🚧 borgbackup for paperless

flake.nix

@@ -236,6 +236,7 @@
               # backup key
               "${config.clan.core.clanDir}/machines/chungus/facts/ssh.syncoid.id_ed25519.pub"
               "${config.clan.core.clanDir}/machines/chungus/facts/ssh.rbackup.id_ed25519.pub"
+              "${config.clan.core.clanDir}/machines/chungus/facts/ssh.paperless-ngx.id_ed25519.pub"
             ];
           }
         )

machines/chungus/service-paperless.nix

@@ -3,6 +3,7 @@
   pkgs,
   lib,
   nixos-artwork,
+  factsGenerator,
   ...
 }:
 {
@@ -50,4 +51,35 @@
       proxyWebsockets = true;
     };
   };
+
+  clan.core.facts.services."paperless-ngx.borg" = factsGenerator.password { name = "borgbackup"; };
+  clan.core.facts.services."paperless-ngx.ssh" = factsGenerator.ssh { name = "paperless-ngx"; };
+
+  # backup
+  services.borgbackup.jobs."paperless-ngx" = {
+    paths = [ config.services.paperless.dataDir ];
+    repo = "root@orbi.bear:${config.networking.hostName}/paperless-borg-backup";
+    compression = "auto,lzma";
+    startAt = "daily";
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat ${
+        toString config.clan.core.facts.services."paperless-ngx.borg".secret."password.borgbackup".path
+      }";
+    };
+    environment = {
+      BORG_RSH = "ssh -i ${
+        toString
+          config.clan.core.facts.services."paperless-ngx.ssh".secret."ssh.paperless-ngx.id_ed25519".path
+      }";
+      BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+    };
+    prune.keep = {
+      within = "10d"; # Keep all backups in the last 10 days.
+      weekly = 8; # Keep 8 additional end of week archives.
+      monthly = -1; # Keep end of month archive for every month
+    };
+    doInit = true;
+  };
+
 }