modules/nixos: github-org-backup

modules/nixos/github-org-backup.nix

@@ -0,0 +1,59 @@
+{ config, pkgs, ... }:
+{
+  # upstream docs show how to restore these backups
+  # https://github.com/gabrie30/ghorg/blob/92965c8b25ca423223888e1138d175bfc2f4b39b/README.md#creating-backups
+  systemd.services.github-org-backup = {
+    environment.HOME = "/var/lib/github-org-backup";
+    path = [ pkgs.git pkgs.ghorg ];
+    # exclude nix, nixpkgs and repos > 200MB
+    script = ''
+      ghorg clone nix-community \
+        --backup \
+        --clone-wiki \
+        --concurrency 2 \
+        --exclude-match-regex '^(all-cabal-json|dream2nix-nodejs-auto|nix|nixpkgs|nur-search)$' \
+        --no-token \
+        --path /var/lib/github-org-backup \
+        --prune \
+        --prune-no-confirm
+    '';
+    startAt = "daily";
+    serviceConfig.Type = "oneshot";
+  };
+
+  sops.secrets.hetzner-borgbackup-ssh = { };
+
+  systemd.services.borgbackup-job-github-org = {
+    after = [ "github-org-backup.service" ];
+    serviceConfig.ReadWritePaths = [
+      "/var/log/telegraf"
+    ];
+  };
+
+  services.borgbackup.jobs.github-org = {
+    paths = [
+      "/var/lib/github-org-backup"
+    ];
+    repo = "u348918@u348918.your-storagebox.de:/./github-org";
+    encryption.mode = "none";
+    compression = "auto,zstd";
+    startAt = "daily";
+    environment.BORG_RSH = "ssh -oPort=23 -i ${config.sops.secrets.hetzner-borgbackup-ssh.path}";
+    preHook = ''
+      set -x
+    '';
+
+    postHook = ''
+      cat > /var/log/telegraf/borgbackup-github-org <<EOF
+      task,frequency=daily last_run=$(date +%s)i,state="$([[ $exitStatus == 0 ]] && echo ok || echo fail)"
+      EOF
+    '';
+
+    prune.keep = {
+      within = "1d"; # Keep all archives from the last day
+      daily = 7;
+      weekly = 4;
+      monthly = 0;
+    };
+  };
+}