1 files changed, 79 insertions, 3 deletions

diff --git a/hosts/vidhar/borg/default.nix b/hosts/vidhar/borg/default.nix
index ee5856c9..65c309da 100644
--- a/hosts/vidhar/borg/default.nix
+++ b/hosts/vidhar/borg/default.nix
@@ -1,15 +1,72 @@
-{ pkgs, lib, ... }:
+{ config, pkgs, lib, ... }:
 
 with lib;
 
-{
+let
+  copyService = { repo, repoEscaped }: let
+    serviceName = "copy-borg@${repoEscaped}";
+    sshConfig = pkgs.writeText "config" ''
+      Host yggdrasil.borgbase
+        HostName nx69hpl8.repo.borgbase.com
+        User nx69hpl8
+        IdentityFile /run/credentials/${serviceName}.service/ssh-identity
+        IdentitiesOnly yes
+
+        BatchMode yes
+        ServerAliveInterval 10
+        ServerAliveCountMax 30
+    '';
+  in nameValuePair serviceName {
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${copyBorg}/bin/copy ${escapeShellArg repo} yggdrasil.borgbase:repo";
+      User = "borg";
+      Group = "borg";
+      StateDirectory = "borg";
+      Environment = [
+        "BORG_RSH=\"${pkgs.openssh}/bin/ssh -F ${sshConfig}\""
+        "BORG_CACHE_DIR=/var/lib/borg/cache"
+        "BORG_SECURITY_DIR=/var/lib/borg/security"
+        "BORG_KEYS_DIR=/var/lib/borg/keys"
+        "BORG_KEY_FILE=/run/credentials/${serviceName}.service/keyfile"
+      ];
+      LoadCredential = [
+        "ssh-identity:${config.sops.secrets."append.borgbase".path}"
+        "keyfile:${config.sops.secrets."yggdrasil.borgkey".path}"
+      ];
+    };
+  };
+
+  copyBorg = pkgs.stdenv.mkDerivation rec {
+    name = "copy";
+    src = ./copy.py;
+
+    phases = ["buildPhase" "checkPhase" "installPhase"];
+
+    python = pkgs.python39.withPackages (ps: with ps; [humanize tqdm dateutil xdg python-unshare halo]);
+
+    buildPhase = ''
+      substituteAll $src copy
+    '';
+
+    doCheck = true;
+    checkPhase = ''
+      ${python}/bin/python -m py_compile copy
+    '';
+
+    installPhase = ''
+      install -m 0755 -D -t $out/bin \
+        copy
+    '';
+  };
+in {
   config = {
     services.borgbackup.repos.jotnar = {
       path = "/srv/backup/borg/jotnar";
       authorizedKeysAppendOnly = let
         dir = ./jotnar;
         toAuthKey = fname: ftype: if ftype != "regular" || !(hasSuffix ".pub" fname) then null else builtins.readFile (dir + "/${fname}");
-      in filter (v: v != null) (lib.mapAttrsToList toAuthKey (builtins.readDir dir));
+      in filter (v: v != null) (mapAttrsToList toAuthKey (builtins.readDir dir));
     };
 
     boot.postBootCommands = mkBefore ''
@@ -25,5 +82,24 @@ with lib;
 
       Match All
     '';
+
+    sops.secrets."append.borgbase" = {
+      format = "binary";
+      sopsFile = ./append.borgbase;
+    };
+    sops.secrets."yggdrasil.borgkey" = {
+      format = "binary";
+      sopsFile = ./yggdrasil.borgkey;
+    };
+
+    systemd.services = listToAttrs (map copyService [{ repo = "/srv/backup/borg/jotnar"; repoEscaped = "srv-backup-borg-jotnar"; }]);
+
+    # systemd.timers."copy-borg@srv-backup-borg-jotnar" = {
+    #   wantedBy = ["multi-user.target"];
+      
+    #   timerConfig = {
+    #     OnCalendar = "*-*-* 00/4:00:00 Europe/Berlin";
+    #   };
+    # };
   };
 }