hosts/plover: add backup service

hosts/plover/default.nix

@@ -46,6 +46,8 @@ in
       "gitea/db/password".owner = giteaUserGroup;
       "gitea/smtp/password".owner = giteaUserGroup;
       "vaultwarden/env".owner = vaultwardenUserGroup;
+      "borg/patterns/keys" = {};
+      "borg/password" = {};
     });
 
   # All of the keys required to deploy the secrets. Don't know how to make the
@@ -254,5 +256,46 @@ in
     };
   };
 
+  # Of course, what is a server without a backup? A professionally-handled
+  # production system so we can act like one.
+  services.borgbackup.jobs.host-backup = let
+    patterns = [
+      config.sops.secrets."plover/borg/patterns/keys".path
+    ];
+  in {
+    compression = "zstd,11";
+    dateFormat = "+%F-%H-%M-%S-%z";
+    doInit = true;
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat ${config.sops.secrets."plover/borg/password".path}";
+    };
+    extraCreateArgs = lib.concatStringsSep " "
+      (builtins.map (patternFile: "--patterns-from ${patternFile}") patterns);
+    extraInitArgs = "--make-parent-dirs";
+    # We're setting it since it is required plus we're replacing all of them
+    # with patterns anyways.
+    paths = [];
+    persistentTimer = true;
+    preHook = ''
+      extraCreateArgs="$extraCreateArgs --stats"
+    '';
+    prune = {
+      keep = {
+        weekly = 4;
+        monthly = 12;
+        yearly = 6;
+      };
+    };
+    repo = "cr6pf13r@cr6pf13r.repo.borgbase.com:repo";
+    startAt = "monthly";
+    environment.BORG_RSH = "ssh -i ${config.sops.secrets."plover/ssh-key".path}";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host *.repo.borgbase.com
+     IdentityFile ${config.sops.secrets."plover/ssh-key".path}
+  '';
+
   system.stateVersion = "22.11";
 }

hosts/plover/secrets/secrets.yaml

@@ -13,6 +13,10 @@ gitea:
             password: ENC[AES256_GCM,data:rk8GPBLof4D9mJnDCzKtbjJcQqeS5W8kyNuqOzYbr9rNjOlBNN2y/qVGb/MmOd9TMzRpKJYe70Gk87DgCvlm8/JoxsoQ,iv:TdVDi71s8HDyCeWadubYBjgDvBZdfZhlFf8qArGgpdk=,tag:mptPQ8AScuG+1skTu7ooxw==,type:str]
 vaultwarden:
     env: ENC[AES256_GCM,data:C0advtRXZSRrm3D9iguxfYXTbK2XPMnsqHegN5JcNtxojQuGRry4hyM+PytB5t0rkaPrxffLGJkBsJo/oaYgXlkEBvoEVejMsVNsV2BBU/UrjkhvtjzS1q2BsnSW3rwy6K1IW1CCKHeknWiiT/qH/w0UvGSm3JxbkKnMShxy+mXkNeL99oPJS+5x4bcmCExaJ+EYlMiK1o/BjeBgk/sq/5TcguVpfZvIN0/PhSwqXGn0mwHR+GGApCQxSbB6kO9kKd8e+7zkbfWbK1cRsnZ6UpQl+ElVyQ==,iv:27TdCZYTYazXvi8gjNUkEvYDSRCzUE2IhbvT8k5Mqro=,tag:B+agm4rueu5B6jMkBd3FVQ==,type:str]
+borg:
+    password: ENC[AES256_GCM,data:jj5DARwujL3qMyOZ5jegFuWqAWKeEPbGihV2WZ45,iv:qiII9yWbUfQggeO3KdPwNXAQBwVmx6YEa5YIID3AUIs=,tag:Nz6iEf02N6UZTbNxP/vh/A==,type:str]
+    patterns:
+        keys: ENC[AES256_GCM,data:0CDCFSvqUeGD6JOAuptnke6z3eSD+SgT3AhZYTPujR+6Q42IWXs5Oq+YZeI1CEASFbV7+DhXSNc08zsR/Uuu2xym,iv:xj/owX79CeWV2ztQ0DP5bQRBwLPZiCpHB/JAK5tCfH8=,tag:VXC/b3HDdmwwiZlcqX/C9g==,type:str]
 sops:
     kms: []
     gcp_kms:
@@ -31,8 +35,8 @@ sops:
             YTZnVWJBdkVKTDIyN0JjNUVkNU84bmsKVEvYry/jpwScC0wtDqbvE4WtYVm+bBss
             /uTld6ObaI92LLVwdkcApVSzt8AD/vCRD/Kf084oi+fRDFn2JiYChQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-02T14:09:22Z"
-    mac: ENC[AES256_GCM,data:zj0iVqEqi756+6IRhi4My7zds3ttP+FYPfCC2zSSCk/Sx5ONMlZtxD8v3LWZ0D+X0amgwFUi8+FYp0C4tj6GDcPU3Ila98eCvPOoCWh35vHUojO/8PwRsKY1jzx51o6mwHahksWBIHeH7+hGWnKFwjYO7Bpt1D9m2cLD4GXiUOM=,iv:o7fx9PuC0sUnIlpjS3dSr4YpcW9CMS/SdQjfhNd/K1s=,tag:190liNbTq7J/Lg5VMa6PEw==,type:str]
+    lastmodified: "2022-12-02T23:39:58Z"
+    mac: ENC[AES256_GCM,data:9g4mwaqH6+P1gxYlAOT1VVzbGAW7pC2A6MuAzEM5n3ooNemIMnj9GG5WMR9g4d3BYx6Ne8FLWuT2Xi1T1JTtY6vaFuUOMoCt5Lucl4twLeS1zP4wjx5vwGqSgwC2ZB1Gjd3gN1TCoKxhbAy74AClPJZeFuVLvFiDbxmD8AyA3xg=,iv:rssJX9hQL0FX2hlrNQRLDikU2YNwJAL3AjnJASqS/Rc=,tag:yx95SM15geHUMd51uZYTSg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3