added backup

flake.nix

@@ -59,6 +59,7 @@
           ./services/ergo.nix
           ./services/forgejo.nix
           ./services/forgejo-runner.nix
+          ./services/borgbackup.nix
           # ./services/akkoma.nix
         ];
       };
@@ -84,6 +85,7 @@
           ./hosts/vps/disko-config.nix
           ./services/coturn.nix
           ./services/wireguard-outer.nix
+          ./services/borgbackup-vps.nix
         ];
       };
 

services/borgbackup-vps.nix

@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+  # Inbound: accept desktop offsite backups
+  services.borgbackup.repos.desktop = {
+    path = "/var/lib/borg/desktop";
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvKMpaawaw5bp73/W4dm0YEZa2FT99pXHLOYqZS8NPL borg-desktop"
+    ];
+  };
+
+  # Inbound: accept homeserver backups
+  services.borgbackup.repos.homeserver = {
+    path = "/var/lib/borg/homeserver";
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEkWV7RJuN4/cGGsER7oHJ55R4aZZZuDnCn/fjyPd9KX borg-homeserver"
+    ];
+  };
+}

services/borgbackup.nix

@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  # Outbound: back up homeserver to VPS
+  services.borgbackup.jobs.homeserver = {
+    paths = [
+      "/var/lib"
+      "/etc"
+      "/home"
+    ];
+    repo = "ssh://borg@10.10.0.1/./homeserver";
+    environment.BORG_RSH = "ssh -i /etc/borg/ssh_key";
+    encryption = {
+      mode = "repokey";
+      passCommand = "cat /etc/borg/passphrase";
+    };
+    compression = "zstd";
+    startAt = "daily";
+    prune.keep = {
+      daily = 7;
+      weekly = 4;
+      monthly = 6;
+    };
+    exclude = [
+      "/var/lib/docker"
+      "/var/lib/containers"
+      "/var/lib/systemd/coredump"
+      "*.pyc"
+      "__pycache__"
+      ".cache"
+    ];
+  };
+
+  # Inbound: accept desktop backups
+  services.borgbackup.repos.desktop = {
+    path = "/var/lib/borg/desktop";
+    authorizedKeys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvKMpaawaw5bp73/W4dm0YEZa2FT99pXHLOYqZS8NPL borg-desktop"
+    ];
+  };
+}