From 311c85642b11ba7307e5f563c306071634ac6bcd Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Tue, 24 Feb 2026 16:43:45 -0800
Subject: [PATCH 1/3] added backup
---
 flake.nix | 2 ++
 services/borgbackup-vps.nix | 19 +++++++++++++++++
 services/borgbackup.nix | 41 +++++++++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+)
 create mode 100644 services/borgbackup-vps.nix
 create mode 100644 services/borgbackup.nix
diff --git a/flake.nix b/flake.nix
index c1eab18..ab82480 100644
--- a/flake.nix
+++ b/flake.nix
@@ -59,6 +59,7 @@
 ./services/ergo.nix
 ./services/forgejo.nix
 ./services/forgejo-runner.nix
+ ./services/borgbackup.nix
 # ./services/akkoma.nix
 ];
 };
@@ -84,6 +85,7 @@
 ./hosts/vps/disko-config.nix
 ./services/coturn.nix
 ./services/wireguard-outer.nix
+ ./services/borgbackup-vps.nix
 ];
 };
diff --git a/services/borgbackup-vps.nix b/services/borgbackup-vps.nix
new file mode 100644
index 0000000..636e2cc
--- /dev/null
+++ b/services/borgbackup-vps.nix
@@ -0,0 +1,19 @@
+{ ... }:
+
+{
+ # Inbound: accept desktop offsite backups
+ services.borgbackup.repos.desktop = {
+ path = "/var/lib/borg/desktop";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvKMpaawaw5bp73/W4dm0YEZa2FT99pXHLOYqZS8NPL borg-desktop"
+ ];
+ };
+
+ # Inbound: accept homeserver backups
+ services.borgbackup.repos.homeserver = {
+ path = "/var/lib/borg/homeserver";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEkWV7RJuN4/cGGsER7oHJ55R4aZZZuDnCn/fjyPd9KX borg-homeserver"
+ ];
+ };
+}
diff --git a/services/borgbackup.nix b/services/borgbackup.nix
new file mode 100644
index 0000000..464501e
--- /dev/null
+++ b/services/borgbackup.nix
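Review bot: Both repos in services/borgbackup-vps.nix grant their client key full read, write and delete rights through `authorizedKeys`, so a compromised desktop or homeserver could wipe or overwrite its own offsite history on the VPS, which is exactly the case an offsite copy exists for. The NixOS module has `authorizedKeysAppendOnly` for this; listing the two keys there instead (`authorizedKeysAppendOnly = [ "ssh-ed25519 … borg-homeserver" ];`) lets the client keep adding archives while deletions are not made permanent from the client side, leaving an operator on the VPS in control of compaction. The desktop repo added in services/borgbackup.nix in this same patch has the identical exposure. If you switch, the client-side `prune.keep` in services/borgbackup.nix will no longer reclaim space on its own, so pruning would have to move to the VPS.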
@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+ # Outbound: back up homeserver to VPS
+ services.borgbackup.jobs.homeserver = {
+ paths = [
+ "/var/lib"
+ "/etc"
+ "/home"
+ ];
+ repo = "ssh://borg@10.10.0.1/./homeserver";
+ environment.BORG_RSH = "ssh -i /etc/borg/ssh_key";
+ encryption = {
+ mode = "repokey";
+ passCommand = "cat /etc/borg/passphrase";
+ };
+ compression = "zstd";
+ startAt = "daily";
+ prune.keep = {
+ daily = 7;
+ weekly = 4;
+ monthly = 6;
+ };
+ exclude = [
+ "/var/lib/docker"
+ "/var/lib/containers"
+ "/var/lib/systemd/coredump"
+ "*.pyc"
+ "__pycache__"
+ ".cache"
+ ];
+ };
+
+ # Inbound: accept desktop backups
+ services.borgbackup.repos.desktop = {
+ path = "/var/lib/borg/desktop";
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvKMpaawaw5bp73/W4dm0YEZa2FT99pXHLOYqZS8NPL borg-desktop"
+ ];
+ };
+}
From c43c6c43a5e9491d514271d1ccfcc99f500df040 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Tue, 24 Feb 2026 16:57:52 -0800
Subject: [PATCH 2/3] fix forgejo crypto
---
 common.nix | 8 +++++++-
 services/forgejo.nix | 4 +---
 services/wireguard-outer.nix | 2 +-
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/common.nix b/common.nix
index 26007c8..1f5cef1 100644
--- a/common.nix
+++ b/common.nix
@@ -24,8 +24,14 @@
 PasswordAuthentication = false;
 KbdInteractiveAuthentication = false;
 PermitRootLogin = "no";
- AllowUsers = [ "ellie" ];
+ AllowUsers = [ "ellie" "forgejo" ];
 };
+ extraConfig = ''
+ Match User forgejo Address 10.10.0.1
+ AllowTcpForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ '';
 };
 services.fail2ban = {
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 1f07440..212756a 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -8,7 +8,6 @@
 networking.firewall.interfaces.wg0.allowedTCPPorts = [
 3000
- 2222
 ];
 services.forgejo = {
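Review bot: `passCommand = "cat /etc/borg/passphrase"` and `environment.BORG_RSH = "ssh -i /etc/borg/ssh_key"` read two secrets that nothing in this patch provisions, so the job depends on hand-placed files whose ownership and mode are the only thing keeping the repo passphrase and the VPS client key from other local users; that expectation should be written down next to them, e.g. `# /etc/borg/{passphrase,ssh_key} are provisioned out of band and must be root:root 0600`. `encryption.mode = "repokey"` stores the key inside the repository on the VPS, guarded by that passphrase alone; `keyfile` (or `keyfile-blake2`) keeps the key on the homeserver so a copy of the VPS repo by itself is not enough to attempt decryption, at the cost of backing up the key file separately. `paths` also takes all of `/var/lib`, which on this host holds live service state (flake.nix imports forgejo on the same machine), so archives may capture inconsistent database files unless a `preHook` dumps them first; it also sweeps in `/var/lib/borg/desktop`, so the desktop's repo is copied a second time next to its direct VPS job, which may or may not be intended.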
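Review bot: `AllowUsers = [ "ellie" "forgejo" ]` admits the forgejo account from any source address, while the hardening in the new `Match User forgejo Address 10.10.0.1` block applies only to connections arriving from the VPS, so a forgejo login attempted from anywhere else on the network is handled with the unrestricted defaults. sshd's AllowUsers accepts `user@host` patterns, so `AllowUsers = [ "ellie" "forgejo@10.10.0.1" ];` pins the account to the proxy address and the Match block then covers every path the account can take. The Match block could also set `AllowAgentForwarding no` and `PermitTTY no`, unless the restrictions Forgejo writes into its own authorized_keys entries are being relied on for that. The enclosing services.openssh block begins before this hunk.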
@@ -20,10 +19,9 @@
 ROOT_URL = "https://forgejo.ellie.town/";
 HTTP_ADDR = "10.10.0.2";
 HTTP_PORT = 3000;
- START_SSH_SERVER = true;
+ START_SSH_SERVER = false;
 SSH_DOMAIN = "forgejo.ellie.town";
 SSH_PORT = 2222;
- SSH_LISTEN_PORT = 2222;
 };
 };
 }
diff --git a/services/wireguard-outer.nix b/services/wireguard-outer.nix
index 3de261d..03957ec 100644
--- a/services/wireguard-outer.nix
+++ b/services/wireguard-outer.nix
@@ -97,7 +97,7 @@
 }
 upstream forgejo_ssh {
- server 10.10.0.2:2222;
+ server 10.10.0.2:22;
 }
 server {
 listen 2222;
From f2d3c7c7284ace43f027cb42dd116b39f537a4e3 Mon Sep 17 00:00:00 2001
From: Ellie <6687206+wizzeh@users.noreply.github.com>
Date: Tue, 24 Feb 2026 17:29:07 -0800
Subject: [PATCH 3/3] yay
---
 services/forgejo.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 212756a..e75444a 100644
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -7,6 +7,7 @@
 };
 networking.firewall.interfaces.wg0.allowedTCPPorts = [
+ 22
 3000
 ];
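Review bot: With `START_SSH_SERVER = false` the surviving `SSH_PORT = 2222` stops being a listen port and becomes only the port advertised in clone URLs, and nothing in the hunk records that git-over-SSH now rides the system sshd through the VPS stream proxy. A comment on that line, e.g. `# advertised port only: built-in SSH is off, system sshd on :22 serves git via the VPS stream proxy on 2222`, would spare the next reader a search through common.nix and wireguard-outer.nix to work out why the two numbers differ. The enclosing attribute set begins before this hunk.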
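Review bot: Pointing `forgejo_ssh` at `10.10.0.2:22` means every git client now reaches the homeserver's sshd with source address 10.10.0.1, and since common.nix enables fail2ban on that host, a few failed key or user attempts from any external client could, depending on the jail's ignore list, ban the VPS address and cut off Forgejo SSH for everyone. Exempting the proxy with `services.fail2ban.ignoreIP = [ "10.10.0.1" ];` in common.nix keeps the sshd jail from acting on the one address all proxied traffic shares; sshd cannot see the real client, so abuse handling for this path has to happen on the VPS side instead. The enclosing `stream` block begins before this hunk.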
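Review bot: Adding `22` to `networking.firewall.interfaces.wg0.allowedTCPPorts` exposes the homeserver's sshd to every wireguard peer, not only the VPS proxy at 10.10.0.1, so the source restriction rests entirely on the AllowUsers and Match rules from the previous patch. A comment beside the new entry, e.g. `# system sshd: serves Forgejo git-over-SSH via the VPS stream proxy`, would keep the reason next to the rule, since it otherwise reads as an unrelated port opened beside the Forgejo HTTP port. If only the VPS should reach sshd on this interface, a `networking.firewall.extraCommands` rule limited to 10.10.0.1 would narrow the exposure to match the sshd rules. The subject line `yay` describes none of this; something like `open sshd on wg0 for proxied Forgejo SSH` would.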