hm cleanup

nixos/consensus/backups.nix

@@ -0,0 +1,30 @@
+{config, ...}: {
+  sops = {
+    defaultSopsFile = ../../secrets/restic.yaml;
+    secrets = {
+      "b2-immich/env" = {};
+      "b2-immich/repo" = {};
+      "b2-immich/password" = {};
+    };
+  };
+  services.restic.backups = {
+    b2-immich = {
+      initialize = true;
+      environmentFile = config.sops.secrets."b2-immich/env".path;
+      repositoryFile = config.sops.secrets."b2-immich/repo".path;
+      passwordFile = config.sops.secrets."b2-immich/password".path;
+
+      paths = [
+        "/rice/immich"
+      ];
+      timerConfig = {
+        OnCalendar = "06:00";
+      };
+      pruneOpts = [
+        "--keep-daily 14"
+        "--keep-monthly 6"
+        "--keep-yearly 1"
+      ];
+    };
+  };
+}

nixos/consensus/configuration.nix

@@ -1,11 +1,11 @@
 {lib, pkgs, config, ...}: {
   imports = [
     ./hardware-configuration.nix
+    ./backups.nix
   ];
   sops = {
-    defaultSopsFile = ../../secrets/cf-acme.yaml;
     secrets = {
-      "env" = {};
+      "env" = { sopsFile = ../../secrets/cf-acme.yaml; };
     };
   };
   documentation = {
@@ -91,11 +91,11 @@
         2022
         6443
         25565
-        30001
+        9001
         30303
       ];
       allowedUDPPorts = [
-        30001
+        9001
         30303
       ];
       logRefusedConnections = true;