# Importing this adds a daily borgbackup job to a node.
# It has all the common config and keys, but can
# be extended individually to include more folders.
{ lib, config, ...}:
let
  # Only privateKeyPath is used in this file; publicKeyPath is bound but
  # never referenced below.
  inherit (config.grid) publicKeyPath privateKeyPath;
in {
  config = {
    # Per-host secret files, selected by config.networking.hostName and
    # copied to /run/keys/borgbackup on the node.  No owner or permissions
    # are set here, so the deployment tool's defaults apply.
    # NOTE(review): confirm those defaults leave the files readable by the
    # job's user only, and that a failed backup is noticed if /run/keys is
    # empty until secrets are deployed again (presumably after a reboot).
    deployment.secrets = {
      # Location of the repository this node backs up to.  Not very secret,
      # but not public either; kept alongside the rest of the backup
      # destination config.
      "borgbackup-repopath" = {
        destination = "/run/keys/borgbackup/repopath";
        source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.repopath";
      };

      # Passphrase that encrypts the repo key, see
      # https://borgbackup.readthedocs.io/en/stable/usage/init.html
      # With a repokey mode the encrypted key is kept in the repository, so
      # this passphrase is what protects the backup contents from anyone who
      # can read the repo.  Keep a copy off-node: a restore needs it.
      "borgbackup-passphrase" = {
        destination = "/run/keys/borgbackup/passphrase";
        source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.passphrase";
      };

      # SSH key that authenticates this node to the remote repo server.
      # NOTE(review): nothing in this file makes the key append-only; that
      # restriction has to be enforced on the repo server (for example a
      # forced `borg serve --append-only` command for this key) - confirm.
      "borgbackup-appendonly-ssh-key" = {
        destination = "/run/keys/borgbackup/ssh-key";
        source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.ssh-key";
      };
    };

    services.borgbackup.jobs.daily = {
      paths = [ "/storage" ];

      # lib.fileContents reads the repopath file while the configuration is
      # evaluated, not on the node at run time; the copy deployed to
      # /run/keys/borgbackup/repopath is not read by this job.
      # NOTE(review): the repo location is therefore part of the built
      # system configuration and presumably ends up in the world-readable
      # Nix store - confirm that matches the "not public" intent.
      repo = lib.fileContents config.deployment.secrets.borgbackup-repopath.source;

      encryption.mode = "repokey-blake2";
      # The passphrase is read from the deployed key file when borg asks for
      # it, so it is not part of the evaluated configuration.
      encryption.passCommand = "cat /run/keys/borgbackup/passphrase";

      # NOTE(review): no known-hosts or host-key options are passed to ssh,
      # so authenticating the repo server depends on the job user's ssh
      # configuration - consider pinning the server's host key
      # (e.g. programs.ssh.knownHosts).
      environment.BORG_RSH = "ssh -i /run/keys/borgbackup/ssh-key";

      # NOTE(review): compression is disabled; presumably /storage holds
      # data that does not compress well - confirm.
      compression = "none";
      startAt = "daily";
    };
  };
}