    # Importing this adds a daily borgbackup job to a node.
    # It has all the common config and keys, but can
    # be extended individually to include more folders.
    
    
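    { lib, config, ...}:
    let

      # Options the importing node sets under services.private-storage.borgbackup.
      cfg = config.services.private-storage.borgbackup;

      # Directory holding the per-host secret files. It must be readable on the
      # machine that evaluates this module, because `repo` below reads from it
      # at evaluation time.
      inherit (config.grid) privateKeyPath;

    in {

      options.services.private-storage.borgbackup = {
        enable = lib.mkEnableOption "Borgbackup daily backup job";
        paths = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          description = ''
            A list of directories to back up using Borg.
          '';
          default = [ "/storage" ];
        };
      };

      config = lib.mkIf cfg.enable {

        # Per-host secrets, looked up by networking.hostName and placed under
        # /run/keys/borgbackup/ on the node.
        # NOTE(review): no owner or permissions are set on these entries, so the
        # deployment tool's defaults apply - confirm they restrict the files to
        # the user the backup job runs as.
        # NOTE(review): /run is normally a tmpfs, so these files presumably
        # disappear on reboot until secrets are uploaded again - confirm that
        # failed backup runs are monitored.
        deployment = {
          secrets = {
            "borgbackup-repopath" = {
              # This is the repo we are backing up to
              # Not very secret, but not public either, and I'd rather keep it with
              # the rest of the backup destination config
              destination = "/run/keys/borgbackup/repopath";
              source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.repopath";
            };
            "borgbackup-passphrase" = {
              # The passphrase is used to encrypt the repo key
              # https://borgbackup.readthedocs.io/en/stable/usage/init.html
              destination = "/run/keys/borgbackup/passphrase";
              source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.passphrase";
            };
            "borgbackup-appendonly-ssh-key" = {
              # The ssh key is used to authenticate to the remote repo server
              # NOTE(review): "appendonly" is only a label here; nothing in this
              # module restricts the key. Append-only has to be enforced for this
              # key on the repo server - confirm there.
              destination = "/run/keys/borgbackup/ssh-key";
              source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.ssh-key";
            };
          };
        };

        services.borgbackup.jobs = {
          daily = {

            paths = cfg.paths;

            # The repo path is read from the secret's *source* file while the
            # configuration is evaluated, not from /run/keys at run time. The
            # value therefore becomes part of the evaluated system configuration
            # and presumably ends up in the world-readable Nix store on the node.
            # That matches the "not very secret" note above, but do not reuse
            # this pattern for the passphrase or the ssh key.
            repo = lib.fileContents config.deployment.secrets.borgbackup-repopath.source;
            encryption = {
              mode = "repokey-blake2";
              # Read at run time from the deployed secret, so the passphrase
              # itself is not written into the configuration.
              passCommand = "cat /run/keys/borgbackup/passphrase";
            };
            environment = {
              # NOTE(review): no host-key options are passed, so ssh falls back
              # to its default known_hosts handling - confirm the repo server's
              # host key is pinned elsewhere in the configuration.
              BORG_RSH = "ssh -i /run/keys/borgbackup/ssh-key";
            };
            compression = "none";
            startAt = "daily";
          };
        };
      };
    }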