Diffstat (limited to 'modules/backup-server.nix')
-rw-r--r-- | modules/backup-server.nix | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/modules/backup-server.nix b/modules/backup-server.nix index 774d71e..fbe9c25 100644 --- a/modules/backup-server.nix +++ b/modules/backup-server.nix @@ -16,6 +16,19 @@ let startAt = "daily"; }; + backups.dragon = { + paths = [ "/etc/nixos" ]; + doInit = true; + repo = cfg.serverLocation; + encryption = { + mode = "repokey-blake2"; + passCommand = "cat ${config.age.secrets.dragon-borg-repo-key.path}"; + }; + environment = { BORG_RSH = "ssh -i ${config.age.secrets.dragon-borg-ssh-key.path}"; }; + compression = "auto,lzma"; + startAt = "daily"; + }; + backupJob = { ${config.networking.hostName} = backups.${config.networking.hostName}; }; @@ -33,10 +46,18 @@ in }; config = { - age.secrets.pincer-borg-repo-key.file = ../secrets/pincer-borg-repo-key.age; - age.secrets.pincer-borg-ssh-key.file = ../secrets/pincer-borg-ssh-key.age; + age.secrets = lib.mkIf cfg.enableClient { + "${config.networking.hostName}-borg-repo-key".file = + ../secrets/${config.networking.hostName}-borg-repo-key.age; + "${config.networking.hostName}-borg-ssh-key".file = + ../secrets/${config.networking.hostName}-borg-ssh-key.age; + }; services.borgbackup.repos = lib.mkIf cfg.enableServer { + dragon = { + authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ]; + path = [ "/var/lib/dragon" ]; + }; pincer = { authorizedKeys = [ (builtins.readFile ../secrets/pincer-borg-ssh-key.pub) ]; path = [ "/var/lib/borg-pincer" ]; |
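Review bot: `backups.dragon` hard-codes the secret names `dragon-borg-repo-key` and `dragon-borg-ssh-key`, while the `age.secrets` declarations in the second hunk derive them from `config.networking.hostName`, so the two can drift apart when another host is added. Only the tail of the existing job is visible, but the new block appears to differ from it only by host name; deriving the names here too, e.g. `passCommand = "cat ${config.age.secrets."${config.networking.hostName}-borg-repo-key".path}";`, would keep a single definition. A comment above `mode = "repokey-blake2";` would also help, such as `# repokey: the key is stored in the server-side repo; confidentiality rests on the passphrase held in the age secret`. The enclosing `let` block starts outside the hunk.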
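Review bot: The new `dragon` repo authorizes `../secrets/pincer-borg-ssh-key.pub`, which is pincer's public key rather than dragon's, so unless both hosts share one key pair, the key the dragon job presents through `BORG_RSH` (`dragon-borg-ssh-key`) is not accepted for this repo while pincer's key is. This looks like a copy-paste slip, and it breaks per-host isolation because one client key ends up authorized for two repos. Assuming dragon's public half is stored next to pincer's, the line should read `authorizedKeys = [ (builtins.readFile ../secrets/dragon-borg-ssh-key.pub) ];` (file name assumed, it is not shown on the page). If clients never need to prune, `authorizedKeysAppendOnly` would further limit what a compromised client can do to its archives. The path `/var/lib/dragon` also departs from the `/var/lib/borg-pincer` naming used for the existing repo.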