nix/modules/system/backups.nix

{ config, lib, pkgs, ... }:

/*
this module enables a backup script made with borg!
to use import & set the options below
to declare a backup add the following code
to a module and it will backup all listed paths
in a borg archive to the specified repo

      |     <3yy>    |
      V              V
  modules.system.backups.baks = {
    ${service} = { paths = [ cfg.data_dir ]; };
  };
*/

let
  cfg = config.system.backups;
  sec = config.sops.secrets;
  borg = "${pkgs.borgbackup}/bin/borg";
in
{
  options.system.backups = {
    enable = lib.mkEnableOption "enables backups with borg";
    baks = lib.mkOption {
      type = lib.types.attrsOf (lib.types.attrsOf (lib.types.listOf lib.types.path));
      default = {};
      description = "backup jobs, nested attribute sets should be <bak_name> = paths [<list_of_paths>]";
    };
    repo = lib.mkOption {
      type = lib.types.path;
      default = "/holocron/borg";
      description = "borg repository path";
    };
    passwd_file = lib.mkOption {
      type = lib.types.path;
      default = sec."borg_passwd".path;
      description = "borg repository passphrase file";
    };
    mode = lib.mkOption {
      type = lib.types.str;
      default = "split";  # "all"
      description = "choice between creating one archive of all paths or one archive per service";
    };
  };

  config = lib.mkIf (cfg.enable && cfg.baks != {}) {
    
    systemd.services.backups = {
      description = "backup service with borg!";
      path = [ pkgs.borgbackup ];
      serviceConfig = {
        Type = "oneshot";
#        EnvironmentFile = config.modules.system.backups.passphraseFile;
        # the actual script borg is using
        ExecStart = pkgs.writeShellScript "borg-backup" ''
          backup() {
            set -euo pipefail
            export BORG_PASSPHRASE="$(cat ${cfg.passwd_file})"
            export BORG_REPO="${cfg.repo}"
            timestamp="$(date +'%Y-%m-%d_%H:%M:%S')"
            mode=${cfg.mode}

            # init repo in needed
            if ! borg info "$BORG_REPO" >/dev/null 2>&1; then
              echo "Initializing Borg repo at $BORG_REPO"
              borg init --encryption=repokey "$BORG_REPO"
            fi

            borg break-lock "$BORG_REPO" || true

            echo "starting backup at $timestamp"

            if [ "$mode" = "split" ]; then
              # loop for each backup
              ${lib.concatStringsSep "\n\n" (lib.mapAttrsToList (bak_name: bak_paths:
                ''
                  echo "------------ Backing up ${bak_name} ------------"
                  archive="$timestamp-${bak_name}"
                  echo "backing up: ${lib.concatStringsSep " " bak_paths.paths} → $archive"
                  borg create \
                    --verbose \
                   # --filter AME \
                    --list \
                    --stats \
                    --show-rc \
                    --compression lz4 \
                    "$BORG_REPO::$archive" \
                    ${lib.concatStringsSep " " bak_paths.paths}
                echo "pruning old backups for ${bak_name}..."
                borg prune -v --list "$BORG_REPO" \
                  --glob-archives "*-${bak_name}" \
                  --keep-daily=7 \
                  --keep-weekly=52 \
                  --keep-monthly=-1
                echo "backup run complete at \"$BORG_REPO::$archive\""
                ''
              ) cfg.baks)}
                exit 0
            else
            # flatten all paths from cfg.baks into one big list
              all_paths="${
                lib.concatStringsSep " "
                (lib.flatten
                  (lib.mapAttrsToList (_: bak: bak.paths) cfg.baks))
              }"
                borg create \
                  --verbose \
                  --filter AME \
                  --list \
                  --stats \
                  --show-rc \
                  --compression lzma,9 \
                  "$BORG_REPO::$timestamp-${toString config.networking.hostName}" \
                  $all_paths

                echo "pruning old backups for ${toString config.networking.hostName}..."
                borg prune -v --list "$BORG_REPO" \
                  --glob-archives "*-${toString config.networking.hostName}" \
                  --keep-daily=7 \
                  --keep-weekly=52 \
                  --keep-monthly=-1
              echo "backup run complete at \"$BORG_REPO::${toString config.networking.hostName}\""
              exit 0
            fi
          }
          start_time=$(date +%s)
          backup
          end_time=$(date +%s)
          exec_time=$((end_time - start_time))
          cpu_usage=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk '{print 100 - $1"%"}')
          echo ""
          echo "backup stats:"
          echo "exec time: $exec_time"
          echo "cpu usage: $cpu_usage"
        '';
      };
    };

    # create timer to run backups daily
    systemd.timers.backups = {
      description = "daily borg backup timer";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
      };
    };

    # install borg binary
    environment.systemPackages = [ pkgs.borgbackup ];

    # declare secret for repo password
    sops.secrets = {
      "borg_passwd" = { 
        owner = "root";
        group = "root";
      };
    };
  };
}