From f37c9811822642ae4191488ee9350577ec74e096 Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen
Date: Fri, 8 Mar 2024 01:19:40 +0100
Subject: [PATCH] voyager: initialize borg backups
---
hosts/voyager/backup.nix | 47 +++++++++++++++++++++++++++++++++
hosts/voyager/configuration.nix | 4 +--
secrets/voyager/voyager.yaml | 7 +++--
3 files changed, 54 insertions(+), 4 deletions(-)
create mode 100644 hosts/voyager/backup.nix
diff --git a/hosts/voyager/backup.nix b/hosts/voyager/backup.nix
new file mode 100644
index 0000000..3d63e35
--- /dev/null
+++ b/hosts/voyager/backup.nix
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+{
+ services.borgbackup.jobs =
+ let
+ borgJob = name: {
+ environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
+ environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
+ repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
+ compression = "auto,zstd";
+ };
+ in {
+ postgresDaily = borgJob "postgres::daily" // {
+ paths = "/var/backup/postgres";
+ startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
+ extraInitArgs = "--storage-quota 10G";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+ };
+ };
+
+ postgresWeekly = borgJob "postgres::weekly" // {
+ paths = "/var/backup/postgres";
+ startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
+ extraInitArgs = "--storage-quota 10G";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+ };
+ };
+
+ transmission = borgJob "transmission::weekly" // {
+ paths = "/var/lib/transmission";
+ startAt = "weekly";
+ encryption = {
+ mode = "repokey-blake2";
+ passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
+ };
+ };
+
+ # TODO: kanidm, timemachine, calibre(?), nextcloud
+
+ };
+
+ sops.secrets."borg/postgres" = { };
+ sops.secrets."borg/transmission" = { };
+}
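Review bot: The `BORG_RSH` line in `borgJob` points at `/root/.ssh/fealsyn1`, a key this patch does not declare (the two `sops.secrets` entries cover only the passphrases), and nothing in the file pins the host key of `feal-syn1.home.feal.no`, so the unattended jobs depend on state that presumably lives only in root's home directory. If that is not handled elsewhere in the repo, manage the key as a sops secret and add `programs.ssh.knownHosts."feal-syn1.home.feal.no".publicKey = "<NAS_HOST_PUBLIC_KEY>";`. The names passed to `borgJob` contain `::`, which borg treats as the repository/archive separator, so it is worth confirming that `postgres::daily` and `postgres::weekly` really resolve to two separate repositories with their own 10G quota; `archiveBaseName` is the usual way to tell archives apart. None of the three jobs sets `prune.keep`, so the postgres repositories will eventually reach `--storage-quota 10G` and later `borg create` runs will be refused.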
diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix index a940e50..ef5546b 100644 --- a/hosts/voyager/configuration.nix +++ b/hosts/voyager/configuration.nix @@ -6,9 +6,9 @@ ../../base.nix ../../common/metrics-exporters.nix ./hardware-configuration.nix - ./filesystems.nix - # ./wireguard.nix + ./backup.nix ./exports.nix + ./filesystems.nix ./services/snappymail.nix ./services/calibre.nix diff --git a/secrets/voyager/voyager.yaml b/secrets/voyager/voyager.yaml index ad3c486..c56d78b 100644 --- a/secrets/voyager/voyager.yaml +++ b/secrets/voyager/voyager.yaml @@ -12,6 +12,9 @@ transmission: vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str] nextcloud: adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str] +borg: + transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str] + postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str] sops: kms: [] gcp_kms: [] 
@@ -45,8 +48,8 @@ sops: NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB 4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-02-08T13:44:57Z" - mac: ENC[AES256_GCM,data:oy6uBKFDm7J70OZuZtCziKeNkV5u9/RabGF2gXOONeHqFD/9jXhHsWIrDYrgwHPCyauJyAZqwnw/+wNUMNUzk25rM1iBaBJg0+mjUnFGBEhrAUJu8hSHl2EAHEauhzPqRS0L7bew75FmuGs56Wo58DkdvdnCjjs3XIAOj8kjv/g=,iv:/rbPS8xANKV9sSC7e1OAQuIeJK7OtlUMggxN/RW+GLs=,tag:5kE7m7ZrfIPF+ulCsiPLVQ==,type:str] + lastmodified: "2024-03-07T23:59:51Z" + mac: ENC[AES256_GCM,data:tRsHevzZTnfIqjqJI2lqbUCoFrNq8Hb7hyZKt41A1XUrd54BiqHhhPqXwp2HN7KmdxXWdnXBRGZEkNVfocGbi2gFV5IhW1oh+VRMnBLvDriqDbj6nh87wZ0OEZNLDuz/MjMaL3UIgMNzxFnjM47QNgt9oj9fXenfuFYitlwCw58=,iv:nL5vhy370eqVEHRk6jrm1mjPcHet0RN9txD9lTMi0Qo=,tag:4TvH2N8jm+AJLr/Pp6jgOA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1