From a1fe9a16f6d8b4abbf279372014cd2ab82e80fd8 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@private.storage>
Date: Fri, 29 Apr 2022 17:44:59 +0000
Subject: [PATCH] Borgbackup v1

---
 morph/grid/local/grid.nix |  1 +
 morph/lib/borgbackup.nix  | 50 +++++++++++++++++++++++++++++++++++++++
 morph/lib/default.nix     |  1 +
 3 files changed, 52 insertions(+)
 create mode 100644 morph/lib/borgbackup.nix

diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 088d9e8c..892f6dee 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -84,6 +84,7 @@ let
     imports = [
       gridlib.storage
       grid-module
+      gridlib.borgbackup
     ];
     config = {
       grid.monitoringvpnIPv4 = "172.23.23.12";
diff --git a/morph/lib/borgbackup.nix b/morph/lib/borgbackup.nix
new file mode 100644
index 00000000..e0655d59
--- /dev/null
+++ b/morph/lib/borgbackup.nix
@@ -0,0 +1,50 @@
+# Importing this adds a daily borgbackup job to a node.
+# It has all the common config and keys, but can
+# be extended invidually to include more folders.
+
+
+{ lib, config, ...}:
+let
+  inherit (config.grid) publicKeyPath privateKeyPath;
+in {
+  config = {
+    deployment = {
+      secrets = {
+        "borgbackup-repopath" = {
+          # This is the repo we are backing up to
+          # Not very secret, but not public either, and I'd rather keep it with
+          # the rest of the backup destination config
+          destination = "/run/keys/borgbackup/repopath";
+          source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.repopath";
+        };
+        "borgbackup-passphrase" = {
+          # The passphrase is used to encrypt the repo key
+          # https://borgbackup.readthedocs.io/en/stable/usage/init.html
+          destination = "/run/keys/borgbackup/passphrase";
+          source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.passphrase";
+        };
+        "borgbackup-appendonly-ssh-key" = {
+          # The ssh key is used to authenticate to the remote repo server
+          destination = "/run/keys/borgbackup/ssh-key";
+          source = "${privateKeyPath}/borgbackup/${config.networking.hostName}.ssh-key";
+        };
+      };
+    };
+
+    services.borgbackup.jobs = {
+      daily = {
+        paths = [ "/storage" ];
+        repo = lib.fileContents config.deployment.secrets.borgbackup-repopath.source;
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat /run/keys/borgbackup/passphrase";
+        };
+        environment = {
+          BORG_RSH = "ssh -i /run/keys/borgbackup/ssh-key";
+        };
+        compression = "none";
+        startAt = "daily";
+      };
+    };
+  };
+}
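Review bot: `repo = lib.fileContents config.deployment.secrets.borgbackup-repopath.source;` reads the repo-path file at evaluation time on the deploying machine, so its contents are baked into the generated NixOS configuration in the world-readable Nix store, and the `borgbackup-repopath` secret deployed to `/run/keys/borgbackup/repopath` is never read by the job. Either drop that secret entry and keep the path as ordinary configuration, or extend the comment above it with `# NOTE: read at eval time via lib.fileContents; lands in the Nix store, the /run/keys copy is unused` so the next maintainer does not assume the store copy is protected. The passphrase and ssh-key entries declare no owner or permissions; unless morph's defaults are stricter than I recall, the deployed files may be readable by other local users, so consider setting `permissions = "0400";` (morph's secret option, if this version supports it) on all three. `BORG_RSH` also supplies no known_hosts handling, so the first run depends on the repo server's host key already being present in root's known_hosts; worth a comment or an explicit `-o UserKnownHostsFile=` pointing at a file you deploy.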
diff --git a/morph/lib/default.nix b/morph/lib/default.nix
index f236b8ca..c99c19a5 100644
--- a/morph/lib/default.nix
+++ b/morph/lib/default.nix
@@ -10,6 +10,7 @@
   issuer = import ./issuer.nix;
   storage = import ./storage.nix;
   monitoring = import ./monitoring.nix;
+  borgbackup = import ./borgbackup.nix;
 
   modules = builtins.toString ../../nixos/modules;
 
-- 
GitLab