nixos/utils/modules/borgbackup.nix

{ pkgs, config, lib, ... }:

let
  repo = config.borgbackup.repo;
  #repo = config.borgrepo;
  #repo = "u149513-sub3@u149513-sub3.your-backup.de:borg";
  borgMount = pkgs.writeShellScriptBin "borg-mount" ''
    export BORG_PASSCOMMAND='cat ${config.sops.secrets.borg-passphrase.path}'
    borg mount --rsh "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}" ${repo}::$1 $2
  '';
  borgList = pkgs.writeShellScriptBin "borg-list" ''
    export BORG_PASSCOMMAND='cat ${config.sops.secrets.borg-passphrase.path}'
    borg --rsh "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}" list ${repo}
  '';

  borgBackup = pkgs.writeShellScriptBin "borg-backup" ''
    systemctl restart borgbackup-job-default.service
  '';

  borgRestore = pkgs.writeShellScriptBin "borg-restore" ''
    cd /
    export BORG_PASSCOMMAND='cat ${config.sops.secrets.borg-passphrase.path}'
    borg --rsh "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}" list ${repo}
    borg extract --list --rsh "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}" ${repo}::$1
  '';
in {
  options = with lib; with types; {
    borgbackup = mkOption {
      description = "Options for borg module";
      type = submodule {
        options.repo = mkOption {
          type = types.str;
          description = "borg repo";
        };
      };
    };
  };

  

  config = {
    sops.secrets.borg-passphrase = {};
    sops.secrets.borg-ssh-key = {};

    environment.systemPackages = [
      borgMount
      borgList
      borgBackup
      borgRestore
    ];

    services.borgbackup.jobs.default = {
      paths = [
        "/home"
        "/var"
        "/root"
      ];
      exclude = [
        "/var/lib/containerd"
        # already included in database backup
        "/var/lib/mysql"
        "/var/lib/postgresql"
        "/var/lib/docker/"
        "/var/lib/containers/"
        "/var/log"
        "/var/cache"
        "/var/tmp"
        "/var/log"
      ];
      environment.BORG_RSH = "ssh -p23 -i ${config.sops.secrets.borg-ssh-key.path}";
      repo = repo;
      encryption = {
        mode = "repokey";
        passCommand = "cat ${config.sops.secrets.borg-passphrase.path}";
      };
      compression = "auto,zstd";
      startAt = "*-*-* 03:00:00";

      prune.keep = {
        within = "1d"; # Keep all archives from the last day
        daily = 7;
        weekly = 4;
        monthly = 6;
      };
    };
  };

}