From 2a216838ecc562532344884566fdfa33935b2b7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leon=20Schwarz=C3=A4ugl?=
 <leon.schwarzaeugl@imba.oeaw.ac.at>
Date: Sat, 24 May 2025 18:12:11 +0200
Subject: [PATCH] feat: add restic configuration for winters

---
 SwarselSystems.org                     |  45 ++++-
 index.html                             | 239 +++++++++++++++----------
 modules/nixos/server/restic.nix        |  42 ++++-
 profiles/nixos/localserver/default.nix |   1 +
 scripts/swarsel-install.sh             |   1 +
 scripts/swarsel-rebuild.sh             |   1 +
 secrets/winters/secrets.yaml           |  14 +-
 7 files changed, 233 insertions(+), 110 deletions(-)

diff --git a/SwarselSystems.org b/SwarselSystems.org
index 8d23c06..949daef 100644
--- a/SwarselSystems.org
+++ b/SwarselSystems.org
@@ -2990,6 +2990,7 @@ This program sets up a new NixOS host remotely. It also takes care of secret man
       rm modules/home/common/git.nix
       rm modules/home/common/mail.nix
       rm modules/home/common/yubikey.nix
+      rm modules/nixos/server/restic.nix
       rm modules/nixos/common/home-manager-extra.nix
       nix flake update vbc-nix
       git add .
@@ -3125,6 +3126,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/git.nix
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
+    rm modules/nixos/server/restic.nix
     rm modules/nixos/common/home-manager-extra.nix
     rm -rf modules/nixos/server
     rm -rf modules/home/server
@@ -4029,6 +4031,7 @@ Modules that need to be loaded on the NixOS level. Note that these will not be a
             nginx = lib.mkDefault true;
             ssh = lib.mkDefault true;
             kavita = lib.mkDefault true;
+            restic = lib.mkDefault true;
             jellyfin = lib.mkDefault true;
             navidrome = lib.mkDefault true;
             spotifyd = lib.mkDefault true;
@@ -7736,12 +7739,50 @@ Here we just define some aliases for rebuilding the system, and we allow some in
 Once this is finished, it will house a restic client that manages automatic backups of my image library. Before I get to this however, I first need to organice my pictures in the first place.
 
 #+begin_src nix :tangle modules/nixos/server/restic.nix
-  { lib, config, ... }:
+  { lib, config, inputs, ... }:
+  let
+    secretsDirectory = builtins.toString inputs.nix-secrets;
+    resticRepo = lib.swarselsystems.getSecret "${secretsDirectory}/restic/wintersRepo";
+  in
   {
     options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
     config = lib.mkIf config.swarselsystems.modules.server.restic {
 
-      # TODO
+      sops = {
+        secrets = {
+          resticpw = { };
+          resticaccesskey = { };
+          resticsecretaccesskey = { };
+        };
+        templates = {
+          "restic-env".content = ''
+            AWS_ACCESS_KEY_ID=${config.sops.placeholder.resticaccesskey}
+            AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.resicsecretaccesskey}
+          '';
+        };
+      };
+
+      services.restic = {
+        backups = {
+          SwarselWinters = {
+            environmentFile = config.sops.templates."restic-env".path;
+            passwordFile = config.sops.secrets.resticpw.path;
+            paths = [
+              "/Vault/data/paperless"
+              "/Vault/Eternor/Paperless"
+              "/Vault/data/paperless"
+              "/Vault/Eternor/Bilder"
+              "/Vault/Eternor/Immich"
+            ];
+            repository = "${resticRepo}";
+            initialize = true;
+            timerConfig = {
+              OnCalendar = "19:00";
+            };
+          };
+
+        };
+      };
 
     };
   }
diff --git a/index.html b/index.html
index 96c53b7..2f2272c 100644
--- a/index.html
+++ b/index.html
@@ -3,7 +3,7 @@
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
 <head>
-<!-- 2025-05-24 Sa 17:27 -->
+<!-- 2025-05-24 Sa 18:24 -->
 <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1" />
 <title>SwarselSystems: NixOS + Emacs Configuration</title>
@@ -263,9 +263,9 @@
 <li><a href="#h:7056b9a0-f38b-4bca-b2ba-ab34e2d73493">3.1.4.3. Home-manager only (default non-NixOS)</a></li>
 <li><a href="#h:e1498bef-ec67-483d-bf02-76264e30be8e">3.1.4.4. ChaosTheatre (Demo Physical/VM)</a>
 <ul>
-<li><a href="#org5ea29a8">3.1.4.4.1. Main configuration</a></li>
-<li><a href="#org1fa9e9e">3.1.4.4.2. NixOS dummy options configuration</a></li>
-<li><a href="#org208299c">3.1.4.4.3. home-manager dummy options configuration</a></li>
+<li><a href="#org1c08418">3.1.4.4.1. Main configuration</a></li>
+<li><a href="#orgbe535af">3.1.4.4.2. NixOS dummy options configuration</a></li>
+<li><a href="#orgb452630">3.1.4.4.3. home-manager dummy options configuration</a></li>
 </ul>
 </li>
 </ul>
@@ -305,7 +305,7 @@
 <li><a href="#h:36d6c17c-6d91-4297-b76d-9d7feab6c1a0">3.2.1.27. fhs</a></li>
 <li><a href="#h:814d5e7f-4b95-412d-b246-33f888514ec6">3.2.1.28. swarsel-displaypower</a></li>
 <li><a href="#h:799579f3-ddd3-4f76-928a-a8c665980476">3.2.1.29. swarsel-mgba</a></li>
-<li><a href="#org1cd67ee">3.2.1.30. sshrm</a></li>
+<li><a href="#orgc5db632">3.2.1.30. sshrm</a></li>
 </ul>
 </li>
 <li><a href="#h:5e3e21e0-57af-4dad-b32f-6400af9b7aab">3.2.2. Overlays (additions, overrides, nixpkgs-stable)</a></li>
@@ -313,28 +313,28 @@
 <ul>
 <li><a href="#h:14e68518-8ec7-48ec-b208-0e3d6d49954d">3.2.3.1. NixOS</a>
 <ul>
-<li><a href="#org9dc64b4">3.2.3.1.1. Personal</a></li>
-<li><a href="#org188a012">3.2.3.1.2. Chaostheatre</a></li>
-<li><a href="#orgcae49f6">3.2.3.1.3. toto</a></li>
-<li><a href="#org838f7e2">3.2.3.1.4. Work</a></li>
-<li><a href="#org4309252">3.2.3.1.5. Framework</a></li>
-<li><a href="#org9e91c20">3.2.3.1.6. AMD CPU</a></li>
-<li><a href="#org1a4e2ce">3.2.3.1.7. AMD GPU</a></li>
-<li><a href="#org2c54240">3.2.3.1.8. Hibernation</a></li>
-<li><a href="#orgacf9734">3.2.3.1.9. BTRFS</a></li>
-<li><a href="#org441c01c">3.2.3.1.10. Local Server</a></li>
-<li><a href="#orgbc79a75">3.2.3.1.11. OCI Sync Server</a></li>
+<li><a href="#org98b7bb4">3.2.3.1.1. Personal</a></li>
+<li><a href="#org9671087">3.2.3.1.2. Chaostheatre</a></li>
+<li><a href="#org5d017d5">3.2.3.1.3. toto</a></li>
+<li><a href="#org9e3d9c4">3.2.3.1.4. Work</a></li>
+<li><a href="#orgd0ef530">3.2.3.1.5. Framework</a></li>
+<li><a href="#org700f6ba">3.2.3.1.6. AMD CPU</a></li>
+<li><a href="#orgf16c66a">3.2.3.1.7. AMD GPU</a></li>
+<li><a href="#orgc4ce0a2">3.2.3.1.8. Hibernation</a></li>
+<li><a href="#orgb07c3c8">3.2.3.1.9. BTRFS</a></li>
+<li><a href="#orgaf31799">3.2.3.1.10. Local Server</a></li>
+<li><a href="#org65270d4">3.2.3.1.11. OCI Sync Server</a></li>
 </ul>
 </li>
 <li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.2.3.2. home-manager</a>
 <ul>
-<li><a href="#orgea9ff4b">3.2.3.2.1. Personal</a></li>
-<li><a href="#orgdd25304">3.2.3.2.2. Chaostheatre</a></li>
-<li><a href="#org32b2ef4">3.2.3.2.3. toto</a></li>
-<li><a href="#orgee3f66f">3.2.3.2.4. Work</a></li>
-<li><a href="#orgd7d0b01">3.2.3.2.5. Framework</a></li>
-<li><a href="#org50f73f5">3.2.3.2.6. Darwin</a></li>
-<li><a href="#org6d43dd0">3.2.3.2.7. Local Server</a></li>
+<li><a href="#orgdde8204">3.2.3.2.1. Personal</a></li>
+<li><a href="#org8a8a674">3.2.3.2.2. Chaostheatre</a></li>
+<li><a href="#org875a489">3.2.3.2.3. toto</a></li>
+<li><a href="#orga3d9381">3.2.3.2.4. Work</a></li>
+<li><a href="#org1b6724f">3.2.3.2.5. Framework</a></li>
+<li><a href="#org605d768">3.2.3.2.6. Darwin</a></li>
+<li><a href="#org4e95c8c">3.2.3.2.7. Local Server</a></li>
 </ul>
 </li>
 </ul>
@@ -379,7 +379,7 @@
 <li><a href="#h:f101daa2-604d-4553-99e2-f64b9c207f51">3.3.1.22.3. enable GVfs</a></li>
 <li><a href="#h:08d213d5-a9f4-4309-8635-ba557b01dc7d">3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL</a></li>
 <li><a href="#h:82fbba41-3a46-4db7-aade-49e4c23fc475">3.3.1.22.5. power-profiles-daemon</a></li>
-<li><a href="#org632da5f">3.3.1.22.6. SwayOSD</a></li>
+<li><a href="#orge3e730d">3.3.1.22.6. SwayOSD</a></li>
 </ul>
 </li>
 <li><a href="#h:7a89b5e3-b700-4167-8b14-2b8172f33936">3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules</a>
@@ -445,11 +445,11 @@
 <li><a href="#h:34db28fb-62f7-4597-a9ff-0de2991a8415">3.3.4.3. VmWare</a></li>
 <li><a href="#h:fa8d9ec4-3e22-458a-9239-859cffe7f55c">3.3.4.4. Auto-login</a></li>
 <li><a href="#h:5c41c4ee-22ca-405b-9e4f-cc4051634edd">3.3.4.5. nswitch-rcm</a></li>
-<li><a href="#orgd30a285">3.3.4.6. Framework</a></li>
-<li><a href="#orgdc91a90">3.3.4.7. AMD CPU</a></li>
-<li><a href="#orga94b861">3.3.4.8. AMD GPU</a></li>
-<li><a href="#orga739eb3">3.3.4.9. Hibernation</a></li>
-<li><a href="#org40ccd98">3.3.4.10. BTRFS</a></li>
+<li><a href="#org048634d">3.3.4.6. Framework</a></li>
+<li><a href="#org14d38a1">3.3.4.7. AMD CPU</a></li>
+<li><a href="#orgdf62a2a">3.3.4.8. AMD GPU</a></li>
+<li><a href="#orga411e20">3.3.4.9. Hibernation</a></li>
+<li><a href="#org9c624f2">3.3.4.10. BTRFS</a></li>
 <li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.3.4.11. work</a></li>
 <li><a href="#h:3fc1d301-7bae-4678-9085-d12c23eed8ac">3.3.4.12. Minimal Install</a></li>
 </ul>
@@ -498,7 +498,7 @@
 <li><a href="#h:cb812c8a-247c-4ce5-a00c-59332c2f5fb9">3.4.1.29.1. gnome-keyring</a></li>
 <li><a href="#h:be6afd89-9e1e-40b6-8542-5c07a0ab780d">3.4.1.29.2. KDE Connect</a></li>
 <li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.4.1.29.3. Mako</a></li>
-<li><a href="#org0d0faef">3.4.1.29.4. SwayOSD</a></li>
+<li><a href="#orga989e13">3.4.1.29.4. SwayOSD</a></li>
 <li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.4.1.29.5. yubikey-touch-detector</a></li>
 </ul>
 </li>
@@ -523,7 +523,7 @@
 <ul>
 <li><a href="#h:84fd7029-ecb6-4131-9333-289982f24ffa">3.4.4.1. Gaming</a></li>
 <li><a href="#h:f0b2ea93-94c8-48d8-8d47-6fe58f58e0e6">3.4.4.2. Work</a></li>
-<li><a href="#org72bd2ab">3.4.4.3. Framework</a></li>
+<li><a href="#orgc45706b">3.4.4.3. Framework</a></li>
 </ul>
 </li>
 </ul>
@@ -701,7 +701,7 @@
 <ul>
 <li><a href="#h:c1e53aed-fb47-4aff-930c-dc52f3c5dcb8">6.1. Server Emacs config</a></li>
 <li><a href="#h:fc64f42f-e7cf-4829-89f6-2d0d58e04f51">6.2. tridactylrc</a></li>
-<li><a href="#org504baa4">6.3. tridactyl theme</a></li>
+<li><a href="#org45faa69">6.3. tridactyl theme</a></li>
 <li><a href="#h:77b1c523-5074-4610-b320-90af95e6134d">6.4. Waybar style.css</a></li>
 <li><a href="#h:788937cf-8816-466b-8e57-1b695cb50f52">6.5. justfile</a></li>
 </ul>
@@ -710,7 +710,7 @@
 </div>
 </div>
 <p>
-<b>This file has 62553 words spanning 16386 lines and was last revised on 2025-05-24 17:27:46 +0200.</b>
+<b>This file has 62656 words spanning 16427 lines and was last revised on 2025-05-24 18:24:21 +0200.</b>
 </p>
 
 <p>
@@ -763,7 +763,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
 </p>
 
 <p>
-My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-05-24 17:27:46 +0200)
+My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-05-24 18:24:21 +0200)
 </p></li>
 </ul>
 
@@ -2800,8 +2800,8 @@ This is just a demo host. It applies all the configuration found in the common p
 I also set the <code>WLR_RENDERER_ALLOW_SOFTWARE=1</code> to allow this configuration to run in a virtualized environment. I also enable <code>qemuGuest</code> for a smoother experience when testing on QEMU.
 </p>
 </div>
-<div id="outline-container-org5ea29a8" class="outline-6">
-<h6 id="org5ea29a8"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
+<div id="outline-container-org1c08418" class="outline-6">
+<h6 id="org1c08418"><span class="section-number-6">3.1.4.4.1.</span> Main configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ self, inputs, config, pkgs, lib, primaryUser, ... }:
@@ -2880,8 +2880,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1fa9e9e" class="outline-6">
-<h6 id="org1fa9e9e"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
+<div id="outline-container-orgbe535af" class="outline-6">
+<h6 id="orgbe535af"><span class="section-number-6">3.1.4.4.2.</span> NixOS dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-2">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -2891,8 +2891,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org208299c" class="outline-6">
-<h6 id="org208299c"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
+<div id="outline-container-orgb452630" class="outline-6">
+<h6 id="orgb452630"><span class="section-number-6">3.1.4.4.3.</span> home-manager dummy options configuration</h6>
 <div class="outline-text-6" id="text-3-1-4-4-3">
 <div class="org-src-container">
 <pre class="src src-nix">_:
@@ -4049,6 +4049,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/git.nix
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
+    rm modules/nixos/server/restic.nix
     rm modules/nixos/common/home-manager-extra.nix
     nix flake update vbc-nix
     git add .
@@ -4187,6 +4188,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/git.nix
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
+    rm modules/nixos/server/restic.nix
     rm modules/nixos/common/home-manager-extra.nix
     rm -rf modules/nixos/server
     rm -rf modules/home/server
@@ -4667,8 +4669,8 @@ appimageTools.wrapType2 {
 </div>
 </div>
 </div>
-<div id="outline-container-org1cd67ee" class="outline-5">
-<h5 id="org1cd67ee"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
+<div id="outline-container-orgc5db632" class="outline-5">
+<h5 id="orgc5db632"><span class="section-number-5">3.2.1.30.</span> sshrm</h5>
 <div class="outline-text-5" id="text-3-2-1-30">
 <p>
 This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually.
@@ -4817,8 +4819,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-org9dc64b4" class="outline-6">
-<h6 id="org9dc64b4"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
+<div id="outline-container-org98b7bb4" class="outline-6">
+<h6 id="org98b7bb4"><span class="section-number-6">3.2.3.1.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-1-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -4885,8 +4887,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org188a012" class="outline-6">
-<h6 id="org188a012"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
+<div id="outline-container-org9671087" class="outline-6">
+<h6 id="org9671087"><span class="section-number-6">3.2.3.1.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-1-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -4950,8 +4952,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgcae49f6" class="outline-6">
-<h6 id="orgcae49f6"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
+<div id="outline-container-org5d017d5" class="outline-6">
+<h6 id="org5d017d5"><span class="section-number-6">3.2.3.1.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-1-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -4983,8 +4985,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org838f7e2" class="outline-6">
-<h6 id="org838f7e2"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
+<div id="outline-container-org9e3d9c4" class="outline-6">
+<h6 id="org9e3d9c4"><span class="section-number-6">3.2.3.1.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-1-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5005,8 +5007,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org4309252" class="outline-6">
-<h6 id="org4309252"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
+<div id="outline-container-orgd0ef530" class="outline-6">
+<h6 id="orgd0ef530"><span class="section-number-6">3.2.3.1.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-1-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5027,8 +5029,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org9e91c20" class="outline-6">
-<h6 id="org9e91c20"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
+<div id="outline-container-org700f6ba" class="outline-6">
+<h6 id="org700f6ba"><span class="section-number-6">3.2.3.1.6.</span> AMD CPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5049,8 +5051,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org1a4e2ce" class="outline-6">
-<h6 id="org1a4e2ce"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
+<div id="outline-container-orgf16c66a" class="outline-6">
+<h6 id="orgf16c66a"><span class="section-number-6">3.2.3.1.7.</span> AMD GPU</h6>
 <div class="outline-text-6" id="text-3-2-3-1-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5071,8 +5073,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org2c54240" class="outline-6">
-<h6 id="org2c54240"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
+<div id="outline-container-orgc4ce0a2" class="outline-6">
+<h6 id="orgc4ce0a2"><span class="section-number-6">3.2.3.1.8.</span> Hibernation</h6>
 <div class="outline-text-6" id="text-3-2-3-1-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5093,8 +5095,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgacf9734" class="outline-6">
-<h6 id="orgacf9734"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
+<div id="outline-container-orgb07c3c8" class="outline-6">
+<h6 id="orgb07c3c8"><span class="section-number-6">3.2.3.1.9.</span> BTRFS</h6>
 <div class="outline-text-6" id="text-3-2-3-1-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5115,8 +5117,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org441c01c" class="outline-6">
-<h6 id="org441c01c"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
+<div id="outline-container-orgaf31799" class="outline-6">
+<h6 id="orgaf31799"><span class="section-number-6">3.2.3.1.10.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5142,6 +5144,7 @@ in
           nginx = lib.mkDefault true;
           ssh = lib.mkDefault true;
           kavita = lib.mkDefault true;
+          restic = lib.mkDefault true;
           jellyfin = lib.mkDefault true;
           navidrome = lib.mkDefault true;
           spotifyd = lib.mkDefault true;
@@ -5166,8 +5169,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgbc79a75" class="outline-6">
-<h6 id="orgbc79a75"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
+<div id="outline-container-org65270d4" class="outline-6">
+<h6 id="org65270d4"><span class="section-number-6">3.2.3.1.11.</span> OCI Sync Server</h6>
 <div class="outline-text-6" id="text-3-2-3-1-11">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5224,8 +5227,8 @@ in
 </pre>
 </div>
 </div>
-<div id="outline-container-orgea9ff4b" class="outline-6">
-<h6 id="orgea9ff4b"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
+<div id="outline-container-orgdde8204" class="outline-6">
+<h6 id="orgdde8204"><span class="section-number-6">3.2.3.2.1.</span> Personal</h6>
 <div class="outline-text-6" id="text-3-2-3-2-1">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5282,8 +5285,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgdd25304" class="outline-6">
-<h6 id="orgdd25304"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
+<div id="outline-container-org8a8a674" class="outline-6">
+<h6 id="org8a8a674"><span class="section-number-6">3.2.3.2.2.</span> Chaostheatre</h6>
 <div class="outline-text-6" id="text-3-2-3-2-2">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5335,8 +5338,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org32b2ef4" class="outline-6">
-<h6 id="org32b2ef4"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
+<div id="outline-container-org875a489" class="outline-6">
+<h6 id="org875a489"><span class="section-number-6">3.2.3.2.3.</span> toto</h6>
 <div class="outline-text-6" id="text-3-2-3-2-3">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5356,8 +5359,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgee3f66f" class="outline-6">
-<h6 id="orgee3f66f"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
+<div id="outline-container-orga3d9381" class="outline-6">
+<h6 id="orga3d9381"><span class="section-number-6">3.2.3.2.4.</span> Work</h6>
 <div class="outline-text-6" id="text-3-2-3-2-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5377,8 +5380,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-orgd7d0b01" class="outline-6">
-<h6 id="orgd7d0b01"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
+<div id="outline-container-org1b6724f" class="outline-6">
+<h6 id="org1b6724f"><span class="section-number-6">3.2.3.2.5.</span> Framework</h6>
 <div class="outline-text-6" id="text-3-2-3-2-5">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5399,8 +5402,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org50f73f5" class="outline-6">
-<h6 id="org50f73f5"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
+<div id="outline-container-org605d768" class="outline-6">
+<h6 id="org605d768"><span class="section-number-6">3.2.3.2.6.</span> Darwin</h6>
 <div class="outline-text-6" id="text-3-2-3-2-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -5418,8 +5421,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org6d43dd0" class="outline-6">
-<h6 id="org6d43dd0"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
+<div id="outline-container-org4e95c8c" class="outline-6">
+<h6 id="org4e95c8c"><span class="section-number-6">3.2.3.2.7.</span> Local Server</h6>
 <div class="outline-text-6" id="text-3-2-3-2-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -6952,8 +6955,8 @@ Most of the time I am using <code>power-saver</code>, however, it is good to be
 </div>
 </div>
 </div>
-<div id="outline-container-org632da5f" class="outline-6">
-<h6 id="org632da5f"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
+<div id="outline-container-orge3e730d" class="outline-6">
+<h6 id="orge3e730d"><span class="section-number-6">3.3.1.22.6.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-3-1-22-6">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, pkgs, config, ... }:
@@ -9027,12 +9030,50 @@ Once this is finished, it will house a restic client that manages automatic back
 </p>
 
 <div class="org-src-container">
-<pre class="src src-nix">{ lib, config, ... }:
+<pre class="src src-nix">{ lib, config, inputs, ... }:
+let
+  secretsDirectory = builtins.toString inputs.nix-secrets;
+  resticRepo = lib.swarselsystems.getSecret "${secretsDirectory}/restic/wintersRepo";
+in
 {
   options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
   config = lib.mkIf config.swarselsystems.modules.server.restic {
 
-    # TODO
+    sops = {
+      secrets = {
+        resticpw = { };
+        resticaccesskey = { };
+        resticsecretaccesskey = { };
+      };
+      templates = {
+        "restic-env".content = ''
+          AWS_ACCESS_KEY_ID=${config.sops.placeholder.resticaccesskey}
+          AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.resicsecretaccesskey}
+        '';
+      };
+    };
+
+    services.restic = {
+      backups = {
+        SwarselWinters = {
+          environmentFile = config.sops.templates."restic-env".path;
+          passwordFile = config.sops.secrets.resticpw.path;
+          paths = [
+            "/Vault/data/paperless"
+            "/Vault/Eternor/Paperless"
+            "/Vault/data/paperless"
+            "/Vault/Eternor/Bilder"
+            "/Vault/Eternor/Immich"
+          ];
+          repository = "${resticRepo}";
+          initialize = true;
+          timerConfig = {
+            OnCalendar = "19:00";
+          };
+        };
+
+      };
+    };
 
   };
 }
@@ -9665,8 +9706,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
 </div>
 </div>
 </div>
-<div id="outline-container-orgd30a285" class="outline-5">
-<h5 id="orgd30a285"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
+<div id="outline-container-org048634d" class="outline-5">
+<h5 id="org048634d"><span class="section-number-5">3.3.4.6.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-3-4-6">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -9704,8 +9745,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orgdc91a90" class="outline-5">
-<h5 id="orgdc91a90"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
+<div id="outline-container-org14d38a1" class="outline-5">
+<h5 id="org14d38a1"><span class="section-number-5">3.3.4.7.</span> AMD CPU</h5>
 <div class="outline-text-5" id="text-3-3-4-7">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -9721,8 +9762,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orga94b861" class="outline-5">
-<h5 id="orga94b861"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
+<div id="outline-container-orgdf62a2a" class="outline-5">
+<h5 id="orgdf62a2a"><span class="section-number-5">3.3.4.8.</span> AMD GPU</h5>
 <div class="outline-text-5" id="text-3-3-4-8">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -9744,8 +9785,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-orga739eb3" class="outline-5">
-<h5 id="orga739eb3"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
+<div id="outline-container-orga411e20" class="outline-5">
+<h5 id="orga411e20"><span class="section-number-5">3.3.4.9.</span> Hibernation</h5>
 <div class="outline-text-5" id="text-3-3-4-9">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -9776,8 +9817,8 @@ This holds configuration that is specific to framework laptops.
 </div>
 </div>
 </div>
-<div id="outline-container-org40ccd98" class="outline-5">
-<h5 id="org40ccd98"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
+<div id="outline-container-org9c624f2" class="outline-5">
+<h5 id="org9c624f2"><span class="section-number-5">3.3.4.10.</span> BTRFS</h5>
 <div class="outline-text-5" id="text-3-3-4-10">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -12693,8 +12734,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
 </div>
 </div>
 </div>
-<div id="outline-container-org0d0faef" class="outline-6">
-<h6 id="org0d0faef"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
+<div id="outline-container-orga989e13" class="outline-6">
+<h6 id="orga989e13"><span class="section-number-6">3.4.1.29.4.</span> SwayOSD</h6>
 <div class="outline-text-6" id="text-3-4-1-29-4">
 <div class="org-src-container">
 <pre class="src src-nix">{ lib, config, ... }:
@@ -13943,8 +13984,8 @@ in
 </div>
 </div>
 </div>
-<div id="outline-container-org72bd2ab" class="outline-5">
-<h5 id="org72bd2ab"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
+<div id="outline-container-orgc45706b" class="outline-5">
+<h5 id="orgc45706b"><span class="section-number-5">3.4.4.3.</span> Framework</h5>
 <div class="outline-text-5" id="text-3-4-4-3">
 <p>
 This holds configuration that is specific to framework laptops.
@@ -17784,8 +17825,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore
 </div>
 </div>
 </div>
-<div id="outline-container-org504baa4" class="outline-3">
-<h3 id="org504baa4"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
+<div id="outline-container-org45faa69" class="outline-3">
+<h3 id="org45faa69"><span class="section-number-3">6.3.</span> tridactyl theme</h3>
 <div class="outline-text-3" id="text-6-3">
 <div class="org-src-container">
 <pre class="src src-config">
@@ -18282,7 +18323,7 @@ sync USER HOST:
 </div>
 <div id="postamble" class="status">
 <p class="author">Author: Leon Schwarzäugl</p>
-<p class="date">Created: 2025-05-24 Sa 17:27</p>
+<p class="date">Created: 2025-05-24 Sa 18:24</p>
 <p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
 </div>
 </body>
diff --git a/modules/nixos/server/restic.nix b/modules/nixos/server/restic.nix
index e5b092c..ce7dfc4 100644
--- a/modules/nixos/server/restic.nix
+++ b/modules/nixos/server/restic.nix
@@ -1,9 +1,47 @@
-{ lib, config, ... }:
+{ lib, config, inputs, ... }:
+let
+  secretsDirectory = builtins.toString inputs.nix-secrets;
+  resticRepo = lib.swarselsystems.getSecret "${secretsDirectory}/restic/wintersRepo";
+in
 {
   options.swarselsystems.modules.server.restic = lib.mkEnableOption "enable restic backups on server";
   config = lib.mkIf config.swarselsystems.modules.server.restic {
 
-    # TODO
+    sops = {
+      secrets = {
+        resticpw = { };
+        resticaccesskey = { };
+        resticsecretaccesskey = { };
+      };
+      templates = {
+        "restic-env".content = ''
+          AWS_ACCESS_KEY_ID=${config.sops.placeholder.resticaccesskey}
+          AWS_SECRET_ACCESS_KEY=${config.sops.placeholder.resicsecretaccesskey}
+        '';
+      };
+    };
+
+    services.restic = {
+      backups = {
+        SwarselWinters = {
+          environmentFile = config.sops.templates."restic-env".path;
+          passwordFile = config.sops.secrets.resticpw.path;
+          paths = [
+            "/Vault/data/paperless"
+            "/Vault/Eternor/Paperless"
+            "/Vault/data/paperless"
+            "/Vault/Eternor/Bilder"
+            "/Vault/Eternor/Immich"
+          ];
+          repository = "${resticRepo}";
+          initialize = true;
+          timerConfig = {
+            OnCalendar = "19:00";
+          };
+        };
+
+      };
+    };
 
   };
 }
diff --git a/profiles/nixos/localserver/default.nix b/profiles/nixos/localserver/default.nix
index fb1bb29..824367b 100644
--- a/profiles/nixos/localserver/default.nix
+++ b/profiles/nixos/localserver/default.nix
@@ -21,6 +21,7 @@
           nginx = lib.mkDefault true;
           ssh = lib.mkDefault true;
           kavita = lib.mkDefault true;
+          restic = lib.mkDefault true;
           jellyfin = lib.mkDefault true;
           navidrome = lib.mkDefault true;
           spotifyd = lib.mkDefault true;
diff --git a/scripts/swarsel-install.sh b/scripts/swarsel-install.sh
index 5f105b8..e3258fc 100644
--- a/scripts/swarsel-install.sh
+++ b/scripts/swarsel-install.sh
@@ -100,6 +100,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/git.nix
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
+    rm modules/nixos/server/restic.nix
     rm modules/nixos/common/home-manager-extra.nix
     rm -rf modules/nixos/server
     rm -rf modules/home/server
diff --git a/scripts/swarsel-rebuild.sh b/scripts/swarsel-rebuild.sh
index 0801648..9ce5291 100644
--- a/scripts/swarsel-rebuild.sh
+++ b/scripts/swarsel-rebuild.sh
@@ -82,6 +82,7 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
     rm modules/home/common/git.nix
     rm modules/home/common/mail.nix
     rm modules/home/common/yubikey.nix
+    rm modules/nixos/server/restic.nix
     rm modules/nixos/common/home-manager-extra.nix
     nix flake update vbc-nix
     git add .
diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml
index 512ef2f..7a55f1a 100644
--- a/secrets/winters/secrets.yaml
+++ b/secrets/winters/secrets.yaml
@@ -37,11 +37,11 @@ grafanaadminpass: ENC[AES256_GCM,data:TBu0WOdvE+9CAH8EVm8=,iv:/usKOYscSXpo8tiSV/
 prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str]
 #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment]
 fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str]
+#ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment]
+resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str]
+resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str]
+resticsecretaccesskey: ENC[AES256_GCM,data:j57l4p5viLZ2yL/KDrQpq1Dov69kpCRgzS4uEHgh4A==,iv:CYTxd4Vy1V+aW6EdaEOIma5vyDRL/VR6MlHqmAM1JQI=,tag:zLl0UZ50uN8YIrL+nOfurg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1h72072slm2pthn9m2qwjsyy2dsazc6hz97kpzh4gksvv0r2jqecqul8w63
           enc: |
@@ -52,8 +52,8 @@ sops:
             MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl
             qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-16T14:43:24Z"
-    mac: ENC[AES256_GCM,data:vDSegkEgy255XQ3NYqfZXOxV21QYIPeEmM5U5B51PQBcs13CEMwTcKx26wDznsUrqU/N9xnpHaZlYBYjCqul7uhuLG6Le3a30b4la8MNtZRsIoRJqhVlim1II+X/kcrm3RlCJ6r8g8AjAj4SDXdamkXQ02+ckeS8wwNhREBbZsA=,iv:Ik/PE5mJQY+x1xvmJGE3AWK2sVUqYGNcz4zYasxZBaU=,tag:rBrILXohBC9T47PY3sYwYg==,type:str]
+    lastmodified: "2025-05-24T16:09:43Z"
+    mac: ENC[AES256_GCM,data:K6x8RdvbXEQMBMnhXL1vnD9urEGgsm+bg5WVIBExvML0ptkIX88AIXF9GPaOFdPJ7idKRrXe1euajGyDJZTZeM95auvEuw8Dyb3xC/2l21X9pAOlWQwhWNlilUu/G/JO56lXTxeIGS7qA1oUYRYGRyZYICbYssymcH/urcKGPZE=,iv:4QCTjTb1vs/7xWyvGC1eARMqaFAgkzKBsnxQIWv06gk=,tag:by8DbsqBHYbe3Xe+EbDIRA==,type:str]
     pgp:
         - created_at: "2024-12-17T16:24:32Z"
           enc: |-
@@ -87,4 +87,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 4BE7925262289B476DBBC17B76FD3810215AE097
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.10.2