

       
              default = builtins.length config.services.restic.backups.${name}.checkOpts > 0;


     

       
257

       
 

       
              defaultText = lib.literalExpression ''builtins.length config.services.backups.${name}.checkOpts > 0'';


     

       
258

       
 

       
              description = "Whether to run the `check` command with the provided `checkOpts` options.";


     

       
259

       
 

       
              example = true;


     
···

       
342

       
 

       
          RandomizedDelaySec = "5h";


     

       
343

       
 

       
        };


     

       
344

       
 

       
      };


     

       
345

       
+

       
      commandbackup = {


     

       
346

       
+

       
        command = [


     

       
347

       
+

       
          "\${lib.getExe pkgs.sudo}"


     

       
348

       
+

       
          "-u postgres"


     

       
349

       
+

       
          "\${pkgs.postgresql}/bin/pg_dumpall"


     

       
350

       
+

       
        ];


     

       
351

       
+

       
        extraBackupArgs = [ "--tag database" ];


     

       
352

       
+

       
        repository = "s3:example.com/mybucket";


     

       
353

       
+

       
        passwordFile = "/etc/nixos/secrets/restic-password";


     

       
354

       
+

       
        environmentFile = "/etc/nixos/secrets/restic-environment";


     

       
355

       
+

       
        pruneOpts = [


     

       
356

       
+

       
          "--keep-daily 14"


     

       
357

       
+

       
          "--keep-weekly 4"


     

       
358

       
+

       
          "--keep-monthly 2"


     

       
359

       
+

       
          "--group-by tags"


     

       
360

       
+

       
        ];


     

       
361

       
+

       
      };


     

       
362

       
 

       
    };


     

       
363

       
 

       
  };


     

       
364

       
 

       



     

       
365

       
 

       
  config = {


     

       
366

       
+

       
    assertions = lib.flatten (


     

       
367

       
+

       
      lib.mapAttrsToList (name: backup: [


     

       
368

       
+

       
        {


     

       
369

       
+

       
          assertion = (backup.repository == null) != (backup.repositoryFile == null);


     

       
370

       
+

       
          message = "services.restic.backups.${name}: exactly one of repository or repositoryFile should be set";


     

       
371

       
+

       
        }


     

       
372

       
+

       
        {


     

       
373

       
+

       
          assertion =


     

       
374

       
+

       
            let


     

       
375

       
+

       
              fileBackup = (backup.paths != null && backup.paths != [ ]) || backup.dynamicFilesFrom != null;


     

       
376

       
+

       
              commandBackup = backup.command != [ ];


     

       
377

       
+

       
            in


     

       
378

       
+

       
            !(fileBackup && commandBackup);


     

       
379

       
+

       
          message = "services.restic.backups.${name}: cannot do both a command backup and a file backup at the same time.";


     

       
380

       
+

       
        }


     

       
381

       
+

       
      ]) config.services.restic.backups


     

       
382

       
+

       
    );


     

       
383

       
 

       
    systemd.services = lib.mapAttrs' (


     

       
384

       
 

       
      name: backup:


     

       
385

       
 

       
      let


     
···

       
396

       
 

       
          backup.exclude != [ ]


     

       
397

       
 

       
        ) "--exclude-file=${pkgs.writeText "exclude-patterns" (lib.concatStringsSep "\n" backup.exclude)}";


     

       
398

       
 

       
        filesFromTmpFile = "/run/restic-backups-${name}/includes";


     

       
399

       
+

       
        fileBackup = (backup.dynamicFilesFrom != null) || (backup.paths != null && backup.paths != [ ]);


     

       
400

       
+

       
        commandBackup = backup.command != [ ];


     

       
401

       
+

       
        doBackup = fileBackup || commandBackup;


     

       
402

       
 

       
        pruneCmd = lib.optionals (builtins.length backup.pruneOpts > 0) [


     

       
403

       
 

       
          (resticCmd + " unlock")


     

       
404

       
 

       
          (resticCmd + " forget --prune " + (lib.concatStringsSep " " backup.pruneOpts))


     
···

       
444

       
 

       
          serviceConfig = {


     

       
445

       
 

       
            Type = "oneshot";


     

       
446

       
 

       
            ExecStart =


     

       
447

       
+

       
              lib.optionals doBackup [


     

       
448

       
 

       
                "${resticCmd} backup ${


     

       
449

       
+

       
                  lib.concatStringsSep " " (


     

       
450

       
+

       
                    backup.extraBackupArgs


     

       
451

       
+

       
                    ++ lib.optionals fileBackup (excludeFlags ++ [ "--files-from=${filesFromTmpFile}" ])


     

       
452

       
+

       
                    ++ lib.optionals commandBackup ([ "--stdin-from-command=true --" ] ++ backup.command)


     

       
453

       
+

       
                  )


     

       
454

       
+

       
                }"


     

       
455

       
+

       
              ]


     

       
456

       
 

       
              ++ pruneCmd


     

       
457

       
 

       
              ++ checkCmd;


     

       
458

       
 

       
            User = backup.user;


     
···

       
470

       
 

       
            ${lib.optionalString (backup.backupPrepareCommand != null) ''


     

       
471

       
 

       
              ${pkgs.writeScript "backupPrepareCommand" backup.backupPrepareCommand}


     

       
472

       
 

       
            ''}


     

       
473

       
+

       
            ${lib.optionalString backup.initialize ''


     

       
474

       
 

       
              ${resticCmd} cat config > /dev/null || ${resticCmd} init


     

       
475

       
 

       
            ''}


     

       
476

       
 

       
            ${lib.optionalString (backup.paths != null && backup.paths != [ ]) ''


     
···

       
486

       
 

       
            ${lib.optionalString (backup.backupCleanupCommand != null) ''


     

       
487

       
 

       
              ${pkgs.writeScript "backupCleanupCommand" backup.backupCleanupCommand}


     

       
488

       
 

       
            ''}


     

       
489

       
+

       
            ${lib.optionalString fileBackup ''


     

       
490

       
 

       
              rm ${filesFromTmpFile}


     

       
491

       
 

       
            ''}


     

       
492

       
 

       
          '';


     
···

       
497

       
 

       
      name: backup:


     

       
498

       
 

       
      lib.nameValuePair "restic-backups-${name}" {


     

       
499

       
 

       
        wantedBy = [ "timers.target" ];


     

       
500

       
+

       
        inherit (backup) timerConfig;


     

       
501

       
 

       
      }


     

       
502

       
 

       
    ) (lib.filterAttrs (_: backup: backup.timerConfig != null) config.services.restic.backups);


     

       
503

       
 

       



     
···

       
515

       
 

       
        ${lib.pipe config.systemd.services."restic-backups-${name}".environment [


     

       
516

       
 

       
          (lib.filterAttrs (n: v: v != null && n != "PATH"))


     

       
517

       
 

       
          (lib.mapAttrs (_: v: "${v}"))


     

       
518

       
+

       
          lib.toShellVars


     

       
519

       
 

       
        ]}


     

       
520

       
 

       
        PATH=${config.systemd.services."restic-backups-${name}".environment.PATH}:$PATH


     

       
521