Diffstat (limited to 'modules/backup-server.nix')
-rw-r--r--modules/backup-server.nix48
1 files changed, 48 insertions, 0 deletions
diff --git a/modules/backup-server.nix b/modules/backup-server.nix
new file mode 100644
index 0000000..774d71e
--- /dev/null
+++ b/modules/backup-server.nix
@@ -0,0 +1,48 @@
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.orbekk.backups;
+
+ backups.pincer = {
+ paths = [ "/etc/nixos" ];
+ doInit = true;
+ repo = cfg.serverLocation;
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}";
+ };
+ environment = { BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}"; };
+ compression = "auto,lzma";
+ startAt = "daily";
+ };
+
+ backupJob = {
+ ${config.networking.hostName} = backups.${config.networking.hostName};
+ };
+in
+{
+ options = {
+ orbekk.backups = {
+ enableServer = lib.mkEnableOption "Enable backup server";
+ enableClient = lib.mkEnableOption "Enable backup client";
+ serverLocation = lib.mkOption {
+ type = lib.types.str;
+ default = "borg@localhost:.";
+ };
+ };
+ };
+
+ config = {
+ age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age;
+ age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age;
+
+ services.borgbackup.repos = lib.mkIf cfg.enableServer {
+ pincer = {
+ authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ];
+ path = [ "/var/lib/borg-pincer" ];
+ };
+ };
+
+ services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJob;
+ };
+}
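Review bot: Both `age.secrets.*` declarations sit directly under `config` with no `lib.mkIf`, so every host that imports this module, including one that sets only `enableServer`, is asked to provision the client's repository passphrase and SSH private key; wrapping them as `age.secrets = lib.mkIf cfg.enableClient { pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; };` keeps that material on the client only. In the repo definition, `authorizedKeys` gives the client key full access to the repository, so a compromised client could also alter or delete existing archives; `authorizedKeysAppendOnly = [ ... ]` is the narrower grant if pruning can be run from the server side. `path = [ "/var/lib/borg-pincer" ];` is a list, while the NixOS option appears to expect a single path, so this likely needs to be `path = "/var/lib/borg-pincer";`. `serverLocation` has no `description`, and `backupJob` indexes `backups` by `config.networking.hostName`, which only resolves on a host named `pincer`.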