nixos-config/nixos/system/all/borg-jobs.nix

{ config, lib, ... }:
# borg core setup
# ---------------
# provides an easy interface for all services
# to append it's files to be backuped
{

  options = {
    backup.dirs = lib.mkOption {
      default = [ ];
      type = with lib.types; listOf str;
      description = ''
        folders to backup
      '';
    };
    backup.exclude = lib.mkOption {
      default = [ ];
      type = with lib.types; listOf str;
      description = ''
        exclude files and folders matching a pattern.
        Theses patterns effect all folders in `backup.dirs`.
        see man borg pattern for more information
      '';
      example = [ ".git" "/home/*/.cache" ".stfolder" ];
    };
  };

  config =
    let

      servers = [
        {
          name = "robi";
          host = "144.76.13.147";
        }
        {
          name = "pepe";
          host = "pepe.private";
        }
      ];

      dirs = config.backup.dirs;

      myHostname = config.networking.hostName;

      setup = server: {
        paths = config.backup.dirs;
        exclude = config.backup.exclude;
        doInit = true;
        repo = "borg@${server}:./${myHostname}";
        encryption = {
          mode = "repokey-blake2";
          passCommand = "cat ${config.sops.secrets.backup_repository_passphrase.path}";
        };
        environment = {
          BORG_RSH = "ssh -i ${toString config.sops.secrets.backup_ssh_rsa_private.path}";
          BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
        };
        compression = "auto,lzma";
        startAt = "daily";
        prune.keep = {
          within = "10d"; # Keep all backups in the last 10 days.
          weekly = 8; # Keep 8 additional end of week archives.
          monthly = -1; # Keep end of month archive for every month
        };

      };

    in
    {

      sops.secrets.backup_repository_passphrase = { };
      sops.secrets.backup_ssh_rsa_private = { };

      services.borgbackup.jobs =
        let
          setups = map ({ name, host }: { "${name}" = setup host; }) servers;
          setupAttrs = lib.zipAttrsWith (_: vals: lib.head vals) setups;
          nonEmptySetups =
            lib.filterAttrs (_: { paths, ... }: builtins.length paths != 0)
              setupAttrs;
        in
        nonEmptySetups;

    };

}