feat: backup

Author: theorderingmachine

cloud/backup.tf

@@ -2,6 +2,7 @@ module "backup" {
   for_each = {
     git       = "tom.git"
     minecraft = "tom.25565"
+    openclaw  = "tom.openclaw"
   }
 
   source = "./modules/backup"
@@ -32,3 +33,15 @@ output "backup_minecraft_secret_access_key" {
   value     = module.backup["minecraft"].secret_access_key
   sensitive = true
 }
+
+# https://opentofu.org/docs/language/values/outputs/
+output "backup_openclaw_access_key_id" {
+  value     = module.backup["openclaw"].access_key_id
+  sensitive = true
+}
+
+# https://opentofu.org/docs/language/values/outputs/
+output "backup_openclaw_secret_access_key" {
+  value     = module.backup["openclaw"].secret_access_key
+  sensitive = true
+}

machines/tom/configuration.nix

@@ -227,6 +227,12 @@
         group = "minecraft";
         sopsFile = ./services/restic/vault.minecraft.env;
       };
+      "aws/iam/openclaw" = {
+        format = "dotenv";
+        owner = "openclaw";
+        group = "openclaw";
+        sopsFile = ./services/restic/vault.openclaw.env;
+      };
       "github/oauth" = {
         owner = config.users.users.default.name;
         group = "wheel";
@@ -305,6 +311,10 @@
         owner = "minecraft";
         group = "minecraft";
       };
+      "restic/openclaw" = {
+        owner = "openclaw";
+        group = "openclaw";
+      };
       "slack/snaek" = {
         format = "dotenv";
         owner = "snaek";

machines/tom/services/restic/default.nix

@@ -42,5 +42,25 @@
         Persistent = true;
       };
     };
+    openclaw = {
+      initialize = true;
+      user = "openclaw";
+      environmentFile = "/run/secrets/aws/iam/openclaw";
+      passwordFile = "/run/secrets/restic/openclaw";
+      repository = "s3:s3.us-east-1.amazonaws.com/tom.openclaw";
+      paths = [
+        "/var/lib/openclaw"
+      ];
+      pruneOpts = [
+        "--keep-daily 5"
+        "--keep-weekly 6"
+        "--keep-monthly 12"
+        "--keep-yearly 60"
+      ];
+      timerConfig = {
+        OnCalendar = "daily";
+        Persistent = true;
+      };
+    };
   };
 }

machines/tom/services/restic/vault.openclaw.env

@@ -0,0 +1,8 @@
+AWS_ACCESS_KEY_ID=ENC[AES256_GCM,data:I2BZZad6XA8bykwxyM9yRkRY0Qs=,iv:KqDHlW/6RCFrvB6SqLvoJ4oEjTskvKmkZwAgbBHvddY=,tag:UwlcreLfyGttotNal0aDUQ==,type:str]
+AWS_SECRET_ACCESS_KEY=ENC[AES256_GCM,data:rmWvrotMPHmtbtxccsIGTNy1ZXzM8qMaC1W8Yr1rHjtJWLcUBcIY4w==,iv:yq3RmdClHDSTTrkRHuk3tju0OINsoQEcLGPYiBUCvoE=,tag:C7tXZC6Ti06VzlUQhDFoqA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva2VGVVNyTkladTNHc2ox\nc1ZsU3NLSzc2Rkt0dGt4T0pJQ3BmUFhqUmw4ClMwa3Y5OGxGUWw5ckFrakY1Q2Fi\naUVjZ2Jmdm1XeXJYZTNTcEE3WmcxaHcKLS0tIDZFNUg3SGxENStBVk1RdVJFZWtr\nY25CS1pNUG5tNEU0S2JlKzhSS25BVk0KNchaSe7PfTcwt3D6EjKDauN+u60YIK9O\nmWPWATZLYI8f9mk9yDSLUlL00qdT84elz8qdAF8oFTMT3jY+E4vSqw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1dujf55uzev2nnpq6c2drn0e8pmpxay22qqfsavwaxqakwn9se5hsputgx4
+sops_lastmodified=2026-04-06T01:06:32Z
+sops_mac=ENC[AES256_GCM,data:+5BrGqcXNi/iOSU8d3T59sACwss1KBNZtp5u8XjuKjJCLcUtNaIAHjg2bXCaKmHrTE6qqkgi1sXLnr2on+fbj9G9ZNedOfAQlDfJOuaqwkvmtMe6K2bT6YP/9upvJKor1dt/GtS9YV2sQmYKSGNB8dyMuoPjwrscn+PykpE1P7I=,iv:D5ah3mIkOB7Us0s9EwY+ndcQe4/ygn9rNtWncZYLOco=,tag:8qBzCt0AoUIA9lgBIN1Gog==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.12.2