Borgmatic backups for dalinar

hosts/dalinar/default.nix

@@ -78,6 +78,7 @@
   sops.age.keyFile = "/etc/age/keys.txt";
   sops.secrets."miniflux/ADMIN_USERNAME" = { };
   sops.secrets."miniflux/ADMIN_PASSWORD" = { };
+  sops.secrets."borg/passphrase" = { };
   sops.templates."miniflux-admin-credentials".content = ''
     ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
     ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
@@ -340,6 +341,54 @@
     };
   };
 
+  services.borgmatic = let
+      commonSettings = {
+        compression = "lz4";
+        archive_name_format = "backup-{now}";
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+        keep_yearly = 1;
+        check_last = 3;
+      };
+      borgID = "zh5200";
+    in {
+      enable = true;
+      # After a new installation
+      #  * Run `nix run nixpkgs#borgmatic -- init --encryption repokey-blake2` to initialize the repos
+      #  * Generate and add ssh key to rsync.net (see Multiple Keys Section at https://www.rsync.net/resources/howto/ssh_keys.html)
+      configurations = {
+        files = commonSettings // {
+          source_directories = [
+            "/storage/encrypted/media/books"
+            "/storage/encrypted/photos/"
+          ];
+          repositories = [{
+            path = "ssh://${borgID}@${borgID}.rsync.net/./dalinar-files";
+            label = "dalinar-files";
+          }];
+        };
+
+        databases = commonSettings // {
+          source_directories = lib.mkForce [ ]; # Should never be set for the databases repo
+          postgresql_databases = [
+            { name = "immich"; username = "immich"; }
+            { name = "miniflux"; username = "miniflux"; }
+          ];
+          repositories = [{
+            path = "ssh://${borgID}@${borgID}.rsync.net/./dalinar-databases";
+            label = "dalinar-databases";
+          }];
+        };
+      };
+    };
+
+    systemd.services.borgmatic = {
+      environment = {
+        BORG_PASSCOMMAND = "cat ${config.sops.secrets."borg/passphrase".path}";
+      };
+    };
+
   networking.nat = {
     enable = true;
     internalInterfaces = [ "ve-*" ];

hosts/dalinar/secrets.yaml

@@ -8,6 +8,8 @@ searx:
 transmission_rpc:
     user: ENC[AES256_GCM,data:w+gjEQ==,iv:Qyp2zvUBagrMMdUMN6ghIZuGxSMEvhh2/JPXtRtBJ7Q=,tag:6rOt4Goc7n0nrIycdbquhw==,type:str]
     password: ENC[AES256_GCM,data:SUTKckSWqW94eshNkysVfA==,iv:WtuyR7Y9a7lyaZ9AbJyTiVVYVbJUsxHqtRU/5T1aO/E=,tag:eyveY9/aA1EQ2JXU2NrDYg==,type:str]
+borg:
+    passphrase: ENC[AES256_GCM,data:O0NgLUbf+1bC3r0RP9ozb5GMdb9AUqk2o+rczMCKgY7n1WEQvj5LmMW/Cg==,iv:kB8B8H/Kw/daJ0RWTXE6FrFRILK/P8A1yImEy90tqvM=,tag:ocZll0ravre2vfU2xtFurA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +34,8 @@ sops:
             SVMwSGwwWVo1RzZnSjB6Z0MraTBHZ00KiHCJ8M3xQ8+YH5+aOy3th5fYTEavHqa0
             bbzATd2uRW8K+RSW3NFpN2AMtn9GCGt6Hsw0kezhiBN8qZ4tneKxJg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-03T20:18:45Z"
+    lastmodified: "2025-04-25T21:11:20Z"
-    mac: ENC[AES256_GCM,data:OM78015iecHNG3p5m0CCe+76dkKo7wBe+i7Crl/A58K0bomDKm8jys2yDXJU1udEaJBwhQTUadIaPFHPyMhegPrnfAMcInUQP6aD9SQVAOByi1T/BrFvT0hQClKzskSEeGwnUb+hJYSMkojhkzx5MvEnX9WDdVfAKgHbj4+QxCM=,iv:F8h2gv7F998Lh3FAXEzedsFNRDxD8bzdShTVVwLzKSU=,tag:x44SQkD4PnGhVaIx1XlBug==,type:str]
+    mac: ENC[AES256_GCM,data:Y9oV1f9kkOqz031wn0HOh8Trh6W+KDlZ2smLQdhdiG1pLknShJ+JaSzKLkg2zOj8FCJ52t+iJv/90VVGSPrM7zp1Z4mPoJwodlfObFOdy2bwkeDUXHHWDYg4ji+zUePa+z/kPXh3yAqKG6jeUfFLZ3RroXFI9dEchIdbiIdKdCg=,iv:ccbvursbZGa3bih/LMZ+YQrwkhT1dpdchjTx8jVvMDE=,tag:JGlwkKJ/lF8a5FxeN0C6ww==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.4