Restic resticprofile #14

Merged: tyvsmith merged 7 commits into main from restic-resticprofile on Jun 27, 2026

@tyvsmith

No description provided.

Copilot AI review requested due to automatic review settings June 15, 2026 05:07

Copilot AI left a comment

Pull request overview

This PR introduces a restic/resticprofile-based backup setup that’s gated by a new backup: true profile flag, along with a 1Password-backed secret caching mechanism for restic credentials and an updated 1Password reference for the age key.

Changes:

  • Add restic/resticprofile packages and a backup profile flag, and propagate it via .chezmoi.toml.tmpl.
  • Add resticprofile configuration + a run_onchange script to register systemd --user timers for backup/check schedules on Linux personal machines.
  • Add an op-cached-secret template helper and new restic secret templates that cache 1Password values to disk after first fetch.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| `scripts/decrypt-secrets.sh` | Updates the 1Password reference used to fetch the age key for local decrypt tooling. |
| `run_onchange_70-configure-restic.sh.tmpl` | New script to register resticprofile schedules as user systemd timers when backup: true. |
| `run_onchange_50-configure-hyprpm.sh.tmpl` | Adds documentation + a workaround to commit staged hyprpm plugin state across filesystems. |
| `run_before_01-decrypt.sh.tmpl` | Refactors age key setup into a reusable ensure_secret helper and updates the 1Password reference. |
| `README.md` | Updates repo tree documentation to reflect the decrypt script naming/behavior and restic secret handling. |
| `dot_config/resticprofile/private_rest-pass.tmpl` | New cached secret template for REST transport password. |
| `dot_config/resticprofile/private_profiles.yaml.tmpl` | New resticprofile configuration (REST backend, schedules, excludes, check policy). |
| `dot_config/resticprofile/private_password.tmpl` | New cached secret template for restic repository password. |
| `CLAUDE.md` | Updates documentation for the decrypt run_before script and restic secret approach. |
| `.chezmoitemplates/op-cached-secret` | New shared template helper to read from on-disk cache or 1Password. |
| `.chezmoiignore.tmpl` | Attempts to skip resticprofile config on non-backup profiles (currently with an incorrect path). |
| `.chezmoidata/profiles.yaml` | Documents and enables the new backup flag for the arch profile. |
| `.chezmoidata/packages.yaml` | Adds restic and resticprofile packages. |
| `.chezmoi.toml.tmpl` | Adds backup to template data so it can be referenced as .backup in templates. |

Comment thread .chezmoiignore.tmpl
Comment on lines +30 to +31
.config/resticprofile
.config/resticprofile/**
# servers/containers (debian-server, devpod, Proxmox/LXC) are deliberately excluded.
# Reruns automatically when the profile or this script changes (hashes below).
# profiles.yaml: {{ include "dot_config/resticprofile/private_profiles.yaml.tmpl" | sha256sum }}
# (restic secrets are self-caching templates in dot_config/resticprofile/; not hashed — they don't affect schedules)
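Review bot: the `profiles.yaml:` hash line uses `include` on a `.tmpl` file, so the digest covers the template source and not its rendered output; a change in template data that alters the rendered profile (for example the guard that renders no profiles on Macs) leaves this hash unchanged and does not by itself retrigger the script. If schedules can depend on rendered values, hash the rendered result instead (chezmoi's `includeTemplate` renders before hashing), or state the limitation next to "Reruns automatically when the profile or this script changes".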

MACHINES: $host namespaces the repo, so each machine has its own repo under
/ty/<host>. Add a machine by giving it a hostname; nothing else changes.
Macs use Time Machine instead and render no profiles (see guard).
tyvsmith and others added 5 commits June 27, 2026 12:30
…udes

- Add a `backup` tri-state gate to cascade-filter (mirrors work/decrypt) and
  mark restic/resticprofile `backup: true` so the backup stack installs only on
  profiles with `backup: true` — servers/containers/Macs stay clean.
- Add the root `system` profile (/etc) with a sudo-guarded timer registration in
  run_onchange_70; user `default` timers still register without sudo.
- Capture flatpak + AppImage + language-manager manifests alongside the pacman
  lists in the staged system-state record.
- Excludes: add ~/Backups (96G), Steam workshop/compatibilitytools.d (18G),
  and scope VM images to ~/.windows + ~/vms dirs instead of a global **/*.img
  (which would have excluded the LUKS header backups). Verified ~39 GiB of a
  4.9 TB home via restic --dry-run (clean exit, no warnings).
- Docs: add the `backup` flag + restic section to CLAUDE.md, refresh the stale
  profile tables in CLAUDE.md and README.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Remove both from the hyprpm repo/enable lists and delete the now-dead
hyprglass plugin block from looknfeel.conf.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…s present

run_onchange_70 now escalates itself when it can — passwordless sudo (no prompt)
or an interactive `chezmoi apply` where sudo prompts on the terminal — and only
prints the manual command for non-interactive applies (cron/CI/piped). A declined
or failed prompt warns and continues instead of aborting apply.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

…oads/shims

Strip per-line size/explanation annotations from the exclude block, leaving only
clean category headers (the two load-bearing facts — Dropbox→NAS mirror and the
*.img/LUKS-header hazard — fold into their section headers). Also exclude
~/.local/share/mise/{downloads,shims} alongside installs (cache + dangling symlinks
into the excluded installs/ tree).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

`restic check` verifies the whole repository, not a tag or source. The system
profile shares its repo with default, so default/check already validates the
system-tagged /etc snapshots — a second check just re-reads the same repo.
Removing it: 4 timers -> 3 (default backup+check, system backup).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@tyvsmith tyvsmith merged commit 6b9de46 into main Jun 27, 2026
1 check passed
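The escalation behaviour described in the run_onchange_70 commit message above (passwordless sudo, else an interactive prompt, else print the manual command, and never abort the apply), sketched as an added example that is not code from this pull request. The function names `have_passwordless_sudo`, `is_interactive`, `escalation_mode` and `run_privileged` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the PR): choose how a run_onchange script escalates.
# All function names here are hypothetical.

have_passwordless_sudo() {
    # sudo -n never prompts; it fails if a password would be required.
    command -v sudo >/dev/null 2>&1 && sudo -n true 2>/dev/null
}

is_interactive() {
    # stdin and stderr are terminals, so sudo can prompt the user there.
    # False for cron, CI, or a piped `chezmoi apply`.
    [ -t 0 ] && [ -t 2 ]
}

# Prints one of: passwordless | interactive | manual
escalation_mode() {
    if have_passwordless_sudo; then
        echo passwordless
    elif is_interactive; then
        echo interactive
    else
        echo manual
    fi
}

# run_privileged CMD...: run CMD as root when possible.
# Returns 0 if CMD ran successfully, 1 if it was skipped, declined or failed.
# Callers use `run_privileged ... || true` so the apply continues.
run_privileged() {
    case "$(escalation_mode)" in
        passwordless) sudo -n "$@" && return 0 ;;
        interactive)  sudo "$@" && return 0 ;;
        manual)
            printf 'skipped (non-interactive); run manually: sudo %s\n' "$*" >&2
            return 1 ;;
    esac
    # Reached only when sudo itself failed or the prompt was declined.
    printf 'warning: privileged step failed or was declined: %s\n' "$*" >&2
    return 1
}
```

Probing with `sudo -n true` before the real command keeps an unattended apply from hanging on a password prompt.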