make genepi backups atomic

hosts/genepi/backup.nix

@@ -7,6 +7,7 @@
 let
   storagebox-user = "u422292-sub1";
   storagebox-host = "${storagebox-user}.your-storagebox.de";
+  storagebox-nightly-backup-name = "storagebox-nightly";
 in
 {
   environment.systemPackages = [
@@ -20,12 +21,14 @@ in
     "${storagebox-host}".publicKey = keys.hosts.storagebox-rsa;
   };
 
-  services.restic.backups = {
-    storagebox-nightly = {
+  services.restic.backups."${storagebox-nightly-backup-name}" = {
     initialize = true;
     paths = [
       "/persist"
     ];
+    exclude = [
+      "/persist/@backup-snapshot"
+    ];
     passwordFile = config.age.secrets.restic-genepi-storagebox-key.path;
     repository = "sftp://${storagebox-user}@${storagebox-host}/";
     extraOptions = [
@@ -41,6 +44,29 @@ in
       "--keep-monthly 12"
       "--keep-yearly 10"
     ];
+    backupPrepareCommand = ''
+      set -Eeuxo pipefail
+      # clean old snapshot
+      if btrfs subvolume delete /persist/@backup-snapshot; then
+          echo "WARNING: previous run did not cleanly finish, removing old snapshot"
+      fi
+
+      btrfs subvolume snapshot -r /persist /persist/@backup-snapshot
+
+      umount /persist
+      mount -t btrfs -o subvol=/persist/@backup-snapshot /dev/disk/by-partlabel/disk-main-root /persist
+    '';
+    backupCleanupCommand = ''
+      btrfs subvolume delete /persist/@backup-snapshot
+    '';
   };
+
+  systemd.services."restic-backups-${storagebox-nightly-backup-name}" = {
+    path = with pkgs; [
+      btrfs-progs
+      umount
+      mount
+    ];
+    serviceConfig.privateMounts = true;
   };
 }