nixos-config/configs/home-manager/foo-dogsquared/modules/services/backup/default.nix

{ config, lib, foodogsquaredLib, pkgs, ... }@attrs:

let
  userCfg = config.users.foo-dogsquared;
  cfg = userCfg.services.backup;

  pathPrefix = "borg-backup";
  getPath = path:
    config.sops.secrets."${pathPrefix}/${path}".path;
  isFilesystemSet = setupName:
    attrs.nixosConfig.suites.filesystem.setups.${setupName}.enable or false;

  hetznerBoxesUser = "u332477";
  hetznerBoxesServer = "${hetznerBoxesUser}.your-storagebox.de";

  borgmaticCommonConfig = module: lib.mkMerge [
    module

    {
      archive_name_format = lib.mkDefault "{fqdn}-home-manager-personal-{now}";
      patterns = lib.mkBefore [
        "R ${config.home.homeDirectory}"
        "! ${config.xdg.dataHome}"
        "! ${config.xdg.cacheHome}"
        "- ${config.xdg.configHome}"
        "- ${config.xdg.userDirs.download}"
        "+ ${config.xdg.userDirs.extraConfig.XDG_PROJECTS_DIR}"
        "+ ${config.xdg.userDirs.documents}"
        "+ ${config.xdg.userDirs.music}"
        "+ ${config.xdg.userDirs.pictures}"
        "+ ${config.xdg.userDirs.templates}"
        "+ ${config.xdg.userDirs.videos}"
        "+ ${config.home.homeDirectory}/.thunderbird"
        "+ ${config.xdg.dataHome}/gopass"
        "+ ${config.xdg.configHome}/age"
        "+ ${config.xdg.configHome}/sops"
      ];
      exclude_if_present = [
        ".nobackup"
        ".exclude.bak"
      ];
      exclude_patterns = [
        "node_modules/"
        "*.pyc"
        "result*/"
        "*/.vim*.tmp"
        "target/"
      ];

      store_config_files = true;

      # Most of these retention settings are meant to have overlaps in the
      # periodic backups.
      keep_hourly = 48;
      keep_daily = 14;
      keep_weekly = 8;
      keep_monthly = 12;
      keep_yearly = 4;

      check_last = 4;
    }
  ];

  checkRemovableMountScript = pkgs.writeShellScript "check-for-removable-storage" ''
    { findmnt "$(dirname "$1")" > /dev/null && [ -d "$1" ]; } || exit 75
  '';
in
{
  options.users.foo-dogsquared.services.backup.enable =
    lib.mkEnableOption "preferred backup service";

  config = lib.mkIf cfg.enable {
    sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml (
      foodogsquaredLib.sops-nix.attachSopsPathPrefix pathPrefix {
        "repos/remote-hetzner-boxes-personal/password" = { };
        "repos/local-external-hdd-personal/password" = { };
        "repos/local-archive-personal/password" = { };
      });

    programs.borgmatic.enable = true;
    programs.borgmatic.backups = lib.mkMerge [
      {
        remote-hetzner-boxes-personal = {
          initService.enable = true;
          initService.startAt = "06:30";
          settings = borgmaticCommonConfig {
            encryption_passcommand = "cat ${getPath "repos/remote-hetzner-boxes-personal/password"}";
            repositories = lib.singleton {
              path = "ssh://${hetznerBoxesUser}@${hetznerBoxesServer}:23/./borg/users/${config.home.username}";
              label = "remote-hetzner-boxes";
            };
            extra_borg_options = {
              init = builtins.toString [
                "--make-parent-dirs"
                "--encryption" "repokey-blake2"
              ];
            };
          };
        };
      }

      (lib.mkIf (isFilesystemSet "external-hdd") {
        local-external-hdd-personal = {
          initService.enable = true;
          initService.startAt = "04:30";
          settings = let
            removablePath = "${attrs.nixosConfig.state.paths.external-hdd}/Backups";
          in borgmaticCommonConfig {
            encryption_passcommand = "cat ${getPath "repos/local-external-hdd-personal/password"}";
            repositories = lib.singleton {
              path = removablePath;
              label = "local-external-hdd";
            };
            before_backup = lib.singleton "${checkRemovableMountScript} ${removablePath}";
          };
        };
      })

      {
        local-archive-personal = {
          initService.enable = true;
          initService.startAt = "04:30";
          settings = borgmaticCommonConfig {
            encryption_passcommand = "cat ${getPath "repos/local-archive-personal/password"}";
            repositories = lib.singleton {
              path = "\${BORG_PERSONAL_FDS_PATH:-${attrs.nixosConfig.state.paths.laptop-ssd}/Backups/foodogsquared}";
              label = "local-archive";
            };
          };
        };
      }
    ];

    # My game backups.
    services.ludusavi = {
      enable = true;
      startAt = "daily";

      settings = let
        backup_path = "${config.xdg.cacheHome}/ludusavi/backups";
      in {
        manifest.enable = true;
        roots = [
          { path = "${config.home.homeDirectory}/.steam"; store = "steam"; }
          { path = "${config.xdg.dataHome}/lutris"; store = "lutris"; }
        ];
        backup.path = backup_path;
        restore.path = backup_path;
        release.check = false;
      };
    };
  };
}