From 41bd91deb15d31c479566c68a404ca754a0c02a8 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa
Date: Tue, 18 Feb 2025 15:42:55 +0200
Subject: [PATCH] radish: add borgbackup
---
 hosts/radish/default.nix | 1 +
 hosts/radish/packages.nix | 59 ++++++++++++++++++++++++++++-
 hosts/radish/secrets.nix | 9 +++++
 secrets/borgbackup-radish.age | Bin 0 -> 542 bytes
 secrets/secrets.nix | 1 +
 secrets/uptime-kuma-borg-token.age | 9 +++++
 6 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 hosts/radish/secrets.nix
 create mode 100644 secrets/borgbackup-radish.age
 create mode 100644 secrets/uptime-kuma-borg-token.age
diff --git a/hosts/radish/default.nix b/hosts/radish/default.nix
index 5b40005..414024f 100644
--- a/hosts/radish/default.nix
+++ b/hosts/radish/default.nix
@@ -13,6 +13,7 @@ in
 ./containers.nix
 ./desktop.nix
 ./users.nix
+ ./secrets.nix
 lanzaboote.nixosModules.lanzaboote
 nixos-hardware.nixosModules.framework-13-7040-amd
 auto-cpufreq.nixosModules.default
diff --git a/hosts/radish/packages.nix b/hosts/radish/packages.nix
index 44ed17b..34da7f5 100644
--- a/hosts/radish/packages.nix
+++ b/hosts/radish/packages.nix
@@ -1,4 +1,7 @@
-{ pkgs, lib, inputs, ... }:
+{ pkgs, lib, inputs, config, ... }:
+let
+ secrets = config.age.secrets;
+in
 {
 nixpkgs.config.allowUnfree = true;
 nixpkgs.overlays = [ (import ../../custom-pkgs { inherit lib inputs; }) ];
@@ -41,8 +44,62 @@ HSA_OVERRIDE_GFX_VERSION = "11.0.3"; }; }; + + borgbackup.jobs.root = { + paths = "/"; + exclude = [ + "/nix" + "/var/cache" + "/run" + "/sys" + "/etc" + "/swap" + "/proc" + "**/node_modules" + "**/.cargo" + "**/ruby/*/gems" + "**/.cache" + "**/.meteor" + "**/.next" + "**/.local/share/containers/cache" + "**/.local/share/containers/storage/overlay" + "**/.local/share/docker/overlay2" + "**/log/*.log" + "**/.local/share/Trash" + ]; + environment = { + BORG_RSH = "ssh -i /root/.ssh/id_ed25519.borg"; + }; + repo = "ssh://u324815-sub2@u324815.your-storagebox.de:23/./backup"; + encryption = { + mode = "repokey"; + passphrase = "will be overridden from environment file"; + }; + extraCreateArgs = [ "--stats" "--progress" ]; + compression = "auto,zstd"; + startAt = "daily"; + persistentTimer = true; + preHook = with pkgs; '' + ${coreutils}/bin/timeout 60 ${bash}/bin/sh -c ' + until ${iputils}/bin/ping -c1 your-storagebox.de; do + sleep 1 + done + ' + ''; + postCreate = with pkgs; '' + ${curl}/bin/curl "https://status.freun.dev/api/push/''${UPTIME_KUMA_TOKEN}?status=up&msg=OK&ping=" + ''; + prune.keep = { + within = "3d"; + daily = 14; + weekly = 8; + monthly = -1; + }; + }; }; + systemd.services.borgbackup-job-root.serviceConfig.EnvironmentFile = secrets.borgbackup-radish.path; + programs = { zsh.enable = true; _1password-gui = { diff --git a/hosts/radish/secrets.nix b/hosts/radish/secrets.nix new file mode 100644 index 0000000..8523c9e --- /dev/null +++ b/hosts/radish/secrets.nix @@ -0,0 +1,9 @@ +{ lib, ... }: +{ + age.secrets = lib.listToAttrs + ( + map (secret: { name = secret; value = { file = ../../secrets/${secret}.age; }; }) [ + "borgbackup-radish" + ] + ); +} 
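Review bot: `encryption.passphrase` in the new `borgbackup.jobs.root` is a literal placeholder, and it is only harmless if the `EnvironmentFile` added further down really defines `BORG_PASSPHRASE`; the file's contents are not visible here, so that is an assumption. If the variable is missing or misspelled, the job would presumably still run, and possibly initialise the repository, with a passphrase that is public in this repository, and nothing would fail. Pointing the job at the secret directly removes that fail-open path, e.g. `passCommand = "cat ${secrets.<passphrase-secret>.path}";` in place of `passphrase`, where `<passphrase-secret>` is a placeholder for an age secret holding only the passphrase. Separately, `postCreate` calls curl without `--fail` or `--max-time`, so an HTTP error from the status endpoint goes unnoticed and a hung connection can stall the backup unit. The enclosing attribute set opens above the hunk.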
diff --git a/secrets/borgbackup-radish.age b/secrets/borgbackup-radish.age new file mode 100644 index 0000000000000000000000000000000000000000..1e4026dd7b0c07a1f75344b795fc5d69ea703247 GIT binary patch literal 542 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCU7FZOqia#ZjRDJZEl z%T5bRbaRaiaWxJoj&!duH+A+;^e{>DFmp8W@Q4ZwOpJ63&gV)@$;-4b3$t{t3h|0E zPA+!}b1}4VGVpfRPmU-EE6OM^OYta8H!w1GNk_NM#Vs>GBTykXEzvY3P2WGM*f1+U z%`qk4Ij2yah+@&NcD#)yOXpq3aJQl3A=870bgET+8n4?_>Q2{mpB&`b z{Fo)m_aE1S&0TMp*k?^wco*^^)Fx`n23?IgFGICG&lVaL>hPSDIifsKa`|5273MqM zO=mx}#bMsL`3y0kFMqF=KW$oA;@9#rZ!4dui1CGhyFV-ak4)>@Z)_oOo1OLa@us~Q I{2$!C0Z3`R1poj5 literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 8fec0a0..2757ddd 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -21,4 +21,5 @@ in "dnote.age".publicKeys = users ++ [ freun-dev ]; "octodns.age".publicKeys = users ++ [ freun-dev ]; "mealie.age".publicKeys = users ++ [ freun-dev ]; + "borgbackup-radish.age".publicKeys = users ++ [ radish ]; } diff --git a/secrets/uptime-kuma-borg-token.age b/secrets/uptime-kuma-borg-token.age new file mode 100644 index 0000000..27e2fa8 --- /dev/null +++ b/secrets/uptime-kuma-borg-token.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 osOCZA nk3tPnHuA6Ozpahwot8YpakJXsloy3N9XCg4pZsUkGg +EMQszNhC3Hzt/MwpxUrjCTuofWkNB883EKlNUEUVbbs +-> ssh-ed25519 DFiohQ dsyS7ANYPPgBTHyq6n8gRhDSfOZ2k8dy9EgB0lQgdRw +K4h6JZ4W38zQdff7ZY92ka2q58444EL+nvlJvmxKT2w +-> ssh-ed25519 hRPDBg 53NZD4bMhGYZ8dkoP4T+LjzFh+3u9WnhMnUTktUFeU4 +U3GYIVhGgV6nCk9P+Fo+CHjBlSEQiiO3nTnJlGklui4 +--- uqnbehYLZuAdETE2fTMaKder1g3P1CCQPVhQqP01sKM +x:&ֽQFL0$ŧQ،>b[z! kka \ No newline at end of file
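Review bot: No `"uptime-kuma-borg-token.age".publicKeys` rule is added in the `secrets/secrets.nix` hunk next to the new `"borgbackup-radish.age"` one, although this commit also creates `secrets/uptime-kuma-borg-token.age`, and `hosts/radish/secrets.nix` lists only `borgbackup-radish`. Unless a rule already exists in the part of `secrets/secrets.nix` outside this hunk, the token file has no declared recipients for editing or rekeying and is not deployed to any host, so it looks like a leftover. Either add a rule such as `"uptime-kuma-borg-token.age".publicKeys = users ++ [ radish ];` (if radish is the intended recipient) and reference it from the host, or drop the file from the commit.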