voyager: initialize borg backups

hosts/voyager/backup.nix

@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+{
+  services.borgbackup.jobs =
+    let
+      borgJob = name: {
+        environment.BORG_RSH = "ssh -i /root/.ssh/fealsyn1";
+        environment.BORG_REMOTE_PATH = "/usr/local/bin/borg";
+        repo = "ssh://backup@feal-syn1.home.feal.no/volume2/backup/borg/voyager/${name}";
+        compression = "auto,zstd";
+      };
+    in {
+      postgresDaily = borgJob "postgres::daily" // {
+        paths = "/var/backup/postgres";
+        startAt = "*-*-* 05:15:00"; # 2 hours after postgresqlBackup
+        extraInitArgs = "--storage-quota 10G";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+        };
+      };
+
+      postgresWeekly = borgJob "postgres::weekly" // {
+        paths = "/var/backup/postgres";
+        startAt = "Mon *-*-* 05:15:00"; # 2 hours after postgresqlBackup
+        extraInitArgs = "--storage-quota 10G";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.sops.secrets."borg/postgres".path}";
+        };
+      };
+
+      transmission = borgJob "transmission::weekly" // {
+        paths = "/var/lib/transmission";
+        startAt = "weekly";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.sops.secrets."borg/transmission".path}";
+        };
+      };
+
+      # TODO: kanidm, timemachine, calibre(?), nextcloud
+
+    };
+
+  sops.secrets."borg/postgres" = { };
+  sops.secrets."borg/transmission" = { };
+}

hosts/voyager/configuration.nix

@@ -6,9 +6,9 @@
       ../../base.nix
       ../../common/metrics-exporters.nix
       ./hardware-configuration.nix
-      ./filesystems.nix
+      ./backup.nix
-      # ./wireguard.nix
       ./exports.nix
+      ./filesystems.nix
 
       ./services/snappymail.nix
       ./services/calibre.nix

secrets/voyager/voyager.yaml

@@ -12,6 +12,9 @@ transmission:
     vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
 nextcloud:
     adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
+borg:
+    transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str]
+    postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -45,8 +48,8 @@ sops:
             NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
             4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-02-08T13:44:57Z"
+    lastmodified: "2024-03-07T23:59:51Z"
-    mac: ENC[AES256_GCM,data:oy6uBKFDm7J70OZuZtCziKeNkV5u9/RabGF2gXOONeHqFD/9jXhHsWIrDYrgwHPCyauJyAZqwnw/+wNUMNUzk25rM1iBaBJg0+mjUnFGBEhrAUJu8hSHl2EAHEauhzPqRS0L7bew75FmuGs56Wo58DkdvdnCjjs3XIAOj8kjv/g=,iv:/rbPS8xANKV9sSC7e1OAQuIeJK7OtlUMggxN/RW+GLs=,tag:5kE7m7ZrfIPF+ulCsiPLVQ==,type:str]
+    mac: ENC[AES256_GCM,data:tRsHevzZTnfIqjqJI2lqbUCoFrNq8Hb7hyZKt41A1XUrd54BiqHhhPqXwp2HN7KmdxXWdnXBRGZEkNVfocGbi2gFV5IhW1oh+VRMnBLvDriqDbj6nh87wZ0OEZNLDuz/MjMaL3UIgMNzxFnjM47QNgt9oj9fXenfuFYitlwCw58=,iv:nL5vhy370eqVEHRk6jrm1mjPcHet0RN9txD9lTMi0Qo=,tag:4TvH2N8jm+AJLr/Pp6jgOA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1