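# Importing this adds a daily borgbackup job to a node.
# It has all the common config and keys, but can
# be extended individually to include more folders.
#
# Secrets are deployed to /run/keys/borgbackup/ and read from there at
# runtime by the job; only the repository path is read at evaluation time
# (see the note on `repo` below).
{ lib, config, ... }:
let
  cfg = config.services.private-storage.borgbackup;
  # Deployer-side directory holding the per-host private material.
  inherit (config.grid) privateKeyPath;
  # Per-host secret files are named "<hostName>.<kind>" under borgbackup/.
  # NOTE(review): if privateKeyPath is a Nix path value rather than a string,
  # interpolating it here copies the whole directory into the world-readable
  # Nix store -- confirm its declared type is a string.
  secretSource = kind:
    "${privateKeyPath}/borgbackup/${config.networking.hostName}.${kind}";
in
{
  options.services.private-storage.borgbackup = {
    enable = lib.mkEnableOption "Borgbackup daily backup job";
    paths = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      description = ''
        A list of directories to back up using Borg.
      '';
      default = [ "/storage" ];
    };
  };

  config = lib.mkIf cfg.enable {
    deployment = {
      secrets = {
        "borgbackup-repopath" = {
          # This is the repo we are backing up to
          # Not very secret, but not public either, and I'd rather keep it with
          # the rest of the backup destination config
          destination = "/run/keys/borgbackup/repopath";
          source = secretSource "repopath";
        };
        "borgbackup-passphrase" = {
          # The passphrase is used to encrypt the repo key
          # https://borgbackup.readthedocs.io/en/stable/usage/init.html
          destination = "/run/keys/borgbackup/passphrase";
          source = secretSource "passphrase";
        };
        "borgbackup-appendonly-ssh-key" = {
          # The ssh key is used to authenticate to the remote repo server
          # NOTE(review): "appendonly" in the name suggests the restriction is
          # enforced on the repo server for this key (e.g. in its
          # authorized_keys entry); nothing in this module enforces it --
          # confirm on the server side.
          destination = "/run/keys/borgbackup/ssh-key";
          source = secretSource "ssh-key";
        };
      };
    };

    services.borgbackup.jobs = {
      daily = {
        paths = cfg.paths;
        # Read at evaluation time, so the repo path ends up in the Nix store
        # and in the generated job script; consistent with the note above
        # that it is not really secret.
        repo = lib.fileContents config.deployment.secrets.borgbackup-repopath.source;
        encryption = {
          mode = "repokey-blake2";
          # Read from the deployed key file at runtime, never embedded in the store.
          passCommand = "cat /run/keys/borgbackup/passphrase";
        };
        environment = {
          # No host-key checking override here: ssh relies on the known_hosts
          # of the user the job runs as for the repo server's host key.
          BORG_RSH = "ssh -i /run/keys/borgbackup/ssh-key";
        };
        compression = "none";
        startAt = "daily";
      };
    };
  };
}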