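# Borg backup roles for the orbekk hosts.
#
# * orbekk.backups.enableClient: the host named by networking.hostName runs
#   the matching job from `backups` below; its repo passphrase and SSH key
#   are agenix secrets named "<host>-borg-repo-key" / "<host>-borg-ssh-key".
# * orbekk.backups.enableServer: one borg repo per client, each reachable
#   only with that client's SSH public key (services.borgbackup.repos).
{ config, lib, pkgs, ... }:

let
  cfg = config.orbekk.backups;
  hostName = config.networking.hostName;

  # Per-client job definitions, keyed by host name.  Only the entry for the
  # current host is ever wired into services.borgbackup.jobs.
  backups = {
    pincer = {
      paths = [ "/etc/nixos" ];
      doInit = true;
      repo = cfg.serverLocation;
      encryption = {
        # repokey-*: the (passphrase-protected) key lives inside the repo on
        # the server, so the passphrase held in the agenix secret is the only
        # thing standing between a copy of the repo and the plaintext.
        mode = "repokey-blake2";
        passCommand = "cat ${config.age.secrets.pincer-borg-repo-key.path}";
      };
      environment = {
        # Per-host SSH identity; its .pub is what the server authorizes below.
        BORG_RSH = "ssh -i ${config.age.secrets.pincer-borg-ssh-key.path}";
      };
      compression = "auto,lzma";
      startAt = "daily";
    };

    dragon = {
      paths = [ "/home" "/opt" "/var" ];
      # Left out of the snapshot -- presumably LXD storage and local borg
      # state; confirm before narrowing or widening this list.
      exclude = [ "/var/lib/lxd" "/var/lib/borg" ];
      doInit = true;
      # NOTE: unlike pincer, this job ignores cfg.serverLocation and always
      # targets the breakds host.
      repo = "borg@www.breakds.org:.";
      encryption = {
        mode = "repokey-blake2";
        passCommand = "cat ${config.age.secrets.dragon-borg-repo-key.path}";
      };
      environment = {
        BORG_RSH = "ssh -i ${config.age.secrets.dragon-borg-ssh-key.path}";
      };
      compression = "auto,lzma";
      startAt = "daily";
      extraCreateArgs = "--stats";
    };
  };

  # Whether a job exists for this host.  Checked by an assertion below so a
  # misconfigured client fails with a readable message instead of a bare
  # "attribute '<host>' missing" from the attribute lookup.
  hasJob = backups ? ${hostName};

  backupJob = lib.optionalAttrs hasJob {
    ${hostName} = backups.${hostName};
  };
in
{
  options.orbekk.backups = {
    enableServer = lib.mkEnableOption "Enable backup server";
    enableClient = lib.mkEnableOption "Enable backup client";
    serverLocation = lib.mkOption {
      type = lib.types.str;
      default = "borg@localhost:.";
      description = "Borg repo location used by jobs that do not hard-code their remote (currently only pincer).";
    };
  };

  config = {
    assertions = [
      {
        assertion = cfg.enableClient -> hasJob;
        message = "orbekk.backups.enableClient is set on '${hostName}', but no backup job is defined for it (known hosts: ${lib.concatStringsSep ", " (lib.attrNames backups)}).";
      }
    ];

    # Both secrets are keyed by host name; the extra guard keeps a host
    # without a job from also referencing secret files that do not exist.
    age.secrets = lib.mkIf (cfg.enableClient && hasJob) {
      "${hostName}-borg-repo-key".file = ../secrets/${hostName}-borg-repo-key.age;
      "${hostName}-borg-ssh-key".file = ../secrets/${hostName}-borg-ssh-key.age;
    };

    # NOTE(review): keys listed in authorizedKeys get full access to their
    # repo, so a compromised client can delete or prune its own backup
    # history.  If that matters, move clients to authorizedKeysAppendOnly
    # and do pruning on the server side instead.
    services.borgbackup.repos = lib.mkIf cfg.enableServer {
      dragon = {
        # lib.fileContents drops the trailing newline so each key is exactly
        # one authorized_keys entry.
        authorizedKeys = [ (lib.fileContents ../secrets/dragon-borg-ssh-key.pub) ];
        # `path` is a single path; the previous one-element list only worked
        # through toString coercion.
        path = "/var/lib/dragon";
      };
      breakds = {
        authorizedKeys = [ (lib.fileContents ../data/breakds.pub) ];
        path = "/var/lib/borg/breakds";
      };
      pincer = {
        authorizedKeys = [ (lib.fileContents ../secrets/pincer-borg-ssh-key.pub) ];
        path = "/var/lib/borg-pincer";
      };
    };

    services.borgbackup.jobs = lib.mkIf cfg.enableClient backupJob;
  };
}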