feat(servers): switch to borgbackup jobs for granular control

devices/servivi/default.nix

@@ -6,7 +6,7 @@
     ../../modules/tailscale.nix
 
     ./modules/binary-cache.nix
-    ./modules/borgmatic.nix
+    ./modules/borgbackup.nix
     ./modules/minecraft.nix
   ];
 

devices/servivi/modules/borgbackup.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  # Make this file declare default settings
+  options.services.borgbackup = with lib; {
+    defaults = mkOption {
+      type = types.attrs;
+    };
+  };
+
+  config = {
+    users.groups.borg = {};
+    users.users.borg = {
+      isSystemUser = true;
+      createHome = true;
+      home = "/var/lib/borg";
+      group = "borg";
+      extraGroups = ["mc"];
+    };
+
+    programs.ssh.knownHosts = {
+      pve.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG/4mrp8E4Ittwg8feRmPtDHSDR2+Pq4uZHeF5MweVcW";
+    };
+
+    services.borgbackup = {
+      defaults = {
+        user = "borg";
+        environment = {
+          # TODO: use secrets
+          BORG_RSH = "ssh -i ${config.users.users.borg.home}/.ssh/id_ed25519";
+        };
+
+        repo = "ssh://matt@pve/data/backups/borg";
+        encryption = {
+          mode = "repokey";
+          passCommand = let
+            cat = "${pkgs.coreutils}/bin/cat";
+            key = config.sops.secrets.borg-repo.path;
+          in "${cat} ${key}";
+        };
+
+        # Run every 3 hours
+        startAt = "00/3:00";
+        compression = "auto,lzma";
+      };
+    };
+  };
+}

devices/servivi/modules/borgmatic.nix

@@ -1,32 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  # Make this file declare default settings
-  options.services.borgmatic = with lib; {
-    defaults = mkOption {
-      type = types.attrs;
-    };
-  };
-
-  # Make sure known_hosts has the needed info
-  config = {
-    services.borgmatic = {
-      enable = true;
-
-      defaults = {
-        keep_daily = 7;
-
-        # FIXME: doesn't work, have to put it in /root/.ssh
-        ssh_command = "ssh -i /root/.ssh/borg";
-        encryption_passcommand = "${pkgs.coreutils}/bin/cat ${config.sops.secrets.borg-repo.path}";
-
-        source_directories_must_exist = true;
-        borgmatic_source_directory = "/tmp/borgmatic";
-        store_config_files = false;
-      };
-    };
-  };
-}

devices/servivi/modules/minecraft.nix

@@ -10,7 +10,6 @@
     modded-minecraft-servers = {
       eula = true;
       user = config.vars.user;
-      group = "users";
 
       instances = let
         jre8 = pkgs.temurin-bin-8;
@@ -89,19 +88,12 @@
       };
     };
 
-    borgmatic.configurations.mc =
-      config.services.borgmatic.defaults
+    borgbackup.jobs.mc =
+      config.services.borgbackup.defaults
       // {
-        source_directories = [
+        paths = [
           "/var/lib/minecraft"
         ];
-
-        repositories = [
-          {
-            label = "PVE";
-            path = "ssh://matt@pve/data/backups/borg";
-          }
-        ];
       };
   };
 }

flake.lock

@@ -719,11 +719,11 @@
         "nixpkgs": "nixpkgs_6"
       },
       "locked": {
-        "lastModified": 1703628847,
-        "narHash": "sha256-CiMGqa1twXq50Ub2gGqwZ6jZuWWbISgvj61pUC5uAXc=",
+        "lastModified": 1703654106,
+        "narHash": "sha256-2VoiAD/zzZ6/KiN18qm2pEclBP611+YRRzmiikTRdpc=",
         "owner": "nix-community",
         "repo": "nixpkgs-wayland",
-        "rev": "34e93cad9a011f28c094ba4d94adc7f59cec08ad",
+        "rev": "454c1fc492b82c28ab3ec8ef6edae0ec6eef41ad",
         "type": "github"
       },
       "original": {
@@ -766,11 +766,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1703255338,
-        "narHash": "sha256-Z6wfYJQKmDN9xciTwU3cOiOk+NElxdZwy/FiHctCzjU=",
+        "lastModified": 1703438236,
+        "narHash": "sha256-aqVBq1u09yFhL7bj1/xyUeJjzr92fXVvQSSEx6AdB1M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6df37dc6a77654682fe9f071c62b4242b5342e04",
+        "rev": "5f64a12a728902226210bf01d25ec6cbb9d9265b",
         "type": "github"
       },
       "original": {
@@ -867,11 +867,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1703619116,
-        "narHash": "sha256-FAs/EoccWduokTKuqYeRzW2o3Eb6T3SpgWDoqHGeFwU=",
+        "lastModified": 1703659416,
+        "narHash": "sha256-+S75gs0rUWlWpiozAh3sCPar+gfZ96efG7Ifpo5rleA=",
         "owner": "matt1432",
         "repo": "nixos-minecraft-servers",
-        "rev": "cffa361baa1990558f96b18e454502b8ed74a8f1",
+        "rev": "cee4e78311e225aae0af6a49f410d5da23d40b66",
         "type": "github"
       },
       "original": {
@@ -898,11 +898,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1703646418,
-        "narHash": "sha256-+O5UYPoboInEqQM0KeNVTz8Dff2dTxDwZOSRTgdOejM=",
+        "lastModified": 1703659518,
+        "narHash": "sha256-MhYyeYf6vLB8Itrbfd6v8osQqxfo7RcHgNQUd2/KaqM=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "4b648583aa2718a55740bd6f7e2916c9771762c8",
+        "rev": "6561f85abf01b5f47ce49407d34ea7b3332d11a7",
         "type": "github"
       },
       "original": {
@@ -961,11 +961,11 @@
         "sops-nix": "sops-nix"
       },
       "locked": {
-        "lastModified": 1703648158,
-        "narHash": "sha256-z2My4To69oyY4xYofSJCAKK6BOMcbA9qRZJoUBpi6+U=",
+        "lastModified": 1703659676,
+        "narHash": "sha256-GV7aDQygrPSXwR6auRHpanMzvXvKBbw1F2o78BA/ZeM=",
         "ref": "refs/heads/main",
-        "rev": "22a1a1c6a18639e11e4e47a667870dffa527623e",
-        "revCount": 17,
+        "rev": "792df10f43731b75e4d11ce76e0cde911381869e",
+        "revCount": 18,
         "type": "git",
         "url": "ssh://git@git.nelim.org/matt1432/nixos-secrets"
       },