Diffstat (limited to 'modules/backup-server.nix')
-rw-r--r-- | modules/backup-server.nix | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
new file mode 100644
index 0000000..774d71e
--- /dev/null
+++ b/modules/backup-server.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.backups;
+
+ backups.pincer = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
+ backupJob = {
+ ${config.networking.hostName} = backups.${config.networking.hostName};
+ };
+in
+{
+ options = {
+ orbekk.backups = {
+ enableServer = lib.mkEnableOption "Enable backup server";
+ enableClient = lib.mkEnableOption "Enable backup client";
+ serverLocation = lib.mkOption {
+ type = lib.types.str;
+ default = "borg@localhost:.";
+ };
+ };
+ };
+
+ config = {
+ age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
+ age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+
+ services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ pincer = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/borg-pincer" ];
+ };
+ };
+
+ services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJob;
+ };
+} |
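Review bot: The two `age.secrets.pincer-borg-*` declarations in `config` sit outside any `lib.mkIf`, so every host that imports this module, including one with only `enableServer` set, is configured to decrypt the repo passphrase and the client's SSH private key; with `repokey-blake2` the key material is stored in the repository itself, so a server that also holds the passphrase can read the backups. Scope them to the client, e.g. `age.secrets = lib.mkIf cfg.enableClient { pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; };` (which hosts are age recipients is decided outside this hunk, so confirm the server is not one). In `services.borgbackup.repos.pincer`, `authorizedKeys` gives the client key full access, including deleting and pruning archives; listing the key under `authorizedKeysAppendOnly` instead would keep a compromised client from destroying existing backups, with pruning then done from the server side. `path = [ "/var/lib/borg-pincer" ]` also looks like it should be a plain path string rather than a list; check it against the option's declared type.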