Borgbackup

Fixes privatestorageops#314.

---

This adds off-site backup for our user ciphertext using the Borg backup software and the SaaS backup storage provider borgbase.com.

morph/lib/borgbackup.nix

 # Importing this adds a daily borg backup job to a node.
-# It has all the common config and keys, but can be configured
+# It has all the common config and keys, and can be configured
 # to back up more (or entirely different) folders.
 
 
-{ lib, config, ...}:
+{ lib, config, pkgs, ...}:
 let
   cfg = config.services.private-storage.borgbackup;
   inherit (config.grid) publicKeyPath privateKeyPath;
 
-  # Get a per-host number of hours to start the backup at a
-  # time that should be "night" in most of the USA:
+  # Get a per-host number so backup jobs don't all run at the
+  # same time.
   ip-util = import ../../nixos/lib/ip-util.nix;
-  backupDelayHours = with builtins; bitAnd (ip-util.fromHexString
+  backupDelay = with builtins; bitAnd (ip-util.fromHexString
     (hashString "md5" config.networking.hostName)) 15;
 
 in {
@@ -59,8 +59,21 @@ in {
 
         # Start the backup at a different time per machine,
         # and not at the full hour, but somewhat later
-        startAt = "*-*-* " + toString backupDelayHours + ":22:11 UTC";
+        startAt = "*-*-* " + toString backupDelay + ":22:11 UTC";
       };
     };
+
+    # Check repo once a month
+    systemd.services.borgbackup-check-repo = {
+      # Once a month, 3h after last backup started
+      startAt = "*-*-" + toString backupDelay + " 18:33:22 UTC";
+      path = [ pkgs.borgbackup ];
+      environment = {
+        BORG_PASSCOMMAND = "cat /run/keys/borgbackup/passphrase";
+        BORG_RSH = "ssh -i /run/keys/borgbackup/ssh-key";
+        BORG_REPO = lib.fileContents "${publicKeyPath}/borgbackup/${config.networking.hostName}.repopath";
+      };
+      script = ''${pkgs.borgbackup}/bin/borg check'';
+    };
   };
 }