nixos-conf/modules/services/borg-client.nix

{ config, lib, ... }:
let
  cfg = config.custom.services.borgClient;
  host = config.networking.hostName;
in
{
  options.custom.services.borgClient.enable = lib.mkEnableOption "the BorgBackup client";

  config = lib.mkIf cfg.enable {
    sops.secrets.borg-passphrase = {
      sopsFile = ../../secrets/${host}/borg.yaml;
    };

    environment.persistence."/persist".directories = [
      "/root/.cache/borg" # Otherwise the initial run of Borg is painfully slow
    ];

    services.borgbackup.jobs.persist = {
      compression = "auto,zstd,10";
      encryption = {
        mode = "repokey";
        passCommand = "cat ${config.sops.secrets.borg-passphrase.path}";
      };
      environment = {
        BORG_RSH = "ssh -i /etc/ssh/ssh_host_ed25519_key";
      };
      failOnWarnings = false;
      paths = "/persist";
      persistentTimer = true;
      patterns = [ "- var/log" ];
      prune.keep = {
        within = "1d";
        daily = 7;
        weekly = 4;
        monthly = 12;
      };
      repo = "borg@borg.vsinerva.fi:/persist/borg/${host}";
      startAt = "*-*-* *:00/10:00";
    };
  };
}