bsky: add backup task

machines/bsky/backup.nix

@@ -0,0 +1,39 @@
+{ pkgs, config, ... }:
+let
+  borgJob = name: {
+    environment = {
+      BORG_RSH = "ssh -i ${config.sops.secrets.bsky-backup-ssh-key.path}";
+    };
+    repo = "ssh://zh2088@zh2088.rsync.net/./backups/bsky/${name}";
+    compression = "zstd,10";
+    startAt = "*-*-* 2:30:00";
+    extraInitArgs = "--make-parent-dirs";
+    archiveBaseName = name;
+
+    encryption = {
+      mode = "repokey-blake2";
+      passCommand = "cat ${config.sops.secrets.bsky-backup-pass.path}";
+    };
+
+    prune = {
+      keep = {
+        within = "1d";
+        daily = 7;
+        weekly = 4;
+        monthly = -1;
+      };
+    };
+  };
+in
+{
+  services = {
+    borgbackup.jobs = {
+      bsky-pds = borgJob "bsky-pds" // {
+        paths = [ "/var/lib/pds" ];
+      };
+    };
+  };
+
+  environment.systemPackages = [ pkgs.borgbackup ];
+
+}

machines/bsky/configuration.nix

@@ -12,6 +12,7 @@
     ../../users/root
     ../../users/erwin
 
+    ./backup.nix
   ];
 
   eboskma = {
@@ -98,6 +99,8 @@
   sops.defaultSopsFile = ./secrets.yaml;
   sops.secrets = {
     pds-env = { };
+    bsky-backup-ssh-key = { };
+    bsky-backup-pass = { };
   };
 
   system.stateVersion = "25.05";

machines/bsky/secrets.yaml

@@ -1,4 +1,6 @@
 pds-env: ENC[AES256_GCM,data:7igflP/eh4Mvz15Xh1B3R4WcZ51LTCcjBNYiBCu92ZaQvOTalquJqGdLRpaBx425NZjPGGAt6xibMLnbaXOrXpouVW3A+xPj0TzTO+K2ZObFAZgaFfLCDIUPgkc1PUGvvwg/jfU8xMaUvLRlaAQDo1SDfNbmszQrxZRTAJYL4doPHFGnUAKgAW36RQ3PmQKcDGC3Rdaf3Bzi5rU7PIgYmJKaQWDSsDBgD9z5oPd1w/1k1RgoTblHM4u7lk0d0itUeS0TYMkVL4w5+soye6R00wwQBXyIkwQ8fikJUa3GnbhPx67RSzPkwKg3tRIxAZyRfBHC9Cb52RhhhFmZG5AWdG3FLXGpelPO/fMhEZGhCbkDo3dJtDz+Ce567R/ud5cQCpwvTuHQoH1n7/IcROxAy5sf60bgV7eyhA==,iv:8b/U6vv/MHnr/U03vMxN8sr9csgPbpBBALrcehPop/A=,tag:bejYU4f4IA+TVcEfyFhkMA==,type:str]
+bsky-backup-ssh-key: ENC[AES256_GCM,data:Mdo1HHWtr/4QrTqEiRievi5qZ04hw+9/XnnqBF39Q61SO760LvDjD7DRszrFMReHpN4UbLnG9KaeaujZbure83aCTDxoc+P3VJ/HYrfaIh1zhxuOGg0D/gz42zOHHI1DOTIqIqB4ILf0ZLLRegmbSvEVq9/k9Wh+nTr4NklJqmWdI8pkPU79nycUFcOQPWUDslse0Q1uqCz3YACKpTp/efbFGbSr++bXxJQ9iEbB0v98AzGta2eypP6sUrH/iQn909dzwThCwHx9S6v5qxOXomLawiKm2zJMgNFnIemMWcpU2rWKL8sWwpj2UdDMByeIJ9YJFSj5vX9n9+4JY5i06h7QyPSbZX2k1K5nK8bY2S1J9Aq7UOAXUynZuxBDGfRW3iQulZ9mgk+9wYQGT05Y6cxBep7zkeNheeqr009u219MwwnYwU1Fw55TgA5zj2VX6qnfAXTLDqC9lehvOYVUiPQtpSdKJn5jQ4N53IvqZNT6kXhzT8HHB1ZdCuX2AOtmlR2TDv2NwOuQw4t23nBV,iv:URYCUXTHmc6iWvGZ+qCKUJa6eTOhGpf6ZGibZtq60nE=,tag:RClxYGvsfM2AvrLzpGJ5+Q==,type:str]
+bsky-backup-pass: ENC[AES256_GCM,data:pIwYD6GIudgTj0a8WYHOpGV74aixSbd+Anwr/20hyDWxjBn3W5UtkoRBQG7LCuZn4B/Ht3/kgKb45wTm56jJYRfyNjO6I1skGNh52ybfr/wFRnxzlufrexTcy0K/uhRpHJUtTkuLCcmGeZysFNPDOKVlxAbzz16rwGsxg702ZEo=,iv:M8B98X0DMPH7vWdP9ypCvyT7AtOCabYMdBlnlFxEyMY=,tag:cSwSXDD4zAzJjPDw3VzorA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +34,8 @@ sops:
             TFRvdGkyb1czc21weVMyRHJGUlR3WEkKQPEoBJPPLijNmpGo8jngBfWUrkZZJwcg
             zdi6Wukj6tTS/rKyK0cCC8noyBVc0lLnpUMAemX9xs1dWkFrUBVQiw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-03T21:01:23Z"
-    mac: ENC[AES256_GCM,data:rjymp5a273Wx2K5WE8yVMRiJDyzz7y3UDLliJvAtUJLg72nx3KXbWFvHjio8BaEQxbobRxnLuPYyAXrGVwIdA14JJVBGFSc4jiJWFsVoX7Kh/7Iui4xkPO/3veoIVkvIzBYyRkPjB249ZwKbLaVR+NlraK7uHvL+Z9wFR+AY67E=,iv:hs6OUurXAApby6s7P0jr1Txplu8TC6DejvWT/87yrMA=,tag:L8+ZVgcwJZc67zd4NitXtQ==,type:str]
+    lastmodified: "2024-12-20T09:50:48Z"
+    mac: ENC[AES256_GCM,data:u+vDui46AnPiOaxPGovgAz4IcbDyqhVJm0su2IYlL1lN3TTJsEVjOmjYxD9Cb+OYpMupFHDuSLZVw3j5wp5o9vx4VGAtw0cmrUKq9hu48iGXBk0+zLVTImy5gZ82Bx0fy5rsHulM+QPKWio5zJqaq8Sy4ohib4bQSERR5i8vEFw=,iv:2jXWVmXVYLqRfuN7NH43S1XXvlnzbAd6L4T1YRJigQk=,tag:0eXDlb06a/qFA8+8ASNRdA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2