From b52f0ea460efab6a329baa5909f661e5c0387db8 Mon Sep 17 00:00:00 2001
From: Nathan McCarty <nathan@mccarty.io>
Date: Fri, 10 Jun 2022 18:58:36 -0400
Subject: [PATCH] Setup borg on levitation

---
 machines/levitation.nix | 68 ++++++++++++++++++++++++++++++++++++++---
 secrets/borg.yaml       | 67 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 130 insertions(+), 5 deletions(-)
 create mode 100644 secrets/borg.yaml

diff --git a/machines/levitation.nix b/machines/levitation.nix
index 00d24d2..7983af9 100644
--- a/machines/levitation.nix
+++ b/machines/levitation.nix
@@ -1,20 +1,25 @@
-{ pkgs, lib, ... }: {
+{ pkgs, lib, config, ... }: {
 
-  # Define the hostname, enable dhcp
+  ###
+  ## Define the hostname, enable dhcp
+  ###
   networking = {
     hostName = "levitation";
     domain = "mccarty.io";
     useDHCP = false;
     interfaces.enp5s0.useDHCP = true;
   };
-
-  # Enable programs we don't want on every machine
+  ###
+  ## Enable programs we don't want on every machine
+  ###
   programs = {
     steam.enable = true;
     adb.enable = true;
   };
 
-  # Firewall ports
+  ###
+  ## Firewall ports
+  ###
   # 61377 - SoulSeek
   # Enable firewall and pass some ports
   networking.firewall = {
@@ -23,7 +28,9 @@
     allowedUDPPorts = [ 61377 ];
   };
 
+  ###
   ## Machine specific home-manager
+  ###
   home-manager.users.nathan = {
     # Sway outputs
     wayland.windowManager.sway.config = {
@@ -57,4 +64,55 @@
       output = "DP-3";
     };
   };
+
+  ###
+  ## Borg Backups
+  ###
+
+  # Install borg
+  environment.systemPackages = with pkgs; [
+    borgbackup
+  ];
+  # Setup sops
+  sops.secrets."borg-sshKey" = {
+    format = "yaml";
+    sopsFile = ../secrets/borg.yaml;
+  };
+  sops.secrets."borg-levitationPassword" = {
+    format = "yaml";
+    sopsFile = ../secrets/borg.yaml;
+  };
+  # Setup the job
+  services.borgbackup.jobs = {
+    remote_backup = {
+      paths = [
+        "/home"
+        "/var"
+        "/etc"
+      ];
+      exclude = [
+        "*/.cache"
+        "*/.tmp"
+        "/home/nathan/Projects/*/target"
+        "/home/nathan/Work/*/target"
+        "/home/nathan/.local/share/Steam"
+        "/home/nathan/Downloads"
+        "/home/nathan/Music"
+      ];
+      repo = "de1955@de1955.rsync.net:computers/levitation";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat ${config.sops.secrets."borg-levitationPassword".path}";
+      };
+      environment.BORG_RSH = "ssh -i ${config.sops.secrets."borg-sshKey".path}";
+      compression = "auto,zstd";
+      startAt = "hourly";
+      prune.keep = {
+        within = "7d"; # Keep all archives for the past week
+        daily = 1; # Keep 1 snapshot a day for 2 weeks
+        weekly = 4; # Keep 1 snapshot a week for 4 weeks
+        monthly = -1; # Keep unlimited monthly backups
+      };
+    };
+  };
 }
diff --git a/secrets/borg.yaml b/secrets/borg.yaml
new file mode 100644
index 0000000..50cc9f9
--- /dev/null
+++ b/secrets/borg.yaml
@@ -0,0 +1,67 @@
+borg-sshKey: ENC[AES256_GCM,data:rVDwCkDQbeYl8cAu/VlZzcW1XQERFVIhjGBigWZ1n0nSDga9812pJgnaIG6aoRVbuaiOVelSqZa0XJRlNU6yJtrT9sDulWb1nqFudSJ84cnhE3QzrgPzAGZJ60PcAQMI2/dqpb4pHGf0nyNBKf5OGCtOahwN3nqkAuiQkqE/XbGlPylHJ+3Hb+Q/RnmMrL5bhKQ9EvuauHwTczlII5JwkrrtZeuHiTZm1SzokQSTMgt71CUOOmDlKlSxXgHDn2g1C+rc+OHzZraWIFyOI0cMpYdfYOxkJM7Wh0/ByX5Iqlp6nTYAK3IbHr4bUUclw2QPMNtLebIaJzzZP8Hplg4sO1zxEWxG+moZzRT6rfd6FF+5EJ8KalgfTgIHVYVrwsQj3SoL258+IWbahQZI2Er1SixVwZQes46HuPaFn7Ydn+/RfJo33birUJ89H5ge/boEkaUT1cHKcbodxfvJsQJkbRUTzHqpRGIHRW9bF1m94/5D2LaaFmaFoJqondewwy1ZVzZIF0jePRhvF4lFtSmKP4jC1Z0xg2L/JnUo,iv:gHr+vtcY99MgSy9IiMmxy3mlOjcOJ4oN5NS3doNAXwo=,tag:AOaE2qHv5NalE7J/NVXQjw==,type:str]
+borg-levitationPassword: ENC[AES256_GCM,data:nAtAlhmv6NAE88f81BeroMnMd/lr7ZnUTmLlAMtn4/ML8TuiZjijCJ4LiUSg5FLeWmDEALUN5g/T,iv:2qoF4mw/sbitLmticTsKndcYdV2B+6YjXjKHJr591nk=,tag:ENPk7gm3tmVOSgzfrn7Vag==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrajVrQjRjemFTNTdBOTFn
+            bTN4TjVoT0hpd3RvUFRwSkdPZzhzNWJ4dWtVCkFSd2lvSE5BLzlGVmhYb3BFMXM1
+            dlZiOFdCUnZ5UExZMkpqSDFPemRITFkKLS0tIFdLZU96YjNZN1FiRTBpN3R6c0RJ
+            Z3JBZWM3RTdqcG44M0RBYXJDci9MUG8KKzI86Y2gYYyhKHK+H5U3aoJuU2a+RiRz
+            pulu06DWlL6R3e4HUDTpe0m1/RHwYxE8ap+WgVlq7jvG0STZV2a6pg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2b0M2WkNPRzI3YW15cHYz
+            TUcwUGt0bldSV3REKzF4dkk2anVLTjFCbGdvCnNJbWpONjJXU3dBaG1Za0tQS0Uw
+            engwS0RWRnVCRmdDaGx1UElsNVdZWjQKLS0tIGp2K1BsL0RlaFFzWTdKQmV3NnVa
+            c1ZONlRic2xBUzhTVVZYMWpGRWJ3bncK829TyEoxOAjmbdAJEZpmt+sW66bpVUgY
+            njlFpVrwAjLe49RezMelWbfI+ZIlL5+eKvoMzaG3te9daTxPjRoaVQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwQkRtS3lyUG9xK3laNndP
+            V2hOVXMvSmpRKzBqeW43Y01vS2VBRWFQK2xJCk9zQXgzSUFEd1BkcjhicXFpQ3hI
+            KzhYMXlZaFcrcGx0VG05ZEl4eWttY0kKLS0tIE1saUV4WHNKVC9ocHIzV2JTWENs
+            M0FqdDF2TU5JY3RwM2lXZEg4SVlscG8KoPu3vxd5watGkeKBPcwnfY79n27RKtre
+            zZDkeCldJNaIsvX2PPjm3NKUdUjVG1m8m8bQrvq0e4IAWkBwOFjUrA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTTJ4Mm9rZklxWlcraW5C
+            TUl5UVp1eUxkd0Mxamh5YVpQN0ZxMU83TVRvCmlvMWd0MFc2c3htWllySVRZcWYz
+            UjNLQkUwVG1Kb0tMb1J0ZHpSMnJDU1kKLS0tIHVIR1cxTXRoSUJtRllsYlk5c3FS
+            dzNxQzl0VGVsZExhL05vcWJiSzk2c0kKsU5nsgBcKh8EdrTYco6FvVRkk+8tUVtu
+            gltw8yhYC3TmbdsW185KIDMCxaX8btWmtBKoQk7RiSlHNgcNn+ebbg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6QTl5blVHUjZYdGdLY00w
+            aCtYalhVNzFsYlJSZmRPTVpGSmRoSkg5YnhnCmVlbCtka2lUck42MmZIRGkyQ2RC
+            NWQ5OW5Wc1liOWplbGtXbWxDZHlQQUUKLS0tIG1nOEpjcHpaZjRpM3ZEa3hlSDZL
+            K2JPTDBMemdyZU9RU0JzRDZFQ2hLZ1EKJrV5DVDw/zqvZ3fzDPc2xcQjGzFy+2pn
+            Y5yO+fQJC6mrrIQiQG1Jhl6RZNXPgI02f/iJKodDZ33QTc1e9/916w==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeUttdmhEalQ4R0EwbXVH
+            azZrMmx0Q1p5K2ZTTXM3RTQzWWZlNUV6cmhRCmppdGExTmU0aGF3Rk9lS3hnOHd4
+            cStBejlrZU42OHJJbEVKblppUUgvdmsKLS0tIGo5YkJGdkdFUGxta3k5aGVGRGRk
+            WmhzcngwekJ1UzJQNzBwNU9Kb3FLNzQKgWC/Pruek+lfMtyj8M1s88l46emKVqV/
+            nO3VxonQywOz1QaNEBODNTwly48MzNREwV1bUZy4DBAeraG4O3fRFg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-06-10T22:53:54Z"
+    mac: ENC[AES256_GCM,data:ZCTwUX3m4BPjJxMzaTmG1FNFmxJ+rO/5aKe8AB/Fca2Ut5V6GccrpnjVx43ccNSTibDEgdxvUPtAZRLZ0nZXsAFE1tI5KoCk5XxzhCddmG0gkrMDpt2bgnv+eNgwU5fpMNu1+IdwnUf9ut4LaJBtpojDQjM9wWpcVMAJKTfh83Y=,iv:M5SWFxX2anu7yoUd3S3HZ98LfzQrr20CHtX3KR9GI1U=,tag:/BXJkqtLT83AnuA6fZWQVg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3