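# NixOS module: scheduled borgmatic backups of the persistent Longhorn data to a
# local (NFS) Borg repository and an off-site BorgBase repository.
{ pkgs, lib, config, ... }:
let
  cfg = config.pim.backups;

  # Runtime paths of the sops-nix managed secrets. Only the paths end up in the
  # Nix store; the decrypted content is materialised by sops-nix at activation.
  passphraseFile = config.sops.secrets."borg/borgPassphrase".path;
  borgbaseKeyFile = config.sops.secrets."borg/borgbasePrivateKey".path;

  # borgmatic configuration rendered into the store. It must not contain secret
  # material itself (the store is world-readable); it references secrets by path.
  borgmaticConfig = pkgs.writeTextFile {
    name = "borgmatic-config.yaml";
    text = lib.generators.toYAML {} {
      source_directories = [ "/mnt/longhorn/persistent/longhorn-backup" ];
      repositories = [
        { path = cfg.repoLocation; label = "nfs"; }
        { path = "ssh://s6969ym3@s6969ym3.repo.borgbase.com/./repo"; label = "borgbase"; }
      ];
      # SECURITY: this previously used `StrictHostKeyChecking=no`, which accepts
      # any host key on every connection and so lets a network-position attacker
      # impersonate the BorgBase endpoint (the repo is encrypted, but the SSH
      # session, repo metadata and the private key's use are exposed).
      # `accept-new` records the key on first contact and refuses a changed key
      # afterwards, while still working unattended. Pinning the published
      # BorgBase host key via `-o UserKnownHostsFile=<sops-managed file>` is
      # stronger and should replace this once the key has been recorded.
      ssh_command = "${pkgs.openssh}/bin/ssh -i ${borgbaseKeyFile} -o StrictHostKeyChecking=accept-new";
      keep_daily = 7;
      keep_weekly = 4;
      keep_monthly = 12;
      # Passed through to `borg prune` unchanged; NOTE(review): confirm that a
      # negative value has the intended "keep all" meaning for the borg in use.
      keep_yearly = -1;
      # borg reads the passphrase via this command, so it never appears in the
      # process environment or the store.
      encryption_passcommand = "${pkgs.coreutils}/bin/cat ${passphraseFile}";
    };
  };
in
{
  options.pim.backups = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to enable backups of persistent data on this machine.
      '';
    };

    repoLocation = lib.mkOption {
      default = "/mnt/longhorn/persistent/nfs.borg";
      type = lib.types.str;
      description = ''
        Location of the Borg repository to back up to.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Make `borg` available interactively for manual restores / repo inspection.
    environment.systemPackages = with pkgs; [ borgbackup ];

    # Converted from:
    # https://github.com/borgmatic-collective/borgmatic/tree/84823dfb912db650936e3492f6ead7e0e0d32a0f/sample/systemd
    systemd.services.borgmatic = {
      description = "borgmatic backup";
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      # Skip the run when on battery; the timer's Persistent=true catches it up.
      unitConfig.ConditionACPower = true;
      preStart = "${pkgs.coreutils}/bin/sleep 10s";
      serviceConfig = {
        Type = "oneshot";
        # Low CPU/IO priority so a backup does not starve interactive workloads.
        Nice = 19;
        CPUSchedulingPolicy = "batch";
        IOSchedulingClass = "best-effort";
        IOSchedulingPriority = 7;
        IOWeight = 100;
        Restart = "no";
        LogRateLimitIntervalSec = 0;
        # NOTE(review): the passphrase is already supplied through
        # `encryption_passcommand` in the borgmatic config; whether borg honours
        # this variable as well is not established here — verify before relying
        # on it, and drop it if it is dead configuration.
        Environment = "BORG_PASSPHRASE_FILE=${passphraseFile}";
      };
      # Hold a sleep/shutdown inhibitor for the duration of the backup so a
      # half-written archive is not left behind by a suspend.
      script = ''
        ${pkgs.systemd}/bin/systemd-inhibit --who="borgmatic" --what="sleep:shutdown" \
          --why="Prevent interrupting scheduled backup" \
          ${pkgs.borgmatic}/bin/borgmatic --verbosity -2 --syslog-verbosity 1 -c ${borgmaticConfig}
      '';
    };

    systemd.timers.borgmatic = {
      description = "Run borgmatic backup";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*-*-* 3:00:00";
        Persistent = true;
        RandomizedDelaySec = "1h";
      };
    };

    # Default sops-nix ownership/mode (root, read-only) is what the root-run
    # service needs; do not widen it.
    sops.secrets = {
      "borg/borgPassphrase" = {};
      "borg/borgbasePrivateKey" = {};
    };
  };
}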