radish: add borgbackup

hosts/radish/default.nix

@@ -13,6 +13,7 @@ in
     ./containers.nix
     ./desktop.nix
     ./users.nix
+    ./secrets.nix
     lanzaboote.nixosModules.lanzaboote
     nixos-hardware.nixosModules.framework-13-7040-amd
     auto-cpufreq.nixosModules.default

hosts/radish/packages.nix

@@ -1,4 +1,7 @@
-{ pkgs, lib, inputs, ... }:
+{ pkgs, lib, inputs, config, ... }:
+let
+  secrets = config.age.secrets;
+in
 {
   nixpkgs.config.allowUnfree = true;
   nixpkgs.overlays = [ (import ../../custom-pkgs { inherit lib inputs; }) ];
@@ -41,8 +44,62 @@
         HSA_OVERRIDE_GFX_VERSION = "11.0.3";
       };
     };
+
+    borgbackup.jobs.root = {
+      paths = "/";
+      exclude = [
+        "/nix"
+        "/var/cache"
+        "/run"
+        "/sys"
+        "/etc"
+        "/swap"
+        "/proc"
+        "**/node_modules"
+        "**/.cargo"
+        "**/ruby/*/gems"
+        "**/.cache"
+        "**/.meteor"
+        "**/.next"
+        "**/.local/share/containers/cache"
+        "**/.local/share/containers/storage/overlay"
+        "**/.local/share/docker/overlay2"
+        "**/log/*.log"
+        "**/.local/share/Trash"
+      ];
+      environment = {
+        BORG_RSH = "ssh -i /root/.ssh/id_ed25519.borg";
+      };
+      repo = "ssh://u324815-sub2@u324815.your-storagebox.de:23/./backup";
+      encryption = {
+        mode = "repokey";
+        passphrase = "will be overridden from environment file";
+      };
+      extraCreateArgs = [ "--stats" "--progress" ];
+      compression = "auto,zstd";
+      startAt = "daily";
+      persistentTimer = true;
+      preHook = with pkgs; ''
+        ${coreutils}/bin/timeout 60 ${bash}/bin/sh -c '
+          until ${iputils}/bin/ping -c1 your-storagebox.de; do
+            sleep 1
+          done
+        '
+      '';
+      postCreate = with pkgs; ''
+        ${curl}/bin/curl "https://status.freun.dev/api/push/''${UPTIME_KUMA_TOKEN}?status=up&msg=OK&ping="
+      '';
+      prune.keep = {
+        within = "3d";
+        daily = 14;
+        weekly = 8;
+        monthly = -1;
+      };
+    };
   };
 
+  systemd.services.borgbackup-job-root.serviceConfig.EnvironmentFile = secrets.borgbackup-radish.path;
+
   programs = {
     zsh.enable = true;
     _1password-gui = {

hosts/radish/secrets.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+{
+  age.secrets = lib.listToAttrs
+    (
+      map (secret: { name = secret; value = { file = ../../secrets/${secret}.age; }; }) [
+        "borgbackup-radish"
+      ]
+    );
+}

secrets/secrets.nix

@@ -21,4 +21,5 @@ in
   "dnote.age".publicKeys = users ++ [ freun-dev ];
   "octodns.age".publicKeys = users ++ [ freun-dev ];
   "mealie.age".publicKeys = users ++ [ freun-dev ];
+  "borgbackup-radish.age".publicKeys = users ++ [ radish ];
 }

secrets/uptime-kuma-borg-token.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA nk3tPnHuA6Ozpahwot8YpakJXsloy3N9XCg4pZsUkGg
+EMQszNhC3Hzt/MwpxUrjCTuofWkNB883EKlNUEUVbbs
+-> ssh-ed25519 DFiohQ dsyS7ANYPPgBTHyq6n8gRhDSfOZ2k8dy9EgB0lQgdRw
+K4h6JZ4W38zQdff7ZY92ka2q58444EL+nvlJvmxKT2w
+-> ssh-ed25519 hRPDBg 53NZD4bMhGYZ8dkoP4T+LjzFh+3u9WnhMnUTktUFeU4
+U3GYIVhGgV6nCk9P+Fo+CHjBlSEQiiO3nTnJlGklui4
+--- uqnbehYLZuAdETE2fTMaKder1g3P1CCQPVhQqP01sKM
+xŠŸ´:&Ö½Qí<51>FL0$ŧ¬QØŒ>b«[ÁŽ¬®°z!