From 3610f51a9dde46774b7e8e4cf5412ed07bc2e784 Mon Sep 17 00:00:00 2001
From: mc-fucker
Date: Wed, 25 Mar 2026 15:19:27 +0100
Subject: [PATCH] init
---
 modules/borg_hetzner_nixos.nix | 54 ++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 modules/borg_hetzner_nixos.nix
diff --git a/modules/borg_hetzner_nixos.nix b/modules/borg_hetzner_nixos.nix
new file mode 100644
index 0000000..89ecc6a
--- /dev/null
+++ b/modules/borg_hetzner_nixos.nix
@@ -0,0 +1,54 @@
+{ config, pkgs, ... }:
+let
+ name = "hetzner_nixos";
+ hostname = config.networking.hostName;
+ remotehost = "u555679-sub2@u555679-sub2.your-storagebox.de";
+ backuppath = "/backup/snapshot";
+ borgHook = toString /etc/nixos/scripts/borgHook.sh;
+in
+{
+
+ sops.secrets."borg/hetzner/mcserver/${hostname}" = {};
+
+ services.borgbackup.jobs."${name}" = {
+ paths = [
+ "${backuppath}/etc"
+ "${backuppath}/home"
+ "${backuppath}/root"
+ "${backuppath}/var"
+ ];
+ exclude = [
+ "${backuppath}*/.cache"
+ "${backuppath}/home/*/build"
+ "${backuppath}/var/log"
+ "${backuppath}/var/lib/nextcloud/data/appdata_ocnc33s4dl6i/preview"
+ "${backuppath}/var/lib/postgresql/*/"
+ "${backuppath}/var/lib/mysql/*"
+ "${backuppath}/var/lib/containers"
+ "${backuppath}/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots"
+ ];
+ #repo = "borg@nasty:.";
+ repo = "ssh://${remotehost}:23/./${hostname}";
+ compression = "zstd,10";
+ encryption.mode = "repokey";
+ encryption.passCommand = "cat /run/secrets/borg/hetzner/mcserver/${hostname}";
+ environment.BORG_RSH = "ssh -i /root/.ssh/id_hetzner_nixos";
+ extraCreateArgs = "--verbose --stats";
+ extraArgs = [ "--remote-path=borg-1.4" ];
+ startAt = "00:10";
+ preHook = "${borgHook} pre ${backuppath}"; #create snapshot for consistent filesystem
+ postCreate = "${borgHook} post ${backuppath}"; #delete snapshot again
+ };
+
+ systemd.services."borgbackup-job-${name}" = {
+ environment = {
+ BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes";
+ };
+ path = [ pkgs.btrfs-progs pkgs.mount pkgs.umount pkgs.lvm2 pkgs.bash ];
+ serviceConfig = {
+ ReadWritePaths = [ "/backup" "/var/lock/lvm" "/etc/lvm" ];
+ };
+ };
+}
+
+# vim: set et ts=2 sw=2 ai:
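Review bot: `borgHook = toString /etc/nixos/scripts/borgHook.sh;` leaves the hook as a plain runtime path, so `preHook` and `postCreate` run whatever file is at that location when the timer fires (as root, unless `user` is set elsewhere) instead of a script pinned by the evaluated configuration. Interpolating a path literal, e.g. `borgHook = "${../scripts/borgHook.sh}";` (assuming the repository lives at /etc/nixos), copies it into the Nix store and makes it read-only. `encryption.passCommand` also hard-codes `/run/secrets/...` although the secret is declared a few lines above; `"cat ${config.sops.secrets."borg/hetzner/mcserver/${hostname}".path}"` keeps the two in sync. `BORG_RELOCATED_REPO_ACCESS_IS_OK = "yes"` permanently silences borg's check that the repository is still at the location it was first seen at, so it deserves a comment such as `# repo was moved from borg@nasty; remove once the cache has the new location` if that is the reason, and no pinned host key for the storage box on port 23 is visible in this file.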