Changes to rpi setup

modules/backup.nix

@@ -8,11 +8,27 @@
 # Before a backup, Nextcloud is put into maintenance mode and postgres is
 # pg_dump'd to a file.  This ensures consistent DB backups.
 #
+# Backup strategy — two tiers:
+#
+#   1. Automatic daily backup to an S3-compatible bucket (primary offsite copy).
+#      Set the repository URL to your bucket in hosts/pi-main/default.nix, e.g.:
+#        homey.backup.repository = "s3:https://s3.us-west-002.backblazeb2.com/your-bucket";
+#      S3 credentials are injected via environment variables from sops secrets:
+#        restic/s3_access_key_id  →  AWS_ACCESS_KEY_ID
+#        restic/s3_secret_access_key  →  AWS_SECRET_ACCESS_KEY
+#
+#   2. Manual offload to a local disk (USB drive plugged into Pi, or workstation disk).
+#      Use scripts/offload-backup.sh --target /path/to/mounted/disk
+#      That script uses `restic copy` to clone snapshots from the S3 repo into a
+#      local restic repo on the target disk, preserving deduplication.
+#
 # Secrets consumed from sops:
 #   restic/password
+#   restic/s3_access_key_id        (if using S3 backend)
+#   restic/s3_secret_access_key    (if using S3 backend)
 #
 # The backup repository URL is set per-host in default.nix:
-#   homey.backup.repository = "sftp:user@nas:/backups/homey";
+#   homey.backup.repository = "s3:https://s3.us-west-002.backblazeb2.com/bucket";
 #
 # Restore:
 #   restic -r <repo> restore latest --target /mnt/data
@@ -58,7 +74,9 @@ in
     # -----------------------------------------------------------------------
     # Secrets
     # -----------------------------------------------------------------------
-    sops.secrets."restic/password" = { owner = "root"; };
+    sops.secrets."restic/password"              = { owner = "root"; };
+    sops.secrets."restic/s3_access_key_id"      = { owner = "root"; };
+    sops.secrets."restic/s3_secret_access_key"  = { owner = "root"; };
 
     # -----------------------------------------------------------------------
     # Pre-backup hook: pg_dump + nextcloud maintenance mode
@@ -105,7 +123,9 @@ in
     services.restic.backups.homey = {
       repository    = cfg.repository;
       passwordFile  = config.sops.secrets."restic/password".path;
-      cacheDir      = "${dataDir}/restic-cache";
+
+      # Runtime env file written by ExecStartPre (see systemd override below)
+      environmentFile = "/run/restic-homey-secrets.env";
 
       paths = [
         "${dataDir}/openldap"
@@ -136,10 +156,31 @@ in
       ];
     };
 
-    # Wire the pre/post hooks around the restic job
+    # Wire the pre/post hooks around the restic job and inject secrets
     systemd.services."restic-backups-homey" = {
       requires = [ "homey-backup-pre.service" ];
       after    = [ "homey-backup-pre.service" ];
+      serviceConfig = {
+        # Write runtime env file with actual secret values (restic needs the
+        # raw values; it does not support _FILE suffix env vars).
+        ExecStartPre = [
+          (pkgs.writeShellScript "restic-inject-secrets" ''
+            install -m 0600 /dev/null /run/restic-homey-secrets.env
+            {
+              printf 'AWS_ACCESS_KEY_ID=%s\n' \
+                "$(cat ${config.sops.secrets."restic/s3_access_key_id".path})"
+              printf 'AWS_SECRET_ACCESS_KEY=%s\n' \
+                "$(cat ${config.sops.secrets."restic/s3_secret_access_key".path})"
+              printf 'RESTIC_CACHE_DIR=%s\n' "${dataDir}/restic-cache"
+            } >> /run/restic-homey-secrets.env
+          '')
+        ];
+        ExecStopPost = [
+          (pkgs.writeShellScript "restic-cleanup-secrets" ''
+            rm -f /run/restic-homey-secrets.env
+          '')
+        ];
+      };
     };
 
     systemd.services."homey-backup-post" = {