From 91a0bb384abd4c8868c558e7180a995fb3522a37 Mon Sep 17 00:00:00 2001
From: wo2wz <189177184+wo2wz@users.noreply.github.com>
Date: Sat, 22 Nov 2025 23:40:47 -0500
Subject: [PATCH] gutterman: add restic backups to minecraft
---
.sops.yaml | 7 ++++-
hosts/Gutterman/default.nix | 4 ++-
modules/nixos/services/gameserver/default.nix | 9 ++++++
modules/nixos/services/gameserver/restic.nix | 31 +++++++++++++++++++
modules/nixos/services/gameserver/sops.nix | 5 +++
secrets/gutterman.yaml | 18 +++++++++++
6 files changed, 72 insertions(+), 2 deletions(-)
create mode 100644 modules/nixos/services/gameserver/default.nix
create mode 100644 modules/nixos/services/gameserver/restic.nix
create mode 100644 modules/nixos/services/gameserver/sops.nix
create mode 100644 secrets/gutterman.yaml
diff --git a/.sops.yaml b/.sops.yaml
index 13f79ba..82b8c24 100755
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,8 +1,13 @@ keys: - &drone age19ey5xs9gxy0738tcp2a66zcye2cxj6suhcwa6y39x3w0sdvyr5tsxp0rlj + - &gutterman age1t3n08lsemjmflt8nw2je4cr62g8e6evpxsakhcgtzhgp6rmn7u6s29lnpa creation_rules: - - path_regex: secrets/.+\.yaml$ + - path_regex: secrets/drone\.yaml$ key_groups: - age: - *drone + - path_regex: secrets/gutterman\.yaml$ + key_groups: + - age: + - *gutterman \ No newline at end of file
diff --git a/hosts/Gutterman/default.nix b/hosts/Gutterman/default.nix
index b201ef7..bf62b64 100644
--- a/hosts/Gutterman/default.nix
+++ b/hosts/Gutterman/default.nix
@@ -11,7 +11,9 @@ ../../modules/nixos/services/tailscale ../../modules/nixos/services/tailscale/exit-node/server.nix - ../../modules/nixos/services/gameserver/minecraft-server.nix + ../../modules/nixos/services/gameserver + ../../modules/nixos/services/restic.nix + ../../modules/nixos/services/sops.nix ../../modules/nixos/system/headless.nix ../../modules/nixos/system/minimal.nix
diff --git a/modules/nixos/services/gameserver/default.nix b/modules/nixos/services/gameserver/default.nix
new file mode 100644
index 0000000..9ca7870
--- /dev/null
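Review bot: In `.sops.yaml`, the new `secrets/gutterman\.yaml$` rule lists `*gutterman` as its only recipient, so the restic repository password stored in that file can be decrypted only with that host's age key. If the host is lost, which is the case the backups exist for, the password is lost with it unless a copy is kept somewhere else. Consider adding a second recipient to that key group, for example an admin key held offline (placeholder anchor `&admin`, not defined on this page), and re-encrypting with `sops updatekeys secrets/gutterman.yaml`. Anchoring both patterns with `^` would also keep them from matching a same-named file in a nested directory.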
+++ b/modules/nixos/services/gameserver/default.nix
@@ -0,0 +1,9 @@
+{ config, ... }:
+
+{
+ imports = [
+ ./minecraft-server.nix
+ ./restic.nix
+ ./sops.nix
+ ];
+}
\ No newline at end of file
diff --git a/modules/nixos/services/gameserver/restic.nix b/modules/nixos/services/gameserver/restic.nix
new file mode 100644
index 0000000..2549153
--- /dev/null
+++ b/modules/nixos/services/gameserver/restic.nix
@@ -0,0 +1,31 @@
+{ config, pkgs, ... }:
+
+{
+ sops.secrets = {
+ "restic/password" = {};
+ "restic/rest-auth.env" = {};
+ };
+
+ services.restic.backups.gameservers =
+ assert config.users.users.restic-backup != null;
+ {
+ user = "restic-backup";
+ package = pkgs.writeShellScriptBin "restic" ''
+ exec /run/wrappers/bin/restic "$@"
+ '';
+
+ initialize = true;
+ repository = "rest:https://restic.taild5f7e6.ts.net/gutterman/gameservers";
+ environmentFile = config.sops.secrets."restic/rest-auth.env".path;
+ passwordFile = config.sops.secrets."restic/password".path;
+ timerConfig = {
+ OnCalendar = "03:00";
+ Persistent = true;
+ };
+
+ paths = [
+ "/var/lib/minecraft"
+ ];
+ exclude = [ ".*" ];
+ };
+}
\ No newline at end of file
diff --git a/modules/nixos/services/gameserver/sops.nix b/modules/nixos/services/gameserver/sops.nix
new file mode 100644
index 0000000..f360e73
--- /dev/null
+++ b/modules/nixos/services/gameserver/sops.nix
@@ -0,0 +1,5 @@
+{ config, ... }:
+
+{
+ sops.defaultSopsFile = "/etc/nixos/secrets/gutterman.yaml";
+}
\ No newline at end of file
diff --git a/secrets/gutterman.yaml b/secrets/gutterman.yaml
new file mode 100644
index 0000000..aabcaee
--- /dev/null
+++ b/secrets/gutterman.yaml
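Review bot: In `gameserver/restic.nix`, both secrets are declared with `= {}`, which leaves them at the sops-nix defaults (owned by root, mode 0400), while the backup job runs as `user = "restic-backup"`. `environmentFile` is read by systemd, but `passwordFile` is opened by restic itself, so this presumably works only because the `/run/wrappers/bin/restic` wrapper (defined outside this patch) carries a read capability; setting `"restic/password".owner = "restic-backup";` makes the access explicit instead of depending on that. Because the wrapper appears to be what gives a non-root process read access beyond its own files, it is worth confirming that only `restic-backup` can execute it. Separately, `assert config.users.users.restic-backup != null;` cannot evaluate to false, since a missing user raises a missing-attribute error before the comparison runs; an `assertions` entry testing `config.users.users ? restic-backup` with a message would fail more clearly.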
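Review bot: In `gameserver/sops.nix`, `sops.defaultSopsFile` is a string pointing at `/etc/nixos/secrets/gutterman.yaml`, so the secrets file is taken from whatever the checkout on the host contains at activation time rather than from the revision being built, and sops-nix's evaluation-time validation of the file presumably has to be turned off elsewhere for this to evaluate. A path literal, `sops.defaultSopsFile = ../../../../secrets/gutterman.yaml;`, copies the already-encrypted file into the store and pins it to the commit. The setting is also host-specific but sits in the shared gameserver module, so any other host importing `gameserver` would point at Gutterman's file; `hosts/Gutterman/default.nix` looks like the better home for it. The `config` argument is unused here and in `gameserver/default.nix`.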
@@ -0,0 +1,18 @@ +restic: + password: ENC[AES256_GCM,data:XQHv85l9cRNmJVknIhNuj7+o5oRvot7rtKdtXY0xO58=,iv:mwV373WSqMxh6ATYPnl4Qcxdim0uCVj/ooXFsturY9c=,tag:a/wCIsMQPVq5+jPf2QVZVA==,type:str] + rest-auth.env: ENC[AES256_GCM,data:O6ujHcZuN2qi4oDknqjNKXtWIil2AIgkeNqhTDWr2XfKxVKeiNEz8cW0a5gXXmqicS0+KHwv32fITN6mA2t4hgJgFItMkAj9dVrnhTFX9UmrV+6qIGZVg+e1L6ZBdFxYJcrughepfvMVT01lG/DU1TJ/aDbK,iv:683BKhhcJOfKR4zu50fGit01bAChooCjt0zpcyJzmAQ=,tag:3ymmH4PU9+Q+J3TmJgZ2YA==,type:str] +sops: + age: + - recipient: age1t3n08lsemjmflt8nw2je4cr62g8e6evpxsakhcgtzhgp6rmn7u6s29lnpa + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2YzZGa09sWlBEVUJMcHpL + Wi9zbHREOTNoTndSU2s3RVhJQi9KN1ZMMTFFCk4zUHpHcThlYmthQmdmOVRPYlo2 + Wkc4RHQ0ZVB5aVVvRUpGei9YVW1RV0kKLS0tIHNpY2p6a21FbUxtT1VZNHVmdW9Z + UFR2UTJWSHJGcGFIV25Wb1B5U1ZCalkKapZc3gwAVsVyStau64dSYuperbTvw73c + EKfjlFriowQ6V5MUewoV1OaXx4SW2ExzccnhMXE6UdpoDGRZkNGk6Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-11-23T02:29:47Z" + mac: ENC[AES256_GCM,data:NRcaylRx2paVuCO5IahZzgfnwghOZLC2GeIkZDqj9427Een1aopQU0BuQsoiwZWWC1o0ZSN9KkOTnR+2ExVFcJfzqx3n6pguHZ7pCs23OdnQK8hvs0aVn1obrkWGo4jWDCVUQT859J5QGbKxVCJ03dhkFLRknH3+09IcBZUQG2Y=,iv:IwGiSqyttNYWUSKwd/FYvpcXcbqvtRkRfoKtkNtMtk8=,tag:JDGfrvgfxiFCzlL78WdNlQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.11.0