Add borg backup module

flake.nix

@@ -107,28 +107,35 @@
           extraModules = [
             ./hardware/levitation.nix
             ({ pkgs, config, lib, ... }: {
-              boot.loader = {
+              # sops for borg
-                grub = {
+              sops.secrets."borg-ssh-key" = {
-                  enable = true;
+                sopsFile = ./secrets/levitation/borg.yaml;
-                  version = 2;
+                format = "yaml";
-                  efiSupport = true;
-                  # Go efi only
-                  devices = [ "nodev" ];
-                  # Use os-prober
-                  useOSProber = true;
-                };
-                efi = {
-                  efiSysMountPoint = "/boot/";
-                  canTouchEfiVariables = false;
               };
+              sops.secrets."borg-password" = {
+                sopsFile = ./secrets/levitation/borg.yaml;
+                format = "yaml";
               };
               # Setup system configuration
               nathan = {
                 programs = {
                   games = true;
                 };
+                services = {
+                  borg = {
+                    enable = true;
+                    extraExcludes = [
+                      "/home/${config.nathan.config.user}/Music"
+                      "/var/lib/docker"
+                      "/var/log"
+                    ];
+                    passwordFile = config.sops.secrets."borg-password".path;
+                    sshKey = config.sops.secrets."borg-ssh-key".path;
+                  };
+                };
                 config = {
                   isDesktop = true;
+                  setupGrub = true;
                   nix.autoUpdate = false;
                   harden = false;
                 };

modules/default.nix

@@ -15,6 +15,7 @@ in
     ./programs/utils.nix
     ./services/ssh.nix
     ./services/tailscale.nix
+    ./services/borg.nix
     ./linux/base.nix
   ];
 
@@ -31,6 +32,36 @@ in
         tailscale = {
           enable = mkDefaultOption "tailscale" pkgs.stdenv.isLinux;
         };
+        # Borg backup
+        # Disabled by default as it requires configuration, but a really good idea to turn on
+        borg = {
+          enable = mkEnableOption "borg";
+          extraExcludes = mkOption {
+            default = [ ];
+            description = "List of extra paths to exclude";
+          };
+          extraIncludes = mkOption {
+            default = [ ];
+            description = "List of extra paths to include";
+          };
+          location = mkOption {
+            default = "de1955@de1955.rsync.net:computers";
+            description = "Location to backup to";
+            type = lib.types.str;
+          };
+          passwordFile = mkOption {
+            description = "Path to the password file";
+            type = lib.types.str;
+          };
+          sshKey = mkOption {
+            description = "Path to the ssh key";
+            type = lib.types.str;
+          };
+          startAt = mkOption {
+            description = "How often to run backups";
+            default = "hourly";
+          };
+        };
       };
       # Control enabling/configuratin of services
       programs = {

modules/services/borg.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib; {
+  config = mkIf config.nathan.services.borg.enable {
+    # Add borg to the system packages
+    environment.systemPackages = with pkgs; [
+      borgbackup
+    ];
+    services.borgbackup.jobs = {
+      rsyncnet = {
+        paths = [
+          "/home"
+          "/var"
+          "/etc"
+          "/root"
+        ] ++ config.nathan.services.borg.extraIncludes;
+        exclude = [
+          "*/.cache"
+          "*/.tmp"
+          "/home/${config.nathan.config.user}/Projects/*/target"
+          "/home/${config.nathan.config.user}/Work/*/target"
+          "/home/${config.nathan.config.user}/.local/share/Steam"
+          "/home/${config.nathan.config.user}/*/Cache"
+          "/home/*/Downloads"
+        ];
+        repo = "${config.nathan.services.borg.location}/${config.networking.hostName}";
+        encryption = {
+          mode = "repokey-blake2";
+          passCommand = "cat ${config.nathan.services.borg.passwordFile}";
+        };
+        environment.BORG_RSH = "ssh -i ${config.nathan.services.borg.sshKey}";
+        compression = "auto,zstd";
+        startAt = config.nathan.services.borg.startAt;
+        prune.keep = {
+          within = "7d"; # Keep all archives for the past week
+          daily = 1; # Keep 1 snapshot a day for 2 weeks
+          weekly = 4; # Keep 1 snapshot a week for 4 weeks
+          monthly = -1; # Keep unlimited monthly backups
+        };
+      };
+    };
+  };
+}

secrets/levitation/borg.yaml

@@ -0,0 +1,31 @@
+borg-ssh-key: ENC[AES256_GCM,data:w3l69u5319qQsD+4SIEtqft5WX9yWtbK0/AB/RJAohh3x8zBfVOz9EG+tSoal28EUEcXg0EDVYh7hZ33nPeq5PWP+/ktob0uWd1i7apTJRnQGI5sOf0GrK3qCZXJMn7kGVSzYlnZWyf1XAzgEOtR4QhGnrHsFrp5IKBrRC2u2HTdlxPJPUwNjOL3PbtuPZga8R497/6d86LHdmx1q+DWBhANkQZNNsDWiXGQU2MKfJFoNMd8I4SZia1M7rt4T8TkcxzwzqRvx8CRjI/CWmUkzRnojIvmOFsZuScfeenjq8uolDSI5kNznXG+r+bIyW6BFyOPoGCqR4YcJZZdPJxIJGBBl6wXDow1iyAoCnSrJhQV7HFDc4Gyd0UESeAIRiWzEmlAiKvGQG/J7K1HbYekrLfxENcwYEt26h5FfLznFSNJ1VGIOJFk/08ewy2SZ9KiImeTpv2lcqAmOLjSp+OkxU+1xeffOMGR8adutsbhXLMlCIaqlimZWvSRPyR5Qp9SOo2esQ3S4Rq5VUbq93xAFnrJpNgyr7r0OZTy,iv:UGiwqGadbm3P5RBI/R32zlIOmVjRiEaEwAuGTAqhnks=,tag:WS0ksDUEoGJLl1L2jNb2Zg==,type:str]
+borg-password: ENC[AES256_GCM,data:W0MEp075S/1fAzLl3UxQ/8W/Cx+Z0pBU/qYMEbL+rmvCnhLRpbM/iy48RAz0xFZ4txUIDHkNllaA,iv:7wlt8FjA8k5iol4lgW8upuRQJTeu2ToyI6LsTmPCk/4=,tag:jrG00Q5bkDONDhfYMlKtfA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ak5NVEJ4U0s0ajB2SnhC
+            Ym45TlZjdWM0VnhYK08yMWduWUg5SDI3bFJrCkt1SGlpUkx2cnFMbDdLTWdUM3Za
+            eElFbjJDVXlRUDQrek5XalpUMEZydVUKLS0tIHpLU21ZY29ydU1ENmVWWXdTK0RF
+            VFFmQld5UzVUZUtDQmRRVnNacm1uUkEKuodQeOPsTw7i3dTWqb4XQ4v/Jtf9X9ah
+            NVhYD79ZltK2k5Epa95oH46Djwz1RjPad0WVgLDPlPYdto2Kd5Y26A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadlVMRzY1Zkoyb1JVYTd0
+            NEQ0bStuNWVpRTZJRGx6NVpUejIxMzhKT1NjCnJyK1pONmljYTVLajF3VGpiRllG
+            MEcxR1ptbWs0Q1U5Zi85U3hZOFJxUGMKLS0tIDZYT0dZYkJoU0lTMHBRS0NqVHdq
+            SHRtU2NNeHdJTVdvNFhDU1dXbHZVSTgKAan3xhZNtYVRgrx0oCgz5bA2x2gS9+mj
+            DzxQY1NrM4ZEGWQtm7NWyyfuO16OAVsdotiMN8mbSlyh9uB+j4nNig==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-07-02T18:30:32Z"
+    mac: ENC[AES256_GCM,data:cX7URw9zZN2WIpKe4RKbZi6T/CW6L5nMiINzAoNeO0pdmsQpeCiiNiI3bn4epOf5qWKZDybSbwMdEB9a/uDOAImIKL08rUUJr9JTLICFRMcQgNpczN6XNu5Xpbt8uxksRc/ex2x8a7TbE7gy4xsEE0U9CGG3WWQm2LeUpbz9PGA=,iv:mbY+1H1rsyAL00VmNTjzmGITywRc5uFEd+HAfQQNtY4=,tag:JNcoz8XLPCpQ61CV2Dxfuw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3